@gainskills
Last active May 31, 2018 08:34
vpn
====================
Outside Router:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key vpnnatkey1 address 192.168.22.1
crypto isakmp key vpnpatkey1 address 192.168.33.1
!
!
crypto ipsec transform-set vpn esp-des esp-sha256-hmac
mode tunnel
crypto ipsec transform-set vpnpat ah-sha256-hmac esp-des
mode transport
!
!
!
crypto map vpnnat 10 ipsec-isakmp
set peer 192.168.22.1
set transform-set vpn
set pfs group2
match address vpnnattr
!
crypto map vpnpat 10 ipsec-isakmp
set peer 192.168.33.1
set transform-set vpnpat
set pfs group2
match address vpnpattr
!
!
!
!
!
interface Loopback4
description vpndirect
ip address 4.4.4.4 255.255.255.255
!
interface Loopback5
description vpnnat
ip address 5.5.5.5 255.255.255.255
!
interface Loopback6
description vpnpat
ip address 6.6.6.6 255.255.255.255
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/4
description vpndirect
ip address 192.168.44.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/5
description vpnnat
ip address 192.168.55.1 255.255.255.252
duplex auto
speed auto
media-type rj45
crypto map vpnnat
!
interface GigabitEthernet0/6
description vpnpat
ip address 192.168.66.1 255.255.255.252
duplex auto
speed auto
media-type rj45
crypto map vpnpat
!
interface GigabitEthernet0/7
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 1.1.1.1 255.255.255.255 192.168.44.2
ip route 2.2.2.2 255.255.255.255 192.168.55.2
ip route 3.3.3.3 255.255.255.255 192.168.66.2
ip route 192.168.11.0 255.255.255.248 192.168.44.2
ip route 192.168.22.0 255.255.255.248 192.168.55.2
ip route 192.168.33.0 255.255.255.252 192.168.66.2
!
ip access-list extended vpnnattr
permit ip host 5.5.5.5 host 2.2.2.2
ip access-list extended vpnpattr
permit ip host 6.6.6.6 host 3.3.3.3
permit ip host 192.168.66.1 host 192.168.33.1
!
!
===============================
Cisco ASA:
hostname ASA
domain-name test.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1
nameif vpndirectout
security-level 0
ip address 192.168.11.2 255.255.255.252
!
interface Ethernet2
nameif vpnnatout
security-level 0
ip address 192.168.22.2 255.255.255.248
!
interface Ethernet3
nameif vpnpatout
security-level 0
ip address 192.168.33.2 255.255.255.252
!
interface Ethernet4
nameif vpndirectin
security-level 50
ip address 192.168.44.2 255.255.255.252
!
interface Ethernet5
nameif vpnnatin
security-level 50
ip address 192.168.55.2 255.255.255.252
!
interface Ethernet6
nameif vpnpatin
security-level 50
ip address 192.168.66.2 255.255.255.252
!
interface Ethernet7
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name test.com
object network vpnnatvip
host 192.168.22.3
object network vpnnatinip
host 192.168.55.1
object network vpnpatinip
host 192.168.66.1
object service vpnesp
service esp
object service svicmp
service icmp
object service udp4500
service udp destination eq 4500
object service vpnisakmp
service udp destination eq isakmp
object service udp500
service udp destination eq isakmp
object-group service vpnservices
service-object object vpnesp
service-object object svicmp
service-object object udp4500
service-object object vpnisakmp
access-list vpnpatout2in extended permit object-group vpnservices host 192.168.33.1 host 192.168.66.1
access-list vpnnatout2in extended permit object-group vpnservices host 192.168.22.1 host 192.168.55.1
pager lines 24
mtu vpndirectout 1500
mtu vpnnatout 1500
mtu vpnpatout 1500
mtu vpndirectin 1500
mtu vpnnatin 1500
mtu vpnpatin 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (vpnnatin,vpnnatout) source static vpnnatinip vpnnatvip
nat (vpnpatin,vpnpatout) source static vpnpatinip interface service udp4500 udp4500
nat (vpnpatin,vpnpatout) source static vpnpatinip interface service vpnisakmp vpnisakmp
!
nat (vpnpatin,vpnpatout) after-auto source dynamic vpnpatinip interface
access-group vpnnatout2in in interface vpnnatout
access-group vpnpatout2in in interface vpnpatout
=============
Inside Router:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key vpnnatkey1 address 192.168.22.3
crypto isakmp key vpnpatkey1 address 192.168.33.2
!
!
crypto ipsec transform-set vpn esp-des esp-sha256-hmac
mode tunnel
crypto ipsec transform-set vpnpat ah-sha256-hmac esp-des
mode transport
!
!
!
crypto map vpnnat 10 ipsec-isakmp
set peer 192.168.22.3
set transform-set vpn
set pfs group2
match address vpnnattr
!
crypto map vpnpat 10 ipsec-isakmp
set peer 192.168.33.2
set transform-set vpnpat
set pfs group2
match address vpnpattr
!
!
!
!
!
interface Loopback1
description vpndirect
ip address 1.1.1.1 255.255.255.255
!
interface Loopback2
description vpnnat
ip address 2.2.2.2 255.255.255.255
!
interface Loopback3
description natpat
ip address 3.3.3.3 255.255.255.255
!
interface Ethernet0/0
no ip address
shutdown
!
interface Ethernet0/1
description vpndirect
ip address 192.168.11.1 255.255.252.0
!
interface Ethernet0/2
description vpnnat
ip address 192.168.22.1 255.255.255.248
crypto map vpnnat
!
interface Ethernet0/3
description vpnpat
ip address 192.168.33.1 255.255.255.252
crypto map vpnpat
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 4.4.4.4 255.255.255.255 192.168.11.2
ip route 5.5.5.5 255.255.255.255 192.168.22.2
ip route 6.6.6.6 255.255.255.255 192.168.33.2
ip route 192.168.44.0 255.255.255.252 192.168.11.2
!
ip access-list extended vpnnattr
permit ip host 2.2.2.2 host 5.5.5.5
ip access-list extended vpnpattr
permit ip host 3.3.3.3 host 6.6.6.6
!
========== Commands =========
show crypto ipsec sa
show crypto isakmp sa
debug crypto isakmp
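As an added example (not part of this gist), the Python below cross-checks the three configs above with the relevant values transcribed into dictionaries: each router's ISAKMP key address must match its peer, the peers must line up once the ASA's static NAT and PAT of the outside router's addresses is applied, the crypto ACLs must mirror each other, and AH is flagged on a transform set that has to cross NAT, because AH covers the outer IP header and NAT-T encapsulates ESP only.

```python
# Added example (not the gist's own code): cross-check the crypto maps above.
# Values per crypto map, transcribed from the gist: crypto-map interface
# address, configured peer, "crypto isakmp key ... address", crypto ACL
# entries as (src, dst) pairs, and the transform set.
OUTSIDE_ROUTER = {
    "vpnnat": {"local": "192.168.55.1", "peer": "192.168.22.1", "key_addr": "192.168.22.1",
               "acl": [("5.5.5.5", "2.2.2.2")], "transform": "esp-des esp-sha256-hmac"},
    "vpnpat": {"local": "192.168.66.1", "peer": "192.168.33.1", "key_addr": "192.168.33.1",
               "acl": [("6.6.6.6", "3.3.3.3"), ("192.168.66.1", "192.168.33.1")],
               "transform": "ah-sha256-hmac esp-des"},
}
INSIDE_ROUTER = {
    "vpnnat": {"local": "192.168.22.1", "peer": "192.168.22.3", "key_addr": "192.168.22.3",
               "acl": [("2.2.2.2", "5.5.5.5")], "transform": "esp-des esp-sha256-hmac"},
    "vpnpat": {"local": "192.168.33.1", "peer": "192.168.33.2", "key_addr": "192.168.33.2",
               "acl": [("3.3.3.3", "6.6.6.6")], "transform": "ah-sha256-hmac esp-des"},
}
# ASA view: 192.168.55.1 is static-NATed to 192.168.22.3 (object vpnnatvip);
# 192.168.66.1 is PATed to the vpnpatout interface address 192.168.33.2.
ASA_NAT = {"192.168.55.1": "192.168.22.3", "192.168.66.1": "192.168.33.2"}


def check_map(name):
    """Return findings for one crypto map; an empty list means both sides agree."""
    out, ins = OUTSIDE_ROUTER[name], INSIDE_ROUTER[name]
    findings = []
    for side, cfg in (("outside", out), ("inside", ins)):
        if cfg["key_addr"] != cfg["peer"]:
            findings.append(f"{side}: isakmp key address {cfg['key_addr']} != peer {cfg['peer']}")
    if out["peer"] != ins["local"]:
        findings.append(f"outside peer {out['peer']} != inside interface {ins['local']}")
    translated = ASA_NAT.get(out["local"], out["local"])
    if ins["peer"] != translated:
        findings.append(f"inside peer {ins['peer']} != translated outside address {translated}")
    # Every ACE on one side needs its (dst, src) mirror on the other side.
    for src, dst in out["acl"]:
        if (dst, src) not in ins["acl"]:
            findings.append(f"crypto ACL entry {src}->{dst} has no mirror on the inside router")
    if out["transform"] != ins["transform"]:
        findings.append("transform sets differ")
    # AH authenticates the outer IP header, so translation breaks it; NAT-T wraps ESP only.
    if out["local"] in ASA_NAT and "ah-" in out["transform"]:
        findings.append("AH in transform set on a tunnel that crosses NAT/PAT")
    return findings


def check_all():
    """Map each crypto map name to its findings."""
    return {name: check_map(name) for name in OUTSIDE_ROUTER}
```

Run against these values it reports nothing for vpnnat, and for vpnpat it reports the outside router's second vpnpattr entry that has no mirror on the inside router plus the AH transform set on the PAT path.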