Project name: ccna-vpn-0001-ezvpn
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#crypto isakmp profile V-profile
% A profile is deemed incomplete until it has match identity statements
R1(conf-isa-prof)#client configuration address ?
  initiate  Push the network address to the client
  respond   Respond to network address requests from the client
R1(conf-isa-prof)#client configuration address respond
R1(conf-isa-prof)#client configuration address initiate
R1(conf-isa-prof)#do sh run | sec crypto isakmp profile
crypto isakmp profile V-profile
R1(conf-isa-prof)#do sh run all | sec crypto isakmp profile
crypto isakmp profile V-profile
R1(conf-isa-prof)#do sh run all | begin crypto isakmp profile
crypto isakmp profile V-profile
   ! This profile is incomplete (no match identity statement)
   description
   vrf
   client authentication list
   client pki authorization list
   isakmp authorization list
   client authentication username
   client authentication password
   client configuration address-pool local
   client pki authorization list
   client configuration address initiate
   client configuration address respond
   client configuration group
   accounting
   initiate mode aggressive
   virtual-template 0
crypto isakmp diagnose error 50
crypto ipsec optional retry 300
!
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association lifetime seconds 3600
no crypto ipsec security-association replay disable
R1(conf-isa-prof)#do sh run | begin crypto isakmp profile
crypto isakmp profile V-profile
   ! This profile is incomplete (no match identity statement)
   client configuration address initiate
   client configuration address respond
!
!
crypto ipsec transform-set TS-IPSEC1 esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile PRO-DMVPN1
 set transform-set TS-IPSEC1
!
!
interface Loopback0
 ip address 100.0.0.1 255.255.255.255
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
R1(conf-isa-prof)#
XAUTH
IKE Phase 1 (aggressive mode) → XAUTH (4-way) → mode-config (2-way) → IKE Phase 2 (quick mode)
IKE Aggressive mode
configure terminal
!
hostname R1
no ip domain-lookup
line console 0
 exec-timeout 0 0
 logging synchronous
exit

configure terminal
!
hostname R2
no ip domain-lookup
line console 0
 exec-timeout 0 0
 logging synchronous
exit
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#aaa new-model
R2(config)#aaa authentication login VPNAUTHE ?
  cache          Use Cached-group
  enable         Use enable password for authentication.
  group          Use Server-group
  krb5           Use Kerberos 5 authentication.
  krb5-telnet    Allow logins only if already authenticated via Kerberos V Telnet.
  line           Use line password for authentication.
  local          Use local username authentication.
  local-case     Use case-sensitive local username authentication.
  none           NO authentication.
  passwd-expiry  enable the login list to provide password aging support
R2(config)#aaa authentication login VPNAUTHE local
R2(config)#aaa authorization ?
  auth-proxy           For Authentication Proxy Services
  cache                For AAA cache configuration
  commands             For exec (shell) commands.
  config-commands      For configuration mode commands.
  configuration        For downloading configurations from AAA server
  console              For enabling console authorization
  credential-download  For downloading EAP credential from Local/RADIUS/LDAP
  exec                 For starting an exec (shell).
  ipmobile             For Mobile IP services.
  multicast            For downloading Multicast configurations from an AAA server
  network              For network services. (PPP, SLIP, ARAP)
  onep                 For ONEP authorization service
  policy-if            For diameter policy interface application.
  prepaid              For diameter prepaid services.
  radius-proxy         For proxying radius packets
  reverse-access       For reverse access connections
  subscriber-service   For iEdge subscriber services (VPDN etc)
  template             Enable template authorization
R2(config)#aaa authorization network VPNAUTHO local
R2(config)#username ciscovpn password 0 cisco
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#hash md5
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 2
R2(config-isakmp)#exit
R2(config)#crypto isakmp client configuration group VPNCLIENT
R2(config-isakmp-group)#key cisco
R2(config-isakmp-group)#dns 10.1.1.1
R2(config-isakmp-group)#wins 10.1.1.2
R2(config-isakmp-group)#domain pg1x.net
R2(config-isakmp-group)#pool ezremote
R2(config-isakmp-group)#save-password ?
  <cr>
R2(config-isakmp-group)#save-password
R2(config-isakmp-group)#exit
R2(config)#ip local pool ezremote 192.168.1.100 192.168.1.150
R2(config)#crypto isakmp profile VPN-PROFILE
% A profile is deemed incomplete until it has match identity statements
R2(conf-isa-prof)#match identity group VPNCLIENT
R2(conf-isa-prof)#client authentication list VPNAUTHE
R2(conf-isa-prof)#isakmp authorization list VPNAUTHO
R2(conf-isa-prof)#client configuration address respond
R2(conf-isa-prof)#exit
R2(config)#crypto ipsec transform-set REMO-IPSEC esp-3des esp-md5-hmac
R2(cfg-crypto-trans)#mode tunnel
R2(cfg-crypto-trans)#exit
R2(config)#crypto dynamic-map REMO ?
  <1-65535>  Sequence to insert into dynamic-map entry
R2(config)#crypto dynamic-map REMO 1
R2(config-crypto-map)#set transform-set REMO-IPSEC
R2(config-crypto-map)#set isakmp-profile VPN-PROFILE
R2(config-crypto-map)#exit
R2(config)#crypto map EZVPN 1 ipsec-?
ipsec-isakmp  ipsec-manual
R2(config)#crypto map EZVPN 1 ipsec-isakmp dynamic REMO
R2(config)#interface GigabitEthernet 0/1
R2(config-if)#crypto map EZVPN
R2(config-if)#
*May 1 03:13:18.094: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#
R2(config)#username ciscovpn password cisco
R2(config)#crypto isakmp keepalive 30
R2(config)#crypto isakmp keepalive 30 periodic
R2(config)#ip access-list extended A-security
R2(config-ext-nacl)#permit esp any host 100.1.1.1
R2(config-ext-nacl)#permit udp any host 100.1.1.1 eq isakmp
R2(config-ext-nacl)#exit
R2(config)#int gig0/1
R2(config-if)#ip access-group A-security in
R2(config-if)#exit
R2(config)#username ciscovpn1 password cisco1
R2(config)#username ciscovpn2 password cisco2
R2(config)#username ciscovpn3 password cisco3
R2(config)#username ciscovpn4 password cisco4
R2(config)#username ciscovpn5 password cisco5
R2(config)#do sh run | i username
username ciscovpn password 0 cisco
username ciscovpn1 password 0 cisco1
username ciscovpn2 password 0 cisco2
username ciscovpn3 password 0 cisco3
username ciscovpn4 password 0 cisco4
username ciscovpn5 password 0 cisco5
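Added example, not part of the lab transcript above: the R2 EzVPN server configuration from the session, consolidated into one block, with the weak settings the lab typed quoted in comments next to hardened replacements. The names and addresses (VPNAUTHE, VPNAUTHO, VPNCLIENT, ezremote, VPN-PROFILE, REMO-IPSEC, REMO, EZVPN, A-security, 100.1.1.1, GigabitEthernet0/1, 10.1.1.1, 10.1.1.2, pg1x.net) are the lab's; the AES-256/SHA-256/DH group 14 suite, the fallback policy, the `secret` username, the placeholder passwords and the NAT-T ACL entry are my additions. Points a practitioner will want from this page: 3DES, MD5 and DH group 2 are deprecated; IKEv1 aggressive mode with a group pre-shared key lets anyone who captures one exchange guess the key offline, so `key cisco` is not acceptable outside a lab; `save-password` lets the client store the XAUTH password on disk; `username ... password 0` leaves every XAUTH password in cleartext in `show run`; and a client behind NAT moves to UDP/4500 (NAT-T), which the lab's ACL does not permit.

```cisco
! Added example (not the lab's own configuration): the R2 EzVPN server from the
! session above, consolidated. Lines starting "! lab:" quote what the lab typed;
! what follows each is the hardened replacement.
aaa new-model
aaa authentication login VPNAUTHE local
aaa authorization network VPNAUTHO local
!
! lab:  username ciscovpn password 0 cisco       (type 0 = cleartext in show run)
! "secret" stores a salted hash; the value below is a placeholder.
username ciscovpn secret Replace-Me-With-A-Long-XAUTH-Password
!
! lab:  encryption 3des / hash md5 / group 2     (all deprecated)
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Fallback only for a peer that cannot negotiate SHA-256 or group 14 (older
! IKEv1 clients); IOS tries policies in priority order. Delete it when unneeded.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
!
! lab:  key cisco  +  save-password
! Aggressive mode exposes the group key to offline guessing from one captured
! exchange, so it must be long and random (placeholder below). Without
! "save-password" the client cannot cache the XAUTH password locally.
crypto isakmp client configuration group VPNCLIENT
 key Replace-With-32-Random-Characters
 dns 10.1.1.1
 wins 10.1.1.2
 domain pg1x.net
 pool ezremote
!
ip local pool ezremote 192.168.1.100 192.168.1.150
!
crypto isakmp profile VPN-PROFILE
   match identity group VPNCLIENT
   client authentication list VPNAUTHE
   isakmp authorization list VPNAUTHO
   client configuration address respond
!
! lab:  esp-3des esp-md5-hmac
crypto ipsec transform-set REMO-IPSEC esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto dynamic-map REMO 1
 set transform-set REMO-IPSEC
 set isakmp-profile VPN-PROFILE
!
crypto map EZVPN 1 ipsec-isakmp dynamic REMO
!
crypto isakmp keepalive 30 periodic
!
! lab:  permit esp + udp/500 only. A client behind NAT switches to NAT-T on
! udp/4500 (ACL keyword non500-isakmp) and would be dropped by the lab's ACL.
ip access-list extended A-security
 permit esp any host 100.1.1.1
 permit udp any host 100.1.1.1 eq isakmp
 permit udp any host 100.1.1.1 eq non500-isakmp
!
interface GigabitEthernet0/1
 ip access-group A-security in
 crypto map EZVPN
```

After a client connects, `show crypto isakmp sa`, `show crypto session` and `show crypto ipsec sa` confirm which policy and transform set were actually negotiated, and `show run | include username` should now show hashed secrets instead of `password 0` lines.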
Internet
Internet access from Remote w/ ACL
R2(config)#crypto isakmp client configuration group VPNCLIENT
R2(config-isakmp-group)#acl ?
  <100-199>  access-list number for split-tunneling
  WORD       Access-list name
R2(config-isakmp-group)#acl 102
R2(config-isakmp-group)#exit
R2(config)#access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
R2(config)#
Internet access via VPN Server
CBAC (Context-Based Access Control)
R2(config)#ip inspect name CBAC tcp
R2(config)#ip inspect name CBAC udp
R2(config)#ip inspect name CBAC ftp
R2(config)#int gig0/1
R2(config-if)#int gig0/0
R2(config-if)#ip nat inside
-Traceback= 1140338z 130825z 15E41Ez 15E140z 15DF4Dz 158075z 158CABz 158C3Fz 3CCC6EAz 3CCC62Cz 3CCC5CBz 3A36694z 233EB23z 233E910z 2341812z 2358E3Cz - Process "Exec", CPU hog, PC 0x00153D7D
-Traceback= 1140338z 130825z 15E41Ez 15E140z 15DF4Dz 158075z 158CABz 158C3Fz 3CE3952z 3CCC643z 3CCC5CBz 38CF640z 38C1EBCz 38C21F0z 38C9416z 38CE1D0z - Process "Exec", CPU hog, PC 0x00153D6B
-Traceback= 1140338z 130825z 15E41Ez 15E140z 15DF4Dz 158075z 158CABz 158C3Fz 3CE3952z 3CCC643z 3CCC5CBz 38CF640z 38C1EBCz 38C21F0z 38C9416z 38CE1D0z - Process "Exec", CPU hog, PC 0x00153D6B
R2(config-if)#
*May 1 03:38:53.709: %SYS-3-CPUHOG: Task is running for (1998)msecs, more than (2000)msecs (0/0),process = Exec.
*May 1 03:38:55.468: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
*May 1 03:38:57.477: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (0/0),process = Exec.
*May 1 03:38:59.477: %SYS-3-CPUHOG: Task is running for (4000)msecs, more than (2000)msecs (0/0),process = Exec.
R2(config-if)#
-Traceback= 1140338z 130825z 15E41Ez 15E140z 15DF4Dz 158075z 158CABz 158C3Fz 3CE389Ez 3CD0C7Ez 3CD19E8z 50D46FFz 380B77Ez 388A04Fz 388A1E2z 388A349z - Process "STILE PERIODIC TASK", CPU hog, PC 0x00153D85
*May 1 03:39:05.865: %SYS-3-CPUHOG: Task is running for (1997)msecs, more than (2000)msecs (0/0),process = STILE PERIODIC TASK.
R2(config-if)#int gig0/1
R2(config-if)#ip nat outside
R2(config-if)#ip inspect CBAC out
R2(config-if)#exit
R2(config)#ip nat inside source list 101 interface gig0/1
R2(config)#ip nat inside source list 101 interface gig0/1 overload
R2(config)#no ip nat inside source list 101 interface gig0/1
R2(config)#ip nat inside source list 101 interface gig0/1 overload
R2(config)#access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
R2(config)#access-list 101 permit ip 192.168.0.0 0.0.0.255
% Incomplete command.
R2(config)#access-list 101 permit ip 192.168.0.0 0.0.0.255 any
R2(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 any
R2(config)#
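Added example, not the lab's own configuration: the two Internet-access variants from the "Internet" sections above placed side by side so the difference is visible. Split tunnel: the group `acl 102` tells the client which destinations go through the tunnel (written from the server side: source = protected LAN, destination = client pool); everything else leaves the client directly and never reaches R2. Full tunnel ("via VPN Server"): no `acl` in the group, so the client sends all traffic to R2, which PATs it on gig0/1 with ACL 101 and inspects it outbound with CBAC so the return traffic can pass the inbound A-security ACL, which only permits ESP and ISAKMP. The names (VPNCLIENT, CBAC, A-security, EZVPN) and addresses are the lab's; that gig0/0 is the 192.168.0.0/24 LAN and gig0/1 the WAN is my reading of the lab's `ip nat inside`/`outside` placement. Apply variant A or variant B, not both.

```cisco
! Added example; not the lab's own config. Two ways to give EzVPN clients
! Internet access, using the lab's names. Assumed from the lab's NAT placement:
! gig0/0 = LAN 192.168.0.0/24, gig0/1 = WAN, client pool 192.168.1.100-150.
!
! --- Variant A: split tunnel ("Internet access from Remote w/ ACL") ---
! Only traffic to 192.168.0.0/24 is tunnelled; the client reaches the Internet
! directly, so R2 sees none of that traffic and cannot inspect or log it.
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp client configuration group VPNCLIENT
 acl 102
!
! --- Variant B: full tunnel ("Internet access via VPN Server") ---
! 1. No split-tunnel list in the group: the client then tunnels everything.
crypto isakmp client configuration group VPNCLIENT
 no acl 102
!
! 2. PAT on the WAN interface. Order matters: the deny must come first so
!    LAN -> client-pool traffic stays untranslated and still matches the
!    client's IPsec SA; translating it to 100.1.1.1 would break the tunnel.
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface GigabitEthernet0/1 overload
!
! 3. CBAC: tracks outbound tcp/udp/ftp sessions and opens the matching
!    return-traffic holes in the inbound A-security ACL (which, as configured
!    above, permits only ESP and ISAKMP to 100.1.1.1).
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC ftp
!
interface GigabitEthernet0/0
 ip nat inside
!
interface GigabitEthernet0/1
 ip nat outside
 ip access-group A-security in
 ip inspect CBAC out
 crypto map EZVPN
```

Verify variant B with a client connected: `show ip nat translations` should list entries for the client's pool address, `show ip inspect sessions` the CBAC sessions it opened, and a LAN-to-client ping should produce no translation at all. Enabling CBAC before the inbound ACL existed, as the lab did, is harmless; the reverse order (ACL first, CBAC later) cuts off all LAN return traffic until the inspect rule is applied.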