Xin chào ! Nếu đây là lần đầu tiên bạn đến với diễn đàn, xin vui lòng danh ra một phút bấm vào đây để đăng kí và tham gia thảo luận cùng VnPro.

Announcement

Collapse
No announcement yet.

Configuring IPSec Router−to−Router with NAT Overload and Cisco Secure VPN Client

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Configuring IPSec Router−to−Router with NAT Overload and Cisco Secure VPN Client

    Chào mọi người,

    Xin các sư huynh chỉ giúp !

    Cảm ơn nhiều.

  • #2
    Re: Configuring IPSec Router−to−Router with NAT Overload and Cisco Secure VPN Client

    Đây là một cấu hình từ CCO (not tested)

    1. Yêu cầu:

    - Một pool các Ip address để gán cho các VPN clients.
    - Một nhóm có tên "3000client" có preshare key là 'cisco123"

    2. Cấu hình:

    hostname HeadQuater

    !-- To enable extended authentication (Xauth) for user authentication,
    !-- enable the aaa authentication commands.
    !-- "Group local" specifies local user authentication.

    username pc1 password cisco123
    username 3000clients password cisco123

    aaa authentication login userauthen group local
    aaa authorization network groupauthor group local

    !-- Create an Internet Security Association and
    !-- Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.

    crypto isakmp policy 3
    encr des
    authentication pre-share
    group 2
    !-- Create the Phase 2 policy for actual data encryption.
    crypto ipsec transform-set myset esp-des esp-sha-hmac
    !
    !-- Create a dynamic map and
    !-- apply the transform set that was created above.

    crypto dynamic-map dynmap 10
    set transform-set myset
    !
    !-- Create the actual crypto map,
    !-- and apply the AAA lists that were created earlier.
    !--- Create a group that will be used to specify the WINS, DNS servers' address
    !--- to the client, along with the pre-shared key for authentication.

    crypto isakmp client configuration group 3000client
    key cisco123
    dns 192.168.100.100
    wins 192.168.100.100
    domain cisco.com
    pool ippool


    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap

    !

    interface serial0/0
    ip address 10.64.10.44 255.255.255.0
    crypto map clientmap


    !-- Create a pool of addresses to be assigned to the VPN Clients.

    ip local pool ippool 192.168.100.150 192.168.100.200
    ip route 0.0.0.0 0.0.0.0 10.64.10.43
    !

    Minh
    Đặng Quang Minh, CCIEx2#11897 (Enterprise Infrastructure, Wireless), DEVNET, CCSI#31417

    Email : dangquangminh@vnpro.org
    https://www.facebook.com/groups/vietprofessional/

    Comment


    • #3
      Re: Configuring IPSec Router−to−Router with NAT Overload and Cisco Secure VPN Client

      Linh:

      Cấu hình nguyên thủy của CCO.
      Đặng Quang Minh, CCIEx2#11897 (Enterprise Infrastructure, Wireless), DEVNET, CCSI#31417

      Email : dangquangminh@vnpro.org
      https://www.facebook.com/groups/vietprofessional/

      Comment


      • #4
        Re: Configuring IPSec Router−to−Router with NAT Overload and Cisco Secure VPN Client

        Chào mọi người,

        Với cấu hình anh Minh nói trên thì VPN Client login với username : 3000client password : cisco123.
        Mà hình như phải thêm :
        set peer 10.64.10.45
        match address 100
        access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255

        Thân.

        Comment


        • #5
          Đây là cấu hình cho Branch Office

          hostname branch

          !--Tạo ISAKMP policy
          crypto isakmp policy 10
          hash md5
          authentication pre-share
          crypto isakmp key cisco123 address 10.64.10.44
          crypto ipsec transform-set myset esp-des esp-md5-hmac
          crypto map mymap 10 ipsec-isakmp
          set peer 10.64.10.44
          set transform-set myset
          match address 100

          interface s0/0
          ip address 10.64.10.45 255.255.255.0
          crypto map mymap

          access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255

          Thân.

          Comment


          • #6
            Re: Configuring IPSec Router−to−Router with NAT Overload and Cisco Secure VPN Client

            Chào mọi người,

            Mô hình ở trên có thay đổi một chút cho giống với thực tế !!!

            Xin cảm ơn.

            Comment


            • #7
              Re: Configuring IPSec Router−to−Router with NAT Overload and Cisco Secure VPN Client

              Chào mọi người,

              Dưới đây là cấu hình đã được test chạy tốt với site-to-site transport mode.
              Nhưng vẫn còn problem với vpn client remote access !!!
              Xin các sư huynh chỉ giúp.


              Cau hinh host Headquarter

              hostname hq
              !
              !
              username cisco123 password 0 cisco123
              username 123cisco password 0 123cisco
              !
              crypto isakmp policy 5
              hash md5
              authentication pre-share
              crypto isakmp key cisco123 address 10.64.20.45
              crypto isakmp key 123cisco address 0.0.0.0
              crypto isakmp client configuration address-pool local test-pool
              !
              !
              crypto ipsec transform-set testset esp-des esp-md5-hmac
              mode transport
              !
              crypto dynamic-map test-dynamic 10
              set transform-set testset
              !
              crypto map test client configuration address initiate
              crypto map test client configuration address respond
              !
              crypto map test 5 ipsec-isakmp
              set peer 10.64.20.45
              set transform-set testset
              match address 115
              !
              crypto map test 10 ipsec-isakmp dynamic test-dynamic
              !
              interface FastEthernet0/0
              ip address 192.168.100.1 255.255.255.0
              no ip directed-broadcast
              ip nat inside
              duplex auto
              speed auto
              !
              interface Serial0/0
              ip address 10.64.10.44 255.255.255.0
              no ip directed-broadcast
              ip nat outside
              no fair-queue
              crypto map test
              !
              ip local pool test-pool 192.168.1.1 192.168.1.254
              ip nat inside source route-map nonat interface Serial0/0 overload
              ip classless
              ip route 0.0.0.0 0.0.0.0 10.64.10.43
              ip http server
              !
              access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
              access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
              access-list 110 permit ip 192.168.100.0 0.0.0.255 any
              access-list 115 deny ip any 192.168.100.0 0.0.0.255
              access-list 115 permit ip any any
              !
              route-map nonat permit 10
              match ip address 110



              Cau hinh host Internet

              hostname Internet
              !
              ip subnet-zero
              no ip domain-lookup
              !
              interface Ethernet0
              ip address 192.168.1.1 255.255.255.0
              interface Serial0
              ip address 10.64.20.42 255.255.255.0
              no fair-queue
              clockrate 64000
              !
              interface Serial1
              ip address 10.64.10.43 255.255.255.0
              clockrate 64000
              !
              ip classless
              ip route 10.64.10.0 255.255.255.0 Serial1
              ip route 10.64.20.0 255.255.255.0 Serial0
              no ip http server



              Cau hinh host Branch

              hostname Branch
              !
              !
              ip subnet-zero
              !
              !
              crypto isakmp policy 5
              hash md5
              authentication pre-share
              crypto isakmp key cisco123 address 10.64.10.44
              !
              !
              crypto ipsec transform-set testset esp-des esp-md5-hmac
              mode transport
              !
              crypto map test 5 ipsec-isakmp
              set peer 10.64.10.44
              set transform-set testset
              match address 115
              !
              !
              !
              interface Ethernet0
              ip address 192.168.200.1 255.255.255.0
              no ip directed-broadcast
              ip nat inside
              !
              interface Serial0
              ip address 10.64.20.45 255.255.255.0
              no ip directed-broadcast
              ip nat outside
              crypto map test
              !
              ip nat inside source route-map nonat interface Serial0 overload
              ip classless
              ip route 0.0.0.0 0.0.0.0 10.64.20.42
              !
              access-list 110 deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
              access-list 115 deny ip any 192.168.200.0 0.0.0.255
              access-list 115 permit ip any any
              route-map nonat permit 10
              match ip address 110

              Comment


              • #8
                Anh Minh ơi, cho em hỏi một chút ạ.
                Giữa 2 cái dynmap ở phần dưới nó có liên quan gì với nhau không ạ. Và ngoài cách cấu hình dynamic-map thì có thể có cách khác không hả anh.
                Thanks anh ^_^!
                crypto dynamic-map dynmap 10
                set transform-set myset
                !
                !-- Create the actual crypto map,
                !-- and apply the AAA lists that were created earlier.
                !--- Create a group that will be used to specify the WINS, DNS servers' address
                !--- to the client, along with the pre-shared key for authentication.

                crypto isakmp client configuration group 3000client
                key cisco123
                dns 192.168.100.100
                wins 192.168.100.100
                domain cisco.com
                pool ippool


                crypto map clientmap client authentication list userauthen
                crypto map clientmap isakmp authorization list groupauthor
                crypto map clientmap client configuration address respond
                crypto map clientmap 10 ipsec-isakmp dynamic dynmap

                Comment

                Working...
                X