l2l

I. Overview: In the actual work can often see a strong SSL VPN can bypass deployment, and support routing mode and NAT mode: Router mode requires intranet to VPN assigned address pool address can be router; NAT mode, VPN Client access intranet host, intranet host sees address as VPN interface address, Therefore, the address intranet of the VPN address pool is not required to be routed. If you want to test the way Cisco devices are deployed, test l2l

I. Overview:I received A friend's question in my blog. After phone communication, I learned the approximate situation:. the headquarters has a leased line to partner B. the partner side is not convenient to add a back-to-point route. When the Headquarters accesses the partner, PATC is implemented. now, if you want to connect the branch L2L VPN to the headquarters and PAT to the partner, the traffic from the branch to the partner is routed to the loopb

external interface to activate IKEv1)Crypto ikev1 policy 1 IKEv1 first-stage policy)Authentication pre-shareEncryption desHash shaGroup 1Lifectime 86400Telnet timeout 5Ssh timeout 5Console timeout 0Threat-detection basic-threatThreat-detection statistics access-listNo threat-detection statistics tcp-interceptWebvpnAnyconnect-essenessenTunnel-group 202.100.1.1 type ipsec-l2l tunnel-group configuration)Tunnel-group 202.100.1.1 ipsec-attributesIkev1 pre

A. Test topology Note: A.branch Router gns iOS for c7200-adventerprisek9-mz.152-4.s, download address: http://down.51cto.com/data/607191 B.centerasa is using a ASA8.42 VMware virtual machine. Two. Basic Configuration A.branch Router

1. Topology: 2. Basic configuration: A.R1: Interface fastethernet0/0 IP address 202.100.1.1 255.255.255.0 No shut Interface Loopback0 IP address 10.1.1.1 255.255.255.0 IP Route 0.0.0.0 0.0.0.0 202.100.1.2 B.R2: Interface fastethernet0/0

I. Test topology: 650) this. width = 650; "src =" http://www.bkjia.com/uploads/allimg/131227/0100563F4-0.jpg "title =" tuopu. JPG "/> Ii. Basic Configuration: A. R1Interface Loopback0Ip address 192.168.1.1 255.255.255.0Interface FastEthernet0/0Ip

A. Test topology: Two. Basic configuration: A.r1 Interface Loopback0 IP address 192.168.1.1 255.255.255.0 Interface fastethernet0/0 IP address 10.1.1.1 255.255.255.0 No shut B.r2 Interface ethernet0/0 IP address 10.1.1.2 255.255.255.0

A. Test topology: Reference Link: http://blog.sina.com.cn/s/blog_52ddfea30100gf4r.html Http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_vpn_ac_802_1x.html Two. Basic ideas: A. Branch offices Configure Site-to-site

1. Topology Map: Reference: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml ASA does not support GRE, but can run OSPF using unicast and can be encapsulated by ESP. 2. Interface

inet { Address 172.16.1.2/24; } } } } Routing-options { Static { Route 0.0.0.0/0 next-hop 200.1.2.1; } } Protocols { Ospf { Area 0.0.0.0 { Interface ge-0/0/1.0; Interface st0.0; } } } Security { Ike { Proposal L2L-P1-Proposal { Authentication-method pre-shared-keys; Dh-group group2; Authentication-algorithm md5; Encryption-algorithm 3des-cbc; } Policy L2L-P1-Policy { Mode main; Proposals

: ICMP: echo reply sent, src 202.100.1.5, dst 202.100.1.6 5. VPN configuration: A. Guangzhou headquarters Firewall: ① First-stage strategy:Crypto isakmp policy 10 Authentication pre-share Encryption des Hash md5 Group 2tunnel-group 202.100.1.6 type ipsec-l2l Tunnel-group 202.100.1.6 ipsec-attributes Pre-shared-key cisco Tunnel-group 202.100.1.10 type ipsec-l2l Tunnel-group 202.100.1.10 ipsec-attributes Pre

(create a security map equivalent to the ipsec policy of H3C) crypto map mymap 2 set pfs group1 crypto map mymap 2 set peer 202.106.0.100 branch sub-department interconnection with Group Headquarters crypto map mymap 2 set transform-set firstset crypto map mymap 2 set phase1-mode aggressive group1 crypto map mymap 10 mat Ch address 102 crypto map mymap 10 set pfs group1 crypto map mymap 10 set peer 202.106.100.100 sub-departments of the Branch are interconnected with the headquarters of the bra

I. Overview: After testing ASA8.4 's twice NAT solves the problem of duplication of VPN addresses, and the Internet does not conflict with the internal host, so want to see if the lower version of the Asa/pix can solve the same problem, In the GNS simulation PIX8.0 test, let a person very disappointed, although the PIX can solve the problem of address overlap, but also make the network behind is unable to connect the public network, the reason is actually similar to the router, can not adjust t

ASA/PIX: Load balancing between two ISP-options VERSION 7 Is it possible to load balance between two ISP links? Does the ASA support PBR (Policy Based Routing )? Does the ASA support secondary IP address on interfaces? What other options do we have? SLA RouteTracking PBR on the router outside the firewall Allowing outbound via ISP1 and inbound via ISP2 Allowing internet access via ISP1 and L2L vpn via ISP2 Multiple context mode Is it possible to load

When Cisco routers are routed first, when Nat first may be known, inside is routed first, outside is first Nat.Well, for Cisco ASA, it is not the case, most of the first to find the route if the data from inside, in both cases Nat will first route to confirm the interface. Did the purpose NAT conversion Static NAT session exists Once you know this feature, let's look at the following two cases CISCO ASA does not have PBR function, but it can still do two-line shunt

as needed C. Characteristics of utilization: ---NAT before IPSec VPN ---Routers have two ways to configure NAT, a traditional IP Nat inside/outside mode, a NAT Virtual Interface (NVI) way, configure IP NAT enable under the interface, two ways can coexist simultaneously ---can successfully do NAT first need to exist routing, another must be from the IP Nat inside interface, from the IP Nat outside interface, or from an IP Nat enable interface to enter from another IP NAT enable interface out

Compare numbers version1 and version2.If version1 > version2 return 1, if version1 version2 return-1, otherwise ret Urn 0.Assume that the version strings is non-empty and contain only digits and the.Character.The.Character does not represent a decimal point and was used to separate number sequences.For instance,2.5is not "both and a half" or "half-to-version three", it is the fifth Second-level revision of the second first-level re Vision.Here are an example of version numbers ordering:0.1 Main

1. Test topology: 2. Configuration: A.R1: ! Interface Configuration Interface Loopback0 IP Address 1.1.1.1 255.255.255.0 Interface fastethernet0/0 IP address 10.1.1.1 255.255.255.0 No shut ! Routing Configuration IP Route 0.0.0.0 0.0.0.0 10.1.1.10 B.site1 Firewall: ! Interface Configuration Interface GigabitEthernet0 Nameif Inside Security-level 100 IP address 10.1.1.10 255.255.255.0 No shut Interface GigabitEthernet1 Nameif Outside Security-level 0 IP address 202.100.1.1

10000, Only client mode is supported.. Disabled by default, enabling method: crypto ISAKMP IPSec-over-TCP is used when IPSec over UDP is used in actual environments for non-conventional VPN communication or NAT-T. 2. NAT-T this method causes both parties to eventually use UDP 4500 port communication, Supports client and l2l. Disabled by default. Open Method: crypto ISAKMP nat-traversal 20. The default keepalives time is 20 seconds. 3. IPSec over UDP

: R1: R1 (config) # router ospf 110R1 (config-router) # net 1.1.1.0 0.0.255a 0R1 (config-router) # net 172.16.1.00.0.0.255 a 0 R3: R3 (config) # router ospf 110R3 (config-router) # net 3.3.3.0 0.0.0.255a 0R3 (config-router) # net 172.16.1.00.0.0.255 a 0 test: View OSPF neighbors: R1 # show ip ospf neighborNeighbor ID Pri State Dead Time Address Interface3.3. 3.3 0 FULL/-00:00:38 172.16.1.2 Tunnel0Ping test: R1 # ping 3.3.3.3 source 1.1.1.1Type escape sequence to abort. sending 5, 100-byte ICMP E