Practical Exercise 14-4: IPSec Between Three Routers Using Private Addresses | Practical Exercise 14-5: IPSec/GRE with NAT

Practical Exercise 14-4 Solution

The following is a step-by-step discussion of the Practical Exercise solution.

Task 1 Solution

IKE uses UDP port 500. The IPSec ESP and AH protocols use IP protocol numbers 50 and 51, respectively. You must ensure that any existing access lists you might already have configured do not block protocol 50, protocol 51, or UDP port 500 traffic at any interface used by IPSec. In some cases you might need to reconfigure an existing access list to explicitly permit this traffic.

Task 2 Solution

Step 1. At the R1 console, provide all the configuration required to set the following NAT settings:

Define traffic to undergo NAT:

R1(config)#ip nat inside source route-map nonat interface Serial0 overload

Define an access list for NAT (the deny entries exempt traffic bound for the other two private networks from translation, so it reaches the crypto access lists with its private source address intact):

R1(config)#access-list 150 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R1(config)#access-list 150 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
R1(config)#access-list 150 permit ip 192.168.1.0 0.0.0.255 any

Define the NAT route map:

R1(config)#route-map nonat permit 10
R1(config-route-map)#match ip address 150

Define the NAT interfaces:

R1(config)#interface serial0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#interface ethernet0
R1(config-if)#ip nat inside

Step 2. At the R2 console, provide all the configuration required to set the following NAT settings:

Define traffic to undergo NAT:

R2(config)#ip nat inside source route-map nonat interface Serial0 overload

Define an access list for NAT:

R2(config)#access-list 150 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
R2(config)#access-list 150 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
R2(config)#access-list 150 permit ip 192.168.2.0 0.0.0.255 any

Define the NAT route map:

R2(config)#route-map nonat permit 10
R2(config-route-map)#match ip address 150

Define the NAT interfaces:

R2(config)#interface serial0
R2(config-if)#ip nat outside
R2(config-if)#exit
R2(config)#interface ethernet0
R2(config-if)#ip nat inside

Step 3. At the R3 console, provide all the configuration required to set the following NAT settings:

Define traffic to undergo NAT:

R3(config)#ip nat inside source route-map nonat interface Serial0 overload

Define an access list for NAT:

R3(config)#access-list 150 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
R3(config)#access-list 150 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
R3(config)#access-list 150 permit ip 192.168.3.0 0.0.0.255 any

Define the NAT route map:

R3(config)#route-map nonat permit 10
R3(config-route-map)#match ip address 150

Define the NAT interfaces:

R3(config)#interface serial0
R3(config-if)#ip nat outside
R3(config-if)#exit
R3(config)#interface ethernet0
R3(config-if)#ip nat inside

Task 3 Solution

Step 1. At the R1 console, provide all the configuration required to set the following IKE settings:

Define an ISAKMP policy:

R1(config)#crypto isakmp policy 4
R1(config-isakmp)#authentication pre-share

Define the ISAKMP peers and key:

R1(config)#crypto isakmp key cisco1234 address 100.228.202.154
R1(config)#crypto isakmp key cisco1234 address 200.154.17.130

Step 2. At the R2 console, provide all the configuration required to set the following IKE settings:

Define an ISAKMP policy:

R2(config)#crypto isakmp policy 4
R2(config-isakmp)#authentication pre-share

Define the ISAKMP peers and key:

R2(config)#crypto isakmp key cisco1234 address 100.228.202.154
R2(config)#crypto isakmp key cisco1234 address 100.232.202.210

Step 3. At the R3 console, provide all the configuration required to set the following IKE settings:

Define an ISAKMP policy:

R3(config)#crypto isakmp policy 4
R3(config-isakmp)#authentication pre-share

Define the ISAKMP peers and key:

R3(config)#crypto isakmp key cisco1234 address 100.232.202.210
R3(config)#crypto isakmp key cisco1234 address 200.154.17.130

Task 4 Solution

Step 1. At the R1 console, provide all the configuration required to set the following IPSec settings:

Define the crypto access lists:

R1(config)#access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R1(config)#access-list 106 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

Define an IPSec transform set:

R1(config)#crypto ipsec transform-set encrypt-des esp-des

Define the IPSec crypto map:

R1(config)#crypto map combined local-address serial0
R1(config)#crypto map combined 20 ipsec-isakmp
R1(config-crypto-m)#set peer 100.228.202.154
R1(config-crypto-m)#set transform-set encrypt-des
R1(config-crypto-m)#match address 106
R1(config-crypto-m)#exit
R1(config)#crypto map combined 30 ipsec-isakmp
R1(config-crypto-m)#set peer 200.154.17.130
R1(config-crypto-m)#set transform-set encrypt-des
R1(config-crypto-m)#match address 105

Associate the crypto map to the Ethernet 0 interface:

R1(config)#interface ethernet 0
R1(config-if)#crypto map combined

Step 2. At the R2 console, provide all the configuration required to set the following IPSec settings:

Define the crypto access lists:

R2(config)#access-list 105 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
R2(config)#access-list 106 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255

Define the IPSec transform sets:

R2(config)#crypto ipsec transform-set encrypt-des esp-des
R2(config)#crypto ipsec transform-set 1600_box esp-des

Define the IPSec crypto map:

R2(config)#crypto map combined local-address serial0
R2(config)#crypto map combined 7 ipsec-isakmp
R2(config-crypto-m)#set peer 100.232.202.210
R2(config-crypto-m)#set transform-set 1600_box
R2(config-crypto-m)#match address 105
R2(config-crypto-m)#exit
R2(config)#crypto map combined 8 ipsec-isakmp
R2(config-crypto-m)#set peer 100.228.202.154
R2(config-crypto-m)#set transform-set 1600_box
R2(config-crypto-m)#match address 106

Associate the crypto map to the Ethernet 0 interface:

R2(config)#interface ethernet 0
R2(config-if)#crypto map combined

Step 3. At the R3 console, provide all the configuration required to set the following IPSec settings:

Define the crypto access lists:

R3(config)#access-list 105 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
R3(config)#access-list 106 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

Define the IPSec transform sets:

R3(config)#crypto ipsec transform-set encrypt-des esp-des
R3(config)#crypto ipsec transform-set 1600_box esp-des

Define the IPSec crypto map. Each entry must match the traffic bound for its own peer: 100.232.202.210 is the peer that R1 and R2 both key and address as the router in front of 192.168.1.0/24, so its entry matches access list 105, and 200.154.17.130 fronts 192.168.2.0/24, so its entry matches access list 106:

R3(config)#crypto map combined local-address serial0
R3(config)#crypto map combined 7 ipsec-isakmp
R3(config-crypto-m)#set peer 100.232.202.210
R3(config-crypto-m)#set transform-set encrypt-des
R3(config-crypto-m)#match address 105
R3(config-crypto-m)#exit
R3(config)#crypto map combined 8 ipsec-isakmp
R3(config-crypto-m)#set peer 200.154.17.130
R3(config-crypto-m)#set transform-set 1600_box
R3(config-crypto-m)#match address 106

Associate the crypto map to the Ethernet 0 interface:

R3(config)#interface ethernet 0
R3(config-if)#crypto map combined
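As an added consistency check, not part of the book's solution: a Python script that models the three routers' NAT and IPSec settings from this exercise and verifies two things that are easy to get wrong in a three-site mesh, that every crypto map entry selects the traffic bound for its own peer, and that the NAT access list exempts every subnet a crypto access list protects. The pairing of public address to router (100.232.202.210 = R1, 200.154.17.130 = R2, 100.228.202.154 = R3) is an assumption derived from the crypto map entries above.

```python
import ipaddress

# Constructed model of the three-router solution. The public-address-to-router
# pairing is assumed from the crypto map peers in the exercise.
ROUTERS = {
    "R1": {"public": "100.232.202.210", "lan": "192.168.1.0/24",
           "nat_deny": ["192.168.2.0/24", "192.168.3.0/24"],
           "crypto_acl": {105: "192.168.2.0/24", 106: "192.168.3.0/24"},
           "crypto_map": [("100.228.202.154", 106), ("200.154.17.130", 105)]},
    "R2": {"public": "200.154.17.130", "lan": "192.168.2.0/24",
           "nat_deny": ["192.168.1.0/24", "192.168.3.0/24"],
           "crypto_acl": {105: "192.168.1.0/24", 106: "192.168.3.0/24"},
           "crypto_map": [("100.232.202.210", 105), ("100.228.202.154", 106)]},
    "R3": {"public": "100.228.202.154", "lan": "192.168.3.0/24",
           "nat_deny": ["192.168.1.0/24", "192.168.2.0/24"],
           "crypto_acl": {105: "192.168.1.0/24", 106: "192.168.2.0/24"},
           "crypto_map": [("100.232.202.210", 105), ("200.154.17.130", 106)]},
}


def lan_behind(public):
    """Return the private network behind the router that owns `public`."""
    for r in ROUTERS.values():
        if r["public"] == public:
            return ipaddress.ip_network(r["lan"])
    raise KeyError(f"no router with public address {public}")


def check_router(name, crypto_map=None):
    """Return a list of findings for one router; an empty list means consistent.

    `crypto_map` lets a caller test an alternative set of (peer, acl) entries.
    """
    r = ROUTERS[name]
    findings = []
    nat_exempt = {ipaddress.ip_network(n) for n in r["nat_deny"]}
    for acl, dst in r["crypto_acl"].items():
        # A packet translated to the Serial0 address no longer matches a crypto
        # ACL written for the private source, so every protected destination
        # must be denied (exempted) in the NAT access list.
        if ipaddress.ip_network(dst) not in nat_exempt:
            findings.append(f"{name}: crypto ACL {acl} traffic to {dst} is still NATed")
    for peer, acl in crypto_map or r["crypto_map"]:
        # Each crypto map entry must select the traffic headed for its own peer.
        expected = lan_behind(peer)
        actual = ipaddress.ip_network(r["crypto_acl"][acl])
        if expected != actual:
            findings.append(f"{name}: peer {peer} fronts {expected} but ACL {acl} selects {actual}")
    return findings


if __name__ == "__main__":
    for router in ROUTERS:
        print(router, check_router(router) or "OK")
```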
