The Windows XP host on the RM_Inside network connects to NY_R1 at 20.1.1.1 using the VPN client program (vpnclient-win-msi-5.0.07.0290-k9).
The remote PC receives one IP address from 192.168.15.1 ~ .200 and can use the inside and DMZ networks as if it were a PC directly attached to NY_R1.
NY_R1
aaa new-model
aaa authentication login LOCAL_AUTHEN local
aaa authorization network LOCAL_AUTHOR local
username master password 0 cisco
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp client configuration group EZGROUP
key cisco123
pool EZPOOL
acl EZSPLIT
netmask 255.255.255.0
crypto isakmp profile EZISAPROF
match identity group EZGROUP
client authentication list LOCAL_AUTHEN
isakmp authorization list LOCAL_AUTHOR
client configuration address respond
client configuration group EZGROUP
virtual-template 1
!
!
crypto ipsec transform-set EZSET esp-aes esp-sha-hmac
!
crypto ipsec profile EZPROFILE
set transform-set EZSET
set isakmp-profile EZISAPROF
!
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.2.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 20.1.1.1 255.255.255.192
duplex auto
speed auto
!
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet1/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile EZPROFILE
!
router ospf 1
log-adjacency-changes
redistribute static subnets
network 20.1.1.0 0.0.0.15 area 0
default-information originate
!
ip local pool EZPOOL 192.168.15.1 192.168.15.200
ip forward-protocol nd
!
ip access-list extended EZSPLIT
permit ip 192.168.1.0 0.0.0.255 any
----------------------------------------------------
ISP
interface FastEthernet0/1
ip address 20.1.1.14 255.255.255.192
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 40.1.1.14 255.255.255.192
duplex auto
speed auto
!
interface FastEthernet1/1
ip address 30.1.1.14 255.255.255.192
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 20.1.1.0 0.0.0.15 area 0
network 30.1.1.0 0.0.0.15 area 0
network 40.1.1.0 0.0.0.15 area 0
!
-----------------------------------------------------
Branch_A
interface FastEthernet0/0
ip address 192.168.3.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 30.1.1.1 255.255.255.192
duplex auto
speed auto
!
interface FastEthernet2/0
no ip address
shutdown
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 30.1.1.0 0.0.0.15 area 0
!
---------------------------------------------------------
RM
interface FastEthernet0/0
ip address 192.168.100.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 40.1.1.1 255.255.255.192
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 40.1.1.0 0.0.0.15 area 0
network 192.168.100.0 0.0.0.255 area 0
----------------------------------------------------------
verify
*Jan 25 20:39:13.723: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
NY_R1#show crypto session
Crypto session current status
Interface: Virtual-Access2
Username: master
Profile: EZISAPROF
Group: EZGROUP
Assigned address: 192.168.15.3
Session status: UP-ACTIVE
Peer: 192.168.100.3 port 1129
IKE SA: local 20.1.1.1/500 remote 192.168.100.3/1129 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.15.3
Active SAs: 2, origin: crypto map
Interface: FastEthernet1/0
Profile: EZISAPROF
Session status: DOWN-NEGOTIATING
Peer: 192.168.100.3 port 1116
IKE SA: local 20.1.1.1/500 remote 192.168.100.3/1116 Inactive
NY_R1#
*Jan 25 20:39:27.403: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
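Added example, not part of the original post: a small Python check that takes the EZSPLIT ACL, the EZPOOL range and the show crypto session output from this page, reports whether each network the client is meant to reach is actually covered by the split-tunnel ACL, and flags assigned addresses outside the pool or sessions left in DOWN-NEGOTIATING. It assumes the inside network is 192.168.1.0/24 (Fa0/0) and the DMZ is 192.168.2.0/24 (Fa0/1); the post only names them as "inside and DMZ".

```python
import ipaddress
import re

# Constructed from the NY_R1 config above (split ACL, pool) plus the networks the post says the PC reaches
EZSPLIT_ACL = ["permit ip 192.168.1.0 0.0.0.255 any"]
EZPOOL = ("192.168.15.1", "192.168.15.200")
EXPECTED_NETS = {"inside": "192.168.1.0/24", "dmz": "192.168.2.0/24"}  # assumed Fa0/0 and Fa0/1 subnets
# Constructed, shortened copy of the 'show crypto session' output above.
SHOW_CRYPTO_SESSION = """\
Interface: Virtual-Access2
Assigned address: 192.168.15.3
Session status: UP-ACTIVE
Peer: 192.168.100.3 port 1129
Interface: FastEthernet1/0
Session status: DOWN-NEGOTIATING
Peer: 192.168.100.3 port 1116
"""

def wildcard_to_network(addr, wildcard):
    # IOS wildcard masks are inverted subnet masks: 0.0.0.255 -> /24
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def split_tunnel_coverage(acl_lines=EZSPLIT_ACL, expected=EXPECTED_NETS):
    # True per network only if some 'permit ip <net> <wildcard> any' entry contains it
    permitted = [wildcard_to_network(*m.groups()) for line in acl_lines
                 if (m := re.match(r"permit ip (\S+) (\S+) any", line))]
    return {name: any(ipaddress.ip_network(net).subnet_of(p) for p in permitted)
            for name, net in expected.items()}

def parse_sessions(text=SHOW_CRYPTO_SESSION):
    # One dict per 'Interface:' block, keyed by the field names IOS prints
    sessions = []
    for line in text.splitlines():
        key, _, val = line.partition(":")
        if key == "Interface":
            sessions.append({})
        if sessions and val:
            sessions[-1][key.strip()] = val.strip()
    return sessions

def audit_sessions(text=SHOW_CRYPTO_SESSION, pool=EZPOOL):
    # Flag assigned addresses outside EZPOOL and sessions stuck in DOWN-NEGOTIATING
    lo, hi = map(ipaddress.IPv4Address, pool)
    findings = []
    for s in parse_sessions(text):
        addr = s.get("Assigned address")
        if addr and not lo <= ipaddress.IPv4Address(addr) <= hi:
            findings.append(f"{s['Interface']}: {addr} outside EZPOOL")
        if s.get("Session status", "").startswith("DOWN"):
            findings.append(f"{s['Interface']}: {s['Session status']} with {s.get('Peer')}")
    return findings
```

With the page's ACL the check reports the inside network as covered and the DMZ as not, which is the first thing to compare against what the remote PC is expected to reach.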