Cisco - Configuring a GRE Tunnel over IPSec with OSPF
Table of Contents
Configuring a GRE Tunnel over IPSec with OSPF
Document ID: 14381
Introduction
Prerequisites
  Requirements
  Components Used
  Conventions
Configure
  Network Diagram
  Configurations
Verify
Troubleshoot
  Troubleshooting Commands
NetPro Discussion Forums - Featured Conversations
Related Information
Configuring a GRE Tunnel over IPSec with OSPF
Document ID: 14381
Introduction
Normal IP Security (IPSec) configurations cannot transfer routing protocols, such as Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF), or non-IP traffic, such as Internetwork Packet Exchange (IPX) and AppleTalk. This document illustrates how to route between different networks that use a routing protocol and non-IP traffic with IPSec. This example uses generic routing encapsulation (GRE) in order to accomplish routing between the different networks.
Prerequisites
Requirements
Before you attempt this configuration, ensure that you meet these requirements:
- Make sure that the tunnel works before you apply the crypto maps.
- For information about possible Maximum Transmission Unit (MTU) issues, refer to Adjusting IP MTU, TCP MSS, and PMTUD on Windows and Sun Systems.
Components Used
The information in this document is based on these software and hardware versions:
- Cisco 3600 that runs Cisco IOS® Software Release 12.1(8)
- Cisco 2600 that runs Cisco IOS Software Release 12.1(9)
- PIX Firewall Software Release 5.3(2)
- PIX Firewall Software Release 6.0(1)
The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure
that you understand the potential impact of any command.
Conventions
For more information on document conventions, refer to Cisco Technical Tips Conventions.
Configure
In this section, you are presented with the information used to configure the features described in this document.
Note: In order to find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).
Network Diagram
This document uses the network setup shown in this diagram.
Configurations
This document uses these configurations:
- PIX Lion
- PIX Tiger
- Router Rodney
- Router House
PIX Lion
PIX Version 6.0(1)
nameif gb-ethernet0 dmz1 security60
nameif gb-ethernet1 dmz2 security40
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Lion
domain-name cisco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
!--- Traffic from inside network.
access-list nonat permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
interface gb-ethernet0 1000auto shutdown
interface gb-ethernet1 1000auto shutdown
interface ethernet0 auto
interface ethernet1 auto
mtu dmz1 1500
mtu dmz2 1500
mtu outside 1500
mtu inside 1500
ip address dmz1 127.0.0.1 255.255.255.255
ip address dmz2 127.0.0.1 255.255.255.255
ip address outside 10.64.10.16 255.255.255.224
ip address inside 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address dmz1 0.0.0.0
failover ip address dmz2 0.0.0.0
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
!--- Do not Network Address Translate (NAT) traffic.
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 10.64.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 s0
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
!--- Trust IPSec traffic and avoid going through
!--- access control lists (ACLs)/NAT.
sysopt connection permit-ipsec
no sysopt route dnat
!--- IPSec configuration.
crypto ipsec transform-set pixset esp-des esp-md5-hmac
crypto map pixmap 20 ipsec-isakmp
crypto map pixmap 20 match address nonat
crypto map pixmap 20 set peer 10.64.10.15
crypto map pixmap 20 set transform-set pixset
crypto map pixmap interface outside
isakmp enable outside
!--- IKE parameters.
isakmp key ******** address 10.64.10.15 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 3600
telnet timeout 5
ssh 64.104.205.124 255.255.255.255 outside
ssh timeout 5
terminal width 80
Cryptochecksum:d39b3d449563c7cd434b43f82f0f0a21
: end
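The two PIX ends only form a tunnel when the crypto map peers, the nonat ACLs and the ISAKMP policy agree. The following checker is an added example, not code from the Cisco document: it parses the crypto-relevant lines of both PIX configurations, reports cross-reference mismatches, and flags the DES/MD5/group 1 settings used in this lab, which a defender would replace today. Lion's lines are taken from the page; PIX Tiger's crypto section is not shown on the page, so its lines are an assumed mirror.

```python
# Constructed excerpts: Lion's lines are taken from the page; PIX Tiger's
# crypto section is not shown on the page, so its lines are an ASSUMED mirror.
LION = """
ip address outside 10.64.10.16 255.255.255.224
access-list nonat permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto map pixmap 20 set peer 10.64.10.15
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
"""
TIGER = """
ip address outside 10.64.10.15 255.255.255.224
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
crypto map pixmap 20 set peer 10.64.10.16
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
"""
# IKE settings a reviewer should flag today (the lab above uses all three).
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1", "2"}}

def parse(cfg):
    d = {"outside": None, "acl": [], "peer": None, "ike": {}}
    for line in cfg.splitlines():
        t = line.split()
        if t[:3] == ["ip", "address", "outside"]:
            d["outside"] = t[3]
        elif t[:3] == ["access-list", "nonat", "permit"]:
            d["acl"].append(tuple(t[4:8]))      # (src, srcmask, dst, dstmask)
        elif t[-3:-1] == ["set", "peer"]:
            d["peer"] = t[-1]
        elif t[:2] == ["isakmp", "policy"]:
            d["ike"][t[3]] = t[4]               # e.g. {"encryption": "des"}
    return d

def check_peers(cfg_a, cfg_b):
    """Return findings: cross-reference mismatches between the two ends, then weak IKE settings."""
    a, b = parse(cfg_a), parse(cfg_b)
    out = []
    if a["peer"] != b["outside"] or b["peer"] != a["outside"]:
        out.append("peer addresses do not cross-reference")
    # Each side's crypto ACL must be the other's with source and destination swapped.
    if a["acl"] != [(d, dm, s, sm) for (s, sm, d, dm) in b["acl"]]:
        out.append("crypto ACLs are not mirror images")
    if a["ike"] != b["ike"]:
        out.append("ISAKMP policies differ between peers")
    for kind, val in a["ike"].items():
        if val in WEAK.get(kind, ()):
            out.append(f"weak {kind}: {val}")
    return out
```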
PIX Tiger
PIX Version 5.3(2)
nameif gb-ethernet0 intf2 security10
nameif gb-ethernet1 intf3 security15
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Tiger
domain-name cisco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby
logging console debugging
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface gb-ethernet0 1000auto shutdown
interface gb-ethernet1 1000auto shutdown
interface ethernet0 auto
interface ethernet1 auto
mtu intf2 1500
mtu intf3 1500
mtu outside 1500
mtu inside 1500
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address outside 10.64.10.15 255.255.255.224
ip address inside 192.168.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover