Created
December 19, 2018 13:24
-
-
Save gainskills/29bcf7b9c8bf2a8121e3ae6c8fcbdda5 to your computer and use it in GitHub Desktop.
IPSec Over Palo Alto FW Static NAT
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #---- R5 | |
| ! | |
| hostname LAN-R5 | |
| ! | |
| enable password kztest | |
| ! | |
| no ip domain lookup | |
| ip domain name kztest.com | |
| ! | |
| interface Loopback0 | |
| ip address 5.5.5.5 255.255.255.0 | |
| ! | |
| interface Ethernet0/0 | |
| ip address 10.0.56.5 255.255.255.0 | |
| ! | |
| interface Ethernet0/1 | |
| ip address 10.0.15.5 255.255.255.0 | |
| ! | |
| ip route 0.0.0.0 0.0.0.0 10.0.15.1 | |
| ip route 8.8.8.0 255.255.255.0 10.0.56.6 | |
| ! | |
| line con 0 | |
| exec-timeout 0 0 | |
| logging synchronous | |
| line aux 0 | |
| line vty 0 4 | |
| login local | |
| transport input ssh | |
| ! | |
| #--- R6 | |
| ! | |
| hostname LAN-R6 | |
| ! | |
| enable password kztest | |
| ! | |
| username kztest password 0 kztest | |
| ! | |
| no ip domain lookup | |
| ip domain name kz.com | |
| ! | |
| crypto isakmp policy 10 | |
| encr aes | |
| authentication pre-share | |
| group 2 | |
| crypto isakmp key kzvpnkey1 address 10.0.78.8 | |
| ! | |
| crypto ipsec transform-set kzvpnts1 esp-aes esp-sha-hmac | |
| mode tunnel | |
| ! | |
| crypto map kzPAnat 10 ipsec-isakmp | |
| set peer 10.0.78.8 | |
| set transform-set kzvpnts1 | |
| set pfs group2 | |
| match address kzvpnaddrs | |
| reverse-route | |
| ! | |
| interface Ethernet0/0 | |
| ip address 10.0.56.6 255.255.255.0 | |
| crypto map kzPAnat | |
| ! | |
| ip route 0.0.0.0 0.0.0.0 10.0.56.5 | |
| ! | |
| ip access-list extended kzvpnaddrs | |
| permit ip host 5.5.5.5 host 8.8.8.8 | |
| ! | |
| line con 0 | |
| exec-timeout 0 0 | |
| logging synchronous | |
| line aux 0 | |
| line vty 0 4 | |
| login local | |
| transport input ssh | |
| ! | |
| #--- R7 | |
| ! | |
| hostname Internet-R7 | |
| ! | |
| no ip domain lookup | |
| ! | |
| interface Ethernet0/0 | |
| ip address 10.0.78.7 255.255.255.0 | |
| ! | |
| line con 0 | |
| exec-timeout 0 0 | |
| logging synchronous | |
| ! | |
| #--- R8 | |
| ! | |
| hostname Internet-R8 | |
| ! | |
| enable password kztest | |
| ! | |
| no ip domain lookup | |
| ip domain name kz.com | |
| ! | |
| username kztest password 0 kztest | |
| ! | |
| crypto map kzPAnat 10 ipsec-isakmp | |
| set peer 10.0.17.3 | |
| set transform-set kzvpnts1 | |
| set pfs group2 | |
| match address vpn | |
| reverse-route | |
| ! | |
| interface Loopback0 | |
| ip address 8.8.8.8 255.255.255.0 | |
| ! | |
| interface Ethernet0/0 | |
| ip address 10.0.78.8 255.255.255.0 | |
| crypto map kzPAnat | |
| ! | |
| ip route 10.0.17.0 255.255.255.0 10.0.78.7 | |
| ! | |
| ip access-list extended vpn | |
| permit ip host 8.8.8.8 host 5.5.5.5 | |
| ! | |
| line con 0 | |
| exec-timeout 0 0 | |
| logging synchronous | |
| line aux 0 | |
| line vty 0 4 | |
| login local | |
| transport input ssh | |
| ! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment