vpn
====================
Outside Router:
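! ---- IKEv1 phase 1 ----
! Policy 5 (AES-256 / SHA-256 / DH group 14) is offered ahead of the original
! policy 10 (3DES / default SHA-1 hash / DH group 2, all deprecated). Policy 10
! is kept only so a peer that still offers just policy 10 continues to match;
! remove it once the peer carries policy 5 too. SHA-256 is already in use in the
! transform sets below, so the platform supports it.
crypto isakmp policy 5
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
! 192.168.22.1 / 192.168.33.1 are the inside router's real addresses: the ASA
! only translates this router's own 192.168.55.1 and 192.168.66.1 (see its nat
! statements), so the peer identities here are untranslated.
! NOTE(review): both PSKs are short, stored in cleartext and published with this
! config -- treat them as burned and rotate. "password encryption aes" plus
! "key config-key password-encrypt" keeps them as type-6 in the running config.
crypto isakmp key vpnnatkey1 address 192.168.22.1
crypto isakmp key vpnpatkey1 address 192.168.33.1
!
! ---- IPsec phase 2 ----
! AES-256 sets are listed first in each crypto map; the esp-des sets (56-bit
! single DES) remain as the fallback the current peer negotiates.
crypto ipsec transform-set vpn-aes esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec transform-set vpn esp-des esp-sha256-hmac
 mode tunnel
! NOTE(review): AH authenticates the outer IP header, so "vpnpat" is not
! expected to survive the PAT the ASA applies on this path (NAT-T encapsulates
! ESP only). An ESP-only transport set is offered first; the AH set is left in
! place for the peer's existing configuration.
crypto ipsec transform-set vpnpat-aes esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec transform-set vpnpat ah-sha256-hmac esp-des
 mode transport
!
! "set pfs group2" is unchanged on purpose: the PFS group must match the peer
! exactly, so move both sides to group14 in the same change window.
crypto map vpnnat 10 ipsec-isakmp
 set peer 192.168.22.1
 set transform-set vpn-aes vpn
 set pfs group2
 match address vpnnattr
!
crypto map vpnpat 10 ipsec-isakmp
 set peer 192.168.33.1
 set transform-set vpnpat-aes vpnpat
 set pfs group2
 match address vpnpattr
!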
! Loopbacks stand in for the "protected" hosts behind this router; each one is
! the source/destination in exactly one of the three test paths.
! NOTE(review): 4.4.4.4 / 5.5.5.5 / 6.6.6.6 are not RFC 1918 addresses; fine in
! an isolated lab, but they collide with real Internet space if this is ever
! attached to a routed network.
interface Loopback4
 description vpndirect
 ip address 4.4.4.4 255.255.255.255
!
! Protected by crypto map vpnnat (1:1 static NAT on the ASA).
interface Loopback5
 description vpnnat
 ip address 5.5.5.5 255.255.255.255
!
! Protected by crypto map vpnpat (PAT on the ASA).
interface Loopback6
 description vpnpat
 ip address 6.6.6.6 255.255.255.255
!
! Unused ports are administratively down and carry no address -- correct
! hygiene for a lab device; keep them that way.
interface GigabitEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
! Link to ASA vpndirectin (192.168.44.2). No crypto map: this is the
! cleartext comparison path, so anything between 4.4.4.4 and 1.1.1.1 is
! visible on the wire.
interface GigabitEthernet0/4
 description vpndirect
 ip address 192.168.44.1 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
!
! Link to ASA vpnnatin (192.168.55.2). The ASA presents this address to the
! inside router as 192.168.22.3 (static NAT).
interface GigabitEthernet0/5
 description vpnnat
 ip address 192.168.55.1 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
 crypto map vpnnat
!
! Link to ASA vpnpatin (192.168.66.2). The ASA PATs this address to its own
! vpnpatout interface (192.168.33.2).
! NOTE(review): no inbound ACL on Gi0/5 or Gi0/6 -- acceptable only because
! the ASA filters what reaches them (see its vpn*out2in access-groups).
interface GigabitEthernet0/6
 description vpnpat
 ip address 192.168.66.1 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
 crypto map vpnpat
!
interface GigabitEthernet0/7
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
ip forward-protocol nd
!
! Management plane: HTTP/HTTPS servers disabled -- good; nothing here
! exposes a management service on the transit interfaces.
no ip http server
no ip http secure-server
! Host routes for the inside router's loopbacks, one per ASA path.
ip route 1.1.1.1 255.255.255.255 192.168.44.2
ip route 2.2.2.2 255.255.255.255 192.168.55.2
ip route 3.3.3.3 255.255.255.255 192.168.66.2
! Routes for the inside router's link subnets (needed for IKE/IPsec peering
! with 192.168.22.1 and 192.168.33.1).
! NOTE(review): 192.168.11.0 is /29 here, /30 on the ASA (192.168.11.2
! 255.255.255.252) and /22 on the inside router -- three different masks for
! one point-to-point link. The /29 still covers the /30, so this route works,
! but pick one mask and apply it everywhere.
ip route 192.168.11.0 255.255.255.248 192.168.44.2
ip route 192.168.22.0 255.255.255.248 192.168.55.2
ip route 192.168.33.0 255.255.255.252 192.168.66.2
!
! Crypto ACLs (proxy identities). They must be mirror images of the peer's.
! vpnnattr mirrors the inside router's "permit ip host 2.2.2.2 host 5.5.5.5".
ip access-list extended vpnnattr
 permit ip host 5.5.5.5 host 2.2.2.2
! The first entry mirrors the inside router's "permit ip host 3.3.3.3 host 6.6.6.6".
! NOTE(review): the second entry (interface-to-interface, transport mode) has no
! mirror on the inside router, and after the ASA's PAT the inside router sees
! this router as 192.168.33.2, not 192.168.66.1 -- so a phase-2 proposal for
! this pair is unlikely to be accepted. Remove it or add the matching entry on
! the peer if it is intentional.
ip access-list extended vpnpattr
 permit ip host 6.6.6.6 host 3.3.3.3
 permit ip host 192.168.66.1 host 192.168.33.1
!
!
===============================
Cisco ASA:
hostname ASA
domain-name test.com
! NOTE(review): these two hashes appear to be the ASA factory defaults (blank
! enable password and the login password "cisco"). Set real credentials -- and
! a management ACL if ssh/http are later enabled -- before this leaves the lab.
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
! Unused ports: shut, no nameif, no security-level, no address -- correct.
interface Ethernet0
 shutdown
 no nameif
 no security-level
 no ip address
!
! Three "outside" interfaces, one per test path, all at security-level 0 and
! all facing the inside router. With no "same-security-traffic permit
! inter-interface" configured, the ASA's default is to not forward between
! them, which keeps the three paths isolated from each other.
interface Ethernet1
 nameif vpndirectout
 security-level 0
 ip address 192.168.11.2 255.255.255.252
!
interface Ethernet2
 nameif vpnnatout
 security-level 0
 ip address 192.168.22.2 255.255.255.248
!
interface Ethernet3
 nameif vpnpatout
 security-level 0
 ip address 192.168.33.2 255.255.255.252
!
! Three "inside" interfaces (level 50) facing the outside router. Traffic
! initiated from these toward level 0 is allowed by security level; the
! reverse direction is controlled by the vpn*out2in access-groups below.
interface Ethernet4
 nameif vpndirectin
 security-level 50
 ip address 192.168.44.2 255.255.255.252
!
interface Ethernet5
 nameif vpnnatin
 security-level 50
 ip address 192.168.55.2 255.255.255.252
!
interface Ethernet6
 nameif vpnpatin
 security-level 50
 ip address 192.168.66.2 255.255.255.252
!
interface Ethernet7
 shutdown
 no nameif
 no security-level
 no ip address
!
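ftp mode passive
dns server-group DefaultDNS
 domain-name test.com
! Mapped (translated) address the outside router's 192.168.55.1 gets on the
! vpnnatout side; the inside router peers with this address.
object network vpnnatvip
 host 192.168.22.3
! Real addresses of the outside router on the two IPsec paths.
object network vpnnatinip
 host 192.168.55.1
object network vpnpatinip
 host 192.168.66.1
! Services a peer must be allowed to send to the outside router: ESP (tunnel
! payload), IKE (UDP/500), NAT-T (UDP/4500) and ICMP for path testing.
! The duplicate "object service udp500" (identical to vpnisakmp and referenced
! nowhere) was removed.
! NOTE(review): the vpnpat transform set uses AH (IP protocol 51), which is not
! in this group -- but AH cannot traverse the PAT on that path anyway, so the
! real fix is on the routers (drop AH), not here.
! NOTE(review): "service icmp" admits every ICMP type from the peer; narrow to
! echo / echo-reply if this is ever used outside a lab.
object service vpnesp
 service esp
object service svicmp
 service icmp
object service udp4500
 service udp destination eq 4500
object service vpnisakmp
 service udp destination eq isakmp
object-group service vpnservices
 service-object object vpnesp
 service-object object svicmp
 service-object object udp4500
 service-object object vpnisakmp
! Inbound filters on the outside interfaces, restricted to the single inside
! router peer and the outside router's REAL address (8.3+ ACLs match on
! untranslated addresses). Only these protocols reach the outside router.
access-list vpnpatout2in extended permit object-group vpnservices host 192.168.33.1 host 192.168.66.1
access-list vpnnatout2in extended permit object-group vpnservices host 192.168.22.1 host 192.168.55.1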
pager lines 24
mtu vpndirectout 1500
mtu vpnnatout 1500
mtu vpnpatout 1500
mtu vpndirectin 1500
mtu vpnnatin 1500
mtu vpnpatin 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
! vpnnat path: one-to-one static NAT. 192.168.55.1 appears to the inside
! router as 192.168.22.3, which is the peer/PSK address in its crypto config.
nat (vpnnatin,vpnnatout) source static vpnnatinip vpnnatvip
! vpnpat path: IKE (UDP/500) and NAT-T (UDP/4500) from 192.168.66.1 are pinned
! to the vpnpatout interface address so the inside router's peer and PSK
! address (192.168.33.2) stay stable; everything else gets dynamic PAT below.
nat (vpnpatin,vpnpatout) source static vpnpatinip interface service udp4500 udp4500
nat (vpnpatin,vpnpatout) source static vpnpatinip interface service vpnisakmp vpnisakmp
!
! NOTE(review): ESP has no ports, so its passage through this dynamic PAT
! depends on the routers detecting NAT and switching to NAT-T (UDP/4500).
! The AH transform set the routers offer on this path cannot traverse PAT at
! all, because AH integrity covers the translated outer IP header.
nat (vpnpatin,vpnpatout) after-auto source dynamic vpnpatinip interface
! Filter only the inbound direction on the outside interfaces; the inside
! (level 50) to outside (level 0) direction is permitted by security level.
access-group vpnnatout2in in interface vpnnatout
access-group vpnpatout2in in interface vpnpatout
=============
Inside Router:
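! ---- IKEv1 phase 1 ----
! Policy 5 (AES-256 / SHA-256 / DH group 14) is offered ahead of the original
! policy 10 (3DES / default SHA-1 hash / DH group 2, all deprecated). Policy 10
! is kept only so a peer that still offers just policy 10 continues to match;
! remove it once the peer carries policy 5 too. SHA-256 is already in use in the
! transform sets below, so the platform supports it.
crypto isakmp policy 5
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
! 192.168.22.3 is the ASA's static-NAT mapping of the outside router's
! 192.168.55.1; 192.168.33.2 is the ASA's vpnpatout interface, behind which
! the outside router's 192.168.66.1 is PATed. Both are translated identities,
! which is why they differ from the addresses the outside router configures.
! NOTE(review): both PSKs are short, stored in cleartext and published with this
! config -- treat them as burned and rotate. "password encryption aes" plus
! "key config-key password-encrypt" keeps them as type-6 in the running config.
crypto isakmp key vpnnatkey1 address 192.168.22.3
crypto isakmp key vpnpatkey1 address 192.168.33.2
!
! ---- IPsec phase 2 ----
! AES-256 sets are listed first in each crypto map; the esp-des sets (56-bit
! single DES) remain as the fallback the current peer negotiates.
crypto ipsec transform-set vpn-aes esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec transform-set vpn esp-des esp-sha256-hmac
 mode tunnel
! NOTE(review): AH authenticates the outer IP header, so "vpnpat" is not
! expected to survive the PAT the ASA applies on this path (NAT-T encapsulates
! ESP only). An ESP-only transport set is offered first; the AH set is left in
! place for the peer's existing configuration.
crypto ipsec transform-set vpnpat-aes esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec transform-set vpnpat ah-sha256-hmac esp-des
 mode transport
!
! "set pfs group2" is unchanged on purpose: the PFS group must match the peer
! exactly, so move both sides to group14 in the same change window.
crypto map vpnnat 10 ipsec-isakmp
 set peer 192.168.22.3
 set transform-set vpn-aes vpn
 set pfs group2
 match address vpnnattr
!
crypto map vpnpat 10 ipsec-isakmp
 set peer 192.168.33.2
 set transform-set vpnpat-aes vpnpat
 set pfs group2
 match address vpnpattr
!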
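! Loopbacks stand in for the "protected" hosts behind this router; each one is
! the source/destination in exactly one of the three test paths.
! NOTE(review): 1.1.1.1 / 2.2.2.2 / 3.3.3.3 are not RFC 1918 addresses; fine in
! an isolated lab, but they collide with real Internet space if this is ever
! attached to a routed network.
interface Loopback1
 description vpndirect
 ip address 1.1.1.1 255.255.255.255
!
! Protected by crypto map vpnnat.
interface Loopback2
 description vpnnat
 ip address 2.2.2.2 255.255.255.255
!
! Protected by crypto map vpnpat. Description corrected from "natpat" to match
! the crypto map, the Ethernet0/3 description and the outside router's naming.
interface Loopback3
 description vpnpat
 ip address 3.3.3.3 255.255.255.255
!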
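interface Ethernet0/0
 no ip address
 shutdown
!
! Link to ASA vpndirectout (192.168.11.2). No crypto map: cleartext
! comparison path.
! Mask corrected from 255.255.252.0 (/22) to /30: the directly attached ASA
! interface is 192.168.11.2 255.255.255.252, and the outside router's /29 route
! toward 192.168.11.0 still covers this /30. A /22 here made the router treat
! 192.168.8.0-192.168.11.255 as directly connected.
interface Ethernet0/1
 description vpndirect
 ip address 192.168.11.1 255.255.255.252
!
! Link to ASA vpnnatout (192.168.22.2); peers with 192.168.22.3 (the ASA's
! static-NAT address for the outside router).
interface Ethernet0/2
 description vpnnat
 ip address 192.168.22.1 255.255.255.248
 crypto map vpnnat
!
! Link to ASA vpnpatout (192.168.33.2); peers with the ASA interface address
! itself, since the outside router is PATed behind it.
interface Ethernet0/3
 description vpnpat
 ip address 192.168.33.1 255.255.255.252
 crypto map vpnpat
!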
ip forward-protocol nd
!
! Management plane: HTTP/HTTPS servers disabled -- good.
no ip http server
no ip http secure-server
! Host routes for the outside router's loopbacks via the matching ASA
! outside interface.
ip route 4.4.4.4 255.255.255.255 192.168.11.2
ip route 5.5.5.5 255.255.255.255 192.168.22.2
ip route 6.6.6.6 255.255.255.255 192.168.33.2
! Only the cleartext link subnet needs a route; on the other two paths the
! peer addresses (192.168.22.3, 192.168.33.2) sit on directly connected subnets.
ip route 192.168.44.0 255.255.255.252 192.168.11.2
!
! Crypto ACLs (proxy identities), mirror images of the outside router's
! loopback-to-loopback entries.
ip access-list extended vpnnattr
 permit ip host 2.2.2.2 host 5.5.5.5
! NOTE(review): the outside router's vpnpattr also carries
! "permit ip host 192.168.66.1 host 192.168.33.1"; there is no counterpart
! here, so that pair is asymmetric.
ip access-list extended vpnpattr
 permit ip host 3.3.3.3 host 6.6.6.6
!
========== Commands =========
! Verification, in the order a tunnel comes up: phase 1 (isakmp) first, then
! phase 2 (ipsec). On the PAT path, "show crypto isakmp sa" should show the
! peer on port 4500 once NAT-T has been negotiated.
show crypto ipsec sa
show crypto isakmp sa
! NOTE(review): debug output is CPU-heavy and prints peer identities; run it
! only while reproducing a failure and clear it with "undebug all".
debug crypto isakmp