Difference between revisions of "EasyVPN Cisco IOS"

m (==Cisco 897 EasyVPN server)
m
Line 2: Line 2:
 
==Cisco 819 EasyVPN client==
 
==Cisco 819 EasyVPN client==
 
<source lang=cli>
 
<source lang=cli>
Current configuration : 2458 bytes
 
!
 
! Last configuration change at 09:54:59 UTC Fri Aug 22 2014
 
version 15.2
 
service timestamps debug datetime msec
 
service timestamps log datetime msec
 
no service password-encryption
 
!
 
hostname hold4-5
 
!
 
boot-start-marker
 
boot-end-marker
 
!
 
!
 
!
 
no aaa new-model
 
!
 
!
 
ip cef
 
!
 
!
 
!
 
!
 
 
 
!
 
 
!
 
!
 
ip dhcp pool RFC1918
 
ip dhcp pool RFC1918
import all
+
import all
network 192.168.44.0 255.255.255.0
+
network 192.168.44.0 255.255.255.0
default-router 192.168.44.1  
+
default-router 192.168.44.1  
dns-server 8.8.8.8  
+
dns-server 8.8.8.8  
!
 
!
 
!
 
no ip domain lookup
 
no ipv6 cef
 
!
 
!
 
multilink bundle-name authenticated
 
chat-script gsm "" "AT!CALL" TIMEOUT 20 "OK"
 
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
 
license udi pid C819G-4G-G-K9 sn FCZ181391HH
 
!
 
!
 
vtp mode transparent
 
!
 
!
 
!
 
!
 
!
 
controller Cellular 0
 
!
 
vlan 10
 
!
 
!
 
!
 
!
 
!
 
!
 
!
 
 
!
 
!
 
crypto ipsec client ezvpn HW-CLIENT
 
crypto ipsec client ezvpn HW-CLIENT
connect auto
+
connect auto
group HW-CLIENT-GROUP45 key HW-GROUP5
+
group HW-CLIENT-GROUP45 key HW-GROUP5
mode client
+
mode client
peer 83.90.239.189
+
peer 83.90.239.189
xauth userid mode interactive
+
xauth userid mode interactive
!
 
!
 
!
 
!
 
!
 
!
 
 
!
 
!
 
interface Cellular0
 
interface Cellular0
ip address negotiated
+
ip address negotiated
ip nat outside
+
ip nat outside
ip virtual-reassembly in
+
ip virtual-reassembly in
encapsulation slip
+
encapsulation slip
dialer in-band
+
dialer in-band
dialer pool-member 1
+
dialer pool-member 1
dialer-group 1
+
dialer-group 1
!
 
interface FastEthernet0
 
no ip address
 
!
 
addresse FastEthernet1
 
!
 
interface FastEthernet2
 
no ip address
 
!
 
interface FastEthernet3
 
no ip address
 
!
 
interface GigabitEthernet0
 
p
 
duplex auto
 
speed auto
 
!
 
interface Serial0
 
no ip address
 
shutdown
 
clock rate 2000000
 
 
!
 
!
 
interface Vlan1
 
interface Vlan1
ip addre 255.255.255.0
+
ip addre 255.255.255.0
ip nat inside
+
ip nat inside
ip virtual-reassembly in
+
ip virtual-reassembly in
crypto ipsec client ezvpn HW-CLIENT inside
+
crypto ipsec client ezvpn HW-CLIENT inside
 
!
 
!
interface Dialep address negotiated
+
interface Dialer 1
ip nat outside
+
ip address negotiated
ip virtual-reassembly in
+
ip nat outside
encapsulation slip
+
dialer-group 1
load-interval 30
+
crypto ipsec client ezvpn HW-CLIENT
dialer pool 1
 
dialer
 
dialer string gsm
 
dialer persistent
 
dialer-group 1
 
no snmp trap link-status
 
o ipsec client ezvpn HW-CLIENT
 
 
!
 
!
ip forward-protocol nd
 
no ip http server
 
no ip http secure-server
 
 
nat inside source list 140 interface Dialer1 overload
 
nat inside source list 140 interface Dialer1 overload
 
ip route 0.0.0.0 0.0.0.0 Dialer1
 
ip route 0.0.0.0 0.0.0.0 Dialer1
Line 135: Line 43:
 
access-list 140 deny  ip any 192.168.40.0 0.0.0.255
 
access-list 140 deny  ip any 192.168.40.0 0.0.0.255
 
access-list 140 permit ip 192.168.44.00.255 any
 
access-list 140 permit ip 192.168.44.00.255 any
!
 
!
 
control-plane
 
!
 
!
 
!
 
line con 0
 
no modem enable
 
length 42
 
width 91
 
line aux 0
 
line 2
 
no activation-exec
 
transport preferred none
 
transport input all
 
stopbits 1
 
line 3
 
exec-timeout 0 0
 
script dialer lte
 
modem InOut
 
no exec
 
rxspeed 100000txspeed 50000000
 
line vty 0 4
 
login
 
transport input all
 
!
 
scheduler allocate 20000 1000
 
 
</source>
 
</source>
 
==Cisco 897 EasyVPN server==
 
==Cisco 897 EasyVPN server==
 
<source lang=cli>
 
<source lang=cli>
 
version 15.2
 
version 15.2
service timestamps debug datetime localtime
 
service timestamps log datetime localtime
 
no service password-encryption
 
!
 
hostname hold4
 
!
 
boot-start-marker
 
boot system flash:c800-universalk9-mz.SPA.152-4.M6.bin
 
boot-end-marker
 
!
 
!
 
no logging console
 
enable password Cisco
 
!
 
 
no aaa new-model
 
no aaa new-model
 
clock timezone CET 1 0
 
clock timezone CET 1 0
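Review bot: The Vlan1 stanza added in the first hunk (`Line 2: Line 2:`) carries the truncated line `ip addre 255.255.255.0`, which IOS would not accept; given the `default-router 192.168.44.1` added to the DHCP pool just above it, the intended line is presumably `ip address 192.168.44.1 255.255.255.0`. The same hunk adds `group HW-CLIENT-GROUP45 key HW-GROUP5` while the unchanged context keeps `no service password-encryption`, so the group key is published in clear in the example running-config; a comment such as `! group key shown in clear -- use a placeholder when publishing` above the ezvpn stanza would make that explicit. In the second hunk (`Line 135: Line 43:`) the NAT-exemption entry is printed as `access-list 140 permit ip 192.168.44.00.255 any` and should read `access-list 140 permit ip 192.168.44.0 0.0.0.255 any`, and the context line `nat inside source list 140 interface Dialer1 overload` is missing its leading `ip`; these may be extraction losses rather than wiki content, so verify against the saved revision.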

Revision as of 12:44, 22 August 2014

Example

Cisco 819 EasyVPN client

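!
! Cisco 819 EasyVPN hardware client: LAN 192.168.44.0/24 behind a cellular
! (Cellular0 / Dialer 1) uplink, tunnelling to the 897 server listed below.
!
! LAN DHCP; the gateway is this router's Vlan1 address.
ip dhcp pool RFC1918
 import all
 network 192.168.44.0 255.255.255.0
 default-router 192.168.44.1 
 dns-server 8.8.8.8 
!
! EasyVPN client profile. Group name and key must match
! "crypto isakmp client configuration group HW-CLIENT-GROUP45" on the server.
! NOTE(review): the group pre-shared key is shown in clear in this listing.
! "xauth userid mode interactive" prompts for user credentials at connect
! time; the server listing below binds no xauth authentication list, so
! verify the expected behaviour on both ends.
crypto ipsec client ezvpn HW-CLIENT
 connect auto
 group HW-CLIENT-GROUP45 key HW-GROUP5
 mode client
 peer 83.90.239.189
 xauth userid mode interactive
!
! Cellular interface; IP, NAT and EZVPN settings also live on the Dialer profile.
interface Cellular0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 dialer in-band
 dialer pool-member 1
 dialer-group 1
!
! LAN side: EZVPN "inside" interface.
interface Vlan1
 ! FIX: the listing read "ip addre 255.255.255.0" (truncated); the address is
 ! restored from the DHCP pool's default-router -- confirm against the device.
 ip address 192.168.44.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 crypto ipsec client ezvpn HW-CLIENT inside
!
! WAN side: EZVPN "outside" interface (the dialer-list 1 that dialer-group 1
! refers to is not part of this excerpt).
interface Dialer 1
 ip address negotiated
 ip nat outside
 dialer-group 1
 crypto ipsec client ezvpn HW-CLIENT
!
! FIX: leading "ip" restored (the listing read "nat inside source ...").
! PAT for everything ACL 140 permits, to the Dialer1 address.
ip nat inside source list 140 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! NOTE(review): ACL 107 is not referenced anywhere in this listing and its
! source network is garbled ("194.0"); left as found.
access-list 107 permit ip 194.0 0.0.0.255 192.168.40.0 0.0.0.255
! NAT exemption: traffic to the server's DMZ subnet (192.168.40.0/24, the
! split-tunnel network pushed by the server) is not translated; everything
! else from the LAN is.
access-list 140 deny   ip any 192.168.40.0 0.0.0.255
! FIX: wildcard restored (the listing read "192.168.44.00.255").
access-list 140 permit ip 192.168.44.0 0.0.0.255 any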

Cisco 897 EasyVPN server

! Cisco 897 EasyVPN server -- global settings, VRFs and DHCP pools.
version 15.2
! NOTE(review): with "no aaa new-model" there is no AAA method list in this
! listing; login falls back to the per-line passwords under "line vty" below,
! and the ISAKMP authorization list named in the crypto map has nothing to
! resolve to -- confirm on the device.
no aaa new-model
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
! Embedded WLAN AP runs autonomously (console via "alias exec gotoap" below).
service-module wlan-ap 0 bootimage autonomous
!
!
ip cef
!
!
!
!
 
 
! Custom port-map so the GUEST inspect class can match submission (tcp/587) by name.
ip port-map user-SMTPS port tcp 587 description MAIL
!
! Two VRFs separate DATA and VOICE; each has its own BGP peering and default route below.
ip vrf DATA
rd 420:20
route-target export 420:20
route-target import 420:20
!
ip vrf VOICE
rd 410:10
route-target export 410:10
route-target import 410:10
!
no ip dhcp conflict logging
!
! VOICE pool (vrf VOICE); the SVI Vlan10 address is both gateway and resolver.
ip dhcp pool VOICE
import all
vrf VOICE
network 192.168.41.0 255.255.255.0
default-router 192.168.41.1 
dns-server 192.168.41.1 
! option 150: Cisco IP-phone TFTP server option.
option 150 ip 10.1.0.10 
domain-name tekkom.local
class VOICE
  address range 192.168.41.2 192.168.41.200
!
! DATA pool (vrf DATA).
ip dhcp pool DATA
import all
vrf DATA
network 192.168.42.0 255.255.255.0
default-router 192.168.42.1 
dns-server 192.168.42.1 
domain-name tekkom.local
class DATA
  address range 192.168.42.2 192.168.42.200
!
! DMZ pool (global table): .2-.99 leaves .100-.120 free for EZVPN-POOL (see
! "ip local pool" below). No dns-server is handed out here.
ip dhcp pool DMZ
import all
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1 
class DMZ
  address range 192.168.40.2 192.168.40.99
!
! NOTE(review): the GUEST pool (and Vlan30 below) sit in vrf DATA rather than
! a VRF of their own, so GUEST/DATA separation relies on the zone policy
! (no DATA<->GUEST zone-pair is defined, which zone-based firewall treats as
! drop) -- confirm this is intended.
ip dhcp pool GUEST
import all
vrf DATA
network 192.168.43.0 255.255.255.0
default-router 192.168.43.1 
dns-server 192.168.43.1 
domain-name tekkom.local
class GUEST
  address range 192.168.43.2 192.168.43.200
!
!
! DHCP classes carry no match criteria here; presumably each pool's
! "class X / address range" then applies to all of that pool's clients -- confirm.
ip dhcp class VOICE
!         
ip dhcp class DATA
!
ip dhcp class DMZ
!
ip dhcp class GUEST
!
!
! Platform and layer-2 housekeeping.
no ipv6 cef
!
!
multilink bundle-name authenticated
! NOTE(review): the device UDI/serial number is published with the example;
! nothing in the configuration depends on it.
license udi pid C897VAM-W-E-K9 sn FCZ1821901R
!
!
vtp mode transparent
!
!
!
!
!
! VDSL uplink unused; Internet access is via GigabitEthernet8.66 (see interfaces).
controller VDSL 0
shutdown
!
! Access VLANs: 10/20 map to vrf VOICE/DATA on their SVIs; 30 (GUEST) shares vrf DATA.
vlan 10
name VOICE
!
vlan 20
name DATA
!
vlan 30
name GUEST
!
!
! QoS classes (EF, AF3-NB) and zone-based firewall inspect classes.
class-map match-all EF
match ip dscp ef 
! DMZ -> INTERNET: any TCP/UDP/ICMP, i.e. all outbound traffic is inspected.
class-map type inspect match-any DMZ2INT-CM
match protocol tcp
match protocol udp
match protocol icmp
! GUEST -> INTERNET: DNS, web and mail only (user-SMTPS is the tcp/587 port-map above).
class-map type inspect match-any GUEST2INT-CM
match protocol dns
match protocol http
match protocol https
match protocol smtp
match protocol pop3
match protocol imap
match protocol imaps
match protocol pop3s
match protocol user-SMTPS
class-map match-any AF3-NB
match ip precedence 3 
! Nested into DATA2INT-CM so ftp/tftp are matched by their own inspect
! protocol rather than the generic tcp/udp entries.
class-map type inspect match-any DATA2INT-PROTO-CM
match protocol ftp
match protocol tftp
! NOTE(review): INT2self-CM / INT2self-PM are not bound to any zone-pair in
! this listing (only the three *2INT zone-pairs exist), so they have no
! effect. As written the policy would "pass" (stateless, not inspect)
! telnet, icmp, bootpc, isakmp, ntp and DNS replies from INTERNET to the
! router; without an INTERNET->self zone-pair, self-zone traffic is allowed
! by default -- confirm which is intended.
class-map type inspect match-any INT2self-CM
match protocol telnet
match protocol icmp
match protocol bootpc
match protocol isakmp
match access-group name INT2self-ACL
match protocol ntp
! NOTE(review): DMZ2INT-PROTO-CM is defined but not referenced by DMZ2INT-CM
! (compare DATA2INT-CM) -- appears unused.
class-map type inspect match-any DMZ2INT-PROTO-CM
match protocol ftp
match protocol tftp
! DATA -> INTERNET: application inspection for ftp/tftp, generic for the rest.
class-map type inspect match-any DATA2INT-CM
match class-map DATA2INT-PROTO-CM
match protocol tcp
match protocol udp
match protocol icmp
!
policy-map type inspect INT2self-PM
class type inspect INT2self-CM
  pass
class class-default
  drop
! The three *2INT policies inspect the matched classes and drop-and-log everything else.
policy-map type inspect GUEST2INT-PM
class type inspect GUEST2INT-CM
  inspect 
class class-default
  drop log
policy-map type inspect DATA2INT-PM
class type inspect DATA2INT-CM
  inspect 
class class-default
  drop log
policy-map type inspect DMZ2INT-PM
class type inspect DMZ2INT-CM
  inspect 
class class-default
  drop log
! QoS: EF gets the priority queue policed at 2 Mbps, AF3-NB a 2000 kbps
! bandwidth guarantee; CHILD hangs under the 1 Gbps PARENT shaper applied
! on GigabitEthernet8.
policy-map CHILD
class EF
  priority
  police cir 2000000
   conform-action transmit 
   exceed-action drop 
   violate-action drop 
class AF3-NB
  bandwidth 2000
  police cir 2000000
   conform-action transmit 
   exceed-action drop 
policy-map PARENT
class class-default
  shape average 1000000000
   service-policy CHILD
!
! Zones and the only zone-pairs: each LAN zone towards INTERNET. No pairs
! exist between the LAN zones or in the INTERNET->LAN direction.
zone security DMZ
zone security DATA
zone security GUEST
zone security INTERNET
zone-pair security DATA2INT-ZP source DATA destination INTERNET
service-policy type inspect DATA2INT-PM
zone-pair security GUEST2INT-ZP source GUEST destination INTERNET
service-policy type inspect GUEST2INT-PM
zone-pair security DMZ2INT-ZP source DMZ destination INTERNET
service-policy type inspect DMZ2INT-PM
! 
!
! IKEv1 phase 1 for EasyVPN hardware clients.
! NOTE(review): 3DES with DH group 2 (and esp-3des below) are legacy
! choices by current guidance; AES with a larger DH group is the usual
! replacement once the clients support it.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local EZVPN-POOL
!
! Client group; name and key must match "group HW-CLIENT-GROUP45 key HW-GROUP5"
! on the 819 client above.
! NOTE(review): the group pre-shared key appears in clear in this listing.
crypto isakmp client configuration group HW-CLIENT-GROUP45
key HW-GROUP5
dns 192.168.40.1
domain tekkom.local
pool EZVPN-POOL
! Split-tunnel list: only the networks in EZVPN-ACL (192.168.40.0/24) are
! pushed to the client.
acl EZVPN-ACL
!         
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac 
mode tunnel
!
!
!
crypto dynamic-map EZVPN-MAP 1
set transform-set TS 
! reverse-route injects a static route for each connected client's assigned address.
reverse-route
!
!
!
! NOTE(review): the authorization list HW-CLIENT-GROUP45 needs "aaa new-model"
! plus "aaa authorization network HW-CLIENT-GROUP45 local" to resolve; neither
! is in this listing. No "client authentication list" (xauth) is bound either,
! while the 819 client is configured for interactive xauth -- verify on the device.
crypto map EZVPN-MAP isakmp authorization list HW-CLIENT-GROUP45
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 1 ipsec-isakmp dynamic EZVPN-MAP 
!
!
!
!
!
!
! Interfaces. The Internet uplink is GigabitEthernet8.66; 8.410/8.420 are
! the per-VRF uplinks to the BGP peers.
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
shutdown
!
! GigabitEthernet0-2: switch ports with no configuration beyond the description.
interface GigabitEthernet0
description INTERNET
no ip address
spanning-tree portfast
!
interface GigabitEthernet1
description INTERNET
no ip address
spanning-tree portfast
!
interface GigabitEthernet2
description INTERNET
no ip address
spanning-tree portfast
!
! Phone-with-PC style port: DATA (20) native on the trunk, VOICE (10) as voice VLAN.
interface GigabitEthernet3
description VOICE
switchport trunk native vlan 20
switchport mode trunk
switchport voice vlan 10
no ip address
!
interface GigabitEthernet4
description VOICE
switchport access vlan 10
no ip address
!
! DMZ port: access VLAN 1 (default), see interface Vlan1.
interface GigabitEthernet5
description DMZ
no ip address
spanning-tree portfast
!
interface GigabitEthernet6
description DATA
switchport access vlan 20
no ip address
spanning-tree portfast
!
interface GigabitEthernet7
description DATA
switchport access vlan 20
no ip address
spanning-tree portfast
!
! Physical uplink: the PARENT shaper is applied here.
! NOTE(review): "ip nat outside" on an interface with no address -- presumably
! redundant with the same setting on the 8.66 subinterface; confirm.
interface GigabitEthernet8
bandwidth 1000000
no ip address
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
service-policy output PARENT
!
! Internet subinterface: DHCP-addressed, zone INTERNET, and the EasyVPN crypto
! map is bound here (the 819 client peers with this address).
interface GigabitEthernet8.66
description INTERNET
encapsulation dot1Q 66
ip address dhcp
ip nat outside
ip virtual-reassembly in
zone-member security INTERNET
crypto map EZVPN-MAP
!
! VRF uplinks to the BGP peers 172.16.4.5 (VOICE) and 172.16.4.9 (DATA).
! NOTE(review): neither subinterface is in a security zone while Vlan20 is in
! zone DATA; zone-based firewall drops traffic between a zone member and a
! non-member by default, so BGP-learned paths in vrf DATA may not carry user
! traffic -- confirm.
interface GigabitEthernet8.410
description VOICE
encapsulation dot1Q 410
ip vrf forwarding VOICE
ip address 172.16.4.6 255.255.255.252
!
interface GigabitEthernet8.420
description DATA
encapsulation dot1Q 420
ip vrf forwarding DATA
ip address 172.16.4.10 255.255.255.252
!
interface Wlan-GigabitEthernet8
description AP-CONNECT
switchport mode trunk
no ip address
!
! Embedded AP management interface borrows the Vlan1 (DMZ) address.
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan1
!
! DMZ SVI (global table): also the subnet EZVPN-POOL and the split-tunnel
! EZVPN-ACL refer to.
interface Vlan1
description DMZ
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security DMZ
!
! NOTE(review): Vlan10 is the only routed LAN SVI without a zone-member, and
! no "zone security VOICE" is defined; with GigabitEthernet8.66 in zone
! INTERNET, VOICE-to-Internet traffic via the vrf VOICE default route would
! hit the zone/no-zone default (drop) -- confirm intended.
interface Vlan10
description VOICE
ip vrf forwarding VOICE
ip address 192.168.41.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan20
description DATA
ip vrf forwarding DATA
ip address 192.168.42.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security DATA
!
! GUEST SVI sits in vrf DATA but in its own zone GUEST.
interface Vlan30
description GUEST
ip vrf forwarding DATA
ip address 192.168.43.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security GUEST
!
! Per-VRF eBGP sessions to AS 3292 over GigabitEthernet8.420 (DATA) and
! 8.410 (VOICE); each VRF advertises its LAN prefix.
! NOTE(review): no "neighbor ... password" and no inbound/outbound prefix
! filtering on either session in this listing.
router bgp 65004
bgp log-neighbor-changes
!
address-family ipv4 vrf DATA
  network 192.168.42.0
  neighbor 172.16.4.9 remote-as 3292
  neighbor 172.16.4.9 transport path-mtu-discovery
  neighbor 172.16.4.9 activate
! soft-reconfiguration inbound stores received updates so policy changes do
! not need a session reset.
  neighbor 172.16.4.9 soft-reconfiguration inbound
exit-address-family
!
address-family ipv4 vrf VOICE
  network 192.168.41.0
  neighbor 172.16.4.5 remote-as 3292
  neighbor 172.16.4.5 transport path-mtu-discovery
  neighbor 172.16.4.5 activate
  neighbor 172.16.4.5 soft-reconfiguration inbound
exit-address-family
!
! EasyVPN client addresses: taken from the DMZ subnet, above the DMZ DHCP
! class range (.2-.99).
ip local pool EZVPN-POOL 192.168.40.100 192.168.40.120
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
! Router answers DNS itself (the VOICE/DATA/GUEST pools hand out the SVI address as resolver).
ip dns server
! PAT for the global table and for each VRF, all to the 8.66 address.
ip nat inside source list IP-TO-NAT interface GigabitEthernet8.66 overload
ip nat inside source list IP-TO-NAT interface GigabitEthernet8.66 vrf DATA overload
ip nat inside source list IP-TO-NAT interface GigabitEthernet8.66 vrf VOICE overload
! VRF default routes leak into the global table via 8.66 / 192.168.146.1.
! NOTE(review): no global-table default route appears here -- presumably
! installed by DHCP on GigabitEthernet8.66; confirm.
ip route vrf DATA 0.0.0.0 0.0.0.0 GigabitEthernet8.66 192.168.146.1 global
ip route vrf VOICE 0.0.0.0 0.0.0.0 GigabitEthernet8.66 192.168.146.1 global
!         
! Split-tunnel list pushed to EasyVPN clients: only the DMZ subnet goes through the tunnel.
ip access-list extended EZVPN-ACL
permit ip 192.168.40.0 0.0.0.255 any
! DNS replies to high ports; only used by INT2self-CM, which is not bound to
! any zone-pair in this listing.
ip access-list extended INT2self-ACL
permit udp any eq domain any gt 1023
! NAT list: RFC1918 destinations are exempt (not translated, so tunnel and
! VRF-uplink traffic keeps its source), then 192.168.40.0/21 and
! 192.168.48.0/23 are translated.
ip access-list extended IP-TO-NAT
deny   ip any 10.0.0.0 0.255.255.255
deny   ip any 172.16.0.0 0.15.255.255
deny   ip any 192.168.0.0 0.0.255.255
permit ip 192.168.40.0 0.0.7.255 any
permit ip 192.168.48.0 0.0.1.255 any
!
!
!
!
control-plane
!
!
! Shortcut to the embedded AP's console session.
alias exec gotoap service-module wlan-ap 0 session
!
! Console: no password configured in this listing.
line con 0
no modem enable
length 45
width 142
line aux 0
! line 2: presumably the embedded service-module line (no exec) -- confirm.
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
! NOTE(review): vty access uses a cleartext line password, "transport input
! all" (telnet as well as ssh) and an 8-hour exec-timeout; no "enable secret"
! or "service password-encryption" appears in this listing. "transport input
! ssh" with a secret-type password is the usual hardening.
line vty 0 4
exec-timeout 480 0
password Cisco
login
transport input all
!
scheduler allocate 20000 1000
! Time from the upstream next-hop used by the VRF default routes; unauthenticated as listed.
ntp server 192.168.146.1
!

Links