Hi, here is an example of how to configure IP NAT, GRE and IPsec. I've seen plenty of questions and this might be a good solution! (Mostly the use of commands that might remind you.)
IP NAT
=============================================================================
Name of the router that should be configured: ***** DETAILS LIKE INTERFACES AND IPs CAN BE DIFFERENT.
ip route 0.0.0.0 0.0.0.0 serial0/0/0 (default route to the outside network; the interface can be different)
interface FastEthernet0/0 (Inside network)
ip nat inside
interface Serial0/0/0 (Outside network)
ip nat outside
exit
access-list 101 permit ip 10.13.0.0 0.0.255.255 any (IP range of the inside network)
ip nat inside source list 101 interface Serial0/0/0 overload
Check from the inside devices that NAT works.
GRE TUNNEL
===============================================================
Make a new tunnel between locations
- Router(config)#interface tunnel 1
Give the tunnel an IP address
Location X: RouterX(config-if)#ip address 10.254.0.2 255.255.255.252
Location Y: RouterY(config-if)#ip address 10.254.0.1 255.255.255.252
Give the tunnel a source (most of the time the router in between the routers you are configuring)
Location X: Router(config-if)#tunnel source Serial0/0/0
Location Y: Router(config-if)#tunnel source Serial0/0/1
Enter the destination. This is NOT the IP of the tunnel at the other side; it is the IP of the physical interface at the other side.
Location X: Router(config-if)#tunnel destination 208.10.10.2
Location Y: Router(config-if)#tunnel destination 208.10.10.10
There must be IP routes so that network traffic goes to the right places.
Location X
ip route 10.11.0.0 255.255.0.0 10.254.0.1 (remote inside network, subnet mask, tunnel address at the far end)
Location Y
ip route 10.13.0.0 255.255.0.0 10.254.0.2
Test the tunnel with a tracert from one computer to another.
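To show how the NAT and GRE parts above fit together on one router, here is the complete Router X configuration for those two steps, written as an added example (it is not from the original post) with the post's addresses. Assumptions not in the post: the hostname, the inside interface address 10.13.0.1, and the /30 mask on Serial0/0/0. The deny line in access-list 101 keeps site-to-site traffic out of the translation even if someone later marks another interface as NAT outside.

```cisco
! Added example (not from the original post): Router X, NAT overload plus
! GRE tunnel to Router Y. Hostname, inside address and WAN mask are assumed.
hostname RouterX
!
interface FastEthernet0/0
 description inside LAN 10.13.0.0/16 (address assumed)
 ip address 10.13.0.1 255.255.0.0
 ip nat inside
!
interface Serial0/0/0
 description outside / WAN link (mask assumed)
 ip address 208.10.10.10 255.255.255.252
 ip nat outside
!
! GRE tunnel toward Router Y. The source is THIS router's physical interface;
! the destination is the far side's physical interface, not its tunnel IP.
interface Tunnel1
 ip address 10.254.0.2 255.255.255.252
 tunnel source Serial0/0/0
 tunnel destination 208.10.10.2
!
! Default route to the Internet; also carries the GRE packets to 208.10.10.2.
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
! Remote LAN at Y is reached through the far end of the tunnel.
ip route 10.11.0.0 255.255.0.0 10.254.0.1
!
! NAT ACL: first deny traffic to the remote site so it is never translated,
! then permit the rest of the inside LAN to the Internet.
access-list 101 deny   ip 10.13.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 101 permit ip 10.13.0.0 0.0.255.255 any
ip nat inside source list 101 interface Serial0/0/0 overload
!
! Verification:
!   show ip nat translations     -> entries for inside hosts going to the Internet
!   show interfaces tunnel 1     -> line protocol up once 208.10.10.2 is reachable
!   show ip route 10.11.0.0      -> next hop 10.254.0.1 via Tunnel1
```

Router Y mirrors this with its own LAN, Serial0/0/1 as tunnel source, 208.10.10.10 as tunnel destination and a route for 10.13.0.0/16 via 10.254.0.2.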
========================================================
GRE TUNNEL FOR THIRD NETWORK
Location X – Location Z
Do the same steps if there is a location Z, but then with the IPs of location Z.
========================================================
ACCESS LISTS ****** IPs and interfaces may be different
Make sure that only GRE traffic between the serial interfaces is matched. This is done with access lists.
Location X
access-list 111 permit gre host 208.10.10.10 host 208.10.10.6
access-list 112 permit gre host 208.10.10.10 host 208.10.10.2
Location Y
access-list 112 permit gre host 208.10.10.2 host 208.10.10.10
Location Z
access-list 111 permit gre host 208.10.10.6 host 208.10.10.10
Test it with a tracert.
========================================================
IPSEC ISAKMP
Router X: crypto isakmp policy 1
Router X: authentication pre-share
X – Y. (x-y)
router X & Y: crypto isakmp enable
Router X: crypto isakmp key SURI-ROTT address 208.10.10.2 (fill in the IP of the interface at the other side)
Router Y: crypto isakmp key SURI-ROTT address 208.10.10.10 (fill in the IP of the interface at the other side)
Router X & Y: crypto ipsec transform-set IMPEX-SET esp-aes 256 esp-sha-hmac
Router X: crypto map VPN-MAP 20 ipsec-isakmp (20 is used because it is an available sequence number)
router X: match address 112
router X: set peer 208.10.10.2
router X: set pfs group2
router X: set transform-set IMPEX-SET
router X: exit
router Y: crypto map VPN-MAP 20 ipsec-isakmp (20 is used because it is an available sequence number)
router Y: match address 112
router Y: set peer 208.10.10.10
router Y: set pfs group2
router Y: set transform-set IMPEX-SET
router Y: exit
router X & Y: crypto map VPN-MAP (in the serial interface)
router X & Y: exit
Send a tracert through the tunnel and use the following command to check whether the tunnel works:
show crypto isakmp sa
The connection between X and Y works now.
===================================================================
Do the same process between router X and Z, but with different numbers.
router X - Eindhoven (SURI-END)
router X & Eindhoven: crypto isakmp enable
router X: crypto isakmp key SURI-END address 208.10.10.6 (so you enter the IP of the physical interface at the other side)
router Z: crypto isakmp key SURI-END address 208.10.10.10 (so you enter the IP of the physical interface at the other side)
router X & Z: crypto ipsec transform-set IMPEX-SET esp-aes 256 esp-sha-hmac
router X: crypto map VPN-MAP 30 ipsec-isakmp (30 because 10 is already owned by the Rotterdam to router Z connection, and 20 is occupied by Suriname - Rotterdam)
router X: match address 111
router X: set peer 208.10.10.6
router X: set transform-set IMPEX-SET
router X: exit
router Z: crypto map VPN-MAP 30 ipsec-isakmp (30 because 10 is already owned by another connection)
router Z: match address 111
router Z: set peer 208.10.10.10
router Z: set transform-set IMPEX-SET
router Z: exit
router X & router Z: crypto map VPN-MAP (in the serial interface)
router X & router Z: exit
Send a trace through the tunnel and check the operation with the following command in a router:
show crypto isakmp sa
The router X - router Z connection is now ready.
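The two IPsec sections (X–Y with sequence 20 and access-list 112, X–Z with sequence 30 and access-list 111) follow one pattern, so here is the full three-router configuration as one added example; it is not from the original post and goes slightly beyond it by showing the single crypto map on the hub with one entry per peer. The names, addresses, key strings and sequence numbers are the post's; the ISAKMP policy lines other than "authentication pre-share" (encryption, hash, group, lifetime) and the WAN interface name on Router Z are assumptions, and both ends of each pair must use identical policy, transform-set and PFS settings. Note that the crypto ACL only selects what gets encrypted; it does not block other GRE packets arriving on the interface, which needs a separate interface ACL.

```cisco
! Added example (not from the original post). ISAKMP policy details and the
! Router Z WAN interface are assumptions. Use long random pre-shared keys in
! production; the post's short strings are kept here only to match the text.
!
! ===== Router X (hub, 208.10.10.10 on Serial0/0/0) =====
crypto isakmp enable
crypto isakmp policy 1
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key SURI-ROTT address 208.10.10.2
crypto isakmp key SURI-END address 208.10.10.6
!
crypto ipsec transform-set IMPEX-SET esp-aes 256 esp-sha-hmac
!
! Crypto ACLs: only GRE between the serial interfaces, one ACL per peer.
! Each must be the exact mirror of the ACL configured on that peer.
access-list 111 permit gre host 208.10.10.10 host 208.10.10.6
access-list 112 permit gre host 208.10.10.10 host 208.10.10.2
!
! One crypto map, one sequence number per peer (20 = Y, 30 = Z).
crypto map VPN-MAP 20 ipsec-isakmp
 match address 112
 set peer 208.10.10.2
 set pfs group2
 set transform-set IMPEX-SET
crypto map VPN-MAP 30 ipsec-isakmp
 match address 111
 set peer 208.10.10.6
 set pfs group2
 set transform-set IMPEX-SET
!
interface Serial0/0/0
 crypto map VPN-MAP
!
! ===== Router Y (208.10.10.2 on Serial0/0/1) =====
crypto isakmp enable
crypto isakmp policy 1
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key SURI-ROTT address 208.10.10.10
crypto ipsec transform-set IMPEX-SET esp-aes 256 esp-sha-hmac
access-list 112 permit gre host 208.10.10.2 host 208.10.10.10
crypto map VPN-MAP 20 ipsec-isakmp
 match address 112
 set peer 208.10.10.10
 set pfs group2
 set transform-set IMPEX-SET
interface Serial0/0/1
 crypto map VPN-MAP
!
! ===== Router Z (208.10.10.6; WAN interface name assumed) =====
crypto isakmp enable
crypto isakmp policy 1
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key SURI-END address 208.10.10.10
crypto ipsec transform-set IMPEX-SET esp-aes 256 esp-sha-hmac
access-list 111 permit gre host 208.10.10.6 host 208.10.10.10
crypto map VPN-MAP 30 ipsec-isakmp
 match address 111
 set peer 208.10.10.10
 set pfs group2
 set transform-set IMPEX-SET
interface Serial0/0/0
 crypto map VPN-MAP
!
! Verification after sending a tracert through each tunnel:
!   show crypto isakmp sa   -> one QM_IDLE entry per peer
!   show crypto ipsec sa    -> #pkts encaps / #pkts decaps increasing
!   show crypto map         -> ACL, peer and transform-set bound to the interface
```

If the ISAKMP SA never reaches QM_IDLE, the first things to compare on both ends are the pre-shared key for that peer address and the policy 1 values; if ISAKMP is up but the IPsec counters stay at zero, the crypto ACLs are usually not mirror images.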