Lab requirements:
1. Build the environment from the topology. The travelling staff member uses a real PC bridged to a router that connects to the ISP;
2. Travelling staff can reach VLAN2 on the headquarters intranet through PPTP and can reach the web server on the ISP;
3. An IPsec VPN is required between headquarters and the branch so that their traffic crosses the ISP securely: VLAN3 to VLAN4 uses 3DES encryption with MD5 hashing, VLAN3 to VLAN5 uses AES encryption with SHA hashing, and all other traffic uses DES encryption with MD5 hashing;
4. Ensure that the headquarters and branch intranets can reach the ISP.
Tutorial topology:
Tutorial steps:
1. Enable PAT at headquarters and the branch
GW1:
GW1(config)# ip nat inside source list 110 interface Serial1/0 overload
GW1(config)# access-list 110 deny ip 172.16.0.0 0.0.255.255 10.1.0.0 0.0.255.255
GW1(config)# access-list 110 permit ip 172.16.0.0 0.0.255.255 any
GW1(config)# ip route 0.0.0.0 0.0.0.0 Serial1/0
GW1(config)# interface Loopback0
GW1(config-if)# ip address 172.16.3.1 255.255.255.0
GW1(config-if)# ip nat inside
GW1(config)# interface Loopback1
GW1(config-if)# ip address 172.16.2.1 255.255.255.0
GW1(config-if)# ip nat inside
GW1(config)# interface Serial1/0
GW1(config-if)# ip address 201.1.1.2 255.255.255.0
GW1(config-if)# ip nat outside
GW2:
GW2(config)# ip nat inside source list 110 interface Serial1/0 overload
GW2(config)# access-list 110 deny ip 10.1.0.0 0.0.255.255 172.16.0.0 0.0.255.255
GW2(config)# access-list 110 permit ip 10.1.0.0 0.0.255.255 any
GW2(config)# ip route 0.0.0.0 0.0.0.0 Serial1/0
GW2(config)# interface Loopback0
GW2(config-if)# ip address 10.1.4.1 255.255.255.0
GW2(config-if)# ip nat inside
GW2(config)# interface Loopback1
GW2(config-if)# ip address 10.1.5.1 255.255.255.0
GW2(config-if)# ip nat inside
GW2(config)# interface Serial1/0
GW2(config-if)# ip address 202.1.1.2 255.255.255.0
GW2(config-if)# ip nat outside
Ping the server on the ISP:
R1# ping 200.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.5.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.3.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 168/253/400 ms
2. Establish an IPsec VPN between headquarters and the branch
Define the traffic from VLAN3 to VLAN4:
GW1(config)# access-list 101 permit ip 172.16.3.0 0.0.0.255 10.1.4.0 0.0.0.255
Define the traffic from VLAN3 to VLAN5:
GW1(config)# access-list 102 permit ip 172.16.3.0 0.0.0.255 10.1.5.0 0.0.0.255
Define all other traffic between the two sites:
GW1(config)# access-list 105 permit ip 172.16.0.0 0.0.255.255 10.1.0.0 0.0.255.255
IKE Phase 1:
GW1(config)# crypto isakmp policy 1
GW1(config-isakmp)# authentication pre-share
GW1(config-isakmp)# encryption 3des
GW1(config-isakmp)# group 1
GW1(config-isakmp)# hash md5
Pre-shared key and IKE Phase 2 transform sets:
GW1(config)# crypto isakmp key 0 cisco address 202.1.1.2
GW1(config)# crypto ipsec transform-set sovand esp-md5-hmac esp-3des // MD5 hash, 3DES encryption
GW1(config)# crypto ipsec transform-set cisco esp-sha-hmac esp-aes // SHA hash, AES encryption
GW1(config)# crypto ipsec transform-set hjw esp-md5-hmac esp-des // MD5 hash, DES encryption
Define the crypto map:
GW1(config)# crypto map ccnp 1 ipsec-isakmp
GW1(config-crypto-map)# match address 101 // traffic from VLAN3 to VLAN4
GW1(config-crypto-map)# set peer 202.1.1.2 // destination gateway
GW1(config-crypto-map)# set transform-set sovand // select the transform set (3DES/MD5)
GW1(config)# interface Serial1/0
GW1(config-if)# crypto map ccnp // apply the crypto map to the outside interface
GW1(config)# crypto map ccnp 2 ipsec-isakmp
GW1(config-crypto-map)# match address 102 // traffic from VLAN3 to VLAN5
GW1(config-crypto-map)# set peer 202.1.1.2 // destination gateway
GW1(config-crypto-map)# set transform-set cisco // select the transform set (AES/SHA)
GW1(config)# crypto map ccnp 3 ipsec-isakmp
GW1(config-crypto-map)# match address 105 // all other traffic between the sites
GW1(config-crypto-map)# set peer 202.1.1.2 // destination gateway
GW1(config-crypto-map)# set transform-set hjw // select the transform set (DES/MD5)
Make the matching configuration on GW2:
Define the traffic from VLAN4 to VLAN3:
GW2(config)# access-list 101 permit ip 10.1.4.0 0.0.0.255 172.16.3.0 0.0.0.255
Define the traffic from VLAN5 to VLAN3:
GW2(config)# access-list 102 permit ip 10.1.5.0 0.0.0.255 172.16.3.0 0.0.0.255
Define all other traffic between the two sites:
GW2(config)# access-list 105 permit ip 10.1.0.0 0.0.255.255 172.16.0.0 0.0.255.255
IKE Phase 1:
GW2(config)# crypto isakmp policy 1
GW2(config-isakmp)# authentication pre-share
GW2(config-isakmp)# encryption 3des
GW2(config-isakmp)# group 1
GW2(config-isakmp)# hash md5
Pre-shared key and IKE Phase 2 transform sets:
GW2(config)# crypto isakmp key 0 cisco address 201.1.1.2
GW2(config)# crypto ipsec transform-set sovand esp-md5-hmac esp-3des // MD5 hash, 3DES encryption
GW2(config)# crypto ipsec transform-set cisco esp-sha-hmac esp-aes // SHA hash, AES encryption
GW2(config)# crypto ipsec transform-set hjw esp-md5-hmac esp-des // MD5 hash, DES encryption
Define the crypto map:
GW2(config)# crypto map ccnp 1 ipsec-isakmp
GW2(config-crypto-map)# match address 101 // traffic from VLAN4 to VLAN3
GW2(config-crypto-map)# set peer 201.1.1.2 // destination gateway
GW2(config-crypto-map)# set transform-set sovand // select the transform set (3DES/MD5)
GW2(config)# interface Serial1/0
GW2(config-if)# crypto map ccnp // apply the crypto map to the outside interface
GW2(config)# crypto map ccnp 2 ipsec-isakmp
GW2(config-crypto-map)# match address 102 // traffic from VLAN5 to VLAN3
GW2(config-crypto-map)# set peer 201.1.1.2 // destination gateway
GW2(config-crypto-map)# set transform-set cisco // select the transform set (AES/SHA)
GW2(config)# crypto map ccnp 3 ipsec-isakmp
GW2(config-crypto-map)# match address 105 // all other traffic between the sites
GW2(config-crypto-map)# set peer 201.1.1.2 // destination gateway
GW2(config-crypto-map)# set transform-set hjw // select the transform set (DES/MD5)
Test whether the two sites can communicate through the VPN:
GW1# ping 10.1.4.1 source 172.16.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.4.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.3.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 216/237/260 ms
GW1# ping 10.1.5.1 source 172.16.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.5.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.3.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 168/253/400 ms
GW2# ping 172.16.3.1 source 10.1.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.4.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 196/275/384 ms
GW2# ping 172.16.3.1 source 10.1.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.5.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 212/252/288 ms
GW2# show crypto engine connections active

  ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
   1 Serial1/0       202.1.1.2       set    HMAC_MD5+3DES_56_C        0        0
2001 Serial1/0       202.1.1.2       set    3DES+MD5                  0        9
2002 Serial1/0       202.1.1.2       set    3DES+MD5                  9        0
2003 Serial1/0       202.1.1.2       set    AES+SHA                   0        9
2004 Serial1/0       202.1.1.2       set    AES+SHA                   9        0
The output shows that GW2 decrypted 9 packets and encrypted 9 packets with 3DES+MD5 (the VLAN3/VLAN4 pair, one inbound and one outbound IPsec SA), and likewise 9 and 9 with AES+SHA (the VLAN3/VLAN5 pair). Connection 1 is the IKE (ISAKMP) SA; no DES+MD5 SA appears because no "other" traffic has been sent yet.
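To make the matching rules of steps 1 and 2 concrete, here is an added Python model (not from the original tutorial) of GW1's NAT ACL 110 and crypto map ccnp: it applies Cisco wildcard masks, shows that the deny entry keeps site-to-site traffic out of PAT, and shows that the /16 catch-all entry must carry a higher sequence number than the /24 entries, otherwise it captures their traffic and they are never reached.

```python
import ipaddress

# Crypto map "ccnp" on GW1, as (sequence, crypto ACL entry, transform set).
# ACL entries are (src, src-wildcard, dst, dst-wildcard) with Cisco wildcard
# masks: a 0 bit must match, a 1 bit is "don't care".
GW1_CRYPTO_MAP = [
    (1, ("172.16.3.0", "0.0.0.255", "10.1.4.0", "0.0.0.255"), "sovand"),   # ACL 101: 3DES/MD5
    (2, ("172.16.3.0", "0.0.0.255", "10.1.5.0", "0.0.0.255"), "cisco"),    # ACL 102: AES/SHA
    (3, ("172.16.0.0", "0.0.255.255", "10.1.0.0", "0.0.255.255"), "hjw"),  # ACL 105: DES/MD5
]

# NAT ACL 110 on GW1: the deny keeps site-to-site traffic out of PAT so it
# still matches the crypto ACLs with its private addresses intact.
GW1_NAT_ACL = [
    ("deny", ("172.16.0.0", "0.0.255.255", "10.1.0.0", "0.0.255.255")),
    ("permit", ("172.16.0.0", "0.0.255.255", "0.0.0.0", "255.255.255.255")),  # "any"
]

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard comparison: ignore bits set in the wildcard, compare the rest."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & keep) == (n & keep)

def ace_match(src, dst, ace):
    src_net, src_wc, dst_net, dst_wc = ace
    return wildcard_match(src, src_net, src_wc) and wildcard_match(dst, dst_net, dst_wc)

def nat_action(src, dst, acl=GW1_NAT_ACL):
    """First-match ACL evaluation; the implicit deny at the end means 'not translated'."""
    for action, ace in acl:
        if ace_match(src, dst, ace):
            return action
    return "deny"

def crypto_map_entry(src, dst, cmap=GW1_CRYPTO_MAP):
    """The lowest sequence number whose crypto ACL matches wins, as IOS evaluates it."""
    for seq, ace, tset in sorted(cmap, key=lambda e: e[0]):
        if ace_match(src, dst, ace):
            return seq, tset
    return None

def classify(src, dst):
    """(translated by PAT?, transform set or None) for a packet leaving GW1 via Serial1/0."""
    entry = crypto_map_entry(src, dst)
    return (nat_action(src, dst) == "permit", entry[1] if entry else None)
```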
3. Configure PPTP
GW1(config)# vpdn enable
GW1(config)# vpdn-group cisco
GW1(config-vpdn)# accept-dialin
GW1(config-vpdn-acc-in)# protocol pptp
GW1(config-vpdn-acc-in)# virtual-template 1
GW1(config)# interface Virtual-Template 1
GW1(config-if)# ip unnumbered s0/0
GW1(config-if)# ppp authentication ms-chap
GW1(config-if)# ppp encrypt mppe auto // MPPE encryption, keyed from the MS-CHAP exchange
GW1(config-if)# peer default ip address pool sovand // assign dial-in clients addresses from the pool named sovand
GW1(config)# ip local pool sovand 172.16.100.1 172.16.100.255 // create the address pool
GW1(config)# username hsf-2011 privilege 15 password qwaszx
4. Create a VPN connection on the PC (a virtual machine is used to simulate it)
Create a virtual private network connection in Windows:
Start VPN Dialing:
View VPN status:
Test VPN access to the Intranet and Internet:
After testing, the VPN can access both the Intranet and the Internet.
This article is from the "Searching" blog. For more information, contact the author!