Lesson 2 - Configuring Site-to-Site VPN + NAT Adjust

Discussion in 'Other Cisco Equipment' started by DocLarge, Jun 17, 2007.

Thread Status:
Not open for further replies.
  1. DocLarge (Super Moderator, Staff Member)

    ! ===============================================================
    ! Lesson 2 -- Configuring a Site-to-Site VPN to a Remote Site
    ! ===============================================================
    ! (remember, the remote site will set up the same information, but in reverse,
    ! for this to work...)
    ! Assume local network = 172.16.32.0/24, remote network = 192.168.0.0/24
    !----------------------------------
    ! Task 1: Configure Phase I Stuff
    !----------------------------------
    ! enable ISAKMP on your system
    crypto isakmp enable
    ! create an ISAKMP (Phase I) policy:
    crypto isakmp policy 10
    authentication pre-share
    encryption aes
    group 2
    hash sha
    lifetime 28800
    ! define how the VPN identifies itself (FQDN or IP address)
    crypto isakmp identity address
    ! define the preshared key back to the other VPN gateway (Breezy! in this case)
    crypto isakmp key <secretkey> address A.B.C.D
    !
    ! ----------------------------------
    ! Task 2: Configure Phase II Stuff
    ! ----------------------------------
    ! allow router to negotiate NAT-T
    crypto ipsec nat-transparency udp-encapsulation
    ! setup encryption cipher strength and hash
    crypto ipsec transform-set toBREEZY esp-aes esp-sha-hmac
    ! Configures global IPSec SA lifetime values used when negotiating IPSec security associations
    crypto ipsec security-association lifetime seconds 86400
    ! create an ACL which will define the traffic that will be protected by the VPN
    ! which in our case is source = 172.16.32.0/24 to destination = 192.168.0.0/24 (GuardTower to Breezy!)
    access-list 110 permit ip 172.16.32.0 0.0.0.255 192.168.0.0 0.0.0.255
    ! Define a crypto map which will define the security association to the other VPN gateway
    crypto map VPN-MAP 110 ipsec-isakmp
    match address 110
    set peer A.B.C.D
    set pfs group2
    set transform-set toBREEZY
    set security-association lifetime seconds 86400
    ! apply the crypto map to the outgoing interface
    ! and activate the IPSec policy...
    interface fastethernet4
    crypto map VPN-MAP
    ! ==========================================
    ! Task 3: Adjust NAT Configuration (3 steps)
    ! ==========================================
    ! This configuration is for inside interface =BVI1, outside =FastEthernet4
    ! It assumes that there already is a basic PAT config on the router
    !
    ! Step 1
    ! ---------------------
    ! Now we'll change your NAT config to use a route-map to define which traffic will and will not
    ! be NAT'd. deny=don't NAT; permit=do NAT
    ! We'll create an access list that defines this rule:
    !
    access-list 199 deny ip 172.16.32.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 199 permit ip 172.16.32.0 0.0.0.255 any
    !
    ! Step 2
    ! ---------------------
    ! Create a route map which, when applied to the NAT config, will prevent the source=your net / dest'n=my net
    ! traffic from being NAT'd. The access-list 199 defines this pattern:
    !
    route-map nonat permit 10
    match ip address 199
    !
    ! Step 3
    ! -----------------------
    ! Finally, apply the route map "nonat" to the PAT config so the site-to-site traffic *will not* be NAT'd
    ! but all other traffic will
    ! 1st, get rid of the old ip nat overload command....
    no ip nat inside source list 10 interface FastEthernet4 overload
    ! now, in with the new.....
    ip nat inside source route-map nonat interface FastEthernet4 overload
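An added consistency check for the two ACLs in the post (this is not DocLarge's configuration, and it is example code, not Cisco tooling): it parses the crypto ACL (110) and the NAT route-map ACL (199) and confirms that every flow the crypto map protects hits a `deny` in the NAT ACL before any `permit`, which is the condition that stops the PAT overload from rewriting the source address before the crypto map sees it. It assumes the extended-ACL syntax shown here plus the `any` and `host` keywords, and the ACL lines are constructed copies of the ones posted above.

```python
import ipaddress

# Constructed copies of the two access lists from the post.
CRYPTO_ACL = ["access-list 110 permit ip 172.16.32.0 0.0.0.255 192.168.0.0 0.0.0.255"]
NAT_ACL = [
    "access-list 199 deny ip 172.16.32.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "access-list 199 permit ip 172.16.32.0 0.0.0.255 any",
]


def _net(addr, wildcard):
    """IOS writes wildcard (inverted) masks; convert to a normal network."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_ace(line):
    """Parse 'access-list N <action> ip <src> [wc] <dst> [wc]' into (action, src, dst)."""
    tok = line.split()
    action, i, nets = tok[2], 4, []
    for _ in range(2):  # source, then destination
        if tok[i] == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0")); i += 1
        elif tok[i] == "host":
            nets.append(ipaddress.IPv4Network(tok[i + 1] + "/32")); i += 2
        else:
            nets.append(_net(tok[i], tok[i + 1])); i += 2
    return action, nets[0], nets[1]


def first_match(acl, src, dst):
    """Action of the first ACE covering src->dst; IOS ends every ACL with an implicit deny."""
    for line in acl:
        action, s, d = parse_ace(line)
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return "deny"


def check_nat_exemption(crypto_acl, nat_acl):
    """Every flow the crypto ACL permits must be denied (i.e. not NATed) by the NAT ACL."""
    problems = []
    for line in crypto_acl:
        action, s, d = parse_ace(line)
        if action == "permit" and first_match(nat_acl, s, d) != "deny":
            problems.append(f"{s} -> {d} is NATed before the crypto map can match it")
    return problems


if __name__ == "__main__":
    print(check_nat_exemption(CRYPTO_ACL, NAT_ACL) or "NAT exemption covers all VPN traffic")
```

Dropping the `deny` line from ACL 199, or listing it after the `permit ... any` line, is reported as a problem, which is the usual reason a tunnel comes up but no traffic passes.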
     