
This is a simple lab that connects two routers over IPsec.
IPsec is used to join two remote LANs, 10.1.11.0/24 and 10.1.10.0/24.
The design assumptions are as follows:
The branch office LAN uses 10.1.11.0/24
The headquarters LAN uses 10.1.10.0/24
Routers rOddzial and rCentrala have the following public IP addresses:
rOddzial – 83.16.251.98/29
rCentrala – 83.16.251.99/29
All IP traffic from 10.1.11.0/24 to 10.1.10.0/24 is permitted and encrypted
All IP traffic from 10.1.10.0/24 to 10.1.11.0/24 is permitted and encrypted
The device configuration that satisfies these assumptions is shown below. Two things in it are lab conveniences rather than recommended settings: the ISAKMP policy and transform set use 3DES with DH group 2 and the default SHA-1 hash, which Cisco now lists as legacy algorithms (use AES and DH group 14 or higher in production), and the pre-shared key Mykey is a placeholder that must be replaced with a long random secret. Only traffic matching the crypto ACL (LAN to LAN) is encrypted; the NotInCryptomap ACL and the clearDF route-map exclude that traffic from NAT and let only ICMP from the LAN out to the Internet.
Router "PcCentrala" (a router standing in for a headquarters LAN host)
PcCentrala#sh run
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname PcCentrala
boot-start-marker
boot-end-marker
memory-size iomem 15
no aaa new-model
ip subnet-zero
ip cef
interface FastEthernet0/0
 ip address 10.1.10.10 255.255.255.0
 duplex auto
 speed auto
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.10.254
line con 0
line aux 0
line vty 0 4
end
Router "PcOddzial" (a router standing in for a branch office LAN host)
PcOddzial#sh running-config
Building configuration...
Current configuration : 462 bytes
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname PcOddzial
boot-start-marker
boot-end-marker
memory-size iomem 15
no aaa new-model
ip subnet-zero
ip cef
interface FastEthernet0/0
 ip address 10.1.11.10 255.255.255.0
 duplex auto
 speed auto
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.11.254
line con 0
line aux 0
line vty 0 4
end
Router "rCentrala"
rCentrala#sh running-config
Building configuration...
Current configuration : 1489 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname rCentrala
boot-start-marker
boot-end-marker
no aaa new-model
resource policy
memory-size iomem 5
ip cef
crypto isakmp policy 15
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Mykey address 83.16.251.98 no-xauth
crypto ipsec transform-set SETstrong esp-3des esp-sha-hmac
crypto map toOddzial 15 ipsec-isakmp
 set peer 83.16.251.98
 set transform-set SETstrong
 match address cryptomap_11
interface FastEthernet0/0
 ip address 10.1.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map clearDF
 duplex auto
 speed auto
interface FastEthernet1/0
 ip address 83.16.251.99 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map toOddzial
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
ip nat inside source route-map clearDF interface FastEthernet1/0 overload
ip access-list extended NotInCryptomap_11
 deny ip 10.1.10.0 0.0.0.255 10.1.11.0 0.0.0.255
 permit icmp 10.1.10.0 0.0.0.255 any
 deny ip any any
ip access-list extended cryptomap_11
 permit ip 10.1.10.0 0.0.0.255 10.1.11.0 0.0.0.255
route-map clearDF permit 15
 match ip address NotInCryptomap_11
 set ip df 0
control-plane
line con 0
line aux 0
line vty 0 4
end
Router "rOddzial"
rOddzial#sh running-config
Building configuration...
Current configuration : 1486 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname rOddzial
boot-start-marker
boot-end-marker
no aaa new-model
resource policy
memory-size iomem 5
ip cef
crypto isakmp policy 15
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Mykey address 83.16.251.99 no-xauth
crypto ipsec transform-set SETstrong esp-3des esp-sha-hmac
crypto map toCentrala 15 ipsec-isakmp
 set peer 83.16.251.99
 set transform-set SETstrong
 match address cryptomap_10
interface FastEthernet0/0
 ip address 10.1.11.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map clearDF
 duplex auto
 speed auto
interface FastEthernet1/0
 ip address 83.16.251.98 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map toCentrala
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
ip nat inside source route-map clearDF interface FastEthernet1/0 overload
ip access-list extended NotInCryptomap_10
 deny ip 10.1.11.0 0.0.0.255 10.1.10.0 0.0.0.255
 permit icmp 10.1.11.0 0.0.0.255 any
 deny ip any any
ip access-list extended cryptomap_10
 permit ip 10.1.11.0 0.0.0.255 10.1.10.0 0.0.0.255
route-map clearDF permit 15
 match ip address NotInCryptomap_10
 set ip df 0
control-plane
line con 0
line aux 0
line vty 0 4
end
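As an added check that is not part of the original lab: the script below, written for this page, parses the two crypto-router configs (trimmed to the tunnel-relevant lines and re-indented as show running-config prints them) and verifies the things that most often stop a crypto-map tunnel from coming up: each set peer must be the address on which the other router applies its crypto map, the pre-shared key must be bound to that peer and identical on both ends, the crypto ACLs must be exact mirror images, and every route-map match ip address must name an ACL that exists. Run against the configs as originally captured (the embedded copy keeps the stray nat token in rCentrala's route-map match) it reports exactly that one problem. The parser is deliberately small and understands only what this lab uses: named extended ACLs in the permit proto net wildcard net wildcard form and one crypto map per router; anything else (any/host keywords, port qualifiers, prefix-lists) is an assumption it does not cover.

```python
"""Added example: mirror-consistency checker for two Cisco IOS crypto-map IPsec peers."""
import re

# Tunnel-relevant lines of the rCentrala and rOddzial configs from the lab, with the
# indentation that 'show running-config' prints restored; rCentrala keeps the stray
# 'nat' token in its route-map as originally captured. Trimmed, not full configs.
R_CENTRALA = """\
hostname rCentrala
crypto isakmp key Mykey address 83.16.251.98 no-xauth
crypto map toOddzial 15 ipsec-isakmp
 set peer 83.16.251.98
 match address cryptomap_11
interface FastEthernet1/0
 ip address 83.16.251.99 255.255.255.248
 crypto map toOddzial
ip access-list extended NotInCryptomap_11
 deny ip 10.1.10.0 0.0.0.255 10.1.11.0 0.0.0.255
ip access-list extended cryptomap_11
 permit ip 10.1.10.0 0.0.0.255 10.1.11.0 0.0.0.255
route-map clearDF permit 15
 match ip address nat NotInCryptomap_11
"""
R_ODDZIAL = """\
hostname rOddzial
crypto isakmp key Mykey address 83.16.251.99 no-xauth
crypto map toCentrala 15 ipsec-isakmp
 set peer 83.16.251.99
 match address cryptomap_10
interface FastEthernet1/0
 ip address 83.16.251.98 255.255.255.248
 crypto map toCentrala
ip access-list extended cryptomap_10
 permit ip 10.1.11.0 0.0.0.255 10.1.10.0 0.0.0.255
"""


def parse_ios(cfg):
    """Pull the tunnel-relevant objects out of an IOS running-config."""
    d = {"host": None, "acl": {}, "if_addr": {}, "crypto_if": None,
         "peer": {}, "map_acl": {}, "key": {}, "rm": {}}
    # A section starts at an unindented line; the indented lines below belong to it.
    for blk in re.split(r"\n(?=\S)", cfg.strip()):
        h, *body = (l.split() for l in blk.split("\n"))
        if h[0] == "hostname":
            d["host"] = h[1]
        elif h[:3] == ["ip", "access-list", "extended"]:
            d["acl"][h[3]] = body
        elif h[0] == "interface":
            for c in body:
                if c[:2] == ["ip", "address"]:
                    d["if_addr"][h[1]] = c[2]
                elif c[:2] == ["crypto", "map"]:       # the interface the map is applied on
                    d["crypto_if"] = h[1]
        elif h[:2] == ["crypto", "map"]:               # crypto map NAME SEQ ipsec-isakmp
            for c in body:
                if c[:2] == ["set", "peer"]:
                    d["peer"][h[2]] = c[2]
                elif c[:2] == ["match", "address"]:
                    d["map_acl"][h[2]] = c[2]
        elif h[0] == "route-map":
            d["rm"][h[1]] = [n for c in body if c[:3] == ["match", "ip", "address"] for n in c[3:]]
        elif h[:3] == ["crypto", "isakmp", "key"]:     # crypto isakmp key KEY address PEER ...
            d["key"][h[5]] = h[3]
    return d


def crypto_selectors(d):
    """(proto, src, dst) the router's crypto maps will encrypt, src/dst as (net, wildcard).
    Handles only the 'permit PROTO NET WC NET WC' form the lab uses (no any/host/ports)."""
    return {(a[1], (a[2], a[3]), (a[4], a[5])) for acl in d["map_acl"].values()
            for a in d["acl"].get(acl, []) if a[:1] == ["permit"]}


def check_pair(cfg_a, cfg_b):
    """Return the list of mismatches that would stop the two routers forming the tunnel."""
    a, b = parse_ios(cfg_a), parse_ios(cfg_b)
    errors = []
    for x, y in ((a, b), (b, a)):
        hx, hy = x["host"], y["host"]
        x_out, y_out = x["if_addr"].get(x["crypto_if"]), y["if_addr"].get(y["crypto_if"])
        for name, peer in x["peer"].items():
            if peer != y_out:   # the peer must be the address the far end applies its map on
                errors.append(f"{hx}: map {name} peers with {peer}, but {hy} runs its map on {y_out}")
            if x["key"].get(peer) is None or x["key"][peer] != y["key"].get(x_out):
                errors.append(f"{hx}: pre-shared key for {peer} is missing or differs from {hy}'s")
            if x["map_acl"].get(name) not in x["acl"]:
                errors.append(f"{hx}: map {name} references an undefined crypto ACL")
        for proto, src, dst in crypto_selectors(x):   # crypto ACLs must be exact mirror images
            if (proto, dst, src) not in crypto_selectors(y):
                errors.append(f"{hx}: selector {proto} {src}->{dst} has no mirror image on {hy}")
        for rm, names in x["rm"].items():
            for n in (n for n in names if n not in x["acl"]):
                errors.append(f"{hx}: route-map {rm} matches '{n}', which is not an access-list")
    return errors


if __name__ == "__main__":
    for problem in check_pair(R_CENTRALA, R_ODDZIAL):
        print(problem)
```

The mirror test is the one worth keeping around: a crypto ACL that is not the exact reverse of the peer's is the classic cause of a phase 1 that completes while phase 2 never does, and it is invisible in show crypto isakmp sa.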