Difference between revisions of "EasyVPN Cisco IOS"
m |
m (→Cisco 897 EasyVPN server) |
Line 46: | Line 46: | ||
==Cisco 897 EasyVPN server== | ==Cisco 897 EasyVPN server== | ||
<source lang=cli> | <source lang=cli> | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
crypto isakmp policy 1 | crypto isakmp policy 1 | ||
− | encr 3des | + | encr 3des |
− | authentication pre-share | + | authentication pre-share |
− | group 2 | + | group 2 |
− | crypto isakmp client configuration address-pool local EZVPN-POOL | + | crypto isakmp client configuration address-pool local EZVPN-POOL |
! | ! | ||
crypto isakmp client configuration group HW-CLIENT-GROUP45 | crypto isakmp client configuration group HW-CLIENT-GROUP45 | ||
− | key HW-GROUP5 | + | key HW-GROUP5 |
− | dns 192.168.40.1 | + | dns 192.168.40.1 |
− | domain tekkom.local | + | domain tekkom.local |
− | pool EZVPN-POOL | + | pool EZVPN-POOL |
− | acl EZVPN-ACL | + | acl EZVPN-ACL |
! | ! | ||
! | ! | ||
crypto ipsec transform-set TS esp-3des esp-sha-hmac | crypto ipsec transform-set TS esp-3des esp-sha-hmac | ||
− | mode tunnel | + | mode tunnel |
− | |||
− | |||
! | ! | ||
crypto dynamic-map EZVPN-MAP 1 | crypto dynamic-map EZVPN-MAP 1 | ||
− | set transform-set TS | + | set transform-set TS |
− | reverse-route | + | reverse-route |
− | |||
− | |||
! | ! | ||
crypto map EZVPN-MAP isakmp authorization list HW-CLIENT-GROUP45 | crypto map EZVPN-MAP isakmp authorization list HW-CLIENT-GROUP45 | ||
crypto map EZVPN-MAP client configuration address respond | crypto map EZVPN-MAP client configuration address respond | ||
crypto map EZVPN-MAP 1 ipsec-isakmp dynamic EZVPN-MAP | crypto map EZVPN-MAP 1 ipsec-isakmp dynamic EZVPN-MAP | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
! | ! | ||
interface GigabitEthernet8 | interface GigabitEthernet8 | ||
− | bandwidth 1000000 | + | bandwidth 1000000 |
− | no ip address | + | no ip address |
− | ip nat outside | + | ip nat outside |
− | ip virtual-reassembly in | + | ip virtual-reassembly in |
− | load-interval 30 | + | load-interval 30 |
− | duplex auto | + | duplex auto |
− | speed auto | + | speed auto |
− | service-policy output PARENT | + | service-policy output PARENT |
! | ! | ||
interface GigabitEthernet8.66 | interface GigabitEthernet8.66 | ||
− | description INTERNET | + | description INTERNET |
− | encapsulation dot1Q 66 | + | encapsulation dot1Q 66 |
− | ip address dhcp | + | ip address dhcp |
− | ip nat outside | + | ip nat outside |
− | ip virtual-reassembly in | + | ip virtual-reassembly in |
− | zone-member security INTERNET | + | zone-member security INTERNET |
− | crypto map EZVPN-MAP | + | crypto map EZVPN-MAP |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
! | ! | ||
interface Vlan1 | interface Vlan1 | ||
− | description DMZ | + | description DMZ |
− | ip address 192.168.40.1 255.255.255.0 | + | ip address 192.168.40.1 255.255.255.0 |
− | ip nat inside | + | ip nat inside |
− | ip virtual-reassembly in | + | ip virtual-reassembly in |
− | zone-member security DMZ | + | zone-member security DMZ |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
! | ! | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
ip access-list extended EZVPN-ACL | ip access-list extended EZVPN-ACL | ||
− | permit ip 192.168.40.0 0.0.0.255 any | + | permit ip 192.168.40.0 0.0.0.255 any |
ip access-list extended INT2self-ACL | ip access-list extended INT2self-ACL | ||
− | permit udp any eq domain any gt 1023 | + | permit udp any eq domain any gt 1023 |
ip access-list extended IP-TO-NAT | ip access-list extended IP-TO-NAT | ||
deny ip any 10.0.0.0 0.255.255.255 | deny ip any 10.0.0.0 0.255.255.255 | ||
Line 433: | Line 107: | ||
permit ip 192.168.40.0 0.0.7.255 any | permit ip 192.168.40.0 0.0.7.255 any | ||
permit ip 192.168.48.0 0.0.1.255 any | permit ip 192.168.48.0 0.0.1.255 any | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
! | ! | ||
</source> | </source> |
Revision as of 11:47, 22 August 2014
Example
Cisco 819 EasyVPN client
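!
! Cisco 819 EasyVPN (Easy VPN Remote) hardware client.
! Inside:  Vlan1, 192.168.44.0/24 (addresses handed out by DHCP pool RFC1918).
! Outside: Cellular0 / Dialer1, address negotiated; the EasyVPN tunnel is
!          bound to Dialer1 and terminates on peer 83.90.239.189 (the 897
!          server in the next section).
!
ip dhcp pool RFC1918
 import all
 network 192.168.44.0 255.255.255.0
 default-router 192.168.44.1
 dns-server 8.8.8.8
!
! Group name and group key must match the server's
! "crypto isakmp client configuration group HW-CLIENT-GROUP45" / "key HW-GROUP5".
! The group key is one shared secret for every client in the group, so it is the
! first credential to rotate if any one client is lost. With
! "xauth userid mode interactive" the per-user credentials are entered when the
! tunnel is brought up rather than stored in this config.
! "mode client": inside hosts are expected to be translated behind the address
! the server assigns from EZVPN-POOL rather than exposed as 192.168.44.0/24
! (network-extension mode would do the latter) - confirm against the server.
crypto ipsec client ezvpn HW-CLIENT
 connect auto
 group HW-CLIENT-GROUP45 key HW-GROUP5
 mode client
 peer 83.90.239.189
 xauth userid mode interactive
!
interface Cellular0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 dialer in-band
 dialer pool-member 1
 dialer-group 1
!
! Inside interface. The original listing reads "ip addre 255.255.255.0"
! (truncated); the address below is recovered from the DHCP pool's
! default-router above - confirm against the running config.
interface Vlan1
 ip address 192.168.44.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 crypto ipsec client ezvpn HW-CLIENT inside
!
interface Dialer 1
 ip address negotiated
 ip nat outside
 dialer-group 1
 crypto ipsec client ezvpn HW-CLIENT
!
! The original listing is missing the leading "ip" on this command.
! ACL 140 keeps traffic bound for the server-side 192.168.40.0/24 out of NAT so
! it enters the tunnel with its real inside source address; everything else is
! overloaded onto the Dialer1 address.
ip nat inside source list 140 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! NOTE(review): the source network in ACL 107 is truncated in the original
! ("194.0"), and ACL 107 is not referenced anywhere in this listing - confirm
! before relying on it.
access-list 107 permit ip 194.0 0.0.0.255 192.168.40.0 0.0.0.255
! Original listing had the wildcard fused to the address ("192.168.44.00.255");
! the network matches the DHCP pool above.
access-list 140 deny ip any 192.168.40.0 0.0.0.255
access-list 140 permit ip 192.168.44.0 0.0.0.255 any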
Cisco 897 EasyVPN server
!
! Cisco 897 EasyVPN (Easy VPN Server) side of the example above.
! This is an excerpt: the AAA authorization list HW-CLIENT-GROUP45 named in the
! crypto map, the local address pool EZVPN-POOL, the PARENT service-policy and
! the zone-based firewall zones/policies (INTERNET, DMZ) are referenced below
! but defined outside the listing.
!
! IKEv1 phase-1 policy for the hardware clients: 3DES, DH group 2 and a
! pre-shared (group) key. 3DES and 1024-bit group 2 are legacy choices; AES and
! a larger DH group are preferable where the clients support them. No "hash" is
! set, so the platform default applies - confirm with "show crypto isakmp policy".
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local EZVPN-POOL
!
! Client group. "key" is the group pre-shared secret shared by every client
! (the 819 config carries the same HW-CLIENT-GROUP45 / HW-GROUP5 pair). "dns",
! "domain" and "pool" are pushed to the client; "acl" is the split-tunnel list:
! only destinations matched by EZVPN-ACL are sent through the tunnel, the rest
! leaves the client directly via its own NAT.
! NOTE(review): no "crypto map EZVPN-MAP client authentication list ..." (xauth)
! appears in this excerpt, so as shown the group key alone authenticates a
! client. The 819 config expects xauth, so the list is presumably configured
! outside the listing - confirm.
crypto isakmp client configuration group HW-CLIENT-GROUP45
key HW-GROUP5
dns 192.168.40.1
domain tekkom.local
pool EZVPN-POOL
acl EZVPN-ACL
!
!
! Phase-2 proposal: 3DES with HMAC-SHA1 in tunnel mode (same legacy remark as
! above; AES with a SHA-2 HMAC is preferable where supported).
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
!
! Dynamic map for clients whose public address is unknown in advance.
! "reverse-route" (RRI) installs a route towards each connected client so the
! DMZ can reach it.
crypto dynamic-map EZVPN-MAP 1
set transform-set TS
reverse-route
!
! Group authorization comes from AAA list HW-CLIENT-GROUP45 (defined outside
! this excerpt); "address respond" answers clients that ask for a pool address;
! entry 1 binds the dynamic map above.
crypto map EZVPN-MAP isakmp authorization list HW-CLIENT-GROUP45
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 1 ipsec-isakmp dynamic EZVPN-MAP
!
! Physical WAN port; the routed address lives on the dot1Q subinterface below.
interface GigabitEthernet8
bandwidth 1000000
no ip address
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
service-policy output PARENT
!
! Internet-facing subinterface (VLAN 66, DHCP-assigned address). The crypto map
! is bound here, so clients terminate on whatever address DHCP hands out; the
! 819 config pins "peer 83.90.239.189", so presumably that address is stable.
interface GigabitEthernet8.66
description INTERNET
encapsulation dot1Q 66
ip address dhcp
ip nat outside
ip virtual-reassembly in
zone-member security INTERNET
crypto map EZVPN-MAP
!
! DMZ / inside network the clients reach through the tunnel; 192.168.40.1 is
! also the DNS server pushed to clients above.
interface Vlan1
description DMZ
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security DMZ
!
! Split-tunnel list pushed to clients: only 192.168.40.0/24 is tunnelled.
ip access-list extended EZVPN-ACL
permit ip 192.168.40.0 0.0.0.255 any
! DNS replies to the router itself (source port 53, destination port > 1023);
! the zone-pair policy that uses it is outside this excerpt.
ip access-list extended INT2self-ACL
permit udp any eq domain any gt 1023
! NAT candidates: anything bound for RFC1918 space (which includes the clients'
! 192.168.44.0/24 behind the tunnel) is excluded so it keeps its real source
! address; only sources in 192.168.40.0/21 and 192.168.48.0/23 are translated.
ip access-list extended IP-TO-NAT
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip 192.168.40.0 0.0.7.255 any
permit ip 192.168.48.0 0.0.1.255 any
!