Saturday, November 20, 2010

Configuring VoIP with CME 3.3: tunnelling voice traffic over an IPsec site-to-site VPN



In this scenario I configured an IPsec site-to-site VPN. The motivation is that I want the VoIP traffic encrypted while it crosses the public network; the 10.10.10.0/24 subnet stands in for that public network. In the network diagram, R2, R3 and FW1 are the devices enabled for the IPsec site-to-site VPN. Below are the configurations of all the devices I configured.

Three sites take part in the VPN. The CME gateway GW (listed below as R1) sits behind the firewall FW1 on 20.20.20.0/24; the other two sites, c1 and c2 (192.168.1.0/24 behind R2 and 192.168.2.0/24 behind R3), are where the Cisco IP phones are located, with extensions 100 and 101 configured as ephone-dns. VoIP dial peers are configured on R2 and R3, and telephony-service is configured on GW so that the two IP phones can call each other. Only traffic between the three private subnets is selected by the crypto ACLs (ACL 100 and ACL 104 on R2 and R3, outside_1_cryptomap and outside_2_cryptomap on FW1) and kept out of PAT (the deny lines of ACL 101 on the routers, nat 0 with inside_nat0_outbound on FW1). The dial-peer session targets point at the public addresses 10.10.10.1 and 10.10.10.2, so any H.323 signalling the dial peers on R2 and R3 exchange directly with each other would not be covered by the tunnels.

The credentials in these configurations are lab values: the ISAKMP pre-shared key on R2 and R3 is cisco (the PIX prints its key masked as *), the privilege-15 user password is cisco, and no service password-encryption leaves them in cleartext. FW1 also keeps a DES ISAKMP policy (policy 10) and DES/MD5 transform sets beside the 3DES/SHA ones that are actually selected, and it allows HTTP/ASDM access from any outside address (http 0.0.0.0 0.0.0.0 outside). FW1 requests PFS (set pfs) on both crypto map entries while the R2 and R3 crypto maps do not configure it, so check with show crypto ipsec sa on both ends that phase 2 comes up from either direction. Change these before taking the design out of the lab.




FW1 Configuration:

pixfirewall# sh run


: Saved

:

PIX Version 8.0(4)

!

hostname pixfirewall

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0

nameif outside

security-level 0

ip address 10.10.10.3 255.255.255.0

!

interface Ethernet1

nameif inside

security-level 100

ip address 20.20.20.2 255.255.255.0

!

interface Ethernet2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet3

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet4

nameif mgmt

security-level 50

ip address 192.168.46.2 255.255.255.0

management-only

!

ftp mode passive

clock timezone IN 5 30

access-list h323_access extended permit ip any host 10.10.10.3

access-list outside_1_cryptomap extended permit ip 20.20.20.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 20.20.20.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 20.20.20.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip 20.20.20.0 255.255.255.0 192.168.2.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu mgmt 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image flash:/asdm-602.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group h323_access in interface outside

route outside 0.0.0.0 0.0.0.0 10.10.10.1 1

route outside 192.168.1.0 255.255.255.0 10.10.10.1 1

route outside 192.168.2.0 255.255.255.0 10.10.10.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 0.0.0.0 0.0.0.0 mgmt

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 10.10.10.1

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 1 set security-association lifetime seconds 28800

crypto map outside_map 1 set security-association lifetime kilobytes 4608000

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set pfs

crypto map outside_map 2 set peer 10.10.10.2

crypto map outside_map 2 set transform-set ESP-3DES-SHA

crypto map outside_map 2 set security-association lifetime seconds 28800

crypto map outside_map 2 set security-association lifetime kilobytes 4608000

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 10.10.10.1 prefer

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec

tunnel-group 10.10.10.1 type ipsec-l2l

tunnel-group 10.10.10.1 ipsec-attributes

pre-shared-key *

tunnel-group 10.10.10.2 type ipsec-l2l

tunnel-group 10.10.10.2 ipsec-attributes

pre-shared-key *

!

class-map default

match default-inspection-traffic

!

!

policy-map default

class default

inspect icmp

inspect skinny

inspect tftp

inspect ipsec-pass-thru

inspect icmp error

!

service-policy default global

prompt hostname context

Cryptochecksum:5843d46469c3d5aa800c57144586496a

: end

pixfirewall#






R1 (hostname GW) Configuration:

!


! Last configuration change at 12:34:22 IN Sat Nov 20 2010

! NVRAM config last updated at 12:56:25 IN Sat Nov 20 2010

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname GW

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

clock timezone IN 5 30

!

!

ip cef


!

username rahilkhan privilege 15 password 0 cisco

!

!

!

interface FastEthernet0/0

ip address 20.20.20.1 255.255.255.0

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

!

ip http server

no ip http secure-server

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 20.20.20.2

!

!

!

!

!

!

!

control-plane

!



!

telephony-service

max-ephones 2

max-dn 2

ip source-address 20.20.20.1 port 2000

auto assign 1 to 2

create cnf-files version-stamp 7960 Nov 20 2010 12:34:07

max-conferences 8 gain -6

transfer-system full-consult

!

!

ephone-dn 1

number 100

!

!

ephone-dn 2

number 101

!

!

ephone 1

mac-address 001C.C088.0461

type CIPC

button 1:1

!

!

!

ephone 2

mac-address 000C.29C0.A452

type CIPC

button 1:2

!

!

!

line con 0

exec-timeout 0 0

logging synchronous

line aux 0

line vty 0 4

login

!

ntp clock-period 17179872

ntp server 10.10.10.1 prefer

!

end

R2 Configuration:

!


! Last configuration change at 12:56:21 IN Sat Nov 20 2010

! NVRAM config last updated at 12:56:22 IN Sat Nov 20 2010

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R2

!

boot-start-marker

boot-end-marker

!

no logging buffered

!

no aaa new-model

memory-size iomem 5

clock timezone IN 5 30

!

!

ip cef

!

!

username rahilkhan privilege 15 password 0 cisco

!

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key cisco address 10.10.10.2

crypto isakmp key cisco address 10.10.10.3

!

!

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to10.10.10.2

set peer 10.10.10.2

set transform-set ESP-3DES-SHA3

match address 104

crypto map SDM_CMAP_1 2 ipsec-isakmp

description Tunnel to10.10.10.3

set peer 10.10.10.3

set transform-set ESP-3DES-SHA

match address 100

!

interface FastEthernet0/0

ip address 10.10.10.1 255.255.255.0

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map SDM_CMAP_1

!

interface FastEthernet0/1

ip address 192.168.1.7 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

!

ip http server

no ip http secure-server

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.1.1

ip route 20.20.20.0 255.255.255.0 10.10.10.3

ip route 192.168.2.0 255.255.255.0 10.10.10.2

!

!

ip nat source static udp 192.168.1.3 69 10.10.10.33 69 extendable

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload

!

access-list 1 permit any

access-list 100 remark CCP_ACL Category=4

access-list 100 remark IPSec Rule

access-list 100 permit ip 192.168.1.0 0.0.0.255 20.20.20.0 0.0.0.255

access-list 101 remark CCP_ACL Category=2

access-list 101 remark IPSec Rule

access-list 101 deny ip 192.168.1.0 0.0.0.255 20.20.20.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 permit ip any any

access-list 102 remark CCP_ACL Category=4

access-list 102 remark IPSec Rule

access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 103 remark CCP_ACL Category=4

access-list 103 remark IPSec Rule

access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 104 remark CCP_ACL Category=4

access-list 104 remark IPSec Rule

access-list 104 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

!

route-map SDM_RMAP_1 permit 1

match ip address 101

!

!

!

!

control-plane

!

!

dial-peer voice 100 voip

destination-pattern 101

session target ipv4:10.10.10.2

codec g711alaw

!

!

!

line con 0

exec-timeout 0 0

logging synchronous

line aux 0

line vty 0 4

login

!

ntp master 2

ntp server 207.46.197.32 prefer

!

end

R3 Configuration:

!


version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R3

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

clock timezone IN 5 30

!

!

ip cef

!

!

username rahilkhan privilege 15 password 0 cisco

!

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key cisco address 10.10.10.1

crypto isakmp key cisco address 10.10.10.3

!

!

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to10.10.10.1

set peer 10.10.10.1

set transform-set ESP-3DES-SHA3

match address 104

crypto map SDM_CMAP_1 2 ipsec-isakmp

description Tunnel to10.10.10.3

set peer 10.10.10.3

set transform-set ESP-3DES-SHA

match address 100

!

!

!

!

interface FastEthernet0/0

ip address 10.10.10.2 255.255.255.0

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map SDM_CMAP_1

!

interface FastEthernet0/1

ip address 192.168.2.1 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

!

ip http server

no ip http secure-server

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 10.10.10.1

ip route 20.20.20.0 255.255.255.0 10.10.10.3

ip route 192.168.1.0 255.255.255.0 10.10.10.1

!

!

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload

!

access-list 1 permit any

access-list 100 remark CCP_ACL Category=4

access-list 100 remark IPSec Rule

access-list 100 permit ip 192.168.2.0 0.0.0.255 20.20.20.0 0.0.0.255

access-list 101 remark CCP_ACL Category=2

access-list 101 remark IPSec Rule

access-list 101 deny ip 192.168.2.0 0.0.0.255 20.20.20.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 permit ip any any

access-list 102 remark CCP_ACL Category=4

access-list 102 remark IPSec Rule

access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 103 remark CCP_ACL Category=4

access-list 103 remark IPSec Rule

access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 104 remark CCP_ACL Category=4

access-list 104 remark IPSec Rule

access-list 104 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 105 remark CCP_ACL Category=4

access-list 105 remark IPSec Rule

access-list 105 permit ip 192.168.1.0 0.0.0.255 20.20.20.0 0.0.0.255

!

route-map SDM_RMAP_1 permit 1

match ip address 101

!

!

!

!

control-plane

!

!

dial-peer voice 101 voip

destination-pattern 100

session target ipv4:10.10.10.1

codec g711alaw

!

!

!

line con 0

exec-timeout 0 0

logging synchronous

line aux 0

line vty 0 4

login

!

ntp clock-period 17179855

ntp server 10.10.10.1 prefer

!

end
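The check a practitioner would want before trusting this design, as an added example that is not part of the original post: the Python model below transcribes the crypto ACLs (interesting traffic), the NAT exemptions and the outside addresses of R2, R3 and FW1 from the configurations above and evaluates, for the lab's VoIP flows, whether each one is selected for encryption before it reaches 10.10.10.0/24. The phone addresses 192.168.1.10 and 192.168.2.10 are assumptions chosen for illustration; the subnets, peers and ACL contents are taken from the configs. The `exempt_nat=False` switch models what happens if the NAT exemption (the deny lines of ACL 101, or `nat (inside) 0` on FW1) were missing.

```python
"""Which of the lab's VoIP flows are actually encrypted?

Added example, not code from the original post.  It transcribes the crypto
ACLs, NAT exemptions and outside addresses from the R2, R3 and FW1
configurations above.  Phone addresses (192.168.1.10, 192.168.2.10) are
assumptions chosen for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr)


def ip(addr: str) -> IPv4:
    return ipaddress.ip_address(addr)


# Crypto map entries per gateway, in sequence order: (source subnet, destination subnet, peer).
CRYPTO_ACLS: Dict[str, List[Tuple[Net, Net, str]]] = {
    "R2":  [(net("192.168.1.0/24"), net("192.168.2.0/24"), "10.10.10.2"),   # SDM_CMAP_1 seq 1, ACL 104
            (net("192.168.1.0/24"), net("20.20.20.0/24"),  "10.10.10.3")],  # SDM_CMAP_1 seq 2, ACL 100
    "R3":  [(net("192.168.2.0/24"), net("192.168.1.0/24"), "10.10.10.1"),   # SDM_CMAP_1 seq 1, ACL 104
            (net("192.168.2.0/24"), net("20.20.20.0/24"),  "10.10.10.3")],  # SDM_CMAP_1 seq 2, ACL 100
    "FW1": [(net("20.20.20.0/24"),  net("192.168.1.0/24"), "10.10.10.1"),   # outside_map 1
            (net("20.20.20.0/24"),  net("192.168.2.0/24"), "10.10.10.2")],  # outside_map 2
}

# Flows kept out of PAT: the deny lines of ACL 101 (route-map SDM_RMAP_1) on R2/R3,
# "nat (inside) 0 access-list inside_nat0_outbound" on FW1.
NAT_EXEMPT: Dict[str, List[Tuple[Net, Net]]] = {
    "R2":  [(net("192.168.1.0/24"), net("20.20.20.0/24")), (net("192.168.1.0/24"), net("192.168.2.0/24"))],
    "R3":  [(net("192.168.2.0/24"), net("20.20.20.0/24")), (net("192.168.2.0/24"), net("192.168.1.0/24"))],
    "FW1": [(net("20.20.20.0/24"), net("192.168.1.0/24")), (net("20.20.20.0/24"), net("192.168.2.0/24"))],
}

# Each gateway's inside subnet and the outside address it overloads inside hosts onto
# ("interface FastEthernet0/0 overload" on the routers, "global (outside) 1 interface" on the PIX).
SITES: Dict[str, Tuple[Net, IPv4]] = {
    "R2":  (net("192.168.1.0/24"), ip("10.10.10.1")),
    "R3":  (net("192.168.2.0/24"), ip("10.10.10.2")),
    "FW1": (net("20.20.20.0/24"),  ip("10.10.10.3")),
}


def egress_gateway(src: IPv4) -> str:
    """The gateway whose outside interface (and crypto map) a packet from src leaves through."""
    for gw, (inside, outside) in SITES.items():
        if src in inside or src == outside:   # inside host, or traffic the gateway sources itself
            return gw
    raise ValueError(f"no site contains {src}")


def tunnel_for(src_s: str, dst_s: str, exempt_nat: bool = True) -> Optional[str]:
    """Return the IPsec peer that carries src->dst, or None if it crosses 10.10.10.0/24 in cleartext.

    On IOS and PIX, inside-to-outside NAT is applied before the crypto map is consulted, so a
    flow that is not exempted from PAT is matched against the crypto ACL with the gateway's
    outside address as its source and never selects a tunnel.  exempt_nat=False models a
    configuration in which the exemption (ACL 101 / nat 0) is missing.
    """
    src, dst = ip(src_s), ip(dst_s)
    gw = egress_gateway(src)
    inside, outside = SITES[gw]
    exempt = exempt_nat and any(src in s and dst in d for s, d in NAT_EXEMPT[gw])
    seen_src = outside if (src in inside and not exempt) else src
    for s, d, peer in CRYPTO_ACLS[gw]:
        if seen_src in s and dst in d:
            return peer
    return None


def mirrored(a: str, b: str) -> bool:
    """True when both directions are selected, i.e. the two ends' crypto ACLs mirror each other."""
    return tunnel_for(a, b) is not None and tunnel_for(b, a) is not None


def classify_lab_flows() -> Dict[str, Optional[str]]:
    """The flows this lab carries, mapped to the peer that encrypts them (None = cleartext)."""
    flows = {
        "SCCP c1 phone -> CME 20.20.20.1:2000":    ("192.168.1.10", "20.20.20.1"),
        "SCCP c2 phone -> CME 20.20.20.1:2000":    ("192.168.2.10", "20.20.20.1"),
        "RTP c1 phone -> c2 phone":                ("192.168.1.10", "192.168.2.10"),
        "RTP c2 phone -> c1 phone":                ("192.168.2.10", "192.168.1.10"),
        "H.323 dial-peer R2 -> R3":                ("10.10.10.1", "10.10.10.2"),
        "TFTP c2 phone -> static NAT 10.10.10.33": ("192.168.2.10", "10.10.10.33"),
    }
    return {name: tunnel_for(s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for name, peer in classify_lab_flows().items():
        print(f"{name:42s} {'encrypted to ' + peer if peer else 'CLEARTEXT'}")
```

Running it shows the SCCP registrations to 20.20.20.1 and the RTP between the phone subnets entering the tunnels to FW1 and to the far router, while the H.323 signalling between the dial peers (session target ipv4:10.10.10.x) and anything addressed to the static-NAT TFTP address 10.10.10.33 leave in cleartext, because the crypto ACLs only select the private subnets. On the devices themselves, confirm with show crypto isakmp sa and show crypto ipsec sa on R2, R3 and FW1 (the encaps/decaps counters should increase during a call) and with show ephone registered on GW.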
