Scenario

This scenario gives you the opportunity to configure three locations (New York, Los Angeles, and Atlanta) for a site-to-site fully meshed VPN. The configurations for the three locations are listed with specific items missing. By reviewing the network layout and each firewall configuration you will find the items that are missing from the individual firewall configurations.
VPN Configurations

Clearly, the most detail-oriented and time-consuming portion of configuring VPNs is ensuring that both peers have matching configurations. This task usually becomes more complicated because you might have access to only one peer and are relying on someone else to configure the other end. A single discrepancy between the configurations can prevent the key exchange from completing or prevent encryption from occurring. It is best to compare the configurations on both peers before attempting the connection rather than trying to troubleshoot the VPN after an unsuccessful connection.

In this scenario, you are working as a consultant and have been assigned the task of configuring a full-mesh VPN between corporate headquarters and two branch offices. Figure 11-7 shows the layout of each network and how the VPNs are to connect.
Figure 11-7. VPN Network Layout
The three locations have all provided their current PIX configurations, but each has a significant amount of information missing. It is your responsibility to complete each of the configurations and ensure that they are correct. Example 11-10 shows the configuration for the corporate headquarters in Los Angeles:

Example 11-10. PIX Configuration for Los Angeles
1. : Saved
2. :
3. PIX Version 6.3(3)
4. nameif ethernet0 outside security0
5. nameif ethernet1 inside security100
6. nameif ethernet2 DMZ security70
7. enable password HtmvK15kjhtlyfvcl encrypted
8. passwd Kkjhlkf1568Hke encrypted
9. hostname LosAngeles
10. domain-name www.Chapter11.com
11. fixup protocol ftp 21
12. fixup protocol http 80
13. fixup protocol h323 1720
14. fixup protocol rsh 514
15. fixup protocol smtp 25
16. fixup protocol sqlnet 1521
17. fixup protocol sip 5060
18. fixup protocol skinny 2000
19. names
20. access-list inbound permit icmp any host 192.168.1.10
21. access-list inbound permit tcp any host 192.168.1.10 eq www
22. access-list inbound permit tcp any host 192.168.1.10 eq 443
23. access-list inbound permit tcp any host 192.168.1.11 eq www
24. access-list inbound permit tcp any host 192.168.1.11 eq 443
25. access-list inbound permit tcp any host 192.168.1.12 eq www
26. access-list inbound permit tcp any host 192.168.1.12 eq 443
27. access-list inbound permit tcp any host 192.168.1.13 eq ftp
28. access-list inbound permit tcp any host 192.168.1.13 eq 443
29. access-list DMZ permit udp 172.16.1.0 255.255.255.0 host 10.10.10.240 eq ntp
30. access-list VPN permit ip 10.10.10.0 255.255.255.0 10.10.2.0 255.255.255.0
31. ________________________________________
32. ________________________________________
33. ________________________________________
34. pager lines 24
35. logging on
36. logging timestamp
37. interface ethernet0 auto
38. interface ethernet1 auto
39. interface ethernet2 auto
40. mtu outside 1500
41. mtu inside 1500
42. ip address outside 192.168.1.1 255.255.255.0
43. ip address inside 10.10.10.1 255.255.255.0
44. ip address DMZ 172.16.1.1 255.255.255.0
45. failover
46. failover timeout 0:00:00
47. failover poll 15
48. failover ip address outside 192.168.1.2
49. failover ip address inside 10.10.10.2
50. failover ip address DMZ 172.16.1.2
51. arp timeout 14400
52. global (outside) 1 192.168.1.20-250
53. nat (inside) 1 0.0.0.0 0.0.0.0
54. nat (inside) 0 access-list VPN
55. static (inside,DMZ) 10.10.10.240 10.10.10.240 netmask 255.255.255.255 0 0
56. static (DMZ,outside) 192.168.1.10 172.16.1.10 netmask 255.255.255.255 0 0
57. static (DMZ,outside) 192.168.1.11 172.16.1.11 netmask 255.255.255.255 0 0
58. static (DMZ,outside) 192.168.1.12 172.16.1.12 netmask 255.255.255.255 0 0
59. static (DMZ,outside) 192.168.1.13 172.16.1.13 netmask 255.255.255.255 0 0
60. access-group inbound in interface outside
61. access-group DMZ in interface DMZ
62. route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
63. timeout xlate 3:00:00
64. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
65. timeout uauth 0:05:00 absolute
66. aaa-server TACACS+ protocol tacacs+
67. aaa-server RADIUS protocol radius
68. no snmp-server location
69. no snmp-server contact
70. snmp-server community public
71. no snmp-server enable traps
72. floodguard enable
73. sysopt connection permit-ipsec
74. no sysopt route dnat
75. crypto ipsec transform-set
76. crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
77. ________________________________________
78. ________________________________________
79. ________________________________________
80. crypto map Chapter11 10 set transform-set Chapter11
81. crypto map Chapter11 20 ipsec-isakmp
82. ________________________________________
83. ________________________________________
84. ________________________________________
85. crypto map Chapter11 interface outside
86. ________________________________________
87. ________________________________________
88. ________________________________________
89. ________________________________________
90. ________________________________________
91. ________________________________________
92. ________________________________________
93. ________________________________________
94. ________________________________________
95. terminal width 80
96. Cryptochecksum:e0clmj3546549637cbsFds54132d5
Example 11-11 shows the configuration for the Boston branch office.

Example 11-11. PIX Configuration for Boston
1. : Saved
2. :
3. PIX Version 6.3(3)
4. nameif ethernet0 outside security0
5. nameif ethernet1 inside security100
6. nameif ethernet2 DMZ security70
7. enable password ksjfglkasglc encrypted
8. passwd kjngczftglkacytiur encrypted
9. hostname Boston
10. domain-name www.Chapter11.com
11. fixup protocol ftp 21
12. fixup protocol http 80
13. fixup protocol smtp 25
14. fixup protocol skinny 2000
15. names
16. access-list inbound permit icmp any host 192.168.2.10
17. access-list inbound permit tcp any host 192.168.2.10 eq www
18. access-list inbound permit tcp any host 192.168.2.10 eq 443
19. access-list DMZ permit udp 172.16.2.0 255.255.255.0 host 10.10.2.240 eq ntp
20. access-list ________________________________________
21. access-list ________________________________________
22. access-list ________________________________________
23. access-list ________________________________________
24. pager lines 24
25. logging on
26. logging timestamp
27. interface ethernet0 auto
28. interface ethernet1 auto
29. interface ethernet2 auto
30. mtu outside 1500
31. mtu inside 1500
32. ip address outside 192.168.2.1 255.255.255.0
33. ip address inside 10.10.2.1 255.255.255.0
34. ip address DMZ 172.16.2.1 255.255.255.0
35. arp timeout 14400
36. global (outside) 1 192.168.2.20-200
37. nat (inside) 1 0.0.0.0 0.0.0.0 0 0
38. nat (inside) 0 access-list VPN
39. static (inside,DMZ) 10.10.2.240 10.10.2.240 netmask 255.255.255.255 0 0
40. static (DMZ,outside) 192.168.2.10 172.16.2.10 netmask 255.255.255.255 0 0
41. access-group inbound in interface outside
42. access-group DMZ in interface DMZ
43. route outside 0.0.0.0 0.0.0.0 192.168.2.254 1
44. timeout xlate 3:00:00
45. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
46. timeout uauth 0:05:00 absolute
47. aaa-server TACACS+ protocol tacacs+
48. aaa-server RADIUS protocol radius
49. no snmp-server location
50. no snmp-server contact
51. snmp-server community public
52. no snmp-server enable traps
53. floodguard enable
54. ________________________________________
55. ________________________________________
56. ________________________________________
57. crypto map Chapter11 10 ipsec-isakmp
58. crypto map Chapter11 10 match address LosAngeles
59. ________________________________________
60. crypto map Chapter11 10 set transform-set Chapter11
61. crypto map Chapter11 20 ipsec-isakmp
62. crypto map Chapter11 20 match address Atlanta
63. crypto map Chapter11 20 set peer 192.168.3.1
64. ________________________________________
65. ________________________________________
66. isakmp enable outside
67. isakmp key ******** address 192.168.1.1 netmask 255.255.255.255
68. isakmp key ******** address 192.168.3.1 netmask 255.255.255.255
69. isakmp identity address
70. isakmp policy 20 authentication pre-share
71. ________________________________________
72. ________________________________________
73. ________________________________________
74. ________________________________________
75. terminal width 80
76. Cryptochecksum:e0c04954fcabd239ae291d58fc618dd5
Example 11-12 shows the configuration for the Atlanta branch office.

Example 11-12. PIX Configuration for Atlanta
1. : Saved
2. :
3. PIX Version 6.3(3)
4. nameif ethernet0 outside security0
5. nameif ethernet1 inside security100
6. nameif ethernet2 DMZ security70
7. enable password ksjfglkasglc encrypted
8. passwd kjngczftglkacytiur encrypted
9. hostname Atlanta
10. domain-name www.Chapter11.com
11. fixup protocol ftp 21
12. fixup protocol http 80
13. fixup protocol smtp 25
14. fixup protocol skinny 2000
15. names
16. access-list inbound permit icmp any host 192.168.3.10
17. access-list inbound permit tcp any host 192.168.3.10 eq www
18. access-list inbound permit tcp any host 192.168.3.10 eq 443
19. access-list DMZ permit udp 172.16.3.0 255.255.255.0 host 10.10.3.240 eq ntp
20. access-list ________________________________________
21. access-list ________________________________________
22. access-list ________________________________________
23. access-list ________________________________________
24. pager lines 24
25. logging on
26. logging timestamp
27. interface ethernet0 auto
28. interface ethernet1 auto
29. interface ethernet2 auto
30. mtu outside 1500
31. mtu inside 1500
32. ip address outside 192.168.3.1 255.255.255.0
33. ip address inside 10.10.3.1 255.255.255.0
34. ip address DMZ 172.16.3.1 255.255.255.0
35. arp timeout 14400
36. global (outside) 1 192.168.3.20-200
37. nat (inside) 1 0.0.0.0 0.0.0.0 0 0
38. nat (inside) 0 access-list VPN
39. static (inside,DMZ) 10.10.3.240 10.10.3.240 netmask 255.255.255.255 0 0
40. static (DMZ,outside) 192.168.3.10 172.16.3.10 netmask 255.255.255.255 0 0
41. access-group inbound in interface outside
42. access-group DMZ in interface DMZ
43. route outside 0.0.0.0 0.0.0.0 192.168.3.254 1
44. timeout xlate 3:00:00
45. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
46. timeout uauth 0:05:00 absolute
47. aaa-server TACACS+ protocol tacacs+
48. aaa-server RADIUS protocol radius
49. no snmp-server location
50. no snmp-server contact
51. snmp-server community public
52. no snmp-server enable traps
53. floodguard enable
54. sysopt connection permit-ipsec
55. crypto ipsec transform-set ________________________________________
56. crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
57. crypto map Chapter11 10 ipsec-isakmp
58. crypto map ________________________________________
59. crypto map ________________________________________
60. crypto map Chapter11 10 set transform-set Chapter11
61. crypto map ________________________________________
62. crypto map ________________________________________
63. crypto map ________________________________________
64. crypto map Chapter11 20 set transform-set Chapter11
65. crypto map ________________________________________
66. isakmp ________________________________________
67. isakmp key ******** ________________________________________
68. isakmp key ________________________________________
69. isakmp identity address
70. isakmp policy 20 ________________________________________
71. isakmp policy 20 encryption 3des
72. isakmp policy 20 hash md5
73. isakmp policy 20 group 2
74. isakmp policy 20 lifetime 86400
75. terminal width 80
76. Cryptochecksum:e0c04954fcabd239ae291d58fc618dd5
Each line of the configuration is numbered, and certain lines have not been completed. Your job is to complete the lines and verify each configuration against the configuration of the VPN peer. The following sections give the blank lines for each configuration. The completed configurations are listed at the end of the chapter, along with a full description of each element from the configuration in Los Angeles. You will not find all the information needed to complete the configuration on a single firewall. Remember that the configurations must match on each end of the VPN.

Los Angeles Configuration

Fill in the missing lines in Example 11-10:

Line 31: ________________________________________
Line 32: ________________________________________
Line 33: ________________________________________
Line 77: ________________________________________
Line 78: ________________________________________
Line 79: ________________________________________
Line 82: ________________________________________
Line 83: ________________________________________
Line 84: ________________________________________
Line 86: ________________________________________
Line 87: ________________________________________
Line 88: ________________________________________
Line 89: ________________________________________
Line 90: ________________________________________
Line 91: ________________________________________
Line 92: ________________________________________
Line 93: ________________________________________
Line 94: ________________________________________
Boston Configuration

Fill in the missing lines in Example 11-11:

Line 20: ________________________________________
Line 21: ________________________________________
Line 22: ________________________________________
Line 23: ________________________________________
Line 54: ________________________________________
Line 55: ________________________________________
Line 56: ________________________________________
Line 59: ________________________________________
Line 64: ________________________________________
Line 65: ________________________________________
Line 71: ________________________________________
Line 72: ________________________________________
Line 73: ________________________________________
Line 74: ________________________________________
Atlanta Configuration

Fill in the missing lines in Example 11-12:

Line 20: ________________________________________
Line 21: ________________________________________
Line 22: ________________________________________
Line 23: ________________________________________
Line 55: ________________________________________
Line 58: ________________________________________
Line 59: ________________________________________
Line 61: ________________________________________
Line 62: ________________________________________
Line 63: ________________________________________
Line 65: ________________________________________
Line 66: ________________________________________
Line 67: ________________________________________
Line 68: ________________________________________
Line 70: ________________________________________
Completed PIX Configurations

To reduce confusion, it is a good idea to use a common naming convention when creating access lists, transforms, and crypto maps. Example 11-13 shows the completed configuration for the Los Angeles headquarters.

Example 11-13. Completed Configuration for Los Angeles
1. : Saved
2. :
3. PIX Version 6.3(3)
4. nameif ethernet0 outside security0
5. nameif ethernet1 inside security100
6. nameif ethernet2 DMZ security70
7. enable password HtmvK15kjhtlyfvcl encrypted
8. passwd Kkjhlkf1568Hke encrypted
9. hostname LosAngeles
10. domain-name www.Chapter11.com
11. fixup protocol ftp 21
12. fixup protocol http 80
13. fixup protocol h323 1720
14. fixup protocol rsh 514
15. fixup protocol smtp 25
16. fixup protocol sqlnet 1521
17. fixup protocol sip 5060
18. fixup protocol skinny 2000
19. names
20. access-list inbound permit icmp any host 192.168.1.10
21. access-list inbound permit tcp any host 192.168.1.10 eq www
22. access-list inbound permit tcp any host 192.168.1.10 eq 443
23. access-list inbound permit tcp any host 192.168.1.11 eq www
24. access-list inbound permit tcp any host 192.168.1.11 eq 443
25. access-list inbound permit tcp any host 192.168.1.12 eq www
26. access-list inbound permit tcp any host 192.168.1.12 eq 443
27. access-list inbound permit tcp any host 192.168.1.13 eq ftp
28. access-list inbound permit tcp any host 192.168.1.10 eq 443
29. access-list DMZ permit udp 172.16.1.0 255.255.255.0 host 10.10.10.240 eq ntp
30. access-list VPN permit ip 10.10.10.0 255.255.255.0 10.10.2.0 255.255.255.0
31. access-list VPN permit ip 10.10.10.0 255.255.255.0 10.10.3.0 255.255.255.0
32. access-list Boston permit ip 10.10.10.0 255.255.255.0 10.10.2.0 255.255.255.0
33. access-list Atlanta permit ip 10.10.10.0 255.255.255.0 10.10.3.0 255.255.255.0
34. pager lines 24
35. logging on
36. logging timestamp
37. interface ethernet0 auto
38. interface ethernet1 auto
39. interface ethernet2 auto
40. mtu outside 1500
41. mtu inside 1500
42. ip address outside 192.168.1.1 255.255.255.0
43. ip address inside 10.10.10.1 255.255.255.0
44. ip address DMZ 172.16.1.1 255.255.255.0
45. failover
46. failover timeout 0:00:00
47. failover poll 15
48. failover ip address outside 192.168.1.2
49. failover ip address inside 10.10.10.2
50. failover ip address DMZ 172.16.1.2
51. arp timeout 14400
52. global (outside) 1 192.168.1.20-192.168.1.250
53. nat (inside) 1 0.0.0.0 0.0.0.0 0 0
54. nat (inside) 0 access-list VPN
55. static (inside,DMZ) 10.10.10.240 10.10.10.240 netmask 255.255.255.255 0 0
56. static (DMZ,outside) 192.168.1.10 172.16.1.10 netmask 255.255.255.255 0 0
57. static (DMZ,outside) 192.168.1.11 172.16.1.11 netmask 255.255.255.255 0 0
58. static (DMZ,outside) 192.168.1.12 172.16.1.12 netmask 255.255.255.255 0 0
59. static (DMZ,outside) 192.168.1.13 172.16.1.13 netmask 255.255.255.255 0 0
60. access-group inbound in interface outside
61. access-group DMZ in interface DMZ
62. route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
63. timeout xlate 3:00:00
64. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
65. timeout uauth 0:05:00 absolute
66. aaa-server TACACS+ protocol tacacs+
67. aaa-server RADIUS protocol radius
68. no snmp-server location
69. no snmp-server contact
70. snmp-server community public
71. no snmp-server enable traps
72. floodguard enable
73. sysopt connection permit-ipsec
74. no sysopt route dnat
75. crypto ipsec transform-set Chapter11 esp-3des esp-md5-hmac
76. crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
77. crypto map Chapter11 10 ipsec-isakmp
78. crypto map Chapter11 10 match address Boston
79. crypto map Chapter11 10 set peer 192.168.2.1
80. crypto map Chapter11 10 set transform-set Chapter11
81. crypto map Chapter11 20 ipsec-isakmp
82. crypto map Chapter11 20 match address Atlanta
83. crypto map Chapter11 20 set peer 192.168.3.1
84. crypto map Chapter11 20 set transform-set Chapter11
85. crypto map Chapter11 interface outside
86. isakmp enable outside
87. isakmp key ******** address 192.168.2.1 netmask 255.255.255.255
88. isakmp key ******** address 192.168.3.1 netmask 255.255.255.255
89. isakmp identity address
90. isakmp policy 20 authentication pre-share
91. isakmp policy 20 encryption 3des
92. isakmp policy 20 hash md5
93. isakmp policy 20 group 2
94. isakmp policy 20 lifetime 86400
95. terminal width 80
96. Cryptochecksum:e0clmj3546549637cbsFds54132d5
Example 11-14 shows the completed configuration for the Boston branch office.

Example 11-14. Completed Configuration for Boston
1. : Saved
2. :
3. PIX Version 6.3(3)
4. nameif ethernet0 outside security0
5. nameif ethernet1 inside security100
6. nameif ethernet2 DMZ security70
7. enable password ksjfglkasglc encrypted
8. passwd kjngczftglkacytiur encrypted
9. hostname Boston
10. domain-name www.Chapter11.com
11. fixup protocol ftp 21
12. fixup protocol http 80
13. fixup protocol smtp 25
14. fixup protocol skinny 2000
15. names
16. access-list inbound permit icmp any host 192.168.2.10
17. access-list inbound permit tcp any host 192.168.2.10 eq www
18. access-list inbound permit tcp any host 192.168.2.10 eq 443
19. access-list DMZ permit udp 172.16.2.0 255.255.255.0 host 10.10.2.240 eq ntp
20. access-list VPN permit ip 10.10.2.0 255.255.255.0 10.10.10.0 255.255.255.0
21. access-list VPN permit ip 10.10.2.0 255.255.255.0 10.10.3.0 255.255.255.0
22. access-list LosAngeles permit ip 10.10.2.0 255.255.255.0 10.10.10.0 255.255.255.0
23. access-list Atlanta permit ip 10.10.2.0 255.255.255.0 10.10.3.0 255.255.255.0
24. pager lines 24
25. logging on
26. logging timestamp
27. interface ethernet0 auto
28. interface ethernet1 auto
29. interface ethernet2 auto
30. mtu outside 1500
31. mtu inside 1500
32. ip address outside 192.168.2.1 255.255.255.0
33. ip address inside 10.10.2.1 255.255.255.0
34. ip address DMZ 172.16.2.1 255.255.255.0
35. arp timeout 14400
36. global (outside) 1 192.168.2.20-192.168.2.200
37. nat (inside) 1 0.0.0.0 0.0.0.0 0 0
38. nat (inside) 0 access-list VPN
39. static (inside,DMZ) 10.10.2.240 10.10.2.240 netmask 255.255.255.255 0 0
40. static (DMZ,outside) 192.168.2.10 172.16.2.10 netmask 255.255.255.255 0 0
41. access-group inbound in interface outside
42. access-group DMZ in interface DMZ
43. route outside 0.0.0.0 0.0.0.0 192.168.2.254 1
44. timeout xlate 3:00:00
45. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
46. timeout uauth 0:05:00 absolute
47. aaa-server TACACS+ protocol tacacs+
48. aaa-server RADIUS protocol radius
49. no snmp-server location
50. no snmp-server contact
51. snmp-server community public
52. no snmp-server enable traps
53. floodguard enable
54. sysopt connection permit-ipsec
55. crypto ipsec transform-set Chapter11 esp-3des esp-md5-hmac
56. crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
57. crypto map Chapter11 10 ipsec-isakmp
58. crypto map Chapter11 10 match address LosAngeles
59. crypto map Chapter11 10 set peer 192.168.1.1
60. crypto map Chapter11 10 set transform-set Chapter11
61. crypto map Chapter11 20 ipsec-isakmp
62. crypto map Chapter11 20 match address Atlanta
63. crypto map Chapter11 20 set peer 192.168.3.1
64. crypto map Chapter11 20 set transform-set Chapter11
65. crypto map Chapter11 interface outside
66. isakmp enable outside
67. isakmp key ******** address 192.168.1.1 netmask 255.255.255.255
68. isakmp key ******** address 192.168.3.1 netmask 255.255.255.255
69. isakmp identity address
70. isakmp policy 20 authentication pre-share
71. isakmp policy 20 encryption 3des
72. isakmp policy 20 hash md5
73. isakmp policy 20 group 2
74. isakmp policy 20 lifetime 86400
75. terminal width 80
76. Cryptochecksum:e0c04954fcabd239ae291d58fc618dd5
Example 11-15 shows the completed configuration for the Atlanta branch office.

Example 11-15. Completed Configuration for Atlanta
1. : Saved
2. :
3. PIX Version 6.3(3)
4. nameif ethernet0 outside security0
5. nameif ethernet1 inside security100
6. nameif ethernet2 DMZ security70
7. enable password ksjfglkasglc encrypted
8. passwd kjngczftglkacytiur encrypted
9. hostname Atlanta
10. domain-name www.Chapter11.com
11. fixup protocol ftp 21
12. fixup protocol http 80
13. fixup protocol smtp 25
14. fixup protocol skinny 2000
15. names
16. access-list inbound permit icmp any host 192.168.3.10
17. access-list inbound permit tcp any host 192.168.3.10 eq www
18. access-list inbound permit tcp any host 192.168.3.10 eq 443
19. access-list DMZ permit udp 172.16.3.0 255.255.255.0 host 10.10.3.240 eq ntp
20. access-list VPN permit ip 10.10.3.0 255.255.255.0 10.10.2.0 255.255.255.0
21. access-list VPN permit ip 10.10.3.0 255.255.255.0 10.10.10.0 255.255.255.0
22. access-list LosAngeles permit ip 10.10.3.0 255.255.255.0 10.10.10.0 255.255.255.0
23. access-list Boston permit ip 10.10.3.0 255.255.255.0 10.10.2.0 255.255.255.0
24. pager lines 24
25. logging on
26. logging timestamp
27. interface ethernet0 auto
28. interface ethernet1 auto
29. interface ethernet2 auto
30. mtu outside 1500
31. mtu inside 1500
32. ip address outside 192.168.3.1 255.255.255.0
33. ip address inside 10.10.3.1 255.255.255.0
34. ip address DMZ 172.16.3.1 255.255.255.0
35. arp timeout 14400
36. global (outside) 1 192.168.3.20-192.168.3.200
37. nat (inside) 1 0.0.0.0 0.0.0.0 0 0
38. nat (inside) 0 access-list VPN
39. static (inside,DMZ) 10.10.3.240 10.10.3.240 netmask 255.255.255.255 0 0
40. static (DMZ,outside) 192.168.3.10 172.16.3.10 netmask 255.255.255.255 0 0
41. access-group inbound in interface outside
42. access-group DMZ in interface DMZ
43. route outside 0.0.0.0 0.0.0.0 192.168.3.254 1
44. timeout xlate 3:00:00
45. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
46. timeout uauth 0:05:00 absolute
47. aaa-server TACACS+ protocol tacacs+
48. aaa-server RADIUS protocol radius
49. no snmp-server location
50. no snmp-server contact
51. snmp-server community public
52. no snmp-server enable traps
53. floodguard enable
54. sysopt connection permit-ipsec
55. crypto ipsec transform-set Chapter11 esp-3des esp-md5-hmac
56. crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
57. crypto map Chapter11 10 ipsec-isakmp
58. crypto map Chapter11 10 match address LosAngeles
59. crypto map Chapter11 10 set peer 192.168.1.1
60. crypto map Chapter11 10 set transform-set Chapter11
61. crypto map Chapter11 20 ipsec-isakmp
62. crypto map Chapter11 20 match address Boston
63. crypto map Chapter11 20 set peer 192.168.2.1
64. crypto map Chapter11 20 set transform-set Chapter11
65. crypto map Chapter11 interface outside
66. isakmp enable outside
67. isakmp key ******** address 192.168.1.1 netmask 255.255.255.255
68. isakmp key ******** address 192.168.2.1 netmask 255.255.255.255
69. isakmp identity address
70. isakmp policy 20 authentication pre-share
71. isakmp policy 20 encryption 3des
72. isakmp policy 20 hash md5
73. isakmp policy 20 group 2
74. isakmp policy 20 lifetime 86400
75. terminal width 80
76. Cryptochecksum:e0c04954fcabd239ae291d58fc618dd5
How the Configuration Lines Interact

Figure 11-8 shows the completed configuration for Los Angeles, with a brief explanation for each entry. Note that each entry is connected to one or more other entries on the right. This diagram depicts how the lines of the configuration are dependent on each other. Keep this in mind when trying to troubleshoot a VPN configuration. It might help you to find which line is missing or incorrectly configured.
Figure 11-8. LA Configuration with Comments
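The peer-to-peer comparison this chapter recommends doing before bringing a tunnel up, as an added example that is not part of the book: a small Python script (the names parse, one_way and check_peers are its own) that parses the VPN-relevant lines of two PIX 6.3 configurations and reports the dependencies that do not line up between peers. It is fed constructed excerpts of Examples 11-13 and 11-14, first with Boston's line 59 still blank as in Example 11-11, then completed.

```python
from collections import defaultdict

# Constructed VPN-relevant excerpts of Examples 11-13 (LA) and 11-14 (Boston), line numbers dropped.
LA = """\
hostname LosAngeles
ip address outside 192.168.1.1 255.255.255.0
access-list Boston permit ip 10.10.10.0 255.255.255.0 10.10.2.0 255.255.255.0
crypto ipsec transform-set Chapter11 esp-3des esp-md5-hmac
crypto map Chapter11 10 ipsec-isakmp
crypto map Chapter11 10 match address Boston
crypto map Chapter11 10 set peer 192.168.2.1
crypto map Chapter11 10 set transform-set Chapter11
isakmp key ******** address 192.168.2.1 netmask 255.255.255.255
isakmp policy 20 authentication pre-share
"""
# Boston as handed over in Example 11-11 (line 59, the set peer line, still blank) and as completed.
BOSTON_DRAFT = """\
hostname Boston
ip address outside 192.168.2.1 255.255.255.0
access-list LosAngeles permit ip 10.10.2.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto ipsec transform-set Chapter11 esp-3des esp-md5-hmac
crypto map Chapter11 10 ipsec-isakmp
crypto map Chapter11 10 match address LosAngeles
crypto map Chapter11 10 set transform-set Chapter11
isakmp key ******** address 192.168.1.1 netmask 255.255.255.255
isakmp policy 20 authentication pre-share
"""
BOSTON_DONE = BOSTON_DRAFT + "crypto map Chapter11 10 set peer 192.168.1.1\n"

def parse(cfg):
    """Pull out the parts of a PIX 6.3 config that must agree with the VPN peer."""
    p = {"acl": defaultdict(list), "maps": defaultdict(dict), "tset": {},
         "keys": set(), "policy": {}}
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[0] == "hostname":
            p["host"] = w[1]
        elif w[:3] == ["ip", "address", "outside"]:
            p["outside"] = w[3]
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            p["acl"][w[1]].append(tuple(w[4:8]))      # src, src mask, dst, dst mask
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            p["tset"][w[3]] = tuple(w[4:])            # cipher and HMAC transforms
        elif w[:2] == ["crypto", "map"] and w[3].isdigit() and w[4] in ("match", "set"):
            # match address <acl> | set peer <ip> | set transform-set <name>
            p["maps"][int(w[3])][w[5] if w[4] == "set" else "acl"] = w[6]
        elif w[:2] == ["isakmp", "key"]:
            p["keys"].add(w[4])                       # peer address the PSK is bound to
        elif w[:2] == ["isakmp", "policy"]:
            p["policy"][w[3]] = " ".join(w[4:])
    return p

def one_way(a, b):
    """Every crypto map entry on A that points at B must be mirrored on B."""
    out = []
    for seq, m in a["maps"].items():
        if m.get("peer") != b["outside"]:
            continue
        mirror = [n for n in b["maps"].values() if n.get("peer") == a["outside"]]
        if not mirror:
            out.append(f"{b['host']}: no crypto map entry with set peer {a['outside']}")
            continue
        n = mirror[0]
        if a["tset"].get(m.get("transform-set")) != b["tset"].get(n.get("transform-set")):
            out.append(f"{a['host']} map {seq}: transform-set differs from {b['host']}")
        # the peer's interesting-traffic ACL is ours with source and destination swapped
        want = {(d, dm, s, sm) for s, sm, d, dm in a["acl"].get(m.get("acl"), [])}
        if want != set(b["acl"].get(n.get("acl"), [])):
            out.append(f"{a['host']} map {seq}: ACL {m.get('acl')} not mirrored on {b['host']}")
    return out

def check_peers(a, b):
    """Return every discrepancy that would keep A and B from building a tunnel."""
    out = one_way(a, b) + one_way(b, a)
    for x, y in ((a, b), (b, a)):
        if y["outside"] not in x["keys"]:
            out.append(f"{x['host']}: no isakmp key for peer {y['outside']}")
    for k in sorted(set(a["policy"]) | set(b["policy"])):
        if a["policy"].get(k) != b["policy"].get(k):
            out.append(f"isakmp policy {k}: {a['policy'].get(k)} vs {b['policy'].get(k)}")
    return out

if __name__ == "__main__":
    for name, cfg in (("draft", BOSTON_DRAFT), ("completed", BOSTON_DONE)):
        print(name, check_peers(parse(LA), parse(cfg)) or "OK")
```

Run against the draft it reports that Boston has no crypto map entry with set peer 192.168.1.1, which is exactly the blank at line 59; against the completed pair it reports OK. For the full mesh, call check_peers on each of the three location pairs.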