
CISCO VPN Config Using Multiple Crypto Maps

Discussion in 'Other Cisco Equipment' started by DocLarge, Aug 15, 2007.

Thread Status:
Not open for further replies.
DocLarge (Super Moderator, Staff Member):

    Here's another addition to our growing library on CISCO configs. As always, thanks to Eric.Stewart (a.k.a. "MSN") for assisting me on this as I make my way through the CISCO curriculum...
    ........................................................................................................

    Phase I

    crypto isakmp enable
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800 (default)
    crypto isakmp identity address (specifies use of remote WAN IP)
    crypto isakmp key 1234 address 22.23.24.25 (Remote WAN IP)
    crypto isakmp keepalive 3600 (max. default)
    crypto ipsec df-bit clear (helps guard against packet loss)

    crypto isakmp enable
    crypto isakmp policy 20
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800 (default)
    crypto isakmp identity address (specifies use of remote WAN IP)
    crypto isakmp key 4321 address 25.24.23.22 (Remote WAN IP)
    crypto isakmp keepalive 3600 (max. default)
    crypto ipsec df-bit clear (helps guard against packet loss)


    Phase II

    crypto ipsec transform-set cisco esp-3des esp-sha-hmac
    crypto ipsec transform-set linksys esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800 (default)

    Now you need your access-lists. Let's assume 172.16.20.0 is your CISCO and 172.16.30.0 is the 1st vpn endpoint on the other side and 10.10.11.0 is your 2nd vpn endpoint:

    access-list 110 permit ip 172.16.20.0 0.0.0.255 172.16.30.0 0.0.0.255
    access-list 110 permit ip 172.16.20.0 0.0.0.255 10.10.11.0 0.0.0.255
    access-list 111 deny ip 172.16.20.0 0.0.0.255 172.16.30.0 0.0.0.255
    access-list 111 deny ip 172.16.20.0 0.0.0.255 10.10.11.0 0.0.0.255
    access-list 112 permit ip any any

    NOTE: Traffic you don't want to be NAT'd (a.k.a. "inspected") will be based on the "permit ip" statements; together with the "deny ip" statement, it should be interpreted to mean "let traffic pass through the tunnel (ACL-110)...but don't inspect it (ACL-111)." If I'm off on this translation, one of the more established CISCO dudes will chime in.

    Phase III

    Now you need to name your "crypto map" policy which is used to define "particular vpn tunnels:"

    crypto map baseline 110 ipsec-isakmp (110 is merely a sequence; 111, 112, and so on can be used for additional tunnels)
    set peer 22.23.24.25 (Remote WAN Public IP)
    match address 110 (pertains to ACL 110 which is allowed)
    set transform-set cisco (name established above)
    set pfs group2
    set security-association lifetime seconds 28800 (default)

    crypto map baseline 111 ipsec-isakmp
    set peer 25.24.23.22 (Remote WAN Public IP)
    match address 110 (pertains to ACL 110 which is allowed)
    set transform-set linksys (name established above)
    set pfs group2
    set security-association lifetime seconds 28800 (default)

    Phase IV

    You'll use "route-map nonat" to specify which subnets will "not" be NAT'd as they pass through the vpn tunnel:

    route-map nonat permit 10
    match ip address 112 (refers to ACL-112 which will "not" inspect the traffic)

    Phase V

    Apply "PAT" overloading to allow access to the internet:

    ip nat inside source route-map nonat interface Fa4 overload

    Overload turns on private address translation which basically allows you to utilize your private ip ranges (Class A, B, C) behind one public IP address.

    Phase VI

    Finally, apply your cryptomap to your WAN interface:

    Int Fa4
    crypto map baseline

    I did this in phases to make it easier to interpret; otherwise you can just type everything all together in sequence if you choose to.

    Jay
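A multi-peer crypto map like the one above is easy to get subtly wrong, so here is an added Python checker (not from the post, and not a Cisco tool) that cross-references each crypto map entry against its pre-shared key, transform-set and match ACL, flags legacy IKE/ESP algorithms, and warns when two entries match the same ACL. The sample config is constructed from the post in real IOS syntax, with the second peer's key deliberately omitted so that check fires.

```python
import re
from collections import Counter
# Constructed sample modelled on the forum post (in real IOS syntax); the second
# peer's "crypto isakmp key" is deliberately left out so that check fires.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption 3des
 group 2
crypto isakmp key 1234 address 22.23.24.25
crypto ipsec transform-set cisco esp-3des esp-sha-hmac
crypto ipsec transform-set linksys esp-3des esp-sha-hmac
access-list 110 permit ip 172.16.20.0 0.0.0.255 172.16.30.0 0.0.0.255
crypto map baseline 110 ipsec-isakmp
 set peer 22.23.24.25
 match address 110
 set transform-set cisco
crypto map baseline 111 ipsec-isakmp
 set peer 25.24.23.22
 match address 110
 set transform-set linksys
"""
LEGACY_ISAKMP = {"encryption des", "encryption 3des", "hash md5", "group 1", "group 2", "group 5"}
LEGACY_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}
def audit_crypto_maps(config):
    keyed = set(re.findall(r"^crypto isakmp key \S+ address (\S+)$", config, re.M))
    tsets = {n: set(a.split()) for n, a in re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M)}
    acls = set(re.findall(r"^access-list (\d+) ", config, re.M))
    findings = [f"legacy ISAKMP setting: {l.strip()}" for l in config.splitlines() if l.strip() in LEGACY_ISAKMP]
    entries, cur = [], None  # one dict per "crypto map <name> <seq>" entry
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            entries.append(cur := {"id": f"{m.group(1)} seq {m.group(2)}"})
        elif cur and (m := re.match(r"(set peer|match address|set transform-set) (\S+)", line)):
            cur[m.group(1)] = m.group(2)
    for e in entries:
        peer, acl, ts = e.get("set peer"), e.get("match address"), e.get("set transform-set")
        if peer not in keyed:
            findings.append(f"{e['id']}: no pre-shared key for peer {peer}")
        if ts not in tsets:
            findings.append(f"{e['id']}: transform-set {ts} is not defined")
        elif tsets[ts] & LEGACY_ESP:
            findings.append(f"{e['id']}: transform-set {ts} uses legacy ESP algorithms")
        if acl not in acls:
            findings.append(f"{e['id']}: match address ACL {acl} is not defined")
    # Entries are tried in sequence order and the first match wins, so a shared ACL leaves the later peer unused.
    for acl, n in Counter(e.get("match address") for e in entries).items():
        if n > 1:
            findings.append(f"ACL {acl} is matched by {n} entries; only the lowest sequence is ever used")
    return findings
```

Run against the sample it reports the missing key for 25.24.23.22, the 3DES transform-sets and ISAKMP settings, and the fact that both entries match ACL 110, which is the same pattern the post's Phase III uses.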
