Difference between revisions of "EasyVPN Cisco IOS"

m
m (added Category:Security using HotCat)
 
(4 intermediate revisions by the same user not shown)
Line 46: Line 46:
 
==Cisco 897 EasyVPN server==
 
==Cisco 897 EasyVPN server==
 
<source lang=cli>
 
<source lang=cli>
version 15.2
 
no aaa new-model
 
clock timezone CET 1 0
 
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
 
service-module wlan-ap 0 bootimage autonomous
 
!
 
!
 
ip cef
 
!
 
!
 
!
 
!
 
 
 
ip port-map user-SMTPS port tcp 587 description MAIL
 
!
 
ip vrf DATA
 
rd 420:20
 
route-target export 420:20
 
route-target import 420:20
 
!
 
ip vrf VOICE
 
rd 410:10
 
route-target export 410:10
 
route-target import 410:10
 
!
 
no ip dhcp conflict logging
 
!
 
ip dhcp pool VOICE
 
import all
 
vrf VOICE
 
network 192.168.41.0 255.255.255.0
 
default-router 192.168.41.1
 
dns-server 192.168.41.1
 
option 150 ip 10.1.0.10
 
domain-name tekkom.local
 
class VOICE
 
  address range 192.168.41.2 192.168.41.200
 
!
 
ip dhcp pool DATA
 
import all
 
vrf DATA
 
network 192.168.42.0 255.255.255.0
 
default-router 192.168.42.1
 
dns-server 192.168.42.1
 
domain-name tekkom.local
 
class DATA
 
  address range 192.168.42.2 192.168.42.200
 
!
 
ip dhcp pool DMZ
 
import all
 
network 192.168.40.0 255.255.255.0
 
default-router 192.168.40.1
 
class DMZ
 
  address range 192.168.40.2 192.168.40.99
 
!
 
ip dhcp pool GUEST
 
import all
 
vrf DATA
 
network 192.168.43.0 255.255.255.0
 
default-router 192.168.43.1
 
dns-server 192.168.43.1
 
domain-name tekkom.local
 
class GUEST
 
  address range 192.168.43.2 192.168.43.200
 
!
 
!
 
ip dhcp class VOICE
 
!       
 
ip dhcp class DATA
 
!
 
ip dhcp class DMZ
 
!
 
ip dhcp class GUEST
 
!
 
!
 
no ipv6 cef
 
!
 
!
 
multilink bundle-name authenticated
 
license udi pid C897VAM-W-E-K9 sn FCZ1821901R
 
!
 
!
 
vtp mode transparent
 
!
 
!
 
!
 
!
 
!
 
controller VDSL 0
 
shutdown
 
!
 
vlan 10
 
name VOICE
 
!
 
vlan 20
 
name DATA
 
!
 
vlan 30
 
name GUEST
 
!
 
!
 
class-map match-all EF
 
match ip dscp ef
 
class-map type inspect match-any DMZ2INT-CM
 
match protocol tcp
 
match protocol udp
 
match protocol icmp
 
class-map type inspect match-any GUEST2INT-CM
 
match protocol dns
 
match protocol http
 
match protocol https
 
match protocol smtp
 
match protocol pop3
 
match protocol imap
 
match protocol imaps
 
match protocol pop3s
 
match protocol user-SMTPS
 
class-map match-any AF3-NB
 
match ip precedence 3
 
class-map type inspect match-any DATA2INT-PROTO-CM
 
match protocol ftp
 
match protocol tftp
 
class-map type inspect match-any INT2self-CM
 
match protocol telnet
 
match protocol icmp
 
match protocol bootpc
 
match protocol isakmp
 
match access-group name INT2self-ACL
 
match protocol ntp
 
class-map type inspect match-any DMZ2INT-PROTO-CM
 
match protocol ftp
 
match protocol tftp
 
class-map type inspect match-any DATA2INT-CM
 
match class-map DATA2INT-PROTO-CM
 
match protocol tcp
 
match protocol udp
 
match protocol icmp
 
!
 
policy-map type inspect INT2self-PM
 
class type inspect INT2self-CM
 
  pass
 
class class-default
 
  drop
 
policy-map type inspect GUEST2INT-PM
 
class type inspect GUEST2INT-CM
 
  inspect
 
class class-default
 
  drop log
 
policy-map type inspect DATA2INT-PM
 
class type inspect DATA2INT-CM
 
  inspect
 
class class-default
 
  drop log
 
policy-map type inspect DMZ2INT-PM
 
class type inspect DMZ2INT-CM
 
  inspect
 
class class-default
 
  drop log
 
policy-map CHILD
 
class EF
 
  priority
 
  police cir 2000000
 
  conform-action transmit
 
  exceed-action drop
 
  violate-action drop
 
class AF3-NB
 
  bandwidth 2000
 
  police cir 2000000
 
  conform-action transmit
 
  exceed-action drop
 
policy-map PARENT
 
class class-default
 
  shape average 1000000000
 
  service-policy CHILD
 
!
 
zone security DMZ
 
zone security DATA
 
zone security GUEST
 
zone security INTERNET
 
zone-pair security DATA2INT-ZP source DATA destination INTERNET
 
service-policy type inspect DATA2INT-PM
 
zone-pair security GUEST2INT-ZP source GUEST destination INTERNET
 
service-policy type inspect GUEST2INT-PM
 
zone-pair security DMZ2INT-ZP source DMZ destination INTERNET
 
service-policy type inspect DMZ2INT-PM
 
!
 
!
 
 
crypto isakmp policy 1
 
crypto isakmp policy 1
encr 3des
+
encr 3des
authentication pre-share
+
authentication pre-share
group 2
+
group 2
crypto isakmp client configuration address-pool local EZVPN-POOL
+
crypto isakmp client configuration address-pool local EZVPN-POOL
 
!
 
!
 
crypto isakmp client configuration group HW-CLIENT-GROUP45
 
crypto isakmp client configuration group HW-CLIENT-GROUP45
key HW-GROUP5
+
key HW-GROUP5
dns 192.168.40.1
+
dns 192.168.40.1
domain tekkom.local
+
domain tekkom.local
pool EZVPN-POOL
+
pool EZVPN-POOL
acl EZVPN-ACL
+
acl EZVPN-ACL
 
!         
 
!         
 
!
 
!
 
crypto ipsec transform-set TS esp-3des esp-sha-hmac  
 
crypto ipsec transform-set TS esp-3des esp-sha-hmac  
mode tunnel
+
mode tunnel
!
 
!
 
 
!
 
!
 
crypto dynamic-map EZVPN-MAP 1
 
crypto dynamic-map EZVPN-MAP 1
set transform-set TS  
+
set transform-set TS  
reverse-route
+
reverse-route
!
 
!
 
 
!
 
!
 
crypto map EZVPN-MAP isakmp authorization list HW-CLIENT-GROUP45
 
crypto map EZVPN-MAP isakmp authorization list HW-CLIENT-GROUP45
 
crypto map EZVPN-MAP client configuration address respond
 
crypto map EZVPN-MAP client configuration address respond
 
crypto map EZVPN-MAP 1 ipsec-isakmp dynamic EZVPN-MAP  
 
crypto map EZVPN-MAP 1 ipsec-isakmp dynamic EZVPN-MAP  
!
 
!
 
!
 
!
 
!
 
!
 
interface ATM0
 
no ip address
 
shutdown
 
no atm ilmi-keepalive
 
!
 
interface Ethernet0
 
no ip address
 
shutdown
 
!
 
interface GigabitEthernet0
 
description INTERNET
 
no ip address
 
spanning-tree portfast
 
!
 
interface GigabitEthernet1
 
description INTERNET
 
no ip address
 
spanning-tree portfast
 
!
 
interface GigabitEthernet2
 
description INTERNET
 
no ip address
 
spanning-tree portfast
 
!
 
interface GigabitEthernet3
 
description VOICE
 
switchport trunk native vlan 20
 
switchport mode trunk
 
switchport voice vlan 10
 
no ip address
 
!
 
interface GigabitEthernet4
 
description VOICE
 
switchport access vlan 10
 
no ip address
 
!
 
interface GigabitEthernet5
 
description DMZ
 
no ip address
 
spanning-tree portfast
 
!
 
interface GigabitEthernet6
 
description DATA
 
switchport access vlan 20
 
no ip address
 
spanning-tree portfast
 
!
 
interface GigabitEthernet7
 
description DATA
 
switchport access vlan 20
 
no ip address
 
spanning-tree portfast
 
 
!
 
!
 
interface GigabitEthernet8
 
interface GigabitEthernet8
bandwidth 1000000
+
bandwidth 1000000
no ip address
+
no ip address
ip nat outside
+
ip nat outside
ip virtual-reassembly in
+
ip virtual-reassembly in
load-interval 30
+
load-interval 30
duplex auto
+
duplex auto
speed auto
+
speed auto
service-policy output PARENT
+
service-policy output PARENT
 
!
 
!
 
interface GigabitEthernet8.66
 
interface GigabitEthernet8.66
description INTERNET
+
description INTERNET
encapsulation dot1Q 66
+
encapsulation dot1Q 66
ip address dhcp
+
ip address dhcp
ip nat outside
+
ip nat outside
ip virtual-reassembly in
+
ip virtual-reassembly in
zone-member security INTERNET
+
zone-member security INTERNET
crypto map EZVPN-MAP
+
crypto map EZVPN-MAP
!
 
interface GigabitEthernet8.410
 
description VOICE
 
encapsulation dot1Q 410
 
ip vrf forwarding VOICE
 
ip address 172.16.4.6 255.255.255.252
 
!
 
interface GigabitEthernet8.420
 
description DATA
 
encapsulation dot1Q 420
 
ip vrf forwarding DATA
 
ip address 172.16.4.10 255.255.255.252
 
!
 
interface Wlan-GigabitEthernet8
 
description AP-CONNECT
 
switchport mode trunk
 
no ip address
 
!
 
interface wlan-ap0
 
description Embedded Service module interface to manage the embedded AP
 
ip unnumbered Vlan1
 
 
!
 
!
 
interface Vlan1
 
interface Vlan1
description DMZ
+
description DMZ
ip address 192.168.40.1 255.255.255.0
+
ip address 192.168.40.1 255.255.255.0
ip nat inside
+
ip nat inside
ip virtual-reassembly in
+
ip virtual-reassembly in
zone-member security DMZ
+
zone-member security DMZ
!
 
interface Vlan10
 
description VOICE
 
ip vrf forwarding VOICE
 
ip address 192.168.41.1 255.255.255.0
 
ip nat inside
 
ip virtual-reassembly in
 
!
 
interface Vlan20
 
description DATA
 
ip vrf forwarding DATA
 
ip address 192.168.42.1 255.255.255.0
 
ip nat inside
 
ip virtual-reassembly in
 
zone-member security DATA
 
!
 
interface Vlan30
 
description GUEST
 
ip vrf forwarding DATA
 
ip address 192.168.43.1 255.255.255.0
 
ip nat inside
 
ip virtual-reassembly in
 
zone-member security GUEST
 
 
!
 
!
router bgp 65004
+
ip local pool EZVPN-POOL 192.168.40.100 192.168.40.12
bgp log-neighbor-changes
 
 
!
 
!
address-family ipv4 vrf DATA
 
  network 192.168.42.0
 
  neighbor 172.16.4.9 remote-as 3292
 
  neighbor 172.16.4.9 transport path-mtu-discovery
 
  neighbor 172.16.4.9 activate
 
  neighbor 172.16.4.9 soft-reconfiguration inbound
 
exit-address-family
 
!
 
address-family ipv4 vrf VOICE
 
  network 192.168.41.0
 
  neighbor 172.16.4.5 remote-as 3292
 
  neighbor 172.16.4.5 transport path-mtu-discovery
 
  neighbor 172.16.4.5 activate
 
  neighbor 172.16.4.5 soft-reconfiguration inbound
 
exit-address-family
 
!
 
ip local pool EZVPN-POOL 192.168.40.100 192.168.40.120
 
ip forward-protocol nd
 
no ip http server
 
no ip http secure-server
 
!
 
!
 
ip dns server
 
ip nat inside source list IP-TO-NAT interface GigabitEthernet8.66 overload
 
ip nat inside source list IP-TO-NAT interface GigabitEthernet8.66 vrf DATA overload
 
ip nat inside source list IP-TO-NAT interface GigabitEthernet8.66 vrf VOICE overload
 
ip route vrf DATA 0.0.0.0 0.0.0.0 GigabitEthernet8.66 192.168.146.1 global
 
ip route vrf VOICE 0.0.0.0 0.0.0.0 GigabitEthernet8.66 192.168.146.1 global
 
!       
 
 
ip access-list extended EZVPN-ACL
 
ip access-list extended EZVPN-ACL
permit ip 192.168.40.0 0.0.0.255 any
+
permit ip 192.168.40.0 0.0.0.255 any
 
ip access-list extended INT2self-ACL
 
ip access-list extended INT2self-ACL
permit udp any eq domain any gt 1023
+
permit udp any eq domain any gt 1023
 
ip access-list extended IP-TO-NAT
 
ip access-list extended IP-TO-NAT
 
deny  ip any 10.0.0.0 0.255.255.255
 
deny  ip any 10.0.0.0 0.255.255.255
Line 433: Line 109:
 
permit ip 192.168.40.0 0.0.7.255 any
 
permit ip 192.168.40.0 0.0.7.255 any
 
permit ip 192.168.48.0 0.0.1.255 any
 
permit ip 192.168.48.0 0.0.1.255 any
!
 
!
 
!
 
control-plane
 
!
 
!
 
alias exec gotoap service-module wlan-ap 0 session
 
!
 
line con 0
 
no modem enable
 
length 45
 
width 142
 
line aux 0
 
line 2
 
no activation-character
 
no exec
 
transport preferred none
 
transport input all
 
stopbits 1
 
line vty 0 4
 
exec-timeout 480 0
 
password Cisco
 
login
 
transport input all
 
!
 
scheduler allocate 20000 1000
 
ntp server 192.168.146.1
 
 
!
 
!
 
</source>
 
</source>
Line 467: Line 116:
 
*[http://mars.tekkom.dk/mediawiki/images/8/85/EasyVPN.pdf EasyVPN]
 
*[http://mars.tekkom.dk/mediawiki/images/8/85/EasyVPN.pdf EasyVPN]
 
{{Source cli2}}
 
{{Source cli2}}
 +
 +
[[Category:Cisco]]
 +
[[Category:WiFi]]
 +
[[Category:Security]]
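Review bot: The new-side line `ip local pool EZVPN-POOL 192.168.40.100 192.168.40.12` (the line that replaces `router bgp 65004` in the hunk under "Line 46") has an end address lower than its start address, so the pool cannot hand out any client address; the old side of the same hunk shows `ip local pool EZVPN-POOL 192.168.40.100 192.168.40.120`, which is presumably the intended line. The retained ISAKMP policy and transform set (`encr 3des`, `group 2`, `esp-3des esp-sha-hmac`) are below what a server reachable from the Internet should negotiate; `encr aes 256`, `group 14` and `esp-aes 256 esp-sha-hmac` are the defensible minimum, to be verified against what the 819 client proposes before switching. The group pre-shared key `key HW-GROUP5` and the `line vty 0 4` block with `password Cisco` and `transport input all` appear in clear text on this page, so the line should be `transport input ssh` and both secrets rotated if this configuration is live.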

Latest revision as of 08:20, 15 January 2016

Example

Cisco 819 EasyVPN client

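! Cisco 819 EasyVPN hardware client (remote site).
! Review notes are the "!" lines; lines marked "was:" were garbled in the
! published listing and have been repaired from values elsewhere in it.
!
! Addresses handed out to hosts on the client LAN (192.168.44.0/24).
ip dhcp pool RFC1918
 import all
 network 192.168.44.0 255.255.255.0
 default-router 192.168.44.1 
 dns-server 8.8.8.8 
!
! EasyVPN client profile. Group name and key must match the server's
! "crypto isakmp client configuration group" entry. The group key is a
! shared secret and is published in clear text here: treat it as exposed
! and rotate it on both ends if this configuration is in service.
crypto ipsec client ezvpn HW-CLIENT
 connect auto
 group HW-CLIENT-GROUP45 key HW-GROUP5
 mode client
 peer 83.90.239.189
 xauth userid mode interactive
!
! Cellular uplink; the tunnel itself is bound to Dialer 1 below.
interface Cellular0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 dialer in-band
 dialer pool-member 1
 dialer-group 1
!
! LAN side of the tunnel ("inside" binds this interface to the EasyVPN client).
interface Vlan1
! was: "ip addre 255.255.255.0" (address lost in the paste). 192.168.44.1 is
! taken from the DHCP pool's default-router line above; confirm on the device.
 ip address 192.168.44.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 crypto ipsec client ezvpn HW-CLIENT inside
!
! WAN side of the tunnel (no "inside" keyword = outside interface).
interface Dialer 1
 ip address negotiated
 ip nat outside
 dialer-group 1
 crypto ipsec client ezvpn HW-CLIENT
!
! was: "nat inside source list 140 ..." (leading "ip" lost in the paste).
! ACL 140 must exclude tunnel-bound traffic from NAT, see below.
ip nat inside source list 140 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! ACL 107 is not referenced anywhere in this listing and its source network
! ("194.0 0.0.0.255") is garbled in the published text; left as found.
access-list 107 permit ip 194.0 0.0.0.255 192.168.40.0 0.0.0.255
! Traffic to the server-side LAN (192.168.40.0/24) must not be translated,
! otherwise it would never match the tunnel; only the remaining LAN traffic
! is NATed out of the dialer.
access-list 140 deny   ip any 192.168.40.0 0.0.0.255
! was: "192.168.44.00.255" (space lost between network and wildcard mask).
access-list 140 permit ip 192.168.44.0 0.0.0.255 any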

Cisco 897 EasyVPN server

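! Cisco 897 EasyVPN server (head end). Review notes are the "!" lines.
!
! Phase 1 proposal. 3DES and DH group 2 are legacy choices for an
! Internet-facing peer; "encr aes 256" and "group 14" are the usual
! replacements, but check what the 819 client proposes before changing them.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! Global command (not part of policy 1 despite the indentation): clients
! get their tunnel address from the local pool EZVPN-POOL.
 crypto isakmp client configuration address-pool local EZVPN-POOL
!
! Group that the 819 client authenticates to. The key is a shared secret
! and is published in clear text on this page: rotate it if the device is
! live. Attributes below are pushed to the client during mode config.
crypto isakmp client configuration group HW-CLIENT-GROUP45
 key HW-GROUP5
 dns 192.168.40.1
 domain tekkom.local
 pool EZVPN-POOL
 acl EZVPN-ACL
!         
!
! Phase 2 proposal; "esp-aes 256 esp-sha-hmac" is the stronger equivalent.
crypto ipsec transform-set TS esp-3des esp-sha-hmac 
 mode tunnel
!
! Dynamic entry for clients with unknown addresses; reverse-route injects
! a route to each connected client's address.
crypto dynamic-map EZVPN-MAP 1
 set transform-set TS 
 reverse-route
!
! NOTE(review): "isakmp authorization list" names an AAA authorization
! list; the full configuration shows "no aaa new-model" and no
! "aaa authorization network HW-CLIENT-GROUP45 local" line. Confirm the
! group lookup works as shown before relying on this listing.
crypto map EZVPN-MAP isakmp authorization list HW-CLIENT-GROUP45
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 1 ipsec-isakmp dynamic EZVPN-MAP 
!
! Physical uplink; the routed sub-interface below carries the public address.
interface GigabitEthernet8
 bandwidth 1000000
 no ip address
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 service-policy output PARENT
!
! Internet-facing sub-interface: member of zone INTERNET and the crypto map
! is applied here, so ISAKMP must be allowed by the INT2self policy.
interface GigabitEthernet8.66
 description INTERNET
 encapsulation dot1Q 66
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 zone-member security INTERNET
 crypto map EZVPN-MAP
!
! DMZ LAN that the clients reach through the tunnel (192.168.40.0/24).
interface Vlan1
 description DMZ
 ip address 192.168.40.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security DMZ
!
! Client address pool. The published listing ended at 192.168.40.12, which
! is below the start address and yields an empty pool; the earlier revision
! of this page had 192.168.40.120, restored here.
ip local pool EZVPN-POOL 192.168.40.100 192.168.40.120
!
! Split-tunnel ACL pushed to the client: only the DMZ network goes through
! the tunnel.
ip access-list extended EZVPN-ACL
 permit ip 192.168.40.0 0.0.0.255 any
! Used by the INT2self class-map: DNS replies to ephemeral ports.
ip access-list extended INT2self-ACL
 permit udp any eq domain any gt 1023
! NAT exemption: traffic towards RFC 1918 space (including the VPN clients
! and the DMZ) is not translated; everything else from the local networks is.
ip access-list extended IP-TO-NAT
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 192.168.40.0 0.0.7.255 any
 permit ip 192.168.48.0 0.0.1.255 any
!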

Links