
LAB Topology Configuration

London Router (Cisco 2611 XM)

The serial and the Fast Ethernet interfaces are configured with the appropriate IP addressing as shown below. The DTE end of the cable is connected to this router.

Interface configuration

interface FastEthernet0/0
 ip address 10.1.0.1 255.255.0.0
interface Serial0/0
 ip address 172.16.1.1 255.255.0.0
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0

DHCP configuration

DHCP is configured on the appropriate interfaces to provide IP addresses, from the specified range, to computers connected to each network.

DHCP on FE0/1

ip dhcp pool lan2            (creates a DHCP pool named lan2)
 network 192.168.1.0 /24     (DHCP addresses are leased from this range)
 dns-server 192.168.1.1      (DNS server IP)
 default-router 192.168.1.1  (default gateway IP)

DHCP on FE0/0

ip dhcp pool lan1
 network 10.1.0.0 /16
 dns-server 10.1.0.1
 default-router 10.1.0.1

Excluding DHCP addresses for static IP addresses on the network (to be done in global configuration mode)

ip dhcp excluded-address 10.1.0.0 10.1.0.3
ip dhcp excluded-address 192.168.1.0 192.168.1.3

The IP addresses up to 10.1.0.3 and 192.168.1.3 are used for the servers, routers and access points on the network, so they are excluded from the addresses leased out by the DHCP server.

IPSEC Tunnel Configuration

IKE Phase 1 configuration

crypto isakmp enable
crypto isakmp policy 10
 hash md5
 authentication pre-share
 encryption des
 group 1
 lifetime 3600

Shared key configuration with the peer.

The value of the shared key, asterix, is configured together with the peer address:

crypto isakmp key asterix address 172.16.1.2

IKE Phase 2 configuration

crypto ipsec transform-set ipsec1 esp-des esp-md5-hmac
 mode tunnel

ESP is selected as the IPSEC protocol, along with DES and MD5-HMAC. The mode is selected as tunnel.

Crypto ACL

The following ACL entries are used by IPSEC to identify the traffic that needs to be encrypted.

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 10.1.0.0 0.0.255.255 192.168.2.0 0.0.0.255

This lets the router know that traffic from 192.168.1.0 to 192.168.2.0 and traffic from 10.1.0.0 to 192.168.2.0 is to be sent via the tunnel.

Crypto MAP

After the ACL is created, the crypto map is configured on the router. Its name is l2r.

crypto map l2r 10 ipsec-isakmp
 set peer 172.16.1.2
 set transform-set ipsec1
 match address 101
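The phase 1 policy and transform set above (the Paris router uses the same ones) are built on the IOS 12.x defaults for IKE: DES, Diffie-Hellman group 1 and, for ESP, DES with MD5-HMAC. That is also why the running configs reproduced later on this page list neither encryption des nor group 1: show run omits settings that are still at their default. All three algorithms are deprecated today. The script below is an added example and not code from the lab report: it parses crypto isakmp policy and crypto ipsec transform-set lines, supplies the IOS defaults for anything a policy leaves unset, and reports every setting that falls outside a minimum baseline. The ACCEPTED sets, the WEAK_TRANSFORMS list and the hardened sample configuration are assumptions chosen for the example.

```python
"""Audit IOS IKE phase 1 policies and IPsec transform sets against a strength baseline.

Added example for this lab report, not code from the report itself.
"""
import re

# Values IOS 12.x applies when a 'crypto isakmp policy' omits a setting; 'show run'
# does not print them, so the parser has to fill them in itself.
IOS_POLICY_DEFAULTS = {
    "encryption": "des",
    "hash": "sha",
    "authentication": "rsa-sig",
    "group": "1",
    "lifetime": "86400",
}

# Baseline used by this example (an assumption, not a Cisco or lab value):
# AES with SHA-2 and DH group 14 or stronger; anything else is reported.
ACCEPTED = {
    "encryption": {"aes", "aes 192", "aes 256"},
    "hash": {"sha256", "sha384", "sha512"},
    "group": {"14", "15", "16", "19", "20", "21"},
}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

# Constructed sample: the lab's phase 1 policy and transform set as entered.
LAB_CONFIG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
 encryption des
 group 1
 lifetime 3600
crypto ipsec transform-set ipsec1 esp-des esp-md5-hmac
 mode tunnel
"""

# Constructed sample: the same tunnel using the baseline algorithms (assumed values).
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
crypto ipsec transform-set ipsec1 esp-aes 256 esp-sha256-hmac
 mode tunnel
"""


def parse_isakmp_policies(text):
    """Return {policy_number: settings}; keys a policy never sets carry the IOS defaults."""
    policies, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^crypto isakmp policy (\d+)\s*$", line)
        if header:
            current = dict(IOS_POLICY_DEFAULTS)
            policies[int(header.group(1))] = current
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            if key in current:
                current[key] = value
        else:
            current = None  # any other top-level line ends the policy block
    return policies


def parse_transform_sets(text):
    """Return {name: [transform, ...]} from 'crypto ipsec transform-set' lines."""
    pattern = r"^crypto ipsec transform-set (\S+) (.+?)\s*$"
    return {m.group(1): m.group(2).split() for m in re.finditer(pattern, text, re.M)}


def audit(text):
    """List every phase 1 / phase 2 setting that falls outside the baseline."""
    findings = []
    for num, policy in sorted(parse_isakmp_policies(text).items()):
        for key in ("encryption", "hash", "group"):
            if policy[key] not in ACCEPTED[key]:
                findings.append(f"isakmp policy {num}: {key} {policy[key]}")
    for name, transforms in parse_transform_sets(text).items():
        findings.extend(f"transform-set {name}: {t}" for t in transforms if t in WEAK_TRANSFORMS)
    return findings


if __name__ == "__main__":
    for label, cfg in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Running the script reports five findings for the lab configuration (DES, MD5 and group 1 in the policy, and esp-des plus esp-md5-hmac in the transform set) and none for the hardened sample. Because the parser starts every policy from the IOS defaults, it reaches the same verdict whether it is fed the commands as typed or the abbreviated output of show run.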

The crypto map is then applied to the corresponding interface.

interface Serial0/0
 crypto map l2r

Routing

After the IPSEC tunnel is configured, a default route is set to route all packets to the peer router.

ip route 0.0.0.0 0.0.0.0 172.16.1.2

Access restriction to servers on the staff network

Access to the AD and management server systems from the guest network is restricted.

Note: Only the configuration is identified; it is not demonstrated or configured on the routers in the tests, due to the number of systems required.

access-list 102 deny ip host 192.168.1.2 10.1.0.0 0.0.255.255
access-list 102 deny ip host 192.168.1.2 10.2.0.0 0.0.255.255
access-list 102 deny ip host 192.168.1.3 10.1.0.0 0.0.255.255
access-list 102 deny ip host 192.168.1.3 10.2.0.0 0.0.255.255
access-list 102 permit ip any any

The first four lines deny traffic to the hosts 192.168.1.2 and 192.168.1.3 (AD and management server) from the guest networks. The ACL is applied inbound on the interface to which the staff network is connected, which is FE0/1.

interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 102 in

Paris Router (Cisco 1751)

The serial and the Fast Ethernet interfaces are configured with the appropriate IP addressing as shown below. The DCE end of the cable is connected to this router, so the clock rate is configured here.

Interface configuration

interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
interface Serial0/0
 ip address 172.16.1.2 255.255.0.0
 clockrate 56000

DHCP configuration

DHCP is configured on the appropriate interface to provide IP addresses, from the specified range, to computers connected to the network.

DHCP on FE0/0

ip dhcp pool lan1                    (creates a DHCP pool named lan1)
 network 192.168.2.0 255.255.255.0   (DHCP addresses are leased from this range)
 dns-server 192.168.2.1              (DNS server IP)
 default-router 192.168.2.1          (default gateway IP)

Excluding DHCP addresses for static IP addresses on the network (to be done in global configuration mode)

ip dhcp excluded-address 192.168.2.0 192.168.2.4

The IP addresses up to 192.168.2.4 are used for the servers, routers and access points on the network, so they are excluded from the addresses leased out by the DHCP server.

IPSEC Tunnel Configuration

IKE Phase 1 configuration

crypto isakmp enable
crypto isakmp policy 10
 hash md5
 authentication pre-share
 encryption des
 group 1
 lifetime 3600

Shared key configuration with the peer.

The value of the shared key, asterix, is configured together with the peer address:

crypto isakmp key asterix address 172.16.1.1

IKE Phase 2 configuration

crypto ipsec transform-set ipsec1 esp-des esp-md5-hmac
 mode tunnel

ESP is selected as the IPSEC protocol, along with DES and MD5-HMAC. The mode is selected as tunnel.

Crypto ACL

The following ACL entries are used by IPSEC to identify the traffic that needs to be encrypted.

access-list 101 permit ip 192.168.2.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

This lets the router know that traffic from 192.168.2.0 to 10.1.0.0 and traffic from 192.168.2.0 to 192.168.1.0 is to be sent via the tunnel.

Crypto MAP

After the ACL is created, the crypto map is configured on the router. Its name is r2l.

crypto map r2l 10 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set ipsec1
 match address 101

The crypto map is then applied to the corresponding interface.

interface Serial0/0
 crypto map r2l

Routing

After the IPSEC tunnel is configured, a default route is set to route all packets to the peer router.

ip route 0.0.0.0 0.0.0.0 172.16.1.1
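Two properties of the ACLs on this page are easier to check mechanically than by eye. First, IOS requires the crypto ACLs at the two ends of a tunnel to be mirror images of each other; here the Paris entry for 10.1.0.0 uses the wildcard 0.0.0.255 (a /24) while the London entry uses 0.0.255.255 (a /16), so the two routers do not agree on which 10.1.x.x traffic belongs in the tunnel. Second, ACL 102 on the London router matches packets sourced from the two servers, and because IOS ACLs are stateless, applying it inbound on the staff interface drops the servers' replies rather than the guests' requests; guest-initiated TCP sessions to those servers still cannot complete, but a guest's UDP or ICMP packets do reach them. The script below is an added example, not code from the report: it parses access-list ... ip entries in the any, host and address-plus-wildcard forms, evaluates them with first-match and implicit-deny semantics, and lists the crypto-ACL entries that lack a mirror on the peer. The ACL text is copied from this page; the packet addresses used in the checks are constructed.

```python
"""Parse IOS 'access-list N permit|deny ip ...' entries, evaluate them against sample
packets, and check that the two routers' crypto ACLs mirror each other.

Added example for this lab report; not code from the report.
"""
import ipaddress

# Samples copied from the report: the ACL lines given for each router.
LONDON_ACLS = """\
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 10.1.0.0 0.0.255.255 192.168.2.0 0.0.0.255
access-list 102 deny ip host 192.168.1.2 10.1.0.0 0.0.255.255
access-list 102 deny ip host 192.168.1.2 10.2.0.0 0.0.255.255
access-list 102 deny ip host 192.168.1.3 10.1.0.0 0.0.255.255
access-list 102 deny ip host 192.168.1.3 10.2.0.0 0.0.255.255
access-list 102 permit ip any any
"""
PARIS_ACLS = """\
access-list 101 permit ip 192.168.2.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""


def _address_spec(tokens, i):
    """Consume one IOS address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'.
    Returns (network, index of the next unread token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a wildcard (host) mask after the slash, e.g. 10.1.0.0/0.0.255.255
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(text):
    """Return {acl_number: [(action, src_network, dst_network), ...]} in configured order."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        src, i = _address_spec(tokens, 4)
        dst, _ = _address_spec(tokens, i)
        acls.setdefault(int(tokens[1]), []).append((tokens[2], src, dst))
    return acls


def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; IOS ends every ACL with an implicit 'deny any'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def mirror_gaps(local_entries, remote_entries):
    """Crypto ACLs must be exact mirrors: every local permit (src, dst) needs a remote
    permit (dst, src) with the same prefixes. Returns the local entries lacking one."""
    remote = {(s, d) for a, s, d in remote_entries if a == "permit"}
    return [f"{s} -> {d}" for a, s, d in local_entries if a == "permit" and (d, s) not in remote]


if __name__ == "__main__":
    london, paris = parse_acls(LONDON_ACLS), parse_acls(PARIS_ACLS)
    print("London crypto entries without a Paris mirror:", mirror_gaps(london[101], paris[101]))
    print("Paris crypto entries without a London mirror:", mirror_gaps(paris[101], london[101]))
    for src, dst in (("192.168.1.2", "10.1.0.50"), ("10.1.0.50", "192.168.1.2"),
                     ("192.168.1.10", "10.1.0.50")):
        print(f"ACL 102, {src} -> {dst}: {evaluate(london[102], src, dst)}")
```

The mirror check reports 10.1.0.0/16 -> 192.168.2.0/24 on the London side and 192.168.2.0/24 -> 10.1.0.0/24 on the Paris side, which is exactly the wildcard mismatch; fixing the Paris wildcard to 0.0.255.255 makes both lists empty. The ACL 102 evaluation shows a packet from 192.168.1.2 to a guest address denied and the reverse direction permitted, which is what the stateless-reply point above refers to.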

Running Config (Cisco 2611 XM)

Building configuration...

Current configuration : 2047 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname LONDON
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 15
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!

!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.0.0 10.1.0.3
ip dhcp excluded-address 192.168.1.0 192.168.1.3
!
ip dhcp pool lan1
   network 10.1.0.0 255.255.0.0
   dns-server 10.1.0.1
   default-router 10.1.0.1
!
ip dhcp pool lan2
   network 192.168.1.0 255.255.255.0
   dns-server 192.168.1.1
   default-router 192.168.1.1
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!

!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key asterix address 172.16.1.2
!
!
crypto ipsec transform-set ipsec1 esp-des esp-md5-hmac
!
crypto map l2r 10 ipsec-isakmp
 set peer 172.16.1.2
 set transform-set ipsec1
 match address 101
!
interface FastEthernet0/0
 ip address 10.1.0.1 255.255.0.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 172.16.1.1 255.255.0.0
 no fair-queue

 crypto map l2r
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 shutdown
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 no ip address
 shutdown
!
interface Serial1/3
 no ip address
 shutdown

!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 10.1.0.0 0.0.255.255 192.168.2.0 0.0.0.255
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

Paris Router (Cisco 1751)

PARIS#show run
Building configuration...

Current configuration : 1272 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname PARIS
!
!
memory-size iomem 20
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.2.0 192.168.2.4
!
ip dhcp pool lan1

   network 192.168.2.0 255.255.255.0
   dns-server 192.168.2.1
   default-router 192.168.2.1
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key asterix address 172.16.1.1
!
!
crypto ipsec transform-set ipsec1 esp-des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map r2l 10 ipsec-isakmp
 set peer 172.16.1.1

 set transform-set ipsec1
 match address 101
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 speed auto
!
interface Serial0/0
 ip address 172.16.1.2 255.255.0.0
 clockrate 256000
 crypto map r2l
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.1.1
no ip http server
ip pim bidir-enable
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

!
!
line con 0
line aux 0
line vty 0 4
 login
!
end
