EasyVPN Cisco IOS


Example

Cisco 819 EasyVPN client

Current configuration : 2458 bytes
!
! Last configuration change at 09:54:59 UTC Fri Aug 22 2014
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): everything secret in this config is stored in cleartext; the EasyVPN
! group key (HW-GROUP5, further down) is readable by anyone who can view the running
! config. 'service password-encryption' would at least obscure line passwords; the
! group key itself is only as secret as this file.
no service password-encryption
!
hostname hold4-5
!
boot-start-marker
boot-end-marker
!
!
!
! No AAA: access control relies on per-line passwords only (see 'line vty' at the end
! of this config); there is no per-user authentication or accounting of logins.
no aaa new-model
!
!
ip cef
!
!
!
!
 
 
!
!
! LAN pool served on Vlan1; .1 is the router itself (the Vlan1 address line is garbled
! later in this listing). The DNS server is a public resolver, and since the server's
! split-tunnel list only covers 192.168.40.0/24, client name resolution presumably
! leaves over the cellular link rather than through the VPN.
ip dhcp pool RFC1918
import all
network 192.168.44.0 255.255.255.0
default-router 192.168.44.1 
dns-server 8.8.8.8 
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
! Modem chat scripts; 'lte' is bound to the async line with 'script dialer lte' below.
chat-script gsm "" "AT!CALL" TIMEOUT 20 "OK"
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
! The license line carries the device serial number; redact it before publishing a
! config.
license udi pid C819G-4G-G-K9 sn FCZ181391HH
!
!
vtp mode transparent
!
!
!
!
!
controller Cellular 0
!
! VLAN 10 is declared but no interface in this listing is placed in it.
vlan 10 
!
! 
!
!
!
!
!
!
! EasyVPN hardware-client profile. Group name and key must match the
! 'crypto isakmp client configuration group' stanza on the 897 server (same page).
crypto ipsec client ezvpn HW-CLIENT
! Tunnel is brought up automatically as soon as the outside interface is up.
connect auto
! Group pre-shared key in cleartext: anyone who reads this config can join the group.
! Treat it as a shared secret and rotate it on both ends if the file leaks.
group HW-CLIENT-GROUP45 key HW-GROUP5
! Client mode: the 819 is assigned one address from the server's EZVPN-POOL and the
! LAN hosts behind it are translated onto it (as opposed to network-extension mode).
mode client
! Public address of the EasyVPN server.
peer 83.90.239.189
! User credentials are prompted for interactively rather than stored here.
! NOTE(review): the server config on this page sets no 'client authentication list',
! so no xauth prompt may ever be issued -- confirm against the server.
xauth userid mode interactive
!
!
!
!
!
!
!
! Physical cellular interface; it is a member of dialer pool 1 and gets its address
! from the carrier. NAT 'outside' here and on Dialer1.
interface Cellular0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer pool-member 1
! NOTE(review): 'dialer-group 1' refers to 'dialer-list 1', which is not present in
! this listing, so the interesting-traffic definition is unknown here.
dialer-group 1
!
interface FastEthernet0
no ip address
!
! NOTE(review): the next line is garbled in the wiki transcription; it presumably
! stood for 'interface FastEthernet1' followed by 'no ip address' like the other
! switch ports -- confirm against the device.
addresse FastEthernet1
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface GigabitEthernet0
! NOTE(review): garbled line, presumably 'no ip address' -- confirm.
p
duplex auto
speed auto
!
interface Serial0
no ip address
shutdown
clock rate 2000000
!
! Vlan1 is the LAN side (all FastEthernet switch ports default to VLAN 1).
interface Vlan1
! NOTE(review): garbled; the address itself is missing. The DHCP pool's default-router
! (192.168.44.1) suggests 'ip address 192.168.44.1 255.255.255.0' -- confirm.
ip addre 255.255.255.0
ip nat inside
ip virtual-reassembly in
! Vlan1 is the EasyVPN 'inside' interface: LAN traffic matching the server's
! split-tunnel list is sent through the tunnel.
crypto ipsec client ezvpn HW-CLIENT inside
!
! NOTE(review): two lines fused in the transcription -- 'interface Dialer1' (the name
! used by the default route and the NAT statement below) and 'ip address negotiated'.
interface Dialep address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
load-interval 30
dialer pool 1
! NOTE(review): truncated line; the remaining keyword(s) are not recoverable from
! this listing.
dialer 
dialer string gsm
! Keeps the dialer connection up permanently rather than on demand.
dialer persistent
dialer-group 1
no snmp trap link-status
! NOTE(review): garbled; presumably 'crypto ipsec client ezvpn HW-CLIENT', which makes
! Dialer1 the EasyVPN outside (tunnel endpoint) interface.
o ipsec client ezvpn HW-CLIENT
!
ip forward-protocol nd
! Management web UI disabled on both HTTP and HTTPS.
no ip http server
no ip http secure-server
! NOTE(review): leading 'ip' lost in the transcription; presumably
! 'ip nat inside source list 140 interface Dialer1 overload'.
nat inside source list 140 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! NOTE(review): ACL 107 is not referenced anywhere in this listing and its source
! network is garbled ('194.0'); it looks like a leftover that can be removed.
access-list 107 permit ip 194.0 0.0.0.255 192.168.40.0 0.0.0.255
! NAT exemption: traffic towards the server's DMZ/VPN network 192.168.40.0/24 is left
! untranslated so it can be carried through the EasyVPN tunnel; everything else from
! the LAN is overloaded onto Dialer1. NOTE(review): the source on the permit line is
! garbled, presumably '192.168.44.0 0.0.0.255'.
access-list 140 deny   ip any 192.168.40.0 0.0.0.255
access-list 140 permit ip 192.168.44.00.255 any
!
!
control-plane
!
!
!
line con 0
no modem enable
length 42
width 91
line aux 0
line 2
no activation-exec
transport preferred none
! 'transport input all' on the async/modem line: any protocol that can reach this line
! may open a session on it; restrict it if the line is not needed for the modem.
transport input all
stopbits 1
! Async line driving the LTE modem with the 'lte' chat script. 'no exec' prevents an
! interactive shell from starting on it and 'exec-timeout 0 0' disables the idle
! timeout, which is what a dialer line needs.
line 3
exec-timeout 0 0
script dialer lte
modem InOut
no exec
! NOTE(review): two lines fused in the transcription ('rxspeed ...' / 'txspeed 50000000');
! the rx value is not recoverable here.
rxspeed 100000txspeed 50000000
! NOTE(review): 'login' with no line password set (none is visible in this listing)
! makes IOS refuse vty logins ("Password required, but none set"), and 'transport
! input all' would admit telnet as well as ssh. When remote management is needed,
! prefer 'login local' with a local user and 'transport input ssh'.
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000

Cisco 897 EasyVPN server

version 15.2
service timestamps debug datetime localtime
service timestamps log datetime localtime
! NOTE(review): with 'no service password-encryption' the enable password and the vty
! password ('Cisco', see below and the line section) are stored in cleartext. Use
! 'enable secret' (hashed) instead of 'enable password' and replace the default-looking
! value.
no service password-encryption
!
hostname hold4
!
boot-start-marker
boot system flash:c800-universalk9-mz.SPA.152-4.M6.bin
boot-end-marker
!
!
no logging console
! Cleartext, trivially guessable enable password -- see note above.
enable password Cisco
!
! No AAA. The crypto map further down references an authorization list by name
! ('isakmp authorization list HW-CLIENT-GROUP45'); NOTE(review): confirm that EasyVPN
! group lookup works on this release without 'aaa new-model' and
! 'aaa authorization network ... local'. Remote users are not xauth-authenticated (no
! 'client authentication list' is configured on the crypto map).
no aaa new-model
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
! Embedded wireless AP boots in autonomous mode; its console is reached via the
! 'gotoap' alias at the end of this config.
service-module wlan-ap 0 bootimage autonomous
!
!
ip cef
!
!
!
!
 
 
! Custom port-map so the inspect class-maps can match mail submission (TCP 587) as a
! named protocol ('match protocol user-SMTPS' in GUEST2INT-CM).
ip port-map user-SMTPS port tcp 587 description MAIL
!
! Two VRFs separate VOICE and DATA routing. GUEST has no VRF of its own and is placed
! in DATA (pool GUEST and Vlan30 both use 'vrf DATA' / 'ip vrf forwarding DATA'), so
! guest/data separation rests on the zone-based firewall, not on routing.
ip vrf DATA
rd 420:20
route-target export 420:20
route-target import 420:20
!
ip vrf VOICE
rd 410:10
route-target export 410:10
route-target import 410:10
!
no ip dhcp conflict logging
!
! Phone pool in the VOICE VRF; option 150 points the phones at 10.1.0.10, presumably a
! call-control/TFTP server reached over the VOICE VRF (10/8 is excluded from NAT by
! IP-TO-NAT). The router itself is the DNS server for every pool ('ip dns server').
ip dhcp pool VOICE
import all
vrf VOICE
network 192.168.41.0 255.255.255.0
default-router 192.168.41.1 
dns-server 192.168.41.1 
option 150 ip 10.1.0.10 
domain-name tekkom.local
class VOICE
  address range 192.168.41.2 192.168.41.200
!
ip dhcp pool DATA
import all
vrf DATA
network 192.168.42.0 255.255.255.0
default-router 192.168.42.1 
dns-server 192.168.42.1 
domain-name tekkom.local
class DATA
  address range 192.168.42.2 192.168.42.200
!
! DMZ pool (global table, Vlan1). DHCP hands out .2-.99; .100-.120 is used by the
! EasyVPN address pool EZVPN-POOL further down, so remote clients appear as hosts on
! the DMZ subnet. No dns-server is pushed here, unlike the other pools.
ip dhcp pool DMZ
import all
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1 
class DMZ
  address range 192.168.40.2 192.168.40.99
!
! Guest pool lives in the DATA VRF (see note on the VRFs above).
ip dhcp pool GUEST
import all
vrf DATA
network 192.168.43.0 255.255.255.0
default-router 192.168.43.1 
dns-server 192.168.43.1 
domain-name tekkom.local
class GUEST
  address range 192.168.43.2 192.168.43.200
!
!
! The DHCP classes are declared without any matching criteria, so they appear to serve
! only to scope the 'address range' lines of their pools -- confirm if class-based
! restriction was intended.
ip dhcp class VOICE
!         
ip dhcp class DATA
!
ip dhcp class DMZ
!
ip dhcp class GUEST
!
!
no ipv6 cef
!
!
multilink bundle-name authenticated
! Carries the device serial number; redact before publishing a config.
license udi pid C897VAM-W-E-K9 sn FCZ1821901R
!
!
vtp mode transparent
!
!
!
!
!
! The VDSL WAN is disabled; Internet access is via GigabitEthernet8.66 instead.
controller VDSL 0
shutdown
!
! Switch VLANs: 10 VOICE, 20 DATA, 30 GUEST; VLAN 1 (no entry needed) is the DMZ.
vlan 10
name VOICE
!
vlan 20
name DATA
!
vlan 30
name GUEST
!
!
! QoS classes used by the CHILD/PARENT policies applied outbound on GigabitEthernet8:
! EF traffic gets a policed priority queue, precedence 3 a policed bandwidth guarantee.
class-map match-all EF
match ip dscp ef 
! Zone-based firewall classes. DMZ hosts may open any tcp/udp/icmp session towards
! INTERNET (no application-layer inspection, see note on DMZ2INT-PROTO-CM).
class-map type inspect match-any DMZ2INT-CM
match protocol tcp
match protocol udp
match protocol icmp
! GUEST is limited to name resolution, web and mail (incl. submission via the
! user-SMTPS port-map); anything else hits 'class-default drop log' in GUEST2INT-PM.
class-map type inspect match-any GUEST2INT-CM
match protocol dns
match protocol http
match protocol https
match protocol smtp
match protocol pop3
match protocol imap
match protocol imaps
match protocol pop3s
match protocol user-SMTPS
class-map match-any AF3-NB
match ip precedence 3 
! ftp/tftp are matched as application protocols so the inspect engine can follow their
! secondary data channels; nested into DATA2INT-CM below.
class-map type inspect match-any DATA2INT-PROTO-CM
match protocol ftp
match protocol tftp
! Traffic from INTERNET to the router itself (self zone). NOTE(review): no zone-pair
! with 'destination self' exists in this config, so this class and INT2self-PM are never
! applied and the self zone keeps its default open behaviour. If it is bound later as
! written, it would 'pass' (not inspect) telnet from any source, and ESP (IP protocol 50)
! from the EasyVPN clients is not matched here at all.
class-map type inspect match-any INT2self-CM
match protocol telnet
match protocol icmp
! bootpc is needed because GigabitEthernet8.66 uses 'ip address dhcp'.
match protocol bootpc
match protocol isakmp
! INT2self-ACL: DNS replies to the router's own resolver queries.
match access-group name INT2self-ACL
match protocol ntp
! NOTE(review): DMZ2INT-PROTO-CM is not referenced by any policy-map or class-map in
! this config (DMZ2INT-PM uses DMZ2INT-CM directly); either nest it like the DATA
! equivalent or remove it.
class-map type inspect match-any DMZ2INT-PROTO-CM
match protocol ftp
match protocol tftp
! DATA: application-aware ftp/tftp inspection plus generic tcp/udp/icmp.
class-map type inspect match-any DATA2INT-CM
match class-map DATA2INT-PROTO-CM
match protocol tcp
match protocol udp
match protocol icmp
!
! Self-zone policy -- currently unbound, see INT2self-CM. Note the class-default here
! is 'drop' without 'log', unlike the three zone policies below.
policy-map type inspect INT2self-PM
class type inspect INT2self-CM
  pass
class class-default
  drop
! Outbound policies: 'inspect' creates stateful sessions so that return traffic from
! INTERNET is admitted without an INTERNET->zone pair; everything not matched is
! dropped and logged.
policy-map type inspect GUEST2INT-PM
class type inspect GUEST2INT-CM
  inspect 
class class-default
  drop log
policy-map type inspect DATA2INT-PM
class type inspect DATA2INT-CM
  inspect 
class class-default
  drop log
policy-map type inspect DMZ2INT-PM
class type inspect DMZ2INT-CM
  inspect 
class class-default
  drop log
! Hierarchical QoS: PARENT shapes the whole GigabitEthernet8 output to 1 Gbit/s and
! hands the queueing to CHILD (EF priority capped at 2 Mbit/s, precedence 3 given
! 2 Mbit/s of bandwidth and policed at the same rate).
policy-map CHILD
class EF
  priority
  police cir 2000000
   conform-action transmit 
   exceed-action drop 
   violate-action drop 
class AF3-NB
  bandwidth 2000
  police cir 2000000
   conform-action transmit 
   exceed-action drop 
policy-map PARENT
class class-default
  shape average 1000000000
   service-policy CHILD
!
! Zone-based firewall. Only the three LAN-to-INTERNET pairs exist; with no pair between
! DMZ, DATA and GUEST, traffic between those zones is dropped by default, which is what
! provides the segmentation. NOTE(review): there is no pair to or from 'self', so the
! router's own services (telnet, DNS, NTP, ISAKMP) are not filtered on any interface.
! Also, Vlan10 (VOICE), GigabitEthernet8.410 and GigabitEthernet8.420 are in no zone;
! forwarded traffic between a zone member (e.g. Vlan20) and a non-member interface
! (e.g. GigabitEthernet8.420) is dropped, so DATA hosts cannot reach networks learned
! over that BGP peering unless it is placed in a zone with a matching pair -- confirm
! this is intended.
zone security DMZ
zone security DATA
zone security GUEST
zone security INTERNET
zone-pair security DATA2INT-ZP source DATA destination INTERNET
service-policy type inspect DATA2INT-PM
zone-pair security GUEST2INT-ZP source GUEST destination INTERNET
service-policy type inspect GUEST2INT-PM
zone-pair security DMZ2INT-ZP source DMZ destination INTERNET
service-policy type inspect DMZ2INT-PM
! 
!
! IKE phase 1 for the EasyVPN clients: 3DES, SHA-1 (the default hash), DH group 2,
! pre-shared group key. NOTE(review): all three are legacy choices; where the clients
! support it, prefer AES, a SHA-2 hash and DH group 14 or higher.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
! Client addresses come from the local pool EZVPN-POOL (defined further down, inside
! the DMZ subnet).
crypto isakmp client configuration address-pool local EZVPN-POOL
!
! EasyVPN group that the 819 joins (same name/key as its 'crypto ipsec client ezvpn'
! profile). The key is the only credential checked on this server, so it is effectively
! a site password stored in cleartext; rotate it on both ends if this file leaks.
crypto isakmp client configuration group HW-CLIENT-GROUP45
key HW-GROUP5
! Clients are told to resolve names via the router's own DMZ address ('ip dns server').
dns 192.168.40.1
domain tekkom.local
pool EZVPN-POOL
! Split tunnel: only destinations listed in EZVPN-ACL (192.168.40.0/24) are sent through
! the tunnel; all other client traffic leaves the remote site directly.
acl EZVPN-ACL
!         
!
! Phase 2: 3DES/SHA-1 in tunnel mode -- same legacy remark as for the ISAKMP policy.
crypto ipsec transform-set TS esp-3des esp-sha-hmac 
mode tunnel
!
!
!
! Dynamic map for clients whose source address is not known in advance; 'reverse-route'
! injects a route per connected client so replies from the LAN find the tunnel.
crypto dynamic-map EZVPN-MAP 1
set transform-set TS 
reverse-route
!
!
!
! Group authorization is looked up under the name HW-CLIENT-GROUP45 (see note on
! 'no aaa new-model'); 'address respond' assigns a pool address when a client asks for
! one. NOTE(review): there is no 'client authentication list' line, so no xauth/user
! login is performed even though the 819 profile sets 'xauth userid mode interactive'
! -- confirm that group-key-only authentication is intended. The map is applied on
! GigabitEthernet8.66.
crypto map EZVPN-MAP isakmp authorization list HW-CLIENT-GROUP45
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 1 ipsec-isakmp dynamic EZVPN-MAP 
!
!
!
!
!
!
! Unused WAN ports (ATM/VDSL and Ethernet0) are administratively down.
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
shutdown
!
! NOTE(review): GigabitEthernet0-2 are described as INTERNET but carry no 'switchport'
! configuration, so as switch ports they belong to VLAN 1 -- which is the DMZ (Vlan1).
! The description is misleading or these ports are unused; confirm and shut down any
! port that is not in use.
interface GigabitEthernet0
description INTERNET
no ip address
spanning-tree portfast
!
interface GigabitEthernet1
description INTERNET
no ip address
spanning-tree portfast
!
interface GigabitEthernet2
description INTERNET
no ip address
spanning-tree portfast
!
! Phone port with a PC behind it: untagged traffic is DATA (native VLAN 20), the phone
! tags into VLAN 10.
interface GigabitEthernet3
description VOICE
switchport trunk native vlan 20
switchport mode trunk
switchport voice vlan 10
no ip address
!
interface GigabitEthernet4
description VOICE
switchport access vlan 10
no ip address
!
! DMZ access port: no 'switchport access vlan' line, so this is VLAN 1 = Vlan1 (DMZ).
interface GigabitEthernet5
description DMZ
no ip address
spanning-tree portfast
!
interface GigabitEthernet6
description DATA
switchport access vlan 20
no ip address
spanning-tree portfast
!
interface GigabitEthernet7
description DATA
switchport access vlan 20
no ip address
spanning-tree portfast
!
! Physical WAN port. The PARENT shaper/queueing policy is applied here; the three
! dot1Q sub-interfaces below carry Internet, VOICE and DATA uplinks.
interface GigabitEthernet8
bandwidth 1000000
no ip address
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
service-policy output PARENT
!
! Internet uplink: DHCP-assigned address, NAT outside, the only INTERNET zone member,
! and the EasyVPN termination point (crypto map).
interface GigabitEthernet8.66
description INTERNET
encapsulation dot1Q 66
ip address dhcp
ip nat outside
ip virtual-reassembly in
zone-member security INTERNET
crypto map EZVPN-MAP
!
! /30 point-to-point links to the BGP peers, one per VRF. NOTE(review): neither
! sub-interface is in a security zone (see the zone section for the consequence).
interface GigabitEthernet8.410
description VOICE
encapsulation dot1Q 410
ip vrf forwarding VOICE
ip address 172.16.4.6 255.255.255.252
!
interface GigabitEthernet8.420
description DATA
encapsulation dot1Q 420
ip vrf forwarding DATA
ip address 172.16.4.10 255.255.255.252
!
! Internal trunk to the embedded AP; the AP's management interface is unnumbered to
! Vlan1, i.e. AP management rides on the DMZ subnet.
interface Wlan-GigabitEthernet8
description AP-CONNECT
switchport mode trunk
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan1
!
! DMZ (global table). 192.168.40.1 is also the DNS address pushed to EasyVPN clients,
! and EZVPN-POOL draws client addresses from this subnet.
interface Vlan1
description DMZ
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security DMZ
!
! VOICE VRF. Not a member of any security zone: phone traffic is routed without
! firewall inspection (to the VOICE peer over GigabitEthernet8.410, or NATed via the
! 'vrf VOICE' NAT rule).
interface Vlan10
description VOICE
ip vrf forwarding VOICE
ip address 192.168.41.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan20
description DATA
ip vrf forwarding DATA
ip address 192.168.42.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security DATA
!
! GUEST shares the DATA VRF; only the separate GUEST zone (with no GUEST<->DATA pair)
! keeps guests away from the DATA VLAN.
interface Vlan30
description GUEST
ip vrf forwarding DATA
ip address 192.168.43.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security GUEST
!
! Per-VRF eBGP peering (private AS 65004) with AS 3292 over the /30 links on
! GigabitEthernet8.410/.420; each VRF announces its own LAN prefix.
! NOTE(review): no 'neighbor ... password' (MD5) and no inbound prefix-list/route-map
! are visible, so the sessions are unauthenticated and whatever the peer advertises
! is accepted into the VRF tables -- consider both if the provider supports them.
! 'soft-reconfiguration inbound' keeps a copy of received routes for inspection.
router bgp 65004
bgp log-neighbor-changes
!
address-family ipv4 vrf DATA
  network 192.168.42.0
  neighbor 172.16.4.9 remote-as 3292
  neighbor 172.16.4.9 transport path-mtu-discovery
  neighbor 172.16.4.9 activate
  neighbor 172.16.4.9 soft-reconfiguration inbound
exit-address-family
!
address-family ipv4 vrf VOICE
  network 192.168.41.0
  neighbor 172.16.4.5 remote-as 3292
  neighbor 172.16.4.5 transport path-mtu-discovery
  neighbor 172.16.4.5 activate
  neighbor 172.16.4.5 soft-reconfiguration inbound
exit-address-family
!
! EasyVPN client addresses are carved out of the DMZ subnet (Vlan1), above the DHCP
! class range (.2-.99); remote clients therefore look like DMZ hosts to the firewall.
ip local pool EZVPN-POOL 192.168.40.100 192.168.40.120
ip forward-protocol nd
! Management web UI disabled on both HTTP and HTTPS.
no ip http server
no ip http secure-server
!
!
! The router answers DNS itself (it is the 'dns-server' in the DHCP pools and for VPN
! clients). NOTE(review): with no self-zone policy bound, this resolver is reachable on
! every interface including GigabitEthernet8.66 -- confirm that is acceptable.
ip dns server
! One overload rule per routing table (global, DATA, VOICE), all exiting via the
! DHCP-assigned address of GigabitEthernet8.66 and sharing the IP-TO-NAT list.
ip nat inside source list IP-TO-NAT interface GigabitEthernet8.66 overload
ip nat inside source list IP-TO-NAT interface GigabitEthernet8.66 vrf DATA overload
ip nat inside source list IP-TO-NAT interface GigabitEthernet8.66 vrf VOICE overload
! Default routes for the two VRFs leak into the global table via the upstream hop
! 192.168.146.1. That hop is itself RFC1918, so another NAT device presumably sits in
! front of this router and forwards the public address the 819 peers with.
ip route vrf DATA 0.0.0.0 0.0.0.0 GigabitEthernet8.66 192.168.146.1 global
ip route vrf VOICE 0.0.0.0 0.0.0.0 GigabitEthernet8.66 192.168.146.1 global
!         
! Split-tunnel list pushed to EasyVPN clients (group HW-CLIENT-GROUP45): only the DMZ
! subnet goes through the tunnel.
ip access-list extended EZVPN-ACL
permit ip 192.168.40.0 0.0.0.255 any
! DNS replies to the router's own resolver queries; referenced by INT2self-CM, which is
! currently not bound to any zone-pair.
ip access-list extended INT2self-ACL
permit udp any eq domain any gt 1023
! NAT list: traffic to private address space (inter-VRF links, VPN clients, the 819's
! LAN, the upstream hop) is left untranslated; sources in 192.168.40.0/21 (DMZ, VOICE,
! DATA, GUEST) and 192.168.48.0/23 are translated towards everything else.
ip access-list extended IP-TO-NAT
deny   ip any 10.0.0.0 0.255.255.255
deny   ip any 172.16.0.0 0.15.255.255
deny   ip any 192.168.0.0 0.0.255.255
permit ip 192.168.40.0 0.0.7.255 any
permit ip 192.168.48.0 0.0.1.255 any
!
!
!
control-plane
!
!
! Shortcut to the console of the embedded AP.
alias exec gotoap service-module wlan-ap 0 session
!
line con 0
no modem enable
length 45
width 142
line aux 0
! Async line: no exec is started on it, but 'transport input all' leaves every
! transport enabled; restrict it if the line is unused.
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
! NOTE(review): remote management is line-password only ('password Cisco', stored in
! cleartext and trivially guessable), the idle timeout is 8 hours, and 'transport
! input all' admits telnet, so credentials cross the network in the clear. No SSH
! setup ('ip ssh ...' or an RSA key) is visible in this listing. Recommended: a local
! user with 'login local', 'transport input ssh', a shorter 'exec-timeout' and an
! 'access-class' limiting sources to the management subnet.
line vty 0 4
exec-timeout 480 0
password Cisco
login
transport input all
!
scheduler allocate 20000 1000
! Time from the upstream hop, unauthenticated. Accurate time matters for the
! 'localtime' log timestamps and the DST rule configured above.
ntp server 192.168.146.1
!

Links