SITE-to-SITE VPN
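Tunnel interfaces: none (the crypto map is applied directly on the outside interface)
NAT exemption: deny the interesting (VPN) traffic in the NAT ACL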


<HQ>
<ISAKMP>
<isakmp pol1>
! IKE phase 1 (ISAKMP) policy 1 on HQ: 3DES encryption, MD5 hash, pre-shared-key
! authentication, DH group 5, SA lifetime 86400 seconds. Both spoke sections carry the
! same five values, which is what lets phase 1 negotiate.
! NOTE(review): 3DES, MD5 and DH group 5 are legacy parameters. Where the IOS image
! supports them, prefer e.g. "encr aes 256", "hash sha256", "group 14" - and change HQ and
! both spokes in the same window, because a one-sided change leaves no common policy.
cry isakmp pol 1
 encr 3des
 hash md5
 auth pre-share
 group 5
 lifetime 86400
</isakmp pol1>
<PSK>
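Open question: use a wildcard key (address 0.0.0.0)? It would accept this key from any peer address; the per-peer entries below are used instead.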
! Pre-shared keys, one entry per spoke; 10.0.1.2 and 10.1.1.2 are the same addresses
! used as "set peer" in crypto map CM_SPOKEXX.
! NOTE(review): "CISCO" is a lab-grade key and it is shared by both peers, so knowing one
! spoke's key means knowing the other's. Use a long random key per peer. The key is also
! kept in clear text in the configuration unless type-6 key encryption
! ("key config-key password-encrypt" plus "password encryption aes") is enabled - confirm
! on the device.
cry isakmp key CISCO address 10.0.1.2
cry isakmp key CISCO address 10.1.1.2
</PSK>
</ISAKMP>
<IPSEC>
    <ACL INSIDE>
! ACL INSIDE on HQ - presumably the ACL referenced by the NAT rule (the "ip nat" statement
! itself is not shown here). ACLs are first-match, so the two deny lines must stay above the
! permits: they keep HQ-to-spoke traffic out of NAT so that it still matches VPN-TRAFFIC
! with its original source address.
! The "(N matches)" suffixes are hit counters as printed by the show output; they are not
! part of the configuration.
! NOTE(review): only 192.169.1.0/24 and 192.169.3.0/24 are exempted; 192.169.2.0/24 and
! 192.169.4.0/24 have no deny entry and no VPN-TRAFFIC entry, so they are translated and
! never tunnelled.
! NOTE(review): each "permit icmp ... any" follows a "permit ip ... any" for the same source,
! so the icmp lines can never be the first match.
! NOTE(review): 192.169.0.0/16 lies outside the RFC 1918 range 192.168.0.0/16 - acceptable
! in an isolated lab, worth renumbering before reuse elsewhere.
IP access-list ext INSIDE
deny ip 192.169.1.0 0.0.0.255 192.168.1.0 0.0.0.255 (50 matches)
deny ip 192.169.3.0 0.0.0.255 192.168.3.0 0.0.0.255 (60 matches)
permit ip 192.169.1.0 0.0.0.255 any (1 match)
permit ip 192.169.2.0 0.0.0.255 any (2 matches)
permit ip 192.169.3.0 0.0.0.255 any (2 matches)
permit ip 192.169.4.0 0.0.0.255 any (1 match)
permit icmp 192.169.1.0 0.0.0.255 any
permit icmp 192.169.2.0 0.0.0.255 any
permit icmp 192.169.3.0 0.0.0.255 any
permit icmp 192.169.4.0 0.0.0.255 any
    </ACL INSIDE>
    <ACL VPN-TRAFFIC>
! Interesting-traffic ACL for HQ: one line per spoke LAN pair. Each line is the mirror image
! of the single permit in the corresponding spoke's VPN-TRAFFIC ACL.
ip access-list extended VPN-TRAFFIC
permit ip 192.169.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.169.3.0 0.0.0.255 192.168.3.0 0.0.0.255
    </ACL VPN-TRAFFIC>
    <TS: TS-SPOKEXX>
! Phase 2 transform set: ESP with 3DES encryption and HMAC-MD5 integrity; both spokes define
! the same pair under the name TS-HQ.
! NOTE(review): legacy algorithms. Where supported, prefer e.g. "esp-aes 256 esp-sha256-hmac",
! changed on all three routers together.
crypto ipsec transform-set TS-SPOKEXX esp-3des esp-md5-hmac
    </TS: TS-SPOKEXX>
    <Crypto MAP CM_SPOKEXX>
! A single crypto map entry (sequence 10) that lists both spokes as peers and matches the
! combined VPN-TRAFFIC ACL.
! NOTE(review): several "set peer" lines inside one entry are normally treated as alternative
! peers for the same protected networks, so either spoke may be offered the other spoke's
! selectors. The conventional layout is one sequence number per spoke, each with its own
! peer and its own single-line ACL - confirm the intended behaviour on the device.
! NOTE(review): there is no "set pfs" line, so phase 2 keys are derived without a fresh DH
! exchange.
crypto map CM_SPOKEXX 10 ipsec-isakmp
set peer 10.0.1.2
set peer 10.1.1.2
set transform-set TS-SPOKEXX
match address VPN-TRAFFIC
    </Crypto MAP CM_SPOKEXX>
</IPSEC>
<IF OUT+CM>
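! Bind the crypto map to the outside interface. The name given here must be the map
! defined by "crypto map CM_SPOKEXX 10 ipsec-isakmp"; the interface command takes the
! map name only, in the same form the spokes use ("crypto map CM_HQ").
! Without a map bound to this interface the traffic selected by VPN-TRAFFIC is not
! protected, so verify with "show crypto map" after applying.
int gi 0/0
 crypto map CM_SPOKEXX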
</IF OUT+CM>
</HQ>

<SPOKE-I>
<ISAKMP>
<isakmp pol1>
! IKE phase 1 (ISAKMP) policy 1 on Spoke I, identical in all five values to the HQ policy.
! NOTE(review): 3DES, MD5 and DH group 5 are legacy parameters. Where supported, prefer
! e.g. "encr aes 256", "hash sha256", "group 14", changed together with HQ so that a
! common policy still exists.
cry isakmp pol 1
 encr 3des
 hash md5
 auth pre-share
 group 5
 lifetime 86400
</isakmp pol1>
<PSK>
! Pre-shared key for the HQ peer; 10.2.1.2 is the address used as "set peer" in CM_HQ.
! NOTE(review): "CISCO" is a lab-grade key and Spoke II uses the same one. Use a long
! random key unique to this spoke, set to the same value on the HQ entry for this peer.
cry isakmp key CISCO address 10.2.1.2
</PSK>
</ISAKMP>
<IPSEC>
    <ACL INSIDE>
! ACL INSIDE on Spoke I, shown in show-output form (header line and "(26 matches)" hit
! counter); the configuration form of the header is "ip access-list extended INSIDE".
! Presumably this is the ACL referenced by the NAT rule, which is not shown here. The deny
! line must stay first: it keeps traffic towards the HQ LAN 192.169.1.0/24 out of NAT so
! that it still matches VPN-TRAFFIC.
! NOTE(review): 192.168.2.0/24 has no deny entry and no VPN-TRAFFIC entry, so it is
! translated and never tunnelled.
! NOTE(review): each "permit icmp" follows a "permit ip ... any" for the same source and
! can never be the first match.
Extended IP access list INSIDE
deny ip 192.168.1.0 0.0.0.255 192.169.1.0 0.0.0.255 (26 matches)
permit ip 192.168.1.0 0.0.0.255 any
permit icmp 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
permit icmp 192.168.2.0 0.0.0.255 any
    </ACL INSIDE>
    <ACL VPN-TRAFFIC>
! Interesting-traffic ACL for Spoke I: the mirror image of the first permit line in the
! HQ VPN-TRAFFIC ACL (source and destination swapped).
ip access-list extended VPN-TRAFFIC
permit ip 192.168.1.0 0.0.0.255 192.169.1.0 0.0.0.255
    </ACL VPN-TRAFFIC>
    <TS: TS-HQ>
! Phase 2 transform set: ESP with 3DES and HMAC-MD5, the same pair as TS-SPOKEXX on HQ.
! NOTE(review): legacy algorithms. Where supported, prefer e.g. "esp-aes 256 esp-sha256-hmac",
! changed together with HQ.
crypto ipsec transform-set TS-HQ esp-3des esp-md5-hmac
    </TS: TS-HQ>
    <Crypto MAP CM_HQ>
! Crypto map entry 10: a single peer (HQ, 10.2.1.2), transform set TS-HQ, traffic selected
! by VPN-TRAFFIC.
! NOTE(review): there is no "set pfs" line, so phase 2 keys are derived without a fresh DH
! exchange.
crypto map CM_HQ 10 ipsec-isakmp
set peer 10.2.1.2
set transform-set TS-HQ
match address VPN-TRAFFIC
    </Crypto MAP CM_HQ>
</IPSEC>
<IF OUT+CM>
! Bind crypto map CM_HQ to the outside interface gi 0/0; the name matches the map defined
! by "crypto map CM_HQ 10 ipsec-isakmp".
int gi 0/0
 crypto map CM_HQ
</IF OUT+CM>
</SPOKE-I>

<SPOKE-II>
<ISAKMP>
<isakmp pol1>
! IKE phase 1 (ISAKMP) policy 1 on Spoke II, identical in all five values to the HQ policy.
! NOTE(review): 3DES, MD5 and DH group 5 are legacy parameters. Where supported, prefer
! e.g. "encr aes 256", "hash sha256", "group 14", changed together with HQ so that a
! common policy still exists.
cry isakmp pol 1
 encr 3des
 hash md5
 auth pre-share
 group 5
 lifetime 86400
</isakmp pol1>
<PSK>
! Pre-shared key for the HQ peer; 10.2.1.2 is the address used as "set peer" in CM_HQ.
! NOTE(review): "CISCO" is a lab-grade key and Spoke I uses the same one. Use a long
! random key unique to this spoke, set to the same value on the HQ entry for this peer.
cry isakmp key CISCO address 10.2.1.2
</PSK>
</ISAKMP>
<IPSEC>
    <ACL INSIDE>
! ACL INSIDE on Spoke II - presumably the ACL referenced by the NAT rule, which is not
! shown here. The deny line must stay first: it keeps traffic towards the HQ LAN
! 192.169.3.0/24 out of NAT so that it still matches VPN-TRAFFIC.
! "(7 matches)" is a hit counter from the show output, not part of the configuration.
! NOTE(review): the deny line carries no hit counter here, unlike the Spoke I listing -
! worth confirming that tunnelled traffic was actually generated from this side.
! NOTE(review): 192.168.4.0/24 has no deny entry and no VPN-TRAFFIC entry, so it is
! translated and never tunnelled.
! NOTE(review): each "permit icmp" follows a "permit ip ... any" for the same source and
! can never be the first match.
IP access-list ext INSIDE
deny ip 192.168.3.0 0.0.0.255 192.169.3.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 any (7 matches)
permit icmp 192.168.3.0 0.0.0.255 any
permit ip 192.168.4.0 0.0.0.255 any
permit icmp 192.168.4.0 0.0.0.255 any
    </ACL INSIDE>
    <ACL VPN-TRAFFIC>
! Interesting-traffic ACL for Spoke II: the mirror image of the second permit line in the
! HQ VPN-TRAFFIC ACL (source and destination swapped).
ip access-list extended VPN-TRAFFIC
permit ip 192.168.3.0 0.0.0.255 192.169.3.0 0.0.0.255
    </ACL VPN-TRAFFIC>
    <TS: TS-HQ>
! Phase 2 transform set: ESP with 3DES and HMAC-MD5, the same pair as TS-SPOKEXX on HQ.
! NOTE(review): legacy algorithms. Where supported, prefer e.g. "esp-aes 256 esp-sha256-hmac",
! changed together with HQ.
crypto ipsec transform-set TS-HQ esp-3des esp-md5-hmac
    </TS: TS-HQ>
    <Crypto MAP CM_HQ>
! Crypto map entry 10: a single peer (HQ, 10.2.1.2), transform set TS-HQ, traffic selected
! by VPN-TRAFFIC.
! NOTE(review): there is no "set pfs" line, so phase 2 keys are derived without a fresh DH
! exchange.
crypto map CM_HQ 10 ipsec-isakmp
set peer 10.2.1.2
set transform-set TS-HQ
match address VPN-TRAFFIC
    </Crypto MAP CM_HQ>
</IPSEC>
<IF OUT+CM>
! Bind crypto map CM_HQ to the outside interface gi 0/0; the name matches the map defined
! by "crypto map CM_HQ 10 ipsec-isakmp".
int gi 0/0
 crypto map CM_HQ
</IF OUT+CM>
</SPOKE-II>