Recently I have been looking at a lot of VPN material, and I have noticed that many vendors are paying attention to VPNs for small and medium-sized enterprises that sit behind dynamic IP addresses. Cisco is no exception: starting with IOS 12.3(4)T it supports dynamic address resolution of the VPN peer, that is, a VPN peer can be created based on a DNS name. Combined with a dynamic DNS service such as xiwang (3322.org), this makes a dynamic site-to-site VPN possible. Below is one example; you can adapt the configuration yourself.
Headquarters: PIX 525 on ADSL with a static IP address; internal network 168.98.0.0/24.
Branch: Cisco 2621 on ADSL with a dynamic IP address; internal network 168.98.1.0/24.
Requirement: the VPN connection between headquarters and the branch is established automatically whenever the 168.98.1.0 segment accesses the headquarters network 168.98.0.0, while all other Internet access continues normally.
Headquarters firewall configuration:
: Saved
: Written by enable_15 at 16:16:19.510 UTC Sun Jul 25 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name localdomain
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service http2 tcp
  port-object eq www
  port-object range 9080 9090
access-list nonat permit ip 168.98.0.0 255.255.255.0 168.98.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside a.b.c.d 255.255.255.128
ip address inside 168.98.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 168.98.0.250 255.255.255.255 inside
pdm location 168.98.1.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
conduit permit tcp any object-group http2 any
route outside 0.0.0.0 0.0.0.0 <China Telecom gateway> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 168.98.0.250 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set router-set esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set router-set
crypto map dyn-map 10 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key cisco123 address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 168.98.0.250 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username pixuser password 70BnAnxaMBm181Wa encrypted privilege 2
terminal width 80
Cryptochecksum:a44fafd4f70dd9e548cd5fd61a6d20ff
: end
Branch router configuration:
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $sPqPwW1GX.TXw8RGSHEvqa2.
!
no aaa new-model
ip subnet-zero
!
no ip domain lookup
ip audit notify log
ip audit po max-events 100
ip ssh break-string
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address a.b.c.d
!
crypto ipsec transform-set pix-set esp-des esp-md5-hmac
!
crypto map pix 10 ipsec-isakmp
 set peer a.b.c.d
 set transform-set pix-set
 match address 101
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
 ip address 168.98.1.254 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1450
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp pap sent-username ddd password 0 ddd
 crypto map pix
!
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip 168.98.1.0 0.0.0.255 168.98.0.0 0.0.0.255
access-list 110 deny   ip 168.98.1.0 0.0.0.255 168.98.0.0 0.0.0.255
access-list 110 permit ip 168.98.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 110
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
end
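As an added audit example (not part of the original post), the following Python script cross-checks the two configurations above the way a reviewer would: the PIX nonat ACL must be the mirror of the branch crypto ACL 101, the deny entry of ACL 110 in route-map nonat must exempt exactly the tunnel traffic from NAT, the transform sets must agree, and the wildcard pre-shared key plus the DES/MD5/group 1 settings are flagged for replacement. The config excerpts are constructed from the page and trimmed to the lines the audit reads.

```python
import ipaddress
import re
# Constructed excerpts of the page's two configs (HQ PIX, branch IOS router), trimmed to the audited lines.
PIX_CFG = """\
access-list nonat permit ip 168.98.0.0 255.255.255.0 168.98.1.0 255.255.255.0
crypto ipsec transform-set router-set esp-des esp-md5-hmac
isakmp key cisco123 address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
"""
IOS_CFG = """\
crypto isakmp key cisco123 address a.b.c.d
crypto ipsec transform-set pix-set esp-des esp-md5-hmac
access-list 101 permit ip 168.98.1.0 0.0.0.255 168.98.0.0 0.0.0.255
access-list 110 deny   ip 168.98.1.0 0.0.0.255 168.98.0.0 0.0.0.255
access-list 110 permit ip 168.98.1.0 0.0.0.255 any
"""
ACL_RE = re.compile(r"access-list (\S+) (permit|deny)\s+ip (\S+) (\S+) (\S+)(?: (\S+))?")

def net(addr, mask, wildcard):
    """'addr mask' -> IPv4Network; IOS ACLs carry inverted (wildcard) masks, PIX real masks."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if wildcard:
        mask = ".".join(str(255 - int(o)) for o in mask.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def acl(cfg, name, action, wildcard):
    """Set of (src, dst) networks for the entries of one ACL with the given action."""
    return {(net(m[3], m[4], wildcard), net(m[5], m[6], wildcard))
            for m in ACL_RE.finditer(cfg) if m[1] == name and m[2] == action}

def audit(pix=PIX_CFG, ios=IOS_CFG):
    """Cross-check both sides of the tunnel and flag weak settings; returns a list of findings."""
    findings = []
    ts = [set(re.search(r"transform-set \S+ (.+)", c).group(1).split()) for c in (pix, ios)]
    if ts[0] != ts[1]:
        findings.append("transform-set mismatch between PIX and branch router")
    crypto = acl(ios, "101", "permit", True)  # what the branch sends through the tunnel
    if crypto != {(d, s) for s, d in acl(pix, "nonat", "permit", False)}:
        findings.append("PIX nonat ACL is not the mirror of branch crypto ACL 101")
    if acl(ios, "110", "deny", True) != crypto:  # route-map nonat must skip NAT for exactly that traffic
        findings.append("branch NAT exemption (ACL 110 deny) does not match crypto ACL 101")
    if re.search(r"isakmp key \S+ address 0\.0\.0\.0", pix):
        findings.append("wildcard pre-shared key on PIX: any host that knows the key can negotiate")
    for weak in ("encryption des", "hash md5", "group 1", "esp-des"):
        if re.search(rf"\b{weak}\b", pix):
            findings.append(f"weak algorithm in use: {weak}")
    return findings
```

On the page's own configuration the ACL and transform-set checks pass, so the only findings are the wildcard key and the four weak-algorithm lines.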
This is one implementation of a site-to-site VPN. Many Chinese enterprises also use software implementations, and these also support mobile users. In general, the server version of the VPN software is installed at the central site (the headquarters may itself have a dynamic IP address), a VPN gateway is installed on each remote LAN, and mobile users install a VPN mobile client. But speed is always a bottleneck; measure it yourself.