Showing posts with label VPN.

Friday, February 5, 2016

Example - How to configure Site-to-site VPN with IOS router
  • Router 1 (Left):

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key CISCO address 10.10.20.3
!
!
crypto ipsec transform-set My-Set esp-aes 192 esp-sha-hmac
!
crypto map MyMap 10 ipsec-isakmp
 set peer 10.10.20.3
 set transform-set My-Set
 match address R1_TO_R3
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 crypto map MyMap
!
interface FastEthernet0/1
 ip address 172.16.1.1 255.255.255.0
!
router ospf 10
 router-id 1.1.1.1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip access-list extended R1_TO_R3
 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255

  • Router 3 (Right):

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key CISCO address 10.10.10.1
!
!
crypto ipsec transform-set My-Set esp-aes 192 esp-sha-hmac
!
crypto map MyMap 10 ipsec-isakmp
 set peer 10.10.10.1
 set transform-set My-Set
 match address R3_TO_R1
!
interface FastEthernet0/0
 ip address 172.16.3.3 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.20.3 255.255.255.0
 crypto map MyMap
!
router ospf 10
 router-id 3.3.3.3
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip access-list extended R3_TO_R1
 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255

  • Validation:


Router3#show  crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: MyMap, local addr 10.10.20.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer 10.10.10.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3242, #pkts encrypt: 3242, #pkts digest: 3242
    #pkts decaps: 3242, #pkts decrypt: 3242, #pkts verify: 3242
    #pkts compressed: 0, #pkts decompressed: 0


Router3#show  crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.10.10.1      10.10.20.3      QM_IDLE           1002    0 ACTIVE
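As an added pre-deployment check (not part of the original post), the Python below parses the crypto stanzas of both routers and flags what most often keeps a site-to-site tunnel from reaching QM_IDLE: a peer address that is not the other side's crypto-map interface, a pre-shared key bound to the wrong peer, mismatched ISAKMP policy or transform set, and crypto ACLs that are not mirror images. The sample configs are constructed in the layout of Router 1 and Router 3 above; the minimum DH group and key length it warns on are assumed policy thresholds, not anything the post states.

```python
"""Cross-check two IOS site-to-site IPsec configs for the mismatches that keep a tunnel down."""
import re

def side(local, peer, acl, src, dst):   # constructed sample in the layout of the post's Router 1 / Router 3
    return f"""crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key CISCO address {peer}
crypto ipsec transform-set My-Set esp-aes 192 esp-sha-hmac
crypto map MyMap 10 ipsec-isakmp
 set peer {peer}
 set transform-set My-Set
 match address {acl}
interface FastEthernet0/0
 ip address {local} 255.255.255.0
 crypto map MyMap
ip access-list extended {acl}
 permit ip {src} 0.0.0.255 {dst} 0.0.0.255
"""

R1 = side("10.10.10.1", "10.10.20.3", "R1_TO_R3", "172.16.1.0", "172.16.3.0")
R3 = side("10.10.20.3", "10.10.10.1", "R3_TO_R1", "172.16.3.0", "172.16.1.0")

def parse(cfg):
    """Pull out the fields of one side that must agree with the other side."""
    g = lambda pat: re.search(pat, cfg, re.M).group(1)
    acl = g(r"^ match address (\S+)")
    return {
        "encr": g(r"^ encr (.+)$"), "group": int(g(r"^ group (\d+)$")),
        "psk": g(r"^crypto isakmp key (\S+) address"), "key_addr": g(r"^crypto isakmp key \S+ address (\S+)"),
        "tset": g(r"^crypto ipsec transform-set \S+ (.+)$"), "peer": g(r"^ set peer (\S+)"),
        "local": g(r"^ ip address (\S+) \S+\n crypto map"),   # address of the interface carrying the crypto map
        "acl": tuple(g(rf"^ip access-list extended {acl}\n permit ip (.+)$").split()),
    }

def check(a, b):
    """ERROR: the tunnel will not come up. WARN: policy, with thresholds that are assumptions."""
    out = []
    for x, y in ((a, b), (b, a)):            # each side's peer must be the other side's local address
        if x["peer"] != y["local"]:
            out.append(f"ERROR: set peer {x['peer']} is not the other side's address {y['local']}")
        if x["key_addr"] != x["peer"]:
            out.append(f"ERROR: pre-shared key bound to {x['key_addr']} but the peer is {x['peer']}")
    out += [f"ERROR: {k} differs: {a[k]!r} vs {b[k]!r}" for k in ("psk", "encr", "group", "tset") if a[k] != b[k]]
    src, swc, dst, dwc = a["acl"]            # the crypto ACLs must be exact mirror images
    if b["acl"] != (dst, dwc, src, swc):
        out.append(f"ERROR: crypto ACLs are not mirrors: {a['acl']} vs {b['acl']}")
    if a["group"] < 14:
        out.append(f"WARN: DH group {a['group']} is below the assumed minimum of 14")
    if len(a["psk"]) < 16:
        out.append("WARN: pre-shared key is shorter than the assumed minimum of 16 characters")
    return out
```

Run against the post's two configs it reports no ERROR, only the two WARN lines for DH group 5 and the short key; change one ACL or peer address and the matching ERROR appears before anything is pushed to a router.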
Thursday, August 9, 2012

VPN connection and Internet Access

When you are connected to a VPN session, you normally have access to the corporate LAN.
However, it is also possible to have access to the Internet at the same time.

To do this on an ASA, you have to configure a NAT rule.
All traffic going to the Internet has to use the address of the Internet-facing interface as its source IP address.

The configuration below is an example that can be applied:

ip local pool Pool_VPN 192.168.40.10-192.168.40.250 mask 255.255.255.0
!
interface GigabitEthernet0/1
 description Outside Facing Interface
 nameif INTERNET
 security-level 0
 ip address 199.199.199.199 255.255.255.240
!
object network NAT-VPN-POOL
 subnet 192.168.40.0 255.255.255.0
 description Pool VPN
!
object network NAT-VPN-POOL
 nat (any,INTERNET) dynamic interface

All traffic with a source address in the VPN IP pool and an Internet destination matches this NAT rule.
Its source address is translated to the address of the outside interface.