topic Re: Need a help on Cisco IPSec Configuration in Network Security

Need a help on Cisco IPSec Configuration

kerimaksoy — Tue, 21 Jun 2022 10:28:20 GMT

I am trying to do an exercise on the Cisco Packet Tracer which is:

and the config steps are:

I am just new at Computer Networks and Cisco, so I wanted to ask if I did the all configurations correct or I need to change something on my config?

My Packet Tracer Topology:

Router0 config:

Router0(config)#int fa0/1
Router0(config-if)#ip add 10.100.0.1 255.255.0.0
Router0(config-if)#no shut
Router0(config)#int fa0/0
Router0(config-if)#ip add 30.100.0.1 255.255.0.0
Router0(config-if)#no shut
Router0(config)#ip route 0.0.0.0 0.0.0.0 30.100.0.2
Router0(config)#access-list 100 permit ip 10.100.0.0 0.0.255.255 20.200.0.0 0.0.255.255
Router0(config)#crypto isakmp policy 10
Router0(config-isakmp)#encryption aes 256
Router0(config-isakmp)#authentication pre-share
Router0(config-isakmp)#group 5
Router0(config)#crypto isakmp key secretkey address 30.100.0.2
Router0(config)#crypto ipsec transform-set R0-R1 esp-aes 256 esp-sha-hmac
Router0(config)#crypto map IPSEC-MAP 10 ipsec-isakmp 
Router0(config-crypto-map)#set peer 30.100.0.2
Router0(config-crypto-map)#set pfs group5
Router0(config-crypto-map)#set security-association lifetime seconds 86400
Router0(config-crypto-map)#set transform-set R0-R1 
Router0(config-crypto-map)#match address 100
Router0(config)#int fa0/0
Router0(config-if)#crypto map IPSEC-MAP
Router0(config)#access-list 120 permit tcp 10.100.0.0 0.0.255.255 host 20.200.0.10 eq 80

Router1 Config:

Router1(config)#int fa0/0
Router1(config-if)#ip add 30.100.0.2 255.255.0.0
Router1(config-if)#no shut
Router1(config)#int fa0/1
Router1(config-if)#ip add 20.200.0.1 255.255.0.0
Router1(config-if)#no shut
Router1(config)#ip route 0.0.0.0 0.0.0.0 30.100.0.1
Router1(config)#access-list 100 permit ip 20.200.0.0 0.0.255.255 10.100.0.0 0.0.255.255
Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encryption aes 256
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#group 5
Router1(config)#crypto isakmp key secretkey address 30.100.0.1
Router1(config)#crypto ipsec transform-set R1-R0 esp-aes 256 esp-sha-hmac
Router1(config)#crypto map IPSEC-MAP 10 ipsec-isakmp 
Router1(config-crypto-map)#set peer 30.100.0.1
Router1(config-crypto-map)#set pfs group5
Router1(config-crypto-map)#set security-association lifetime seconds 86400
Router1(config-crypto-map)#set transform-set R1-R0 
Router1(config-crypto-map)#match address 100
Router1(config)#int fa0/0
Router1(config-if)#crypto map IPSEC-MAP

Re: Need a help on Cisco IPSec Configuration

MHM Cisco World — Tue, 21 Jun 2022 09:35:14 GMT

error in ACL of R0
Router0(config)#crypto isakmp policy 10
Router0(config-isakmp)#encryption aes 256
Router0(config-isakmp)#authentication pre-share
Router0(config-isakmp)#group 5
Router0(config)#crypto isakmp key secretkey address 30.100.0.2
Router0(config)#crypto ipsec transform-set R0-R1 esp-aes 256 esp-sha-hmac
Router0(config)#crypto map IPSEC-MAP 10 ipsec-isakmp 
Router0(config-crypto-map)#set peer 30.100.0.2
Router0(config-crypto-map)#set pfs group5
Router0(config-crypto-map)#set security-association lifetime seconds 86400
Router0(config-crypto-map)#set transform-set R0-R1 
Router0(config-crypto-map)#match address 100
Router0(config)#int fa0/0 
Router0(config-if)#ip add 30.100.1

Router0(config-if)#crypto map IPSEC-MAP

Router0(config)#access-list 120 permit tcp 10.100.0.0 0.0.255.255 host 20.100.0.10 eq 80

Re: Need a help on Cisco IPSec Configuration

balaji.bandi — Tue, 21 Jun 2022 09:36:42 GMT

high leve that should work - make sure on Router 0 the ACL should allow 10.x.xx network towards 20.x.x network

below one.

Router0(config)#access-list 120 permit tcp 30.100.0.0 0.0.255.255 host 10.100.0.10 eq 80

we take this as no NAT involved, so routing in place, so should work as expected, if any issue post what is the issues.

also refer example config and understand each steps :

https://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html

Re: Need a help on Cisco IPSec Configuration

kerimaksoy — Tue, 21 Jun 2022 10:17:34 GMT

I forget to write some of the commands of Router0 in the first time, So I edited them and change the last ACL as you said. Is that now fully correct configuration for my exercise?

But also now I figured that I don't have any interfaces or host with IP "20.100.0.10" which you wrote. Whydid you write that IP address?

Re: Need a help on Cisco IPSec Configuration

kerimaksoy — Tue, 21 Jun 2022 10:13:17 GMT

Thanks for your reply, I edited my configuration. Is that now fully correct configuration for my exercise?

Re: Need a help on Cisco IPSec Configuration

balaji.bandi — Tue, 21 Jun 2022 10:19:56 GMT

as per the task R2 and R3 ( not sure you have big network diagram) - so correct.

task says allow branch to h1 allow any, and only internet http to H1.

Re: Need a help on Cisco IPSec Configuration

MHM Cisco World — Tue, 21 Jun 2022 10:24:09 GMT

sorry for ACL but for the tunnel to be UP you need to pass traffic between the two site,
I correct the ACL 120 because it wrong and it can cause the traffic drop and not make tunnel UP

Re: Need a help on Cisco IPSec Configuration

kerimaksoy — Tue, 21 Jun 2022 10:30:05 GMT

Thank you so much for your help, So I just wanted to ask is the edited configuration now fully correct?

I can't be sure because its my first time to configure that many thing together 🙂

Re: Need a help on Cisco IPSec Configuration

kerimaksoy — Tue, 21 Jun 2022 10:32:42 GMT

Router0(config)#access-list 120 permit tcp 10.100.0.0 0.0.255.255 host 20.200.0.10 eq 80

with that command aren't we allow only internet http to H1?

for the allow any from branch to h1 I don't know the correct command so can you help me about it, please? 🙂

Re: Need a help on Cisco IPSec Configuration

MHM Cisco World — Tue, 21 Jun 2022 11:25:18 GMT

Can you share full edit config to make double check.

Re: Need a help on Cisco IPSec Configuration

balaji.bandi — Tue, 21 Jun 2022 11:38:11 GMT

i would suggest to read the document above posted and undertand the concept.(this is very important for learning part)

Re: Need a help on Cisco IPSec Configuration

kerimaksoy — Tue, 21 Jun 2022 11:50:15 GMT

Uhmm, I don't know how to share full edit config 😞

I edited my post with the last changes which you wrote to me, isn't that full edit?

Re: Need a help on Cisco IPSec Configuration

kerimaksoy — Tue, 21 Jun 2022 13:03:19 GMT

I read all of it so, just adding the following configuration will be enough?

Router1(config)# ip nat inside source list 100 interface fastethernet0/0 overload

Router1(config)# access-list 100 remark -=[Define NAT Service]=-

Router1(config)# access-list 100 deny ip 10.100.0.0 0.0.255.255 20.200.0.0 0.0.255.255

Router1(config)# access-list 100 permit ip 10.100.0.0 0.0.255.255 any

Router1(config)# access-list 100 remark

Router2(config)# ip nat inside source list 100 interface fastethernet0/0 overload

Router2(config)# access-list 100 remark -=[Define NAT Service]=-

Router2(config)# access-list 100 deny ip 20.200.0.0 0.0.255.255 10.100.0.0 0.0.255.255

Router2(config)# access-list 100 permit ip 20.200.0.0 0.0.255.255 any

Router2(config)# access-list 100 remark

Re: Need a help on Cisco IPSec Configuration

Rob Ingram — Tue, 21 Jun 2022 13:41:36 GMT

@kerimaksoy your ACL 120 is incorrect, the request is to permit traffic from the internet (30.100.0.0/16) to H1, not from the branch site. Traffic from the branch would be routed over the VPN tunnel you've configured, so would not hit the outside interface unencrypted.

You've also not configured the ACL on the outside interface.

Don't use ACL 100 for NAT, as that number is already in use for the crypto ACL. Use another number specifically for NAT or use a named ACL.