An example of how cisco implements dynamic vpn

Last Update:2018-05-29 Source: Internet

Author: User

Tags hmac domain lookup

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Recently, I have seen many vpn things and found that many manufacturers are paying attention to the implementation of Dynamic IP address-based vpn for small and medium-sized enterprises. Of course, cisco is no exception. In its ios12.3 (4) T, it began to support dynamic Address Resolution of vpnpeer. Now, in CiscoIOS12.3 (4) T, VPNpee is created based on the DNS name.

Recently, I have seen many vpn things and found that many manufacturers are paying attention to the implementation of Dynamic IP address-based vpn for small and medium-sized enterprises. Of course, cisco is no exception. In its ios 12.3 (4) T, it began to support dynamic address resolution vpn peer. Now, in Cisco IOS 12.3 (4) T, a VPN pee is created based on the DNS name.

Vpn has seen many things recently, and many manufacturers are paying attention to DynamicIP address of the vpn Implementation.

Of course, cisco is no exception. It is supported in its ios 12.3 (4) T. Dynamic.

Let's see Example

Now, the command for creating a VPN peer based on the DNS name is added to Cisco IOS 12.3 (4) T, with the help of xiwang (3322.org ),

Yes One DynamicIn the case of Site-to-Site VPN, you can change the configuration by yourself.

Headquarters: pix 525 adsl static IP address, internal IP address 168.98.0.0

Division: cisco 2621 adsl DynamicIp Address: internal ip address 168.98.1.0

Requirements, headquarters, branch, all VPN connections

Internet access is automatically established when the segment 168.98.1.0 accesses the CIDR Block 168.98.0.0 of the headquarters.

Headquarters Firewall Configuration:

: Saved

: Written by enable _

15 at 16:16:19. 510 UTC Sun J

Ul 25 2004

BIOS Version 6.3 (3)

Interface ethernet0 auto

Interface ethernet1 auto

Nameif ethernet0 outside security0

Nameif ethernet1 inside security100

Enable password 2KFQnbNIdI. 2 KYOU encrypted

Hostname pixfirewall

Domain-name localdomain

Fixup protocol dns maximum-length 512

Fixup protocol ftp 21

Fixup protocol h323 h225 1720

Fixup protocol h323 ras 1718-1719

Fixup protocol http 80

Fixup protocol rsh 514

Fixup protocol rtsp 554

Fixup protocol sip 5060

Fixup protocol sip udp 5060

Fixup protocol skinny 2000

Fixup protocol smtp 25

Fixup protocol sqlnet 1521

Fixup protocol tftp 69

Names

Object-group service http2 tcp

Port-object eq www

Port-object range 9080 9090

Access-list nonat permit ip 168.98.0.0 255.255.255.0 168.98.1.0 255.255.255.0

Pager lines 24

Mtu outgoing side 1500

Mtu inside 1500

Ip address outside a. B. c. d contains 255.255.128

Ip address inside 168.98.0.254 255.255.255.0

Ip audit info action alarm

Ip audit attack action alarm

No failover

Failover timeout 0:00:00

Failover poll 15

No failover ip address outside

No failover ip address inside

Pdm location 168.98.0.250 255.255.255.255 inside

Pdm location 168.98.1.0 255.255.255.0 outside

Pdm history enable

Arp timeout 14400

Global (outside) 1 interface

Nat (inside) 0 access-list nonat

Nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Conducting it permit icmp any

Conducting it permit tcp any object-group http2 any

Route outside 0.0.0.0 0.0.0.0 China Telecom gateway 1

Timeout xlate 3:00:00

Timeout conn 1:00:00

Half-closed 0:10:00 udp 0: 0

2: 00 rpc 0:10:00 h225 1:00:00

Timeout h323 0:05:00 mgcp 0:05:00 si

P 0:30:00 sip_media 0:02:00

Timeout uauth 0:05:00 absolute

Aaa-server TACACS + protocol tacacs +

Aaa-server RADIUS protocol radius

Aaa-server LOCAL protocol local

Http server enable

Http 168.98.0.250 255.255.255.255 inside

No snmp-server location

No snmp-server contact

Snmp-server community public

No snmp-server enable traps

Floodguard enable

Crypto ipsec transform-set router-se

T esp-des esp-md5-hmac

Crypto dynamic-map c

Isco 1 set transform-set rou

Ter-set

Crypto map dyn-map 1

0 ipsec-isakmp dynamic cisco

Crypto map dyn-map interface outside

Isakmp enable outside

Isakmp key cisco123 address 0.0.0.0

Netmask 0.0.0.0

Isakmp policy 10 authentication pre-share

Isakmp policy 10 encryption des

Isakmp policy 10 hash md5

Isakmp policy 10 group 1

Isakmp policy 10 lifetime 86400

Telnet 168.98.0.250

255.255.255 inside

Telnet timeout 5

Ssh timeout 5

Console timeout 0

Username pixuser pas

Sword 70BnAnxaMBm181Wa encry

Pted privilege 2

Terminal width 80

Cryptochecksum: a44fafd4f70dd9e548cd5

Fd61a6d20ff

: End

Vro configuration of the Branch:

!

Version 12.3:

Service timestamps debug datetime msec

Service timestamps log datetime msec

No service password-encryption

!

Hostname Router

!

Boot-start-marker

Boot-end-marker

!

Enable secret 5 $ s

PqPwW1GX. TXw8RGSHEvqa2.

!

No aaa new-model

Ip subnet-zero

!

!

!

!

No ip domain lookup

Ip audit Policy log

Ip: audit po max-events 100

Ip ssh break-string

Vpdn enable

!

Vpdn-group pppoe

Request-dialin

Protocol pppoe

!

No ftp-server write-enable

!

!

!

!

!

!

!

!

!

!

!

!

!

!

Crypto isakmp policy 1

Hash md5

Authentication pre-share

Crypto isakmp key cisco123 address

. B. c. d

!

!

Crypto ipsec transfo

Rm-set pix-set esp-des esp-m

D5-hmac

!

Crypto map pix 10 ipsec-isakmp

Set peer a. B. c. d

Set transform-set pix-set

Match address 101

!

!

!

!

!

!

!

Interface FastEthernet0/0

No ip address

Duplex auto

Speed auto

Pppoe enable

Pppoe-client dial-pool-number 1

!

Interface FastEthernet0/1

Ip address 168.98.1.254 255.255.255.0

Ip nat inside

Iptcp adjust-mss 1450

Duplex auto

Speed auto

!

Interface Dialer1

Ip address negotiated

Ip mtu 1492

Ip nat outside

Encapsulation ppp

Dialer pool 1

Dialer-group 1

Ppp pap sent-username ddd password 0 ddd

Crypto map pix

!

Ip nat inside source

Route-map nonat interface D

Ialer1 overload

Ip classless

Ip route 0.0.0.0 0.0.0.0 Dialer1

!

No ip http server

No ip http secure-server

!

!

Access-list 101 permit ip 168.98.1.0

0.0.0.255 168.98.0.0 0.0.0.255

Accesskeysecret 110 deny

Ip: 168.98.1.0 0.0.255 168

. 98.0.0 0.0.255

Access-list 110 permit ip 168.98.1.0

0.0.0.255 any

!

Route-map nonat permit 10

Matches ip address 110

!

!

!

Control-plane

!

!

!

!

!

!

!

!

!

Line con 0

Line aux 0

Line vty 0 4

Password cisco

Login

!

!

!

End

This is OneSite to site vpn ImplementationMany Chinese enterprises are also using software. ImplementationThese features also support mobile users.

In general, it is at the central point (the headquarters can also be DynamicIP address) Installation OneThe server version of the vpn software, and then install it on the remote lan OneVpn gateway. A mobile user installs a vpn mobile client.

But the speed is always OneThe bottleneck is measured by yourself.

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More