Need a help on Cisco IPSec Configuration

kerimaksoy (Level 1)

I am trying to do an exercise in Cisco Packet Tracer, shown here: topo.png

and the config steps are:

steps.png

I am new to computer networks and Cisco, so I wanted to ask whether I did all the configurations correctly or whether I need to change something in my config.

 

My Packet Tracer Topology:

packet.png

Router0 config:

Router0(config)#int fa0/1
Router0(config-if)#ip add 10.100.0.1 255.255.0.0
Router0(config-if)#no shut
Router0(config)#int fa0/0
Router0(config-if)#ip add 30.100.0.1 255.255.0.0
Router0(config-if)#no shut
Router0(config)#ip route 0.0.0.0 0.0.0.0 30.100.0.2
Router0(config)#access-list 100 permit ip 10.100.0.0 0.0.255.255 20.200.0.0 0.0.255.255
Router0(config)#crypto isakmp policy 10
Router0(config-isakmp)#encryption aes 256
Router0(config-isakmp)#authentication pre-share
Router0(config-isakmp)#group 5
Router0(config)#crypto isakmp key secretkey address 30.100.0.2
Router0(config)#crypto ipsec transform-set R0-R1 esp-aes 256 esp-sha-hmac
Router0(config)#crypto map IPSEC-MAP 10 ipsec-isakmp
Router0(config-crypto-map)#set peer 30.100.0.2
Router0(config-crypto-map)#set pfs group5
Router0(config-crypto-map)#set security-association lifetime seconds 86400
Router0(config-crypto-map)#set transform-set R0-R1
Router0(config-crypto-map)#match address 100
Router0(config)#int fa0/0
Router0(config-if)#crypto map IPSEC-MAP
Router0(config)#access-list 120 permit tcp 10.100.0.0 0.0.255.255 host 20.200.0.10 eq 80

Router1 Config:

Router1(config)#int fa0/0
Router1(config-if)#ip add 30.100.0.2 255.255.0.0
Router1(config-if)#no shut
Router1(config)#int fa0/1
Router1(config-if)#ip add 20.200.0.1 255.255.0.0
Router1(config-if)#no shut
Router1(config)#ip route 0.0.0.0 0.0.0.0 30.100.0.1
Router1(config)#access-list 100 permit ip 20.200.0.0 0.0.255.255 10.100.0.0 0.0.255.255
Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encryption aes 256
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#group 5
Router1(config)#crypto isakmp key secretkey address 30.100.0.1
Router1(config)#crypto ipsec transform-set R1-R0 esp-aes 256 esp-sha-hmac
Router1(config)#crypto map IPSEC-MAP 10 ipsec-isakmp 
Router1(config-crypto-map)#set peer 30.100.0.1
Router1(config-crypto-map)#set pfs group5
Router1(config-crypto-map)#set security-association lifetime seconds 86400
Router1(config-crypto-map)#set transform-set R1-R0 
Router1(config-crypto-map)#match address 100
Router1(config)#int fa0/0
Router1(config-if)#crypto map IPSEC-MAP

Accepted Solution:
Error in the ACL of R0:
Router0(config)#crypto isakmp policy 10
Router0(config-isakmp)#encryption aes 256
Router0(config-isakmp)#authentication pre-share
Router0(config-isakmp)#group 5
Router0(config)#crypto isakmp key secretkey address 30.100.0.2
Router0(config)#crypto ipsec transform-set R0-R1 esp-aes 256 esp-sha-hmac
Router0(config)#crypto map IPSEC-MAP 10 ipsec-isakmp
Router0(config-crypto-map)#set peer 30.100.0.2
Router0(config-crypto-map)#set pfs group5
Router0(config-crypto-map)#set security-association lifetime seconds 86400
Router0(config-crypto-map)#set transform-set R0-R1
Router0(config-crypto-map)#match address 100
Router0(config)#int fa0/0
Router0(config-if)#ip add 30.100.1
Router0(config-if)#crypto map IPSEC-MAP
Router0(config)#access-list 120 permit tcp 10.100.0.0 0.0.255.255 host 20.100.0.10 eq 80

I forgot to write some of the commands for Router0 the first time, so I edited them and changed the last ACL as you said. Is that now a fully correct configuration for my exercise?

 

But now I have also noticed that I don't have any interface or host with the IP "20.100.0.10" which you wrote. Why did you write that IP address?

Sorry for the ACL, but for the tunnel to be UP you need to pass traffic between the two sites.
I corrected ACL 120 because it was wrong, and it can cause the traffic to drop and the tunnel not to come UP.

Thank you so much for your help. I just wanted to ask: is the edited configuration now fully correct?

I can't be sure, because it's my first time configuring this many things together.

Can you share the full edited config so we can double-check?

Uhmm, I don't know how to share the full edited config.

I edited my post with the last changes you wrote to me; isn't that the full edit?

balaji.bandi (Hall of Fame)

At a high level that should work. Make sure that on Router 0 the ACL allows the 10.x.x.x network towards the 20.x.x.x network,

like the one below.

Router0(config)#access-list 120 permit tcp 30.100.0.0 0.0.255.255 host 10.100.0.10 eq 80

 

We take this as no NAT involved, so with routing in place it should work as expected. If there is any issue, post what the issues are.

 

Also refer to the example config and understand each step:

 

https://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks for your reply. I edited my configuration. Is that now a fully correct configuration for my exercise?

As per the task for R2 and R3 (not sure you have the big network diagram), it is correct.

The task says: allow branch to H1 allow any, and only internet HTTP to H1.

 

BB


Router0(config)#access-list 120 permit tcp 10.100.0.0 0.0.255.255 host 20.200.0.10 eq 80

With that command, aren't we allowing only internet HTTP to H1?

 

For the "allow any from branch to H1" part I don't know the correct command, so can you help me with it, please?

I would suggest reading the document posted above and understanding the concept (this is very important for the learning part).

 

BB


I read all of it, so will just adding the following configuration be enough?

 

Router1(config)# ip nat inside source list 100 interface fastethernet0/0 overload

Router1(config)# access-list 100 remark -=[Define NAT Service]=-
Router1(config)# access-list 100 deny ip 10.100.0.0 0.0.255.255 20.200.0.0 0.0.255.255
Router1(config)# access-list 100 permit ip 10.100.0.0 0.0.255.255 any
Router1(config)# access-list 100 remark
 

Router2(config)# ip nat inside source list 100 interface fastethernet0/0 overload

Router2(config)# access-list 100 remark -=[Define NAT Service]=-
Router2(config)# access-list 100 deny ip 20.200.0.0 0.0.255.255 10.100.0.0 0.0.255.255
Router2(config)# access-list 100 permit ip 20.200.0.0 0.0.255.255 any
Router2(config)# access-list 100 remark

@kerimaksoy your ACL 120 is incorrect, the request is to permit traffic from the internet (30.100.0.0/16) to H1, not from the branch site. Traffic from the branch would be routed over the VPN tunnel you've configured, so would not hit the outside interface unencrypted.

 

You've also not configured the ACL on the outside interface.

 

Don't use ACL 100 for NAT, as that number is already in use for the crypto ACL. Use another number specifically for NAT or use a named ACL.
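As an added example (not code from the thread, from Cisco, or from the linked article), a small Python checker for the two points raised in the original post and in the reply above: the crypto ACLs on the two peers must mirror each other, and a NAT ACL must not reuse the crypto ACL's number and must deny the VPN-interesting traffic before its broad permit. The ACL lines are constructed from the ones in the thread; ACL number 110 and the list names are assumptions.

```python
import ipaddress

# Constructed samples (hypothetical numbering and ordering, based on the thread):
# the crypto ACLs posted for Router0 and Router1, and three candidate NAT ACLs
# for Router1, whose inside network is 20.200.0.0/16.
R0_CRYPTO = ["access-list 100 permit ip 10.100.0.0 0.0.255.255 20.200.0.0 0.0.255.255"]
R1_CRYPTO = ["access-list 100 permit ip 20.200.0.0 0.0.255.255 10.100.0.0 0.0.255.255"]
R1_NAT_REUSED = ["access-list 100 deny ip 20.200.0.0 0.0.255.255 10.100.0.0 0.0.255.255",
                 "access-list 100 permit ip 20.200.0.0 0.0.255.255 any"]
R1_NAT_NO_EXEMPT = ["access-list 110 permit ip 20.200.0.0 0.0.255.255 any"]
R1_NAT_OK = ["access-list 110 deny ip 20.200.0.0 0.0.255.255 10.100.0.0 0.0.255.255",
             "access-list 110 permit ip 20.200.0.0 0.0.255.255 any"]

def _net(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); assumes a contiguous wildcard."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    return ipaddress.ip_network(f"{tok}/{32 - wildcard.bit_length()}", strict=False)

def parse_ace(line):
    """'access-list N permit|deny ip SRC DST' -> (number, action, src_net, dst_net)."""
    t = line.split()
    assert t[0] == "access-list" and t[3] == "ip", f"unsupported entry: {line}"
    rest = t[4:]
    return int(t[1]), t[2], _net(rest), _net(rest)

def crypto_acls_mirror(acl_a, acl_b):
    """Phase 2 only negotiates if each permit (S,D) on one peer is (D,S) on the other."""
    a = {(s, d) for _, act, s, d in map(parse_ace, acl_a) if act == "permit"}
    b = {(s, d) for _, act, s, d in map(parse_ace, acl_b) if act == "permit"}
    return a == {(d, s) for s, d in b}

def nat_acl_problems(nat_acl, crypto_acl):
    """Flag a NAT ACL that shares the crypto ACL's number, or that would translate
    VPN-interesting traffic instead of denying (exempting) it first."""
    nat, crypto = [parse_ace(l) for l in nat_acl], [parse_ace(l) for l in crypto_acl]
    problems = []
    if {n for n, *_ in nat} & {n for n, *_ in crypto}:
        problems.append("NAT ACL reuses the crypto ACL number")
    for _, act, s, d in crypto:
        if act != "permit":
            continue
        for _, nat_act, ns, nd in nat:          # first matching entry decides
            if s.subnet_of(ns) and d.subnet_of(nd):
                if nat_act == "permit":
                    problems.append(f"VPN traffic {s} -> {d} would be NATed")
                break
    return problems
```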
