Optimizing cisco 881 and VPN site-to-site

Greetings, ladies and gentlemen!

I am wondering about optimizing our current network layout.

The company where I work now has about 17 branches, each using a 192.168.x.0/24 subnet.

There is a dedicated server room with a router running software Vyatta. Each branch has a Cisco 881.

From each Cisco 881 an IPsec tunnel is set up to the central router.

At the moment, in some of the branches the ACL looks like a pile of 15 tunnels. Periodically some of the tunnels drop. Are there any best practices for setting up a network with such a scheme?

I enclose the configuration of one of the routers:

show run
Building configuration...

Current configuration : 5813 bytes
!
! Last configuration change at 07:01:57 UTC Mon Dec 17 2012 by b1_adm
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname IT
!
boot-start-marker
boot system flash c880data-universalk9-mz.151-4.M.bin
boot-end-marker
!
!
enable secret 5 $1$U6Mc$eLtsfJH9TVbrCZOiXgo3M/
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.10.201 192.168.10.254
ip dhcp excluded-address 192.168.10.120
!
ip dhcp pool pool
 import all
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.12
 dns-server 192.168.240.100
!
!
ip cef
no ip domain lookup
ip domain name office
no ipv6 cef
!
!
license udi pid CISCO881W-GN-E-K9 sn FCZ1539C4KL
!
!
username wifiap privilege 15 secret 5 *
username b1_adm privilege 15 secret 5 *
!
!
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 6 * address 89.223.*.*
!
!
crypto ipsec transform-set myset esp-aes esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 89.223.*.*
 set transform-set myset
 match address 102
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address 82.112.*.* 255.255.255.248
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 ip route-cache same-interface
 ip route-cache policy
 duplex auto
 speed auto
 crypto map vpn
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip address 192.168.110.110 255.255.255.0
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
 no ip address
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.10.12 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 ip address 192.168.25.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static udp 192.168.10.106 69 82.112.185.75 69 extendable
ip nat inside source static tcp 192.168.10.4 1723 82.112.185.75 1723 extendable
ip nat inside source static tcp 192.168.10.140 3306 82.112.185.75 3306 extendable
ip nat inside source static tcp 192.168.10.4 3389 82.112.185.75 3389 extendable
ip nat inside source static tcp 192.168.10.11 8081 82.112.185.75 8081 extendable
ip route 0.0.0.0 0.0.0.0 82.112.185.73
ip route 192.168.25.0 255.255.255.0 192.168.10.4
!
logging esm config
access-list 100 deny   udp any any eq bootpc
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.19.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.181.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 deny   udp any any eq bootps
access-list 102 deny   udp any any eq bootpc
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.19.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.181.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 10.0.1.0 0.0.0.255
no cdp run
!
!
!
!
route-map vpn permit 10
 match ip address 102
 set interface FastEthernet4
!
!
line con 0
 exec-timeout 30 30
 privilege level 15
 password 7 *
 logging synchronous
 login
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 privilege level 15
 password 7 072871551A0B2B5241
 login local
 transport input all
!
end

Thanks in advance for your answers.
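The configuration above pairs a NAT ACL (100), whose deny entries keep branch-to-branch traffic out of the overload NAT, with a crypto-map ACL (102) that selects the same traffic for the tunnel. On this design the two lists have to mirror each other: a destination that is permitted in the crypto ACL but not denied in the NAT ACL gets translated before IPsec sees it and never matches the tunnel, and a deny with no crypto counterpart is either a local subnet (here 192.168.25.0/24, the Vlan2 network) or a leftover entry. The following checker is an added example for this post, not code from the original poster or from Cisco: it parses `access-list` lines out of running-config text and reports both kinds of mismatch. The sample input is a subset of the access-list lines from the configuration above; the function names and the 100/102 defaults are my own choice.

```python
"""Cross-check the NAT-exemption ACL against the crypto-map ACL of an IOS config.

Traffic for a remote branch must be *denied* in the NAT ACL (so it is not
translated) and *permitted* in the crypto ACL (so it is encrypted). A
(src, dst) pair present in one list but not the other is a likely
tunnel-selection problem, or a local subnet that needs no tunnel.
"""
import ipaddress
from dataclasses import dataclass

# Sample input: a subset of the access-list lines from the posted configuration.
SAMPLE_CONFIG = """\
access-list 100 deny   udp any any eq bootpc
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 deny   udp any any eq bootps
access-list 102 deny   udp any any eq bootpc
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 10.0.1.0 0.0.0.255
"""


@dataclass(frozen=True)
class Ace:
    """One entry of a numbered extended access list."""
    acl: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    qualifiers: tuple  # trailing tokens such as ('eq', 'bootpc')


def _take_address(tokens, i):
    """Consume one ACL address spec at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Classic "address wildcard" pair; ipaddress accepts a hostmask as the mask.
    return ipaddress.ip_network((tok, tokens[i + 1])), i + 2


def parse_acls(config_text):
    """Extract numbered extended access-list entries from running-config text."""
    aces = []
    for raw in config_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        number, action, proto = int(tokens[1]), tokens[2], tokens[3]
        # Only extended ACLs (100-199, 2000-2699) carry a protocol and two addresses.
        if not (100 <= number <= 199 or 2000 <= number <= 2699):
            continue
        if action not in ("permit", "deny"):  # skips 'remark' lines
            continue
        src, i = _take_address(tokens, 4)
        dst, i = _take_address(tokens, i)
        aces.append(Ace(number, action, proto, src, dst, tuple(tokens[i:])))
    return aces


def _ip_pairs(aces, acl, action):
    """(src, dst) pairs of the 'ip' entries with the given action in one ACL."""
    return {(a.src, a.dst) for a in aces
            if a.acl == acl and a.action == action and a.proto == "ip"}


def check_nat_exemption(config_text, nat_acl=100, crypto_acl=102):
    """Return (crypto permits lacking a NAT exemption, NAT exemptions lacking a crypto permit)."""
    aces = parse_acls(config_text)
    protected = _ip_pairs(aces, crypto_acl, "permit")
    exempt = _ip_pairs(aces, nat_acl, "deny")
    return sorted(protected - exempt), sorted(exempt - protected)


if __name__ == "__main__":
    unexempted, unprotected = check_nat_exemption(SAMPLE_CONFIG)
    for src, dst in unexempted:
        print(f"crypto ACL selects {src} -> {dst} but the NAT ACL does not exempt it")
    for src, dst in unprotected:
        print(f"NAT ACL exempts {src} -> {dst} but the crypto ACL does not select it")
```

Run against the sample lines it reports nothing in the first category and only 192.168.25.0/24 in the second, which is expected because that subnet is local (Vlan2 and the static route via 192.168.10.4). Feeding it the full `show run` of each branch is a quick way to confirm that every one of the 15 tunnel selectors has its NAT exemption before looking at the peer side.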
