Description
1. Topology: The headquarters is fixed IP, and the branch is ADSL dial-up Internet access
2. Requirements: The branch must realize IPSec with the headquarters *** The headquarters is configured through dynamic map, and the branch can be configured statically.
Topology
3. Headquarters*** configuration:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
[Configure NAT, internal users can access the Internet]
access-list ***acl extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list ***acl extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nonat
[Configure the interesting traffic of *** And, NAT bypass, so that VPN traffic does not go through NAT]
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto ipsec transform-set myset esp-des esp-md5-hmac
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key ccieh3c.com
[The red part is the system default group, dynamic L2L, which must be configured here]
crypto dynamic-map cisco 10 match address ***acl
crypto dynamic-map cisco 10 set transform-set myset
crypto dynamic-map cisco 10 set reverse-route
crypto map mp 10 ipsec-isakmp dynamic cisco
crypto map mp interface outside
crypto isakmp enable outside
4. Branch*** configuration
access-list *** extended permit ip 192.168.20.0 255.255.255.0 host 192.168.1.254
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 host 192.168.1.254
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
tunnel-group 120.1.1.1 type ipsec-l2l
tunnel-group 120.1.1.1 ipsec-attributes
pre-shared-key ccieh3c.taobao.com
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto isakmp key cisco address 100.1.1.1
crypto map mp 1 match address ***
crypto map mp 1 set peer 100.1.1.1
crypto map mp 1 set transform-set myset
crypto map mp interface outside
crypto isakmp enable outside
Implementation based on 8.4 and NAT bypass [only important configurations are given, most of which are consistent with 8.0]
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Description: Same as traditional 8.0, with an additional IKEV1 parameter. Because IKEV2 is supported after 8.4, it is distinguished.
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key ccieh3c.taobao.com
Note: The system default group must be used for dynamic L2L.
crypto ipsec ikev1 transform-set trans esp-des esp-md5-hmac
crypto dynamic-map dyl2l 1000 set ikev1 transform-set trans
crypto map l2l 1000 ipsec-isakmp dynamic dyl2l
crypto map l2l interface outside
Description: here must use dynamic map to call the conversion Set, and then associate the dynamic with a static map.
Configure the internal network to access the Internet NAT
object network inside
subnet 2.2.2.0 255.255.255.0
nat (inside,outside) dynamic interface
NAT bypass [Let the traffic of *** not be translated by NAT]
object network inside-***
subnet 192.168.1.0 255.255.255.0
object network outside-***1
subnet 192.168.20.0 255.255.255.0
object network outside-** *2
subnet 192.168.10.0 255.255.255.0
nat (inside,outside) source static inside-*** inside-*** destination static outside-***1 outside-***1
nat (inside,outside) source static inside-*** inside-*** destination static outside-***2 outside-***2
This article is reproduced in the public account: Network Road Blog