This document describes the IPsec configuration between a router and a Cisco firewall. Traffic between the headquarters and the branch office uses private IP addresses; when users on the branch's local area network access the Internet, their addresses must be translated (NAT).
Network topology
Configuration
Define the traffic that is to be encrypted toward the router:
!--- Crypto ACL: traffic between the two private networks is encrypted toward the router
access-list IPSec permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!--- Traffic to the router is exempt from address translation (this ACL must cover the crypto ACL)
access-list Nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
ip address outside 172.17.63.213 255.255.255.240
ip address inside 10.1.1.1 255.255.255.0
!--- Single global address: inside hosts reaching the Internet are PATed to it
global (outside) 1 172.17.63.210
!--- nat 0 with an ACL: traffic to the router bypasses address translation
nat (inside) 0 access-list Nonat
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 172.17.63.209 1
!--- IPsec policy
!--- Let decrypted IPsec traffic bypass conduit/access-list checks on the outside interface
sysopt connection permit-ipsec
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
!--- Crypto map sequence number 10 is assumed; the page omits it
crypto map Forsberg 10 ipsec-isakmp
crypto map Forsberg 10 match address IPSec
crypto map Forsberg 10 set peer 172.17.63.230
crypto map Forsberg 10 set transform-set avalanche
crypto map Forsberg interface outside
!--- IKE policy
isakmp enable outside
isakmp key westernfinal2000 address 172.17.63.230 netmask 255.255.255.255
isakmp identity address
!--- ISAKMP policy priority 10 is assumed; the page omits it
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
: end
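As an added check, not part of the original configuration, the following Python script parses the firewall-side lines above and verifies two things a reviewer would want: that every crypto-ACL entry is also covered by the nat 0 exemption ACL (otherwise that traffic is translated first, never matches the crypto map, and leaves in the clear), and that the IKE/IPsec algorithm choices (DES, MD5, DH group 1 here) are flagged as weak. The sample config is constructed from the page's lines, normalized to lowercase PIX syntax with the sequence/priority numbers assumed.

```python
import ipaddress
import re

# Constructed sample: the firewall-side lines from this page, normalized to PIX syntax.
SAMPLE_CONFIG = """
access-list IPSec permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list Nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list Nonat
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto map Forsberg 10 match address IPSec
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
"""

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acls(config):
    """Map ACL name -> [(src_net, dst_net)] from 'access-list NAME permit ip ...' lines."""
    acls, pat = {}, re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
    for line in config.splitlines():
        m = pat.match(line.strip())
        if m:
            name, sa, sm, da, dm = m.groups()
            acls.setdefault(name, []).append((_net(sa, sm), _net(da, dm)))
    return acls

def uncovered_crypto_entries(config):
    """Crypto-ACL (src, dst) pairs no 'nat (if) 0 access-list' entry covers: they get NATed first."""
    acls = parse_acls(config)
    exempt = [e for m in re.finditer(r"^nat \(\S+\) 0 access-list (\S+)$", config, re.M)
              for e in acls.get(m.group(1), [])]
    crypto = [e for m in re.finditer(r"^crypto map \S+ \d+ match address (\S+)$", config, re.M)
              for e in acls.get(m.group(1), [])]
    return [(str(s), str(d)) for s, d in crypto
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)]

WEAK = {"des", "esp-des", "md5", "esp-md5-hmac"}  # single DES and MD5: not acceptable today
WEAK_GROUPS = {"1", "2"}                          # 768- and 1024-bit DH groups

def weak_algorithms(config):
    """Return the config lines that select known-weak IKE or IPsec algorithms."""
    hits = []
    for line in config.splitlines():
        w = line.strip().lower().split()
        if len(w) >= 5 and w[:2] == ["isakmp", "policy"] and (
                (w[3] in ("encryption", "hash") and w[4] in WEAK) or (w[3] == "group" and w[4] in WEAK_GROUPS)):
            hits.append(line.strip())
        elif len(w) >= 5 and w[:3] == ["crypto", "ipsec", "transform-set"] and any(x in WEAK for x in w[4:]):
            hits.append(line.strip())
    return hits
```

Running `uncovered_crypto_entries(SAMPLE_CONFIG)` on the page's config returns an empty list (the exemption matches), while `weak_algorithms(SAMPLE_CONFIG)` returns the four DES/MD5/group-1 lines.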
Branch Router
hostname Branch_router