Table of Contents. Cisco Configuring IPSec Cisco Secure VPN Client to Central Router Controlling Access

Similar documents
Table of Contents. Cisco Using the Cisco IOS Firewall to Allow Java Applets From Known Sites while Denying Others

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

Configuring the Cisco Secure PIX Firewall with a Single Intern

Sample Configuration Using the ip nat outside source static

Sample Configuration Using the ip nat outside source list C

BRI to PRI Connection Using Data Over Voice

LAN-Cell to Cisco Tunneling

P and FTP Proxy caching Using a Cisco Cache Engine 550 an

Configuring Static and Dynamic NAT Simultaneously

How To Monitor Cisco Secure Pix Firewall Using Ipsec And Snmp Through A Pix Tunnel

ASA 8.3 and Later: Mail (SMTP) Server Access on Inside Network Configuration Example

Lab Creating a Network Map using CDP Instructor Version 2500

PIX/ASA 7.x and above : Mail (SMTP) Server Access on Inside Network Configuration Example

iguring an IPSec Tunnel Cisco Secure PIX Firewall to Checkp

Table of Contents. Cisco Configuring an IPSec LAN to LAN Tunnel for Cisco VPN 5000 Concentrator to Cisco Secure PIX Firewall

Telnet, Console and AUX Port Passwords on Cisco Routers Configuration Example

SDM: Site to Site IPsec VPN Between ASA/PIX and an IOS Router Configuration Example

Table of Contents. Cisco Configuring CET Encryption with a GRE Tunnel

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

isco Connecting Routers Back to Back Through the AUX P

LAB Configuring NAT. Objective. Background/Preparation

Netgear ProSafe VPN firewall (FVS318 or FVM318) to Cisco PIX firewall

Lab Load Balancing Across Multiple Paths

Document ID: Introduction

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Creating a Gateway to Client VPN between Sidewinder G2 and a Mac OS X Client

Lab Load Balancing Across Multiple Paths Instructor Version 2500

IOS NAT Load Balancing for Two ISP Connections

Basic Router Configuration Using Cisco Configuration Professional

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

Cisco 2621 Gateway-PBX Interoperability: Lucent/Avaya Definity G3si V7 PBX with Cisco CallManager Using T1 PRI NI-2 for an H.

Configuring a Cisco 2509-RJ Terminal Router

Lab a Configure Remote Access Using Cisco Easy VPN

Configuring a Leased Line

IOS NAT Load Balancing with Optimized Edge Routing for Two Internet Connections

Remote Access VPN Business Scenarios

Configure ISDN Backup and VPN Connection

Configuring EtherChannel and 802.1Q Trunking Between Catalyst L2 Fixed Configuration Switches and Catalyst Switches Running CatOS

Keying Mode: Main Mode with No PFS (perfect forward secrecy) SA Authentication Method: Pre-Shared key Keying Group: DH (Diffie Hellman) Group 1

Module 6 Configure Remote Access VPN

ASA 8.X: Routing SSL VPN Traffic through Tunneled Default Gateway Configuration Example

REMOTE ACCESS VPN NETWORK DIAGRAM

Lab Configuring Syslog and NTP (Instructor Version)

Most Common DMVPN Troubleshooting Solutions

Virtual Fragmentation Reassembly

Configuring an IPSec Tunnel between a Firebox & a Cisco PIX 520

Lab Configure Basic AP Security through IOS CLI

Configuring DNS on Cisco Routers

Lab Configure a PIX Firewall VPN

Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client

Configuring a Check Point FireWall-1 to SOHO IPSec Tunnel

Using a Sierra Wireless AirLink Raven X or Raven-E with a Cisco Router Application Note

Configuring Remote Access IPSec VPNs

Cisco Site-to-Site VPN Lab 3 / GRE over IPSec VPNs by Michael T. Durham

IPSec. User Guide Rev 2.2

Pre-lab and In-class Laboratory Exercise 10 (L10)

Configuring a VPN between a Sidewinder G2 and a NetScreen

Table of Contents. Cisco Mapping Outbound VoIP Calls to Specific Digital Voice Ports

ASA and Native L2TP IPSec Android Client Configuration Example

Lab 5.3.9b Managing Router Configuration Files Using TFTP

VPN. VPN For BIPAC 741/743GE

Network Security 2. Module 6 Configure Remote Access VPN

Lab Advanced Telnet Operations

Configuring an IPSec Tunnel between a Firebox & a Check Point FireWall-1

Skills Assessment Student Training Exam

Case Study for Layer 3 Authentication and Encryption

Lab Introductory Lab 1 - Getting Started and Building Start.txt

Configuring the PIX Firewall with PDM

Lab Review of Basic Router Configuration with RIP. Objective. Background / Preparation. General Configuration Tips

Lab assignment #2 IPSec and VPN Tunnels (Document version 1.1)

Table of Contents. Cisco Configuring a Basic MPLS VPN

PIX/ASA 7.x with Syslog Configuration Example

Network Diagram Scalability Testbed and Configuration Files

Scenario: Remote-Access VPN Configuration

CCT vs. CCENT Skill Set Comparison

Cisco Which VPN Solution is Right for You?

Lab Configure Syslog on AP

Cisco Configuring Commonly Used IP ACLs

How To Industrial Networking

Application Notes SL1000/SL500 VPN with Cisco PIX 501

PIX/ASA 7.x and above: Mail (SMTP) Server Access on the DMZ Configuration Example

Godinich Consulting. VPN's Between Mikrotik and 3rd Party Devices

Cisco Secure PIX Firewall with Two Routers Configuration Example

Lab Introductory Lab 1 Getting Started and Building Start.txt

Configuring InterVLAN Routing and ISL/802.1Q Trunking on Catalyst 2900XL/3500XL/2940/2950/2970 Series Switches Using an External Router

Felix Rohrer. PT Activity 7.5.3: Troubleshooting Wireless WRT300N. Topology Diagram

Objectives. Background. Required Resources. CCNA Security

Lab Exercise Configure the PIX Firewall and a Cisco Router

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

PIX/ASA: Allow Remote Desktop Protocol Connection through the Security Appliance Configuration Example

Lab QoS Classification and Policing Using CAR

Configuring the MNLB Forwarding Agent

Greenbow VPN Client with Teldat VPN Server. Configuration Highlights

Establishing a VPN tunnel to CNet CWR-854 VPN router using WinXP IPSec client

Configuring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router

Table of Contents. Cisco Blocking Peer to Peer File Sharing Programs with the PIX Firewall

TABLE OF CONTENTS NETWORK SECURITY 2...1

Lecture 17 - Network Security

co Sample Configurations for Cisco 7200 Broadband Aggreg

Transcription:

Table of Contents Configuring IPSec Cisco Secure VPN Client to Central Router Controlling Access...1 Introduction...1 Prerequisites...1 Requirements...1 Components Used...1 Conventions...1 Configure...2 Network Diagram...2 Configurations...2 Verify...5 Troubleshoot...5 Troubleshooting Commands...5 Related Information...6 i

Configuring IPSec Cisco Secure VPN Client to Central Router Controlling Access Introduction Prerequisites Requirements Components Used Conventions Configure Network Diagram Configurations Verify Troubleshoot Troubleshooting Commands Related Information Introduction The following configuration would not be commonly used, but was designed to allow Cisco Secure VPN Client IPSec tunnel termination on a central router. As the tunnel comes up, the PC receives its IP address from the central router's IP address pool (in our example, the router is named "moss"), then the pool traffic can reach the local network behind moss or be routed and encrypted to the network behind the outlying router (in our example, the router is named "carter"). In addition, traffic from private network 10.13.1.X to 10.1.1.X is encrypted; the routers are doing NAT overload. Prerequisites Requirements There are no specific requirements for this document. Components Used The information in this document is based on these software and hardware versions: Cisco IOS Software Release 12.1.5.T (c3640 io3s56i mz.121 5.T) Cisco Secure VPN Client 1.1 The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command. Conventions For more information on document conventions, refer to Cisco Technical Tips Conventions.

Configure In this section, you are presented with the information to configure the features described in this document. Note: To find additional information on the commands used in this document, use the Command Lookup Tool ( registered customers only). Network Diagram This document uses this network setup: Configurations This document uses these configurations: moss Configuration carter Configuration moss Configuration Version 12.1 no service single slot reload enable service timestamps debug uptime service timestamps log uptime no service password encryption hostname moss

logging rate limit console 10 except errors enable password ww ip subnet zero no ip finger ip audit notify log ip audit po max events 100 crypto isakmp policy 1 hash md5 authentication pre share crypto isakmp key cisco123 address 99.99.99.1 crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 crypto isakmp client configuration address pool local RTP POOL crypto ipsec transform set rtpset esp des esp md5 hmac crypto dynamic map rtp dynamic 20 set transform set rtpset crypto map rtp client configuration address initiate crypto map rtp client configuration address respond crypto map sequence for network to network traffic crypto map rtp 1 ipsec isakmp set peer 99.99.99.1 set transform set rtpset match address 115 crypto map sequence for VPN Client network traffic. crypto map rtp 10 ipsec isakmp dynamic rtp dynamic call rsvp sync interface Ethernet2/0 ip address 172.18.124.154 255.255.255.0 ip nat outside no ip route cache no ip mroute cache half duplex crypto map rtp interface Serial2/0 no ip address shutdown interface Ethernet2/1 ip address 10.13.1.19 255.255.255.0 ip nat inside half duplex ip local pool RTP POOL 192.168.1.1 192.168.1.254 ip nat pool ETH20 172.18.124.154 172.18.124.154 netmask 255.255.255.0 ip nat inside source route map nonat pool ETH20 overload ip classless ip route 0.0.0.0 0.0.0.0 172.18.124.1 ip route 10.1.1.0 255.255.255.0 172.18.124.158 ip route 99.99.99.0 255.255.255.0 172.18.124.158 no ip http server Exclude traffic from NAT process. access list 110 deny ip 10.13.1.0 0.0.0.255 10.1.1.0 0.0.0.255 access list 110 deny ip 10.13.1.0 0.0.0.255 192.168.1.0 0.0.0.255 access list 110 permit ip 10.13.1.0 0.0.0.255 any

Include traffic in encryption process. access list 115 permit ip 10.13.1.0 0.0.0.255 10.1.1.0 0.0.0.255 access list 115 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 route map nonat permit 10 match ip address 110 dial peer cor custom line con 0 transport input none line aux 0 line vty 0 4 login end carter Configuration Current configuration : 2059 bytes version 12.1 no service single slot reload enable service timestamps debug uptime service timestamps log uptime no service password encryption hostname carter logging rate limit console 10 except errors ip subnet zero no ip finger ip audit notify log ip audit po max events 100 crypto isakmp policy 1 hash md5 authentication pre share crypto isakmp key cisco123 address 172.18.124.154 crypto ipsec transform set rtpset esp des esp md5 hmac crypto map sequence for network to network traffic. crypto map rtp 1 ipsec isakmp set peer 172.18.124.154 set transform set rtpset match address 115 call rsvp sync interface Ethernet0/0 ip address 99.99.99.1 255.255.255.0 ip nat outside half duplex crypto map rtp interface FastEthernet3/0 ip address 10.1.1.1 255.255.255.0 ip nat inside duplex auto speed 10

ip nat pool ETH00 99.99.99.1 99.99.99.1 netmask 255.255.255.0 ip nat inside source route map nonat pool ETH00 overload ip classless ip route 0.0.0.0 0.0.0.0 99.99.99.2 no ip http server Exclude traffic from NAT process. access list 110 deny ip 10.1.1.0 0.0.0.255 10.13.1.0 0.0.0.255 access list 110 deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255 access list 110 permit ip 10.1.1.0 0.0.0.255 any Include traffic in encryption process. access list 115 permit ip 10.1.1.0 0.0.0.255 10.13.1.0 0.0.0.255 access list 115 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255 route map nonat permit 10 match ip address 110 line con 0 transport input none line aux 0 line vty 0 4 password ww login end Verify This section provides information you can use to confirm your configuration is working properly. Certain show commands are supported by the Output Interpreter Tool ( registered customers only), which allows you to view an analysis of show command output. show crypto ipsec sashows the phase 2 security associations. show crypto isakmp sashows the phase 1 security associations. Troubleshoot This section provides information you can use to troubleshoot your configuration. Troubleshooting Commands Certain show commands are supported by the Output Interpreter Tool ( registered customers only), which allows you to view an analysis of show command output. Note: Before issuing debug commands, refer to Important Information on Debug Commands. debug crypto ipsecshows the IPSec negotiations of phase 2. debug crypto isakmpshows the ISAKMP negotiations of phase 1. debug crypto engineshows the traffic that is encrypted. clear crypto isakmpclears the security associations related to phase 1. clear crypto saclears the security associations related to phase 2.

Related Information Configuring IPSec Network Security Configuring Internet Key Exchange Security Protocol Cisco VPN Client Support Page IPSec Support Page Technical Support Cisco Systems All contents are Copyright 1992 2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.