Suggested Prerequisite Reading
»Cisco Forum FAQ »Setting Up Private Site-To-Site Connections

Introduction

When a local network needs to communicate with a remote network, there are in general two ways of doing it: over a Public network (such as the Internet) or over a Private network. Traditionally a Private network consists of dedicated or private circuits: T1/E1 (and higher), ISDN, and frame relay. With today's VPN technology, a Public network can carry the Private network's traffic at less cost than a dedicated circuit, more conveniently since the tunnel is built on demand, and still as securely as the traditional Private network, provided the VPN is implemented correctly.

On the implementation side, there must be a way to distinguish traffic destined for the Public network from traffic destined for the Private network. With IPSec VPN, this is where Split Tunneling comes into play: properly implemented, the split-tunnel policy decides which traffic goes to the Public network in the clear and which traffic goes to the Private network through the tunnel.

Another scenario is physical device separation between the Public network gateway and the Private network gateway. In a VPN implementation the Private network gateway is the device that terminates the VPN tunnel, and the Public network gateway is the device that connects directly to the Public network. With IPSec VPN, the Private network gateway typically terminates the IPSec tunnel while the Public network gateway passes the IPSec tunnel through just like any other IP traffic. In some networks the Public network gateway and the Private network gateway are the same physical device; that device then terminates the IPSec tunnel and also forwards traffic destined for the Public network.

The typical IPSec VPN tunnel implementation does not NAT/PAT traffic destined for the Private network and NATs/PATs only the traffic destined for the Public network. Therefore there must be a mechanism that regulates which traffic to NAT/PAT and which traffic not to. On Cisco devices this mechanism is an ACL: the NAT ACL denies (exempts) the site-to-site traffic and permits only the Internet-bound traffic. The exemption matters because on IOS an inside-to-outside packet is translated before the crypto map sees it; a site-to-site packet that is accidentally translated no longer matches the crypto ACL and leaves the router in the clear with a public source address.

With a routing protocol, there might be a need to implement a GRE tunnel in addition to the IPSec tunnel. Depending on the implementation, there can be one device terminating the GRE tunnel, one device terminating the IPSec tunnel (which carries the GRE tunnel), and another device passing the GRE/IPSec (GRE over IPSec) tunnel through just like traffic destined for the Public network. Check out the following FAQ for more info on GRE/IPSec tunnels.
»Cisco Forum FAQ »Between GRE/IPSEC and IPSEC VPN tunnels

Following is a list of sample configurations with various designs and implementations.

Static Routes over VPN

PIX Firewall passing IPSec tunnel
- Configuring an IPSec Tunnel through a PIX Firewall with NAT

IPSec tunnel passthrough on a NAT/PAT device, using a single Public IP address for both Internet and IPSec tunnel (Split Tunneling)
1. Router as the NAT/PAT device
   - IOS Router to Pass a LAN-to-LAN IPSec Tunnel via PAT
2. PIX Firewall as the NAT/PAT device
   - IPsec Tunnel Pass Through a PIX Firewall With use of Access List and with NAT Configuration Example
3. Static mappings with overloaded NAT and VPN
   - Configuring Router-to-Router IPsec (Pre-shared Keys) on GRE Tunnel with IOS Firewall and NAT
   - The following two posts, kindly provided by Manta

Quoted Post #1

Problem: Two 837 routers connected to ADSL lines. R1 is at Site1 and R2 at Site2. Both have single fixed IP addresses and run an ISAKMP/IPSEC tunnel between them to route the LAN traffic between sites. This works fine, but the problem is that when a static NAT entry is put in so that, for example, Remote Desktop is available from the Internet to a particular PC at Site1, it stops access to any Remote Desktop from Site2.

Solution: Change the IPSEC tunnel so that it only carries traffic from the loopback interface of R1 to the loopback interface of R2.
Then run a GRE tunnel over that IPSEC tunnel and route all site-to-site traffic via Tunnel0.

Site1: 10.0.0.0/24, GW: 10.0.0.254
Site2: 10.1.0.0/24, GW: 10.1.0.1

Sample Configuration:

! Last configuration change at 11:16:23 BST Thu Jun 3 2004 by gareth
! NVRAM config last updated at 11:16:25 BST Thu Jun 3 2004 by gareth
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
!
hostname Site1
!
logging queue-limit 100
enable secret 5
!
username
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
aaa new-model
!
!
aaa authentication login local-auth local-case
aaa session-id common
ip subnet-zero
no ip source-route
no ip domain lookup
ip domain name
!
!
no ip bootp server
ip cef
ip inspect udp idle-time 15
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
ip inspect name INTERNET-OUT tcp alert on
ip inspect name INTERNET-OUT udp alert on
ip inspect name INTERNET-OUT http alert on
ip audit notify log
ip audit po max-events 100
ip audit smtp spam 100
ip audit name INTERNET-OUT info action alarm
ip audit name INTERNET-OUT attack action alarm drop reset
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key
!
!
crypto ipsec transform-set lan-lan-tunnel esp-3des esp-sha-hmac
!
! The crypto ACL (site2-gre) matches only loopback-to-loopback traffic,
! i.e. the GRE packets; the LAN subnets are never "interesting traffic".
crypto map vpn-tunnel 10 ipsec-isakmp
 description IPSec tunnel to carry GRE
 set peer
 set transform-set lan-lan-tunnel
 set pfs group5
 match address site2-gre
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.255
!
interface Tunnel0
 ip address 192.168.2.1 255.255.255.0
 keepalive 3 3
 tunnel source Loopback0
 tunnel destination 192.168.1.2
!
! access-group names must match the ACL names exactly (Ethernet-In, Internet-In
! below); a reference to a list that does not exist filters nothing.
interface Ethernet0
 ip address 10.0.0.254 255.255.255.0
 ip access-group Ethernet-In in
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer0
 ip address negotiated
 ip access-group Internet-In in
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect INTERNET-OUT out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp chap hostname
 ppp chap password
 crypto map vpn-tunnel
!
ip nat inside source list NAT interface Dialer0 overload
! Collection of static mappings removed but example given
ip nat inside source static tcp
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.0.0 255.255.255.0 Tunnel0
no ip http server
no ip http secure-server
!
!
ip access-list extended Ethernet-In
 remark Invalid internet addresses
 deny ip any 0.0.0.0 0.255.255.255 log
 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
 ! A "permit ip 10.0.0.0 0.0.0.255 any" at this point would be hit first for
 ! every LAN packet and make all of the entries below unreachable, including
 ! the email lock-down; the general permits are at the end of the list instead.
 deny ip any 10.0.0.0 0.255.255.255 log
 deny ip any 127.0.0.0 0.255.255.255 log
 deny ip any 169.254.0.0 0.0.255.255 log
 deny ip any 172.16.0.0 0.15.255.255 log
 deny ip any 192.0.2.0 0.0.0.255 log
 deny ip any 192.168.0.0 0.0.255.255 log
 remark Lock down email to servers
 permit tcp host 10.0.0.2 any eq smtp
 deny tcp any any eq smtp log
 deny tcp any any eq pop3 log
 remark other
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit tcp any any
 permit udp any any
 deny ip any any log
ip access-list extended Internet-In
 remark vpn enable
 ! Unsure if the next two lines are needed, but it's belt and braces
 permit esp host
 permit udp host
 permit ip host 192.168.1.2 host 192.168.1.1
 remark Invalid internet addresses
 deny ip 0.0.0.0 0.255.255.255 any log
 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 169.254.0.0 0.0.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.0.2.0 0.0.0.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 remark Port Mappings
 remark SMTP mail mapping
 permit tcp any any eq smtp
 remark SSH access mappings
 permit tcp host
 remark Other
 permit icmp host
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any echo-reply
 remark SNTP time servers
 permit udp host 158.43.128.33 eq ntp any
 permit udp host 158.43.128.66 eq ntp any
 deny ip any any log
ip access-list extended NAT
 ! Don't know if these NAT denies are necessary any more, but it's too hot to think about it at the moment.
 deny ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
 deny ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended site2-gre
 permit ip host 192.168.1.1 host 192.168.1.2
radius-server authorization permit missing Service-Type
banner login $
Access to this device is only permitted by authorised users
All access to this device is logged
$
!
line con 0
 logging synchronous
 login authentication local-auth
 no modem enable
 stopbits 1
line aux 0
 login authentication local-auth
 stopbits 1
line vty 0 4
 logging synchronous
 login authentication local-auth
 transport input ssh
!
scheduler max-task-time 5000
sntp server 158.43.128.33
sntp server 158.43.128.66
!
end

Quoted Post #2

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
logging buffered 40960 warnings
enable secret
!
aaa new-model
!
!
aaa group server radius wireless-radius
 server 10.1.0.2 auth-port 1645 acct-port 1646
 ip radius source-interface Vlan1
!
aaa authentication login local-auth local-case
aaa authentication login wireless-eap group wireless-radius
aaa authentication ppp default local-case
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
dot11 association mac-list 700
dot11 syslog
!
dot11 ssid w-secure
 vlan 2
 authentication open eap wireless-eap
 authentication key-management wpa
!
dot11 ssid w-ps3
 vlan 3
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii
!
no ip source-route
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name bullet-systems.com
ip multicast-routing
ip inspect udp idle-time 15
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
ip inspect name INTERNET-OUT tcp alert on
ip inspect name INTERNET-OUT udp alert on
ip inspect name INTERNET-OUT http java-list 2 alert on
ip inspect name INTERNET-OUT ftp alert on timeout 300
ip inspect name INTERNET-OUT tftp alert on
ip inspect name INTERNET-OUT sip alert on
ip inspect name INTERNET-OUT rtsp alert on
ip ips name INTERNET-OUT
!
multilink bundle-name authenticated
!
!
username
!
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key
crypto isakmp key
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set ipsec-tunnel esp-3des esp-sha-hmac
!
crypto map vpn-tunnel 100 ipsec-isakmp
 description A to B IPSec tunnel to carry GRE
 set peer
 set transform-set ipsec-tunnel
 set pfs group5
 match address adsl-gre
!
crypto map vpn-tunnel 110 ipsec-isakmp
 description A to B via SDSL
 set peer
 set pfs group5
 match address sdsl-gre
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any voip
 match ip rtp 9000 20
 match access-group name voip
!
!
policy-map voip
 class voip
  priority 516
 class class-default
  fair-queue
!
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.255
!
interface Loopback5
 ip address 192.168.1.5 255.255.255.255
!
interface Tunnel0
 description Tunnel over ADSL
 bandwidth 800
 ip unnumbered Loopback0
 ip load-sharing per-packet
 ip multicast boundary multicast-boundary
 ip virtual-reassembly
 ip tcp adjust-mss 1200
 qos pre-classify
 keepalive 3 3
 tunnel source Loopback0
 tunnel destination 192.168.1.2
 tunnel key 0
 tunnel bandwidth transmit 800
!
interface Tunnel5
 description Tunnel SDSL
 bandwidth 800
 bandwidth receive 1024
 ip unnumbered Loopback5
 ip load-sharing per-packet
 ip multicast boundary multicast-boundary
 ip virtual-reassembly
 ip tcp adjust-mss 1200
 qos pre-classify
 keepalive 3 3
 tunnel source Loopback5
 tunnel destination 192.168.1.6
 tunnel key 5
 tunnel bandwidth transmit 800
!
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  ubr 832
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
  service-policy output voip
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 3 mode ciphers aes-ccm
 !
 ssid w-secure
 !
 ssid w-ps3
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.2
 description Wireless VLAN for laptop and trusted machines
 encapsulation dot1Q 2
 ip address 10.2.2.1 255.255.255.0
 ip helper-address 10.1.0.2
 ip nat inside
 ip virtual-reassembly
!
interface Dot11Radio0.3
 description Wireless VLAN for PS3
 encapsulation dot1Q 3
 ip address 10.2.3.1 255.255.255.0
 ip access-group wireless-lockdown in
 ip helper-address 10.1.0.2
 ip pim sparse-dense-mode
 ip nat inside
 ip virtual-reassembly
!
interface Vlan1
 description Local Area Network
 bandwidth 100000
 ip address 10.1.0.1 255.255.255.0
 ip access-group ethernet-in in
 ip nbar protocol-discovery
 ip pim sparse-dense-mode
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface Dialer0
 description ADSL line 8192kbps/832kbps
 bandwidth 8192
 ip address negotiated
 ip access-group internet-in in
 no ip proxy-arp
 ip multicast boundary multicast-boundary
 ip nat outside
 ip inspect INTERNET-OUT out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp chap hostname
 ppp chap password
 crypto map vpn-tunnel
!
no ip forward-protocol nd
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.1.0 255.255.255.0 Tunnel0
ip route 10.1.1.0 255.255.255.0 Tunnel5
!
!
no ip http server
no ip http secure-server
ip nat translation timeout 1800
ip nat translation tcp-timeout 300
ip nat translation finrst-timeout 15
ip nat translation syn-timeout 45
ip nat translation max-entries host 10.1.0.52 1500
ip nat pool used-ip-block
ip nat pool unused-ip-block
ip nat inside source list nat-list pool used-ip-block overload
ip nat inside source static tcp
ip nat inside source static udp
!
ip access-list standard multicast-boundary
 deny 239.255.0.0 0.0.255.255
 permit any
!
ip access-list extended sdsl-gre
 permit ip host 192.168.1.5 host 192.168.1.6
!
ip access-list extended ethernet-in
 permit ip any host 192.168.2.2
 remark Invalid internet addresses
 deny ip any 0.0.0.0 0.255.255.255 log
 deny ip any 127.0.0.0 0.255.255.255 log
 deny ip any 169.254.0.0 0.0.255.255 log
 deny ip any 192.0.2.0 0.0.0.255 log
 deny ip any 192.168.0.0 0.0.255.255 log
 remark Other
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit tcp any any
 permit udp any any
 permit igmp 10.1.0.0 0.0.0.255 any
 deny ip any any log
!
ip access-list extended internet-in
 permit esp host
 permit udp host
 remark Invalid internet addresses
 deny ip 0.0.0.0 0.255.255.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 169.254.0.0 0.0.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.0.2.0 0.0.0.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 permit tcp any any eq domain
 permit udp any any eq domain
 remark Other
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any echo-reply
 permit udp host 158.43.128.33 any eq ntp
 permit udp host 158.43.128.66 any eq ntp
 deny ip any any log
!
ip access-list extended adsl-gre
 permit ip host 192.168.1.1 host 192.168.1.2
!
ip access-list extended nat-list
 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip 10.2.2.0 0.0.0.255 any
 permit ip 10.2.3.0 0.0.0.255 any
!
ip access-list extended voip
 permit ip any 217.10.79.0 0.0.0.255
 permit udp host 10.1.0.2 range 9000 9020 any
!
ip access-list extended wireless-lockdown
 permit tcp 10.2.3.0 0.0.0.255 host 10.1.0.2 eq domain
 permit udp 10.2.3.0 0.0.0.255 host 10.1.0.2 eq domain
 permit tcp 10.2.3.0 0.0.0.255 host 10.1.1.2 eq domain
 permit udp 10.2.3.0 0.0.0.255 host 10.1.1.2 eq domain
 permit ip 10.2.3.0 0.0.0.255 host 10.1.0.3
 permit udp any eq bootpc any eq bootps
 deny ip 10.2.3.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny ip 10.2.3.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 permit igmp 10.2.3.0 0.0.0.255 any
 permit ip 10.2.3.0 0.0.0.255 any
!
ip radius source-interface Vlan1
logging history size 100
access-list 1 remark SNMP access
access-list 1 permit 10.1.0.2
access-list 1 deny any log
!
access-list 2 remark JAVA applet firewall exception list
access-list 2 permit 72.5.124.95
access-list 2 permit 85.210.20.0 0.0.0.255
!
!
access-list 700 permit 0123.4567.8901 0000.0000.0000
!
snmp-server community
snmp-server contact Me
snmp-server chassis-id
snmp-server enable traps tty
!
!
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.1.0.2 auth-port 1645 acct-port 1646 key
radius-server vsa send accounting
!
control-plane
!
banner login ^CC
Access to this device is only permitted by authorised users
All access to this device is logged
^C
!
line con 0
 logging synchronous
 login authentication local-auth
 no modem enable
 stopbits 1
line aux 0
 login authentication local-auth
 stopbits 1
line vty 0 4
 exec-timeout 20 0
 logging synchronous
 login authentication local-auth
 transport input ssh
!
scheduler max-task-time 5000
sntp server 158.43.128.33
sntp server 158.43.128.66
!
!
end

Private Routing over VPN

GRE/IPSec tunnel to support IP Routing Protocols
- Configuring a GRE Tunnel over IPSec with OSPF
- GRE over IPSec with EIGRP to Route Through a Hub and Multiple Remote Sites

New OSPF Feature on ASA/PIX Firewall running OS version 7.x or later

With OS version 7.x or later it is no longer a requirement to encapsulate OSPF in a GRE tunnel in order to pass it through an IPSec VPN tunnel. An ASA or PIX Firewall running 7.x or later can pass OSPF through the IPSec VPN tunnel just like any other IP traffic, and the firewall itself becomes part of the OSPF domain. In other words, the ASA/PIX Firewall can terminate the IPSec VPN tunnel, needs no GRE tunnel to support OSPF, and participates in OSPF routing. With this feature the ASA/PIX Firewall behaves much more like a router. One caveat: the IPSec tunnel carries no multicast, so the OSPF neighbors across the tunnel must be configured statically (unicast) rather than discovered. Check out the following link for a sample configuration.
- PIX/ASA 7.x and later: VPN/IPsec with OSPF Configuration Example

IPX Routing over GRE/IPSec
- Configuring GRE and IPSec with IPX Routing
- Configuring IPSec with EIGRP and IPX Using GRE Tunneling

DMVPN

When Cisco routers act as the VPN device at all sites, it is simpler and more scalable to run DMVPN between the routers instead of the GRE over IPSec approach above. With DMVPN there is no need to set up each tunnel manually for each pair of sites: DMVPN dynamically builds the necessary GRE and IPSec tunnels, using a multipoint GRE interface with NHRP for spoke registration and an IPSec profile to protect the tunnel traffic. Should you decide to run DMVPN, verify that your router's IOS image supports it; images with the Advanced Enterprise or Advanced IP Services feature set should. Check out the following links for more info on DMVPN.
- Dynamic Multipoint IPsec VPNs (Using Multipoint GRE/NHRP to Scale IPsec VPNs)
- Configuring DMVPN Spoke Router in Full Mesh IPsec VPN Using SDM
- Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall

Some discussions
»DMVPN vs individual tunnels
»[Config] DMVPN works, restrictions needed...
»[Config] Need Help with DMVPN
»[Config] DMVPN reundandt WAN (SOLVED - config inside)

More Sample Configurations
»Sample network configuration
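The NAT-exemption ACL described in the introduction, the NAT and Ethernet-In lists in Manta's first config, and the crypto "match address" lists are all evaluated the same way: top to bottom, first match wins, and anything unmatched hits the implicit deny. The script below is an added example written for this FAQ; it is not code from the page, from Manta or from Cisco. It models that evaluation for the subset of IOS syntax used on this page, classifies a few constructed flows as translated or exempt, and flags entries that an earlier entry fully shadows. PORT_NAMES, Ace, Flow, NAT_ACL and LAN_ACL are the example's own constructions (NAT_ACL copies the Site1 NAT list; LAN_ACL is modelled on the Ethernet-In list with a broad permit placed before the email lock-down), and 203.0.113.x is a documentation address standing in for an Internet host.

```python
"""IOS-style extended ACL evaluation as used for NAT exemption (split
tunnelling) and for the crypto map "interesting traffic" match: first match
wins, and an unmatched packet hits the implicit deny at the end.
Added example, not code from the page, the poster or Cisco. The ACL text and
flows are constructed: NAT_ACL mirrors the Site1 "NAT" list above, LAN_ACL is
modelled on its Ethernet-In list. Only the syntax subset used on this page is
handled (ip/tcp/udp/icmp, any/host/wildcard, an optional "eq <port>" on the
destination); source-port matches and object groups are out of scope."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"smtp": 25, "pop3": 110, "domain": 53, "ntp": 123, "ssh": 22}
Ace = namedtuple("Ace", "action proto src dst dport text")   # proto "ip" covers all
Flow = namedtuple("Flow", "proto src dst dport", defaults=[None])

def _wildcard_to_net(addr, wildcard):
    """IOS wildcards are inverted masks; convert explicitly so that 0.0.0.0
    (one host) and 255.255.255.255 (any) are not misread as netmasks."""
    w = int(ipaddress.IPv4Address(wildcard))
    net = ipaddress.IPv4Network(f"{addr}/{32 - bin(w).count('1')}", strict=False)
    if int(net.hostmask) != w:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return net

def _take_addr(t):
    """Consume 'any', 'host A' or 'A WILDCARD' from the token list."""
    tok = t.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return _wildcard_to_net(t.pop(0), "0.0.0.0") if tok == "host" else _wildcard_to_net(tok, t.pop(0))

def parse_acl(text):
    aces = []
    for raw in text.strip().splitlines():
        t = raw.split()
        if not t or t[0] in ("ip", "remark", "!"):        # header and comments
            continue
        action, proto = t.pop(0), t.pop(0)
        src, dst = _take_addr(t), _take_addr(t)
        dport = None
        if t and t[0] == "eq":                            # trailing "log" is ignored
            dport = PORT_NAMES.get(t[1]) or int(t[1])
        aces.append(Ace(action, proto, src, dst, dport, raw.strip()))
    return aces

def _covers(a, proto, src, dst, dport):
    """True if entry a matches everything the arguments describe (a /32 for
    one packet, or a whole range when comparing two entries)."""
    return (a.proto in ("ip", proto) and src.subnet_of(a.src)
            and dst.subnet_of(a.dst) and a.dport in (None, dport))

def lookup(aces, flow):
    """First match wins; returns (action, matching line)."""
    src, dst = (ipaddress.IPv4Network(ip + "/32") for ip in (flow.src, flow.dst))
    for a in aces:
        if _covers(a, flow.proto, src, dst, flow.dport):
            return a.action, a.text
    return "deny", "implicit deny"

def translated(nat_acl, flow):
    """NAT-exemption semantics: a permit translates; a deny or no match leaves
    the packet untouched so it can enter the tunnel with its private address."""
    return lookup(nat_acl, flow)[0] == "permit"

def shadowed(aces):
    """(entry, earlier entry) index pairs where the earlier entry fully covers
    the later one, so the later one can never match, whatever its action."""
    out = []
    for j, b in enumerate(aces):
        for i in range(j):
            if _covers(aces[i], b.proto, b.src, b.dst, b.dport):
                out.append((j, i))
                break
    return out

NAT_ACL = """
 deny ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
 deny ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
"""
LAN_ACL = """
 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
 remark Lock down email to servers
 permit tcp host 10.0.0.2 any eq smtp
 deny tcp any any eq smtp log
 permit tcp any any
"""

if __name__ == "__main__":
    nat, lan = parse_acl(NAT_ACL), parse_acl(LAN_ACL)
    for f in (Flow("tcp", "10.0.0.5", "10.1.0.20", 3389),   # site to site: exempt
              Flow("tcp", "10.0.0.5", "203.0.113.10", 443), # Internet: translated
              Flow("gre", "192.168.1.1", "192.168.1.2")):    # GRE outer packet: no match
        print(f"{f.src} -> {f.dst}: translated={translated(nat, f)}")
    for j, i in shadowed(lan):
        print(f"never matched: '{lan[j].text}'  covered by: '{lan[i].text}'")
```

Three things the run shows. First, the site-to-site flow hits the deny and is left untranslated, the Internet flow hits the permit and is translated, and the GRE packet (sourced from Loopback0 in the GRE design) matches nothing and is therefore also left alone; that is why the two deny lines only matter when the LAN subnets themselves are the crypto ACL's interesting traffic. Second, static translations are not gated by this list at all, which is how a static mapping can break site-to-site access when the LAN subnets are the interesting traffic; moving that traffic into a GRE tunnel keeps it off the NAT-outside path entirely. Third, the broad permit in LAN_ACL silently makes the SMTP lock-down unreachable; IOS accepts such a list without warning, so a shadow check like this belongs in review of any inbound filter.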
by Covenant

© 1999-2013 dslreports.com