Posted by Chau Nguyen on January 1, 2009

In this lab I'm going to configure a VPN tunnel between R1 and R2. A firewall (A) sits between them and statically translates R1's address, so the tunnel has to go through NAT-T.
!R1
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 15.1.2.2
crypto ipsec transform-set T_SET esp-3des esp-sha-hmac
access-list 102 per ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
crypto map MY_MAP 10 ipsec-isakmp
 match address 102
 set peer 15.1.2.2
 set transform-set T_SET
int e0/0
 crypto map MY_MAP
!R2
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 192.0.0.1
crypto ipsec transform-set T_SET esp-3des esp-sha-hmac
access-list 102 per ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
crypto map MY_MAP 10 ipsec-isakmp
 match address 102
 set peer 192.0.0.1
 set transform-set T_SET
int e0/0
 crypto map MY_MAP
!A
static (inside,outside) 192.0.0.1 15.1.1.1
access-list 103 per esp host 15.1.2.2 host 192.0.0.1
access-list 103 per udp host 15.1.2.2 host 192.0.0.1 eq 500
access-list 103 per udp host 15.1.2.2 host 192.0.0.1 eq 4500
access-group 103 in int outside
sysopt connection permit-vpn
Posted in Security
Posted by Chau Nguyen on January 1, 2009

This lab is a site-to-site VPN in which the outside router (R2) initiates the VPN tunnel to the ASA in order to gain access to the inside network.
!R2
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
crypto isakmp key cisco address 15.1.2.10
crypto ipsec transform-set T_SET esp-3des esp-sha-hmac
access-list 102 per ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
crypto map MY_MAP 10 ipsec-isakmp
 match address 102
 set peer 15.1.2.10
 set transform-set T_SET
int e0/0
 crypto map MY_MAP
!ASA
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
crypto isakmp key cisco address 15.1.2.2
crypto ipsec transform-set T_SET esp-3des esp-sha-hmac
access-list 102 per ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map MY_MAP 10 ipsec-isakmp
crypto map MY_MAP 10 match address 102
crypto map MY_MAP 10 set peer 15.1.2.2
crypto map MY_MAP 10 set transform-set T_SET
crypto map MY_MAP int outside
crypto isakmp enable outside
sysopt connection permit-vpn
Posted in Security
Posted by Chau Nguyen on December 31, 2008

In this lab, I'm going to configure a site-to-site VPN between two routers with an ASA in the middle.
!R1
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 15.1.2.2
crypto ipsec transform-set T_SET esp-3des esp-sha-hmac
access-list 102 per ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
crypto map MY_MAP 10 ipsec-isakmp
 match address 102
 set peer 15.1.2.2
 set transform-set T_SET
int e0/0
 crypto map MY_MAP
!R2
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 15.1.1.1
crypto ipsec transform-set T_SET esp-3des esp-sha-hmac
access-list 102 per ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
crypto map MY_MAP 10 ipsec-isakmp
 match address 102
 set peer 15.1.1.1
 set transform-set T_SET
int e0/0
 crypto map MY_MAP
!ASA
access-list 103 per esp host 15.1.2.2 host 15.1.1.1
access-list 103 per udp host 15.1.2.2 host 15.1.1.1 eq 500
access-group 103 in int outside
sysopt connection permit-vpn
Posted in Security
Posted by Chau Nguyen on December 15, 2008

In this lab, I will demonstrate how to create two contexts, C-1 and C-2, on an ASA/PIX. Each context represents a virtual firewall, and the contexts are independent of each other, so we can assign a different administrator to each one to log in and manage that virtual firewall's policy the way they want.
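The author's lab configuration for this post is not on the page, so here is an added example (not the author's config) of a minimal two-context setup in the style of the labs above: the system execution space carves up the ports and creates the contexts, and each context then gets its own interfaces, its own policy and its own local administrator. The port names, VLAN ids, IP addresses, the mapped interface names, the c1admin user and the disk0:/ file names are all assumptions; the passwords are placeholders.

```cisco
! === System execution space ===
! Switch the appliance to multiple-context mode (this reloads it once).
mode multiple
!
! Physical ports and VLAN subinterfaces are defined here and then handed
! to the contexts. Port names, VLAN ids and addresses are constructed.
interface Ethernet0/0
 no shutdown
interface Ethernet0/0.11
 vlan 11
interface Ethernet0/0.12
 vlan 12
interface Ethernet0/1
 no shutdown
interface Ethernet0/1.21
 vlan 21
interface Ethernet0/1.22
 vlan 22
interface Management0/0
 no shutdown
!
! The admin context is where the firewall administrator logs in; it is
! the only context from which you can change to the system space.
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
! Context C-1: its own interfaces, its own startup file, its own policy.
! The mapped names hide the real port names from the C-1 administrator.
context C-1
 description Virtual firewall C-1
 allocate-interface Ethernet0/0.11 c1-outside
 allocate-interface Ethernet0/1.21 c1-inside
 config-url disk0:/C-1.cfg
!
context C-2
 description Virtual firewall C-2
 allocate-interface Ethernet0/0.12 c2-outside
 allocate-interface Ethernet0/1.22 c2-inside
 config-url disk0:/C-2.cfg
!
! === Inside context C-1 (reached with: changeto context C-1) ===
! Everything below is C-1's own configuration; C-2 gets the equivalent
! with its own addresses and its own local administrator account.
hostname C-1
interface c1-outside
 nameif outside
 security-level 0
 ip address 15.1.1.10 255.255.255.0
interface c1-inside
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Local administrator for this context only. The C-2 administrator has
! no account here, so cannot see or change C-1's policy. (SSH also
! needs an RSA key pair generated from inside this context.)
enable password C1-ENABLE-PASSWORD-PLACEHOLDER
username c1admin password C1-ADMIN-PASSWORD-PLACEHOLDER privilege 15
aaa authentication ssh console LOCAL
ssh 10.1.1.0 255.255.255.0 inside
```

From the admin context, changeto context C-1 moves the CLI into the context and changeto system moves back; show mode and show context confirm that the box is in multiple mode and which interfaces each context was allocated.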
Posted in Security
Posted by Chau Nguyen on November 21, 2008

When configuring a floating static route, we have to be aware of how frame relay is configured on the interface. If frame relay is configured on the main interface (s2/0) or on a point-to-multipoint subinterface (s2/0.1 point-to-multipoint), then when the neighbor goes down our router cannot detect it, so it cannot bring the frame relay interface's line protocol down. If the line protocol does not go down, the router cannot remove the routes through the frame relay interface from the routing table. The result is that our router cannot use the other path, because the path through frame relay is still installed in the routing table.
We have a couple of ways to solve the frame relay problem:
- Tracking + SLA
- GRE or IPIP tunneling
- Configure frame relay under sub-interface with point-to-point option.
- Replace the floating static route with a dynamic routing protocol such as OSPF, EIGRP, RIP…
Posted in Frame Relay
Posted by Chau Nguyen on November 21, 2008

R4#
ip route 5.5.5.0 255.255.255.0 15.1.145.5 40
ip route 5.5.5.0 255.255.255.0 15.1.45.5 45
interface s2/0.1 point-to-point
 ip address 15.1.145.4 255.255.255.0
 frame-relay interface-dlci 405
 backup interface s2/1
R5#
ip route 5.5.5.0 255.255.255.0 15.1.145.4 40
ip route 5.5.5.0 255.255.255.0 15.1.45.4 45
interface s2/0.1 point-to-point
 ip address 15.1.145.5 255.255.255.0
 frame-relay interface-dlci 504
 backup interface s2/2
Posted in Frame Relay
Posted by Chau Nguyen on November 21, 2008

R4#
ip route 5.5.5.0 255.255.255.0 15.1.145.5 40
ip route 5.5.5.0 255.255.255.0 15.1.45.5 45
interface tunnel 0
 tunnel source 15.1.145.4
 tunnel destination 15.1.145.5
 tunnel mode gre
 keepalive 1 3
 backup interface s2/1
R5#
ip route 5.5.5.0 255.255.255.0 15.1.145.4 40
ip route 5.5.5.0 255.255.255.0 15.1.45.4 45
interface tunnel 0
 tunnel source 15.1.145.5
 tunnel destination 15.1.145.4
 tunnel mode gre
 keepalive 1 3
 backup interface s2/2
Posted in Frame Relay
Posted by Chau Nguyen on November 21, 2008

Tracking and SLA will be our tool set to detect whether the neighbor is up or down.
R4#
ip route 5.5.5.0 255.255.255.0 15.1.145.5 40 track 10
ip route 5.5.5.0 255.255.255.0 15.1.45.5 45
track 10 rtr 20
ip sla monitor 20
 type echo protocol ipIcmpEcho 15.1.0.5
 timeout 2000
 frequency 3
ip sla monitor schedule 20 start-time now
Some commands to verify:
show track 10
show track brief
sh ip sla monitor statistic
sh ip sla monitor operation-state
Posted in Frame Relay
Posted by Chau Nguyen on November 20, 2008
Here is the configuration and a small script that can run SecureCRT from GNS3 console/telnet.
start C:\progra~1\SecureCRT\SecureCRT.EXE /script C:\progra~1\gns3\securecrt.vbs /arg %d /T /telnet %h %p
And here is the securecrt.vbs script you need to create:
#$Language = "VBScript"
#$Interface = "1.0"
Sub main
crt.window.caption = crt.arguments(0)
End Sub
You can also add a sleep to the command in your configuration:
start C:\progra~1\SecureCRT\SecureCRT.EXE /script C:\progra~1\gns3\securecrt.vbs /arg %d /T /telnet %h %p & sleep 1
You can grab the "sleep" Resource Kit utility from the Microsoft website:
http://www.microsoft.com/downloads/details.aspx?familyid=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en
Posted in Dynamips