Puzzled by Cisco IPsec sample configuration

bsierra
Level 1

I’ve been getting up to speed on IPsec configuration by reading Cisco 15.1M&T online documentation and poring through dozens of online configuration examples.  By and large, the configurations online make sense and have been invaluable in getting my own working configurations up and running.

However, there’s one Cisco sample configuration that I can’t make any sense of.  It appears in “Security for VPNs with IPsec Configuration Guide — Cisco IOS Release 15.1MT”.  That sample configuration is reprinted below and is also available online at this location:

http://www.ciscosystems.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/15-1mt/sec-cfg-vpn-ipsec.html#GUID-F11890DA-D492-4175-A54C-B829A88E18BA

Most configurations distinguish between the local LAN subnet, WAN subnet, remote subnet at the remote end of the tunnel, and a peer address associated with a remote router.  Thus, you’d see four distinct subnets overall referred to in the configuration.  However, in this particular Cisco example, it seems like the same 10.0.110.0/24 subnet is used for all four functions, which totally baffles me.  For example, access-list 120 refers to the same source range and destination, so I can’t see how this would work.  If anyone could comment on how this configuration works (or *if* it works), I’d greatly appreciate it.  It’s the one configuration that I can’t make any sense of whatsoever.

Here are the four ways the same 10.0.110.0/24 subnet is utilized:

1. The LAN subnet is defined by “ip address 10.0.110.1 255.255.255.0” on interface FastEthernet0/1.

2. The WAN subnet is defined by “ip address 10.0.110.2 255.255.255.0” on interface FastEthernet0/0.

3. The remote subnet at the end of the tunnel is defined by “access-list 120 permit ip 10.0.110.0 0.0.0.255 10.0.110.0 0.0.0.255”.

4. The remote IPsec peer is referred to as “10.0.110.1” in the isakmp key and crypto map, which is on the same 10.0.110.0/24 subnet.

================================================================

crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 lifetime 180
crypto isakmp key cisco123 address 10.0.110.1
!
!
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
 mode transport
!
crypto map aesmap 10 ipsec-isakmp
 set peer 10.0.110.1
 set transform-set aesset
 match address 120
!
!
!
voice call carrier capacity active
!
!
mta receive maximum-recipients 0
!
!
interface FastEthernet0/0
 ip address 10.0.110.2 255.255.255.0
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map aesmap
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 10.0.110.1 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
!
ip nat inside source list 110 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.5.1.1
ip route 10.0.110.0 255.255.255.0 FastEthernet0/0
ip route 172.18.124.0 255.255.255.0 10.5.1.1
ip route 172.18.125.3 255.255.255.255 10.5.1.1
ip http server
!
!
access-list 110 deny   ip 10.0.110.0 0.0.0.255 10.0.110.0 0.0.0.255
access-list 110 permit ip 10.0.110.0 0.0.0.255 any
access-list 120 permit ip 10.0.110.0 0.0.0.255 10.0.110.0 0.0.0.255
!
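The four-role breakdown in the post can be checked mechanically rather than by eye. The following is an added example, not part of the original thread or of Cisco's documentation: a small Python linter that parses the address-bearing lines of an IOS crypto-map configuration (interface addresses, numbered ACLs with IOS wildcard masks, the crypto-map peer and ACL, and the NAT source list) into ipaddress objects and reports when the LAN, WAN, remote subnet and peer collapse onto one range. SAMPLE_CONFIG is constructed from the 15.1MT sample quoted above with the isakmp-policy and transform-set lines it does not read omitted; CLEAN_CONFIG is a constructed control case on RFC 5737 documentation ranges. The finding codes, function names and control addresses are the example's own.

```python
import ipaddress
import re
from itertools import combinations
# Constructed input: the address-bearing lines of the 15.1MT sample quoted above.
SAMPLE_CONFIG = """\
crypto map aesmap 10 ipsec-isakmp
 set peer 10.0.110.1
 match address 120
interface FastEthernet0/0
 ip address 10.0.110.2 255.255.255.0
interface FastEthernet0/1
 ip address 10.0.110.1 255.255.255.0
ip nat inside source list 110 interface FastEthernet0/0 overload
access-list 110 deny   ip 10.0.110.0 0.0.0.255 10.0.110.0 0.0.0.255
access-list 110 permit ip 10.0.110.0 0.0.0.255 any
access-list 120 permit ip 10.0.110.0 0.0.0.255 10.0.110.0 0.0.0.255
"""
# Constructed control case: LAN, WAN, peer and remote subnet on four distinct ranges.
CLEAN_CONFIG = """\
crypto map sitemap 10 ipsec-isakmp
 set peer 198.51.100.1
 match address 120
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.252
interface FastEthernet0/1
 ip address 192.0.2.1 255.255.255.0
ip nat inside source list 110 interface FastEthernet0/0 overload
access-list 110 deny   ip 192.0.2.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.0.2.0 0.0.0.255 any
access-list 120 permit ip 192.0.2.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

def wildcard_network(addr, wildcard):
    # IOS wildcards are inverted masks; 0.0.0.0 therefore means a single host.
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):  # only contiguous low-order wildcards map to a prefix
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{32 - bits.bit_length()}", strict=False)

def acl_operand(tokens):
    # Consume one ACL address operand: 'any', 'host A' or 'A WILDCARD'.
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return wildcard_network(tokens[0], tokens[1]), tokens[2:]

def parse_config(text):
    """Extract interfaces, crypto maps, numbered ACLs and the NAT ACL number."""
    cfg = {"ifaces": {}, "maps": {}, "acls": {}, "nat_acl": None}
    block = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            block = cfg["ifaces"].setdefault(m[1], {})
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line):
            block = cfg["maps"].setdefault(m[1], {})
        elif m := re.match(r"access-list (\d+) (permit|deny)\s+ip\s+(.+)", line):
            src, rest = acl_operand(m[3].split())
            dst, _ = acl_operand(rest)
            cfg["acls"].setdefault(m[1], []).append((m[2], src, dst))
        elif m := re.match(r"ip nat inside source list (\d+)", line):
            cfg["nat_acl"] = m[1]
        elif block is None:
            continue
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            block["addr"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"set peer (\S+)$", line):
            block["peer"] = ipaddress.ip_address(m[1])
        elif m := re.match(r"match address (\d+)$", line):
            block["acl"] = m[1]
    return cfg

def lint(cfg):
    out = []
    ifaces = {n: d["addr"] for n, d in cfg["ifaces"].items() if "addr" in d}
    # Two connected interfaces in one subnet: IOS refuses this within a single VRF.
    for (a, ia), (b, ib) in combinations(ifaces.items(), 2):
        if ia.network.overlaps(ib.network):
            out.append(("OVERLAPPING_INTERFACES", f"{a} {ia} / {b} {ib}"))
    nat_entries = cfg["acls"].get(cfg["nat_acl"], [])
    for name, cm in cfg["maps"].items():
        if cm.get("peer") in {i.ip for i in ifaces.values()}:
            out.append(("PEER_IS_LOCAL_ADDRESS", f"{name} peer {cm['peer']}"))
        for _, src, dst in filter(lambda e: e[0] == "permit", cfg["acls"].get(cm.get("acl"), [])):
            # Source and destination overlap: the "remote" subnet is the local one.
            if src.overlaps(dst):
                out.append(("CRYPTO_ACL_SRC_DST_OVERLAP", f"{name}: {src} -> {dst}"))
            local = [n for n, ia in ifaces.items() if dst.prefixlen and dst.overlaps(ia.network)]
            if local:
                out.append(("CRYPTO_DST_IS_LOCAL", f"{name}: {dst} via {','.join(local)}"))
            # First NAT ACL entry covering the flow must be a deny (NAT exemption).
            for nat_action, nsrc, ndst in nat_entries:
                if src.subnet_of(nsrc) and dst.subnet_of(ndst):
                    if nat_action == "permit":
                        out.append(("NAT_TRANSLATES_CRYPTO_TRAFFIC", f"{name}: {src} -> {dst}"))
                    break
    return out
```

lint(parse_config(SAMPLE_CONFIG)) returns four findings, one per role collision listed in the post: the two interfaces share 10.0.110.0/24, the crypto-map peer 10.0.110.1 is the router's own FastEthernet0/1 address, access-list 120 has identical source and destination, and that destination is a directly connected subnet. lint(parse_config(CLEAN_CONFIG)) returns an empty list. The NAT check reports nothing on either input because the first entry of access-list 110 already denies the protected flow before the permit, which is the usual way to keep NAT off crypto-map traffic; delete that deny line and the linter flags NAT_TRANSLATES_CRYPTO_TRAFFIC instead.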
2 Replies

Marcin Latosiewicz
Cisco Employee (Accepted Solution)

Looks like a documentation bug - typically IOS will not allow the same subnet in the same VRF.

If you have the time, bring this to the attention of TAC.

Thanks, Marcin.  I thought this configuration looked funny.  I’ll submit a TAC later today.