I had a challege for a site to site vpn scenario that might need some brainstorm from you guys.
So far i had a configuration pre-planned for this scenario but i'm not very sure if the tunnel i created will work as I haven't test it before with this scenario. I'll be going on the execution of this project next week and hope to get some brainstorm solution by u guys. Thanks in advance!
Network Diagram:
http://cjunhan.multiply.com/photos/hi-res/5/3?xurl=%2Fphotos%2Fphoto%2F5%2F3
Challenge:
1) configure CISCO R3 IPSec Site to Site VPN between 172.20.10.0 and 10.20.20.0 using crypto maps
2) IKE Phase I MainMode, des, lifetime 28000, md5, DH-Group1
IKE Phase II: des-esp, hmac-md5, tunnel mode
PSK: sitetositevpn
Here is my configuration for review:
crypto isakmp policy 10
encr des
authentication pre-share
group 1
hash md5
crypto isakmp key sitetositevpn address 210.x.x.66
!
crypto ipsec transform-set ciscoset esp-des esp-md5-hmac
!
crypto map infotelmap 10 ipsec-isakmp
set peer 210.x.x.66
set transform-set ciscoset
match address 111
!
!
interface Ethernet0
description LAN 3
ip address 10.20.20.1 255.255.255.0
ip nat inside
service-policy output servers-policy
hold-queue 100 out
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address 210.x.20.x.255.255.252
no ip redirects <-- Disable ICMP
no ip unreachables <-- Disable ICMP host unreachable messages
no ip proxy-arp <-- disables IP directed broadcasts
ip nat outside
pvc 8/35
encapsulation aal5snap
!
!
ip nat inside source list 102 interface ATM0.1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 0.0.0.0 0.x.0.x.190.60.66
no ip http secure-server
!
access-list 102 remark Traffic to NAT
access-list 102 permit ip 10.20.20.0 0.0.0.255 any
!
access-list 111 remark Site to Site VPN from LAN 3 to LAN 2 Network
access-list 111 permit ip 10.20.20.0 0.0.0.x.x.10.0 0.0.0.255
Regards,
Junhan
