Difference between revisions of "EasyVPN Cisco IOS"
m (→==Cisco 897 EasyVPN server) |
m |
||
Line 2: | Line 2: | ||
==Cisco 819 EasyVPN client== | ==Cisco 819 EasyVPN client== | ||
<source lang=cli> | <source lang=cli> | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
! | ! | ||
ip dhcp pool RFC1918 | ip dhcp pool RFC1918 | ||
− | import all | + | import all |
− | network 192.168.44.0 255.255.255.0 | + | network 192.168.44.0 255.255.255.0 |
− | default-router 192.168.44.1 | + | default-router 192.168.44.1 |
− | dns-server 8.8.8.8 | + | dns-server 8.8.8.8 |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
! | ! | ||
crypto ipsec client ezvpn HW-CLIENT | crypto ipsec client ezvpn HW-CLIENT | ||
− | connect auto | + | connect auto |
− | group HW-CLIENT-GROUP45 key HW-GROUP5 | + | group HW-CLIENT-GROUP45 key HW-GROUP5 |
− | mode client | + | mode client |
− | peer 83.90.239.189 | + | peer 83.90.239.189 |
− | xauth userid mode interactive | + | xauth userid mode interactive |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
! | ! | ||
interface Cellular0 | interface Cellular0 | ||
− | ip address negotiated | + | ip address negotiated |
− | ip nat outside | + | ip nat outside |
− | ip virtual-reassembly in | + | ip virtual-reassembly in |
− | encapsulation slip | + | encapsulation slip |
− | dialer in-band | + | dialer in-band |
− | dialer pool-member 1 | + | dialer pool-member 1 |
− | dialer-group 1 | + | dialer-group 1 |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
! | ! | ||
interface Vlan1 | interface Vlan1 | ||
− | ip addre 255.255.255.0 | + | ip addre 255.255.255.0 |
− | ip nat inside | + | ip nat inside |
− | ip virtual-reassembly in | + | ip virtual-reassembly in |
− | crypto ipsec client ezvpn HW-CLIENT inside | + | crypto ipsec client ezvpn HW-CLIENT inside |
! | ! | ||
− | interface | + | interface Dialer 1 |
− | ip nat outside | + | ip address negotiated |
− | + | ip nat outside | |
− | + | dialer-group 1 | |
− | + | crypto ipsec client ezvpn HW-CLIENT | |
− | |||
− | |||
− | |||
− | |||
− | dialer-group 1 | ||
− | |||
− | |||
! | ! | ||
− | |||
− | |||
− | |||
nat inside source list 140 interface Dialer1 overload | nat inside source list 140 interface Dialer1 overload | ||
ip route 0.0.0.0 0.0.0.0 Dialer1 | ip route 0.0.0.0 0.0.0.0 Dialer1 | ||
Line 135: | Line 43: | ||
access-list 140 deny ip any 192.168.40.0 0.0.0.255 | access-list 140 deny ip any 192.168.40.0 0.0.0.255 | ||
access-list 140 permit ip 192.168.44.00.255 any | access-list 140 permit ip 192.168.44.00.255 any | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
</source> | </source> | ||
==Cisco 897 EasyVPN server== | ==Cisco 897 EasyVPN server== | ||
<source lang=cli> | <source lang=cli> | ||
version 15.2 | version 15.2 | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
no aaa new-model | no aaa new-model | ||
clock timezone CET 1 0 | clock timezone CET 1 0 |
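Review bot: The new `interface Dialer 1` stanza carries `ip address negotiated`, `ip nat outside`, `dialer-group 1` and the EasyVPN profile, but has no `dialer pool 1`, so nothing ties it to Cellular0, which the context above declares as `dialer pool-member 1`; unless that binding lives outside the hunk, the dialer has no physical member and the `ip route 0.0.0.0 0.0.0.0 Dialer1` default route has nothing to use. One line after `ip address negotiated` closes the gap: `dialer pool 1`. Two garbled lines are carried over unchanged onto the new side and are worth fixing in the same edit: Vlan1's `ip addre 255.255.255.0` has lost the rest of `address` and the interface address itself, and `access-list 140 permit ip 192.168.44.00.255 any` is missing the space before the wildcard (`192.168.44.0 0.0.0.255`); both look like paste artefacts. The second hunk (the "Line 135 / Line 43" section) shows only removed empty rows, so there is nothing further to raise there.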
Revision as of 11:44, 22 August 2014
Example
Cisco 819 EasyVPN client
!
! Cisco 819 EasyVPN hardware-client side of the example. The wiki rendering
! stripped the sub-command indentation; IOS accepts the lines as shown.
!
! LAN pool for the hosts behind Vlan1. DNS is sent to a public resolver
! (8.8.8.8), not to the VPN-side server the 897 group config pushes
! (`dns 192.168.40.1`).
ip dhcp pool RFC1918
import all
network 192.168.44.0 255.255.255.0
default-router 192.168.44.1
dns-server 8.8.8.8
!
! EasyVPN client profile. `group ... key ...` is the IKE group pre-shared
! key and sits in cleartext in the running config (and on this page);
! `mode client` translates the LAN behind the server-assigned address
! instead of extending the network; `xauth userid mode interactive` prompts
! for the Xauth user on the console/vty when the tunnel comes up.
crypto ipsec client ezvpn HW-CLIENT
connect auto
group HW-CLIENT-GROUP45 key HW-GROUP5
mode client
peer 83.90.239.189
xauth userid mode interactive
!
! Cellular uplink, member of dialer pool 1. `dialer-group 1` refers to a
! `dialer-list 1` that is not part of this listing.
interface Cellular0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer pool-member 1
dialer-group 1
!
! LAN side; `inside` marks where the protected hosts live.
! NOTE(review): `ip addre 255.255.255.0` is cut off — the command is
! `ip address <addr> <mask>` and the address is missing (192.168.44.1 would
! match the DHCP default-router above). Probably a paste artefact; confirm.
interface Vlan1
ip addre 255.255.255.0
ip nat inside
ip virtual-reassembly in
crypto ipsec client ezvpn HW-CLIENT inside
!
! Logical WAN interface that carries the crypto profile and the default
! route. NOTE(review): no `dialer pool 1` here, so nothing binds Dialer 1 to
! Cellular0 (`dialer pool-member 1` above); confirm it is set elsewhere.
interface Dialer 1
ip address negotiated
ip nat outside
dialer-group 1
crypto ipsec client ezvpn HW-CLIENT
!
! NOTE(review): the leading `ip` is missing
! (`ip nat inside source list 140 interface Dialer1 overload`).
nat inside source list 140 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! NOTE(review): ACL 107 is not referenced anywhere in this listing and its
! source field `194.0 0.0.0.255` looks garbled.
access-list 107 permit ip 194.0 0.0.0.255 192.168.40.0 0.0.0.255
! NAT scope for the overload rule: traffic to 192.168.40.0/24 (the 897's DMZ,
! the only network in its split-tunnel EZVPN-ACL) is left untranslated so it
! goes through the tunnel with its real source. NOTE(review): the permit line
! is missing the space between network and wildcard
! (`192.168.44.0 0.0.0.255`).
access-list 140 deny ip any 192.168.40.0 0.0.0.255
access-list 140 permit ip 192.168.44.00.255 any
Cisco 897 EasyVPN server
! Cisco 897 EasyVPN server side of the example (IOS 15.2). Sub-command
! indentation was stripped by the wiki rendering.
version 15.2
! No AAA: line access is authenticated per line (plain `password` + `login`
! on `line vty 0 4` below). NOTE(review): no `username` entries and no Xauth
! authentication list appear in this listing, although the 819 client is set
! to prompt for an Xauth user — confirm how that prompt is meant to be
! satisfied.
no aaa new-model
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
! Embedded AP runs its own (autonomous) image; its console is reachable via
! the `gotoap` alias defined near the end of the config.
service-module wlan-ap 0 bootimage autonomous
!
!
ip cef
!
!
!
!
! Custom port-map so mail submission (tcp/587) can be matched as
! `user-SMTPS` in GUEST2INT-CM.
ip port-map user-SMTPS port tcp 587 description MAIL
!
! DATA and VOICE each get their own VRF with a provider-facing BGP session
! (see `router bgp 65004`). The DMZ stays in the global table.
ip vrf DATA
rd 420:20
route-target export 420:20
route-target import 420:20
!
ip vrf VOICE
rd 410:10
route-target export 410:10
route-target import 410:10
!
no ip dhcp conflict logging
!
! Phone pool: option 150 carries the TFTP server address for the phones; DNS
! and gateway are the Vlan10 SVI.
ip dhcp pool VOICE
import all
vrf VOICE
network 192.168.41.0 255.255.255.0
default-router 192.168.41.1
dns-server 192.168.41.1
option 150 ip 10.1.0.10
domain-name tekkom.local
class VOICE
address range 192.168.41.2 192.168.41.200
!
ip dhcp pool DATA
import all
vrf DATA
network 192.168.42.0 255.255.255.0
default-router 192.168.42.1
dns-server 192.168.42.1
domain-name tekkom.local
class DATA
address range 192.168.42.2 192.168.42.200
!
! DMZ pool (global table, no `vrf`). Range .2-.99 stays clear of
! EZVPN-POOL (.100-.120), which hands addresses to VPN clients in the same
! /24.
ip dhcp pool DMZ
import all
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
class DMZ
address range 192.168.40.2 192.168.40.99
!
! GUEST lives in the DATA VRF (Vlan30 is `ip vrf forwarding DATA` too), so
! GUEST/DATA separation relies on the GUEST security zone, not on VRF
! isolation.
ip dhcp pool GUEST
import all
vrf DATA
network 192.168.43.0 255.255.255.0
default-router 192.168.43.1
dns-server 192.168.43.1
domain-name tekkom.local
class GUEST
address range 192.168.43.2 192.168.43.200
!
!
! Empty class definitions referenced by the pools' `class` / `address range`
! lines above.
ip dhcp class VOICE
!
ip dhcp class DATA
!
ip dhcp class DMZ
!
ip dhcp class GUEST
!
!
no ipv6 cef
!
!
multilink bundle-name authenticated
! Identifies this specific unit (product id and serial number).
license udi pid C897VAM-W-E-K9 sn FCZ1821901R
!
!
vtp mode transparent
!
!
!
!
!
! DSL controller unused; the uplink is the Gi8.66 subinterface.
controller VDSL 0
shutdown
!
! Access VLANs; VLAN 1 (no entry here) is the DMZ SVI.
vlan 10
name VOICE
!
vlan 20
name DATA
!
vlan 30
name GUEST
!
!
! QoS classes (EF and precedence 3) plus zone-based-firewall inspect
! classes, one per outbound zone pair.
class-map match-all EF
match ip dscp ef
! DMZ -> Internet: any tcp/udp/icmp, i.e. effectively everything, stateful.
! NOTE(review): DMZ2INT-PROTO-CM (ftp/tftp) below is never referenced here,
! unlike DATA2INT-CM which pulls in DATA2INT-PROTO-CM via `match class-map`.
class-map type inspect match-any DMZ2INT-CM
match protocol tcp
match protocol udp
match protocol icmp
! GUEST -> Internet: web and mail only (submission via the user-SMTPS
! port-map).
class-map type inspect match-any GUEST2INT-CM
match protocol dns
match protocol http
match protocol https
match protocol smtp
match protocol pop3
match protocol imap
match protocol imaps
match protocol pop3s
match protocol user-SMTPS
class-map match-any AF3-NB
match ip precedence 3
! Protocols that need their ALG inspection; folded into DATA2INT-CM.
class-map type inspect match-any DATA2INT-PROTO-CM
match protocol ftp
match protocol tftp
! Internet -> the router itself: DHCP client replies for Gi8.66 (`bootpc`),
! IKE for EasyVPN (`isakmp`), DNS answers (INT2self-ACL), NTP, ICMP — and
! telnet. NOTE(review): no zone-pair in this listing applies INT2self-PM
! (only DATA2INT/GUEST2INT/DMZ2INT pairs exist), so the self zone keeps the
! IOS default of unrestricted access and this list, telnet included, is not
! actually enforced — confirm whether the pair was dropped on purpose.
class-map type inspect match-any INT2self-CM
match protocol telnet
match protocol icmp
match protocol bootpc
match protocol isakmp
match access-group name INT2self-ACL
match protocol ntp
class-map type inspect match-any DMZ2INT-PROTO-CM
match protocol ftp
match protocol tftp
class-map type inspect match-any DATA2INT-CM
match class-map DATA2INT-PROTO-CM
match protocol tcp
match protocol udp
match protocol icmp
!
! `pass` forwards without state (replies need their own match); the three
! LAN policies `inspect` (stateful) and log what they drop.
policy-map type inspect INT2self-PM
class type inspect INT2self-CM
pass
class class-default
drop
policy-map type inspect GUEST2INT-PM
class type inspect GUEST2INT-CM
inspect
class class-default
drop log
policy-map type inspect DATA2INT-PM
class type inspect DATA2INT-CM
inspect
class class-default
drop log
policy-map type inspect DMZ2INT-PM
class type inspect DMZ2INT-CM
inspect
class class-default
drop log
! Egress QoS on Gi8: PARENT shapes to 1 Gbit/s and nests CHILD, where EF is
! the priority queue policed at 2 Mbit/s and AF3-NB gets 2 Mbit/s reserved
! and policed.
policy-map CHILD
class EF
priority
police cir 2000000
conform-action transmit
exceed-action drop
violate-action drop
class AF3-NB
bandwidth 2000
police cir 2000000
conform-action transmit
exceed-action drop
policy-map PARENT
class class-default
shape average 1000000000
service-policy CHILD
!
! Outbound-only zone pairs. No pair from INTERNET toward DMZ/DATA/GUEST is
! defined, so unsolicited inbound is dropped by the inter-zone default.
! NOTE(review): decrypted EasyVPN traffic arrives on Gi8.66 (zone INTERNET)
! destined for the DMZ pool hosts; without an INTERNET -> DMZ pair it is not
! obvious from this listing that it gets through — confirm.
zone security DMZ
zone security DATA
zone security GUEST
zone security INTERNET
zone-pair security DATA2INT-ZP source DATA destination INTERNET
service-policy type inspect DATA2INT-PM
zone-pair security GUEST2INT-ZP source GUEST destination INTERNET
service-policy type inspect GUEST2INT-PM
zone-pair security DMZ2INT-ZP source DMZ destination INTERNET
service-policy type inspect DMZ2INT-PM
!
!
! IKEv1 phase 1 for the EasyVPN clients: 3DES, pre-shared key, DH group 2.
! Both 3DES and group 2 are legacy choices; `encr aes 256` / `group 14` are
! the usual replacements where the client supports them. No `hash` is set,
! so the platform default applies.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
! Mode-config addresses for clients come from EZVPN-POOL
! (192.168.40.100-.120, inside the DMZ subnet).
crypto isakmp client configuration address-pool local EZVPN-POOL
!
! Group the 819 joins (`group HW-CLIENT-GROUP45 key HW-GROUP5` on the
! client). The key is the only group secret and is kept in cleartext; `acl`
! is the split-tunnel list, so clients send only 192.168.40.0/24 through
! the tunnel and everything else directly.
crypto isakmp client configuration group HW-CLIENT-GROUP45
key HW-GROUP5
dns 192.168.40.1
domain tekkom.local
pool EZVPN-POOL
acl EZVPN-ACL
!
!
! Phase 2: 3DES with SHA-1 HMAC, tunnel mode.
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
!
!
!
! Dynamic entry: peers are unknown until they connect. `reverse-route`
! injects a route for each connected client's assigned address.
crypto dynamic-map EZVPN-MAP 1
set transform-set TS
reverse-route
!
!
!
! Static map applied on Gi8.66. NOTE(review): `isakmp authorization list`
! names an AAA authorization list, but the config is `no aaa new-model` and
! no `aaa authorization network HW-CLIENT-GROUP45 local` exists here;
! confirm the group policy (pool, dns, split-tunnel acl) is really handed
! out. `address respond` answers clients' address requests from the pool.
crypto map EZVPN-MAP isakmp authorization list HW-CLIENT-GROUP45
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 1 ipsec-isakmp dynamic EZVPN-MAP
!
!
!
!
!
!
! Unused WAN ports.
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
shutdown
!
! NOTE(review): Gi0-Gi2 are described INTERNET but carry no
! `switchport access vlan`, so they sit in VLAN 1 — the DMZ SVI — unless set
! elsewhere. Either the description or the VLAN assignment looks off.
interface GigabitEthernet0
description INTERNET
no ip address
spanning-tree portfast
!
interface GigabitEthernet1
description INTERNET
no ip address
spanning-tree portfast
!
interface GigabitEthernet2
description INTERNET
no ip address
spanning-tree portfast
!
! Phone-with-PC port: untagged frames land in DATA (native vlan 20), the
! phone tags VOICE (vlan 10).
interface GigabitEthernet3
description VOICE
switchport trunk native vlan 20
switchport mode trunk
switchport voice vlan 10
no ip address
!
interface GigabitEthernet4
description VOICE
switchport access vlan 10
no ip address
!
! DMZ port: no VLAN statement, i.e. VLAN 1 / the DMZ SVI.
interface GigabitEthernet5
description DMZ
no ip address
spanning-tree portfast
!
interface GigabitEthernet6
description DATA
switchport access vlan 20
no ip address
spanning-tree portfast
!
interface GigabitEthernet7
description DATA
switchport access vlan 20
no ip address
spanning-tree portfast
!
! The routed uplink; `bandwidth 1000000` (kbit/s) matches PARENT's 1 Gbit/s
! shaper. Three dot1Q subinterfaces ride on it: 66 = Internet, 410 = VOICE
! hand-off, 420 = DATA hand-off.
interface GigabitEthernet8
bandwidth 1000000
no ip address
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
service-policy output PARENT
!
! Every Internet-facing role sits here: DHCP-learned address, NAT outside,
! zone INTERNET, and the EasyVPN crypto map.
interface GigabitEthernet8.66
description INTERNET
encapsulation dot1Q 66
ip address dhcp
ip nat outside
ip virtual-reassembly in
zone-member security INTERNET
crypto map EZVPN-MAP
!
! Provider /30s for the two VRFs; BGP neighbours 172.16.4.5 and 172.16.4.9
! are the far ends.
interface GigabitEthernet8.410
description VOICE
encapsulation dot1Q 410
ip vrf forwarding VOICE
ip address 172.16.4.6 255.255.255.252
!
interface GigabitEthernet8.420
description DATA
encapsulation dot1Q 420
ip vrf forwarding DATA
ip address 172.16.4.10 255.255.255.252
!
! Trunk to the embedded AP.
interface Wlan-GigabitEthernet8
description AP-CONNECT
switchport mode trunk
no ip address
!
! AP management borrows the Vlan1 address, i.e. the AP is managed from the
! DMZ side.
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan1
!
! DMZ SVI (global table); also the network EasyVPN clients are placed in.
interface Vlan1
description DMZ
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security DMZ
!
! NOTE(review): Vlan10 is NAT-inside but has no `zone-member`. Traffic
! between a non-zone interface and a zone member is dropped by the ZBF, so
! VOICE cannot reach Gi8.66 (zone INTERNET) through the NAT/default route
! configured for VRF VOICE; fine if voice is meant to use only its BGP
! hand-off — confirm.
interface Vlan10
description VOICE
ip vrf forwarding VOICE
ip address 192.168.41.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan20
description DATA
ip vrf forwarding DATA
ip address 192.168.42.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security DATA
!
! GUEST shares VRF DATA with Vlan20; its own zone is what keeps it apart.
interface Vlan30
description GUEST
ip vrf forwarding DATA
ip address 192.168.43.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security GUEST
!
! VRF-aware eBGP to the provider (remote AS 3292) on both hand-offs. Each
! address-family advertises its LAN and keeps a copy of received routes
! (`soft-reconfiguration inbound`). NOTE(review): no prefix-list/route-map
! is applied to either neighbour here, so what is accepted and advertised
! is unfiltered on this side; GUEST's 192.168.43.0/24 (also in VRF DATA) is
! not advertised under the DATA family — confirm both are intended.
router bgp 65004
bgp log-neighbor-changes
!
address-family ipv4 vrf DATA
network 192.168.42.0
neighbor 172.16.4.9 remote-as 3292
neighbor 172.16.4.9 transport path-mtu-discovery
neighbor 172.16.4.9 activate
neighbor 172.16.4.9 soft-reconfiguration inbound
exit-address-family
!
address-family ipv4 vrf VOICE
network 192.168.41.0
neighbor 172.16.4.5 remote-as 3292
neighbor 172.16.4.5 transport path-mtu-discovery
neighbor 172.16.4.5 activate
neighbor 172.16.4.5 soft-reconfiguration inbound
exit-address-family
!
! Addresses handed to EasyVPN clients: .100-.120 of the DMZ subnet, above
! the DMZ DHCP range (.2-.99).
ip local pool EZVPN-POOL 192.168.40.100 192.168.40.120
ip forward-protocol nd
! Web management is off; CLI access is via the vty lines only.
no ip http server
no ip http secure-server
!
!
! The router answers DNS for the LANs (every pool points at its SVI).
ip dns server
! PAT to the Gi8.66 address for the global table and for both VRFs, scoped
! by IP-TO-NAT.
ip nat inside source list IP-TO-NAT interface GigabitEthernet8.66 overload
ip nat inside source list IP-TO-NAT interface GigabitEthernet8.66 vrf DATA overload
ip nat inside source list IP-TO-NAT interface GigabitEthernet8.66 vrf VOICE overload
! VRF default routes leak into the global table via Gi8.66; no static
! global default is listed, presumably it comes from DHCP on Gi8.66.
ip route vrf DATA 0.0.0.0 0.0.0.0 GigabitEthernet8.66 192.168.146.1 global
ip route vrf VOICE 0.0.0.0 0.0.0.0 GigabitEthernet8.66 192.168.146.1 global
!
! Split-tunnel list pushed to EasyVPN clients: only the DMZ goes through
! the tunnel.
ip access-list extended EZVPN-ACL
permit ip 192.168.40.0 0.0.0.255 any
! DNS answers (source port 53 to an ephemeral port) addressed to the router;
! referenced by INT2self-CM.
ip access-list extended INT2self-ACL
permit udp any eq domain any gt 1023
! NAT scope: RFC1918 destinations (VPN peers, provider /30s, the 819's LAN)
! are exempt; sources in 192.168.40.0/21 (DMZ, VOICE, DATA, GUEST, and the
! VPN pool) and 192.168.48.0/23 are translated.
ip access-list extended IP-TO-NAT
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip 192.168.40.0 0.0.7.255 any
permit ip 192.168.48.0 0.0.1.255 any
!
!
!
! Empty control-plane section: no CoPP policy is applied.
control-plane
!
!
! Shortcut into the embedded AP's console session.
alias exec gotoap service-module wlan-ap 0 session
!
! NOTE(review): the console has neither `login` nor `password`, so physical
! access gives an unauthenticated exec.
line con 0
no modem enable
length 45
width 142
line aux 0
! NOTE(review): looks like the embedded-AP service-module line (the one
! `gotoap` attaches to); confirm.
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
! Remote CLI: one shared cleartext `password Cisco` (no
! `service password-encryption`, no per-user accounts because of
! `no aaa new-model`) and `transport input all`, which accepts telnet.
! `transport input ssh` plus `login local` with `username ... secret` is
! the usual hardening. `exec-timeout 480 0` is an 8-hour idle timeout.
line vty 0 4
exec-timeout 480 0
password Cisco
login
transport input all
!
scheduler allocate 20000 1000
! Same next hop the VRF default routes point at.
ntp server 192.168.146.1
!