Scribd
Upload
159 views6 pages

Ranet Nat PDF

This document provides configuration steps for setting up an IPsec site-to-site VPN tunnel between two routers (Ranet-BR and the remote peer router) using pre-shared keys for authentication. The steps show configuring IPsec policies, transforming and protecting the tunnel interface, and verifying the established SA. Once configured, network connectivity is confirmed by a host on Ranet-BR's network pinging and accessing a web server on the remote network.

Uploaded by

emerson
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
159 views6 pages

Ranet Nat PDF

This document provides configuration steps for setting up an IPsec site-to-site VPN tunnel between two routers (Ranet-BR and the remote peer router) using pre-shared keys for authentication. The steps show configuring IPsec policies, transforming and protecting the tunnel interface, and verifying the established SA. Once configured, network connectivity is confirmed by a host on Ranet-BR's network pinging and accessing a web server on the remote network.

Uploaded by

emerson
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 6

Packet Activity Document No.

:
ART-CNA-003-L48

CCNA LAB 4-8: Virtual Private Network (VPN) IPsec (Site-to-Site)

[ Ranet BR ( console)] :
( Desktop > Terminal > OK)
Ranet-BR>en
Ranet-BR#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Ranet-BR(config)#int fa0/0
Ranet-BR(config-if)#no sh

%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up


Ranet-BR(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Ranet-BR(config-if)#ip add 192.168.1.1 255.255.255.240
Ranet-BR(config-if)#ip nat inside
Ranet-BR(config-if)#int s0/0/0
Ranet-BR(config-if)#no sh

%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up


Ranet-BR(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
Ranet-BR(config-if)#ip add 202.170.100.30 255.255.255.252
Ranet-BR(config-if)#ip nat outside
Ranet-BR(config-if)#exit
Ranet-BR(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0
Ranet-BR(config)#access-list 100 deny ip 192.168.1.0 0.0.0.15 192.168.0.0 0.0.0.255
Ranet-BR(config)#access-list 100 permit ip 192.168.1.0 0.0.0.15 any
Ranet-BR(config)#ip nat pool Ranet 202.170.100.9 202.170.100.14 netmask 255.255.255.248
Ranet-BR(config)#ip nat inside source list 100 pool Ranet overload
Ranet-BR(config)#crypto isakmp policy 101
Ranet-BR(config-isakmp)#encryption aes 128
Ranet-BR(config-isakmp)#hash sha

1
A R T I C L E
Ranet-BR(config-isakmp)#authentication pre-share Document No.:
Ranet-BR(config-isakmp)#group 5 ART-CNA-003-L48
Ranet-BR(config-isakmp)#lifetime 86400
Ranet-BR(config-isakmp)#exit
Ranet-BR(config)#crypto isakmp key ranetvpnpass address 202.170.100.130
Ranet-BR(config)#access-list 101 permit ip 192.168.1.0 0.0.0.15 192.168.0.0 0.0.0.255
Ranet-BR(config)#crypto ipsec transform-set Ranet esp-aes esp-sha-hmac
Ranet-BR(config)#crypto map Site-to-Site 101 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Ranet-BR(config-crypto-map)#set peer 202.170.100.130
Ranet-BR(config-crypto-map)#set transform-set Ranet
Ranet-BR(config-crypto-map)#match address 101
Ranet-BR(config-crypto-map)#exit
Ranet-BR(config)#int s0/0/0
Ranet-BR(config-if)#crypto map Site-to-Site
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Ranet-BR(config-if)#end
Ranet-BR#
%SYS-5-CONFIG_I: Configured from console by console
Ranet-BR#sh crypto isakmp policy

Global IKE policy


Protection suite of priority 101
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Ranet-BR#sh crypto ipsec sa

2
A R T I C L E
interface: Serial0/0/0 Document No.:
Crypto map tag: Site-to-Site, local addr 202.170.100.30 ART-CNA-003-L48

protected vrf: (none)


local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer 202.170.100.130 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 202.170.100.30, remote crypto endpt.:202.170.100.130


path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

Ranet-BR#copy run start


Destination filename [startup-config]?
Building configuration...
[OK]
Ranet-BR#

3
A R T I C L E
Document No.:
ART-CNA-003-L48
[ Ranet-Host] :
( Desktop > IP Configuration)
IP Address: 192.168.1.14
Subnet Mask: 255.255.255.240
Default Gateway: 192.168.1.1
DNS Server: 202.170.100.54
( Desktop > Command Prompt)
Packet Tracer PC Command Line 1.0
PC>ping 192.168.0.7

Pinging 192.168.0.7 with 32 bytes of data:

Request timed out.


Request timed out.
Reply from 192.168.0.7: bytes=32 time=32ms TTL=126
Reply from 192.168.0.7: bytes=32 time=31ms TTL=126

Ping statistics for 192.168.0.7:


Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 31ms, Maximum = 32ms, Average = 31ms

PC>
( Desktop > Web Browser)
URL: http://www.ranet.co.th
Output: RANET Co.,Ltd. - Ranet Co.,Ltd. We make iT easy! :)

[ Ranet BR ( console)] :
( Desktop > Terminal > OK)
Ranet-BR#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 202.170.100.9:1025 192.168.1.14:1025 202.170.100.54:53 202.170.100.54:53
tcp 202.170.100.9:1025 192.168.1.14:1025 202.170.100.70:80 202.170.100.70:80

4
A R T I C L E
Document No.:
Ranet-BR#sh crypto ipsec sa ART-CNA-003-L48

interface: Serial0/0/0
Crypto map tag: Site-to-Site, local addr 202.170.100.30

protected vrf: (none)


local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer 202.170.100.130 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 0
#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 202.170.100.30, remote crypto endpt.:202.170.100.130


path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
current outbound spi: 0x593A3356(1496986454)

inbound esp sas:


spi: 0x17D06856(399534166)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: FPGA:1, crypto map: Site-to-Site
sa timing: remaining key lifetime (k/sec): (4525504/3502)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

5
A R T I C L E
spi: 0x593A3356(1496986454) Document No.:
transform: esp-aes esp-sha-hmac , ART-CNA-003-L48
in use settings ={Tunnel, }
conn id: 2005, flow_id: FPGA:1, crypto map: Site-to-Site
sa timing: remaining key lifetime (k/sec): (4525504/3502)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

Ranet-BR#

6
A R T I C L E

You might also like