Iscw Manual

Cisco Certified Network Professional
ISCW
Lab Manual
Developed by : M.Irfan Ghauri

Ovais Iqbal
Etronics Solution Provider

C 32 / 1 Block-5, Copy rights 2007
Gulshan-e-Iqbal, Karachi. ESP Press
Ph #021-6034003
NO. LABS DESCRIPTION PAGE NO.
1 Site-to-Site VPN using CLI 2
2 Site-to-Site VPN using SDM 5
3 GRE over IPSec using CLI 17
4 GRE over IPSec using SDM 22
5 Establish Easy Vpn b/w Router and PC 35
6 Configure AutoSecure in Router using SDM 52
7 Configure One-step Lockdown using SDM 62
8 Configuring SNMP 65
9 Configuring NTP 75
10 Configuring Syslog Server 76
11 Configure SSH 78
12 Configure AAA server 81
13 Configuring Firewall Feature Set using SDM 88
14 Configure IPS 94
1
Lab # 1
Site-to-Site VPN using CLI

Objective
Establish Site-to-Site VPN between 2 VPN Gateways i.e Router A and Router B
using PRE-SHARED KEYS for authentication.
Diagram
Router A Router B
11.0.0.1 11.0.0.2
10.0.0.10 20.0.0.10
PC- A PC- B
20.0.0.1
10.0.0.1
Configuration
1) Bring up the connections and ping end to end (use static route to provide
connectivity between end devices).
2
2) Configure Router A as show below.
first enable isakmp
RouterA(config)# crypto isakmp enable ( optional )
Configure isakmp policy set for negotiation
RouterA(config)# crypto isakmp policy 10

RouterA(config-isakmp)# authentication pre-share
RouterA(config-isakmp)# encryption des
RouterA(config-isakmp)# hash md5
RouterA(config-isakmp)# group 2
Configure pre-shared authentication key
RouterA(config)# crypto isakmp key cisco123 address 11.0.0.2
Configure cryto ACL to define which traffic to protect

RouterA(config)# access-list 111 permit ip 10.0.0.0 0.255.255.255 20.0.0.0
0.255.255.255
Configure IPSec transform-set
RouterA(config)# crypto ipsec transform-set aset esp-des esp-md5-hmac
Configure Crypto-map
RouterA(config)# crypto map mymap 10 ipsec-isakmp

RouterA(config-crypto-map)# match address 111
RouterA(config-crypto-map)# set peer 11.0.0.2
RouterA(config-crypto-map)# set transform-set aset
Apply the crypto map to the WAN interface
RouterA(config)# int s 0
RouterA(config-if)# crypto map mymap
3
3) Configure Router B as show below.
first enable isakmp
RouterB(config)# crypto isakmp enable ( optional )
RouterB(config)# crypto isakmp policy 10

RouterB(config-isakmp)# authentication pre-share
RouterB(config-isakmp)# encryption des
RouterB(config-isakmp)# hash md5
RouterB(config-isakmp)# group 2
RouterB(config)# crypto isakmp key cisco123 address 11.0.0.1

RouterB(config)# access-list 111 permit ip host 20.0.0.0 0.255.255.255
10.0.0.0 0.255.255.255
RouterB(config)# crypto ipsec transform-set bset esp-des esp-md5-hmac
RouterB(config)# crypto map mymap 10 ipsec-isakmp

RouterB(config-crypto-map)# match address 111
RouterB(config-crypto-map)# set peer 11.0.0.1
RouterB(config-crypto-map)# set transform-set bset
RouterB(config)# int s 0
RouterB(config-if)# crypto map mymap
4
Lab # 2
Site-to-Site VPN using SDM
Objective
Establish Site-to-Site VPN between 2 VPN Gateways i.e Router A and Router B
using SDM.
Diagram
Router A Router B
11.0.0.1 11.0.0.2
10.0.0.10
PC- A
10.0.0.1
Configuration
1) Bring up the connections and ping end to end.
2) From PC-A open the browser and issue this command.
http://10.0.0.10
5
3) Now the following windows appears, Click on the configure tab above
6
4) Clicking on Configure tab opens the list of configuration options available,
select VPN from the left menu, now at left click on Create site to site vpn
radio button and then click on the launch the selected task button to launch the
wizard
7
5) Now the wizard will start, click on the step by step wizard radio button and
then click next
8
6) Now from the following window,
1. Select the interface that is connected to Router B.
2. Specify that the peer is using the static ip address.
3. Enter the ip address.
4. Enter the preshared key for authentication used in ISAKMP phase 1.
9
7) In this window, we have to define transform set for phase 1, click on the
Add button to define our own transform set.
8) In this window, define your own parameters for the transform set and then
click OK.
10
9) Now click Next.
10) Now in this window you may define transform set for IPSec or phase 2
negotiation
11
11) Now define the required parameters and click Ok.
12) Now we can see that user defined Transform set is now listed. Click Next to
continue.
12
13) Now define the traffic to be protected
14)
15)
16)
17)
18)
19)
20)
21)
22)
23)
24)
25)
26)
27)
28)
29)
30)
31)
14) Now the following window appears indicating that the wizard is complete.
15)
16)
17)
18)
19)
20)
21)
22)
23)
24)
25)
13
15) Click on the start button to test the tunnel connectivity.
14
16) If all configuration goes well then u should see the following screen..
Note: test the tunnl connectivity after u have configured

Router B for IPSec !!!!
Configure Router B as shown below.
first enable isakmp

15
RouterB(config)# access-list 111 permit ip host 11.0.0.2 host 11.0.0.1
Apply the crypto map to the Ethernet interface
RouterB(config)# int eth 0

16
Lab # 3
GRE over IPSec Using Cli

Objective
Establish GRE over IPSec b/w Router A and Router B and enable eigrp routing b/w
Router A and Router B.
Diagram
Router C
Router A Router B
11.0.0.2 12.0.0.1
11.0.0.1 12.0.0.2
10.0.0.10 20.0.0.10
15.0.0.1 15.0.0.2
PC- A PC- B
10.0.0.1 20.0.0.1
Configuration
1) Configure Router C as show below.
RouterC(config)# interface serial 0
RouterC(config-if)# ip address 11.0.0.2 255.0.0.0
RouterC(config-if)# no shutdown
RouterC(config-if)# clock rate 64000
RouterC(config-if)# end
17
RouterC(config)# interface serial 1
RouterC(config-if)# ip address 12.0.0.2 255.0.0.0
RouterC(config-if)# no shutdown
RouterC(config-if)# clock rate 64000
RouterC(config-if)# end
2) Configure RouterA as follows.
2-a) Configure static routing to define route for the peer Router
B i.e. network 12.0.0.0
RouterA(config)# ip route 12.0.0.0 255.0.0.0 11.0.0.2
2-b) Configure GRE tunnel on Router A
RouterA(config)# interface tunnel 0

RouterA(config-if)# ip address 15.0.0.1 255.0.0.0
RouterA(config-if)# no shutdown
RouterA(config-if)# tunnel source serial 0
RouterA(config-if)# tunnel destination 12.0.0.2 this ip should be the
global ip of peer
router
RouterA(config-if)# exit
3) Configure Router B as follows.
3-a) Configure static routing to define route for the peer Router
A i.e. network 11.0.0.0
RouterB(config)# ip route 11.0.0.0 255.0.0.0 12.0.0.1
3-b) Configure GRE tunnel on Router B
RouterB(config)# interface tunnel 0

RouterB(config-if)# ip address 15.0.0.2 255.0.0.0
RouterB(config-if)# no shutdown
RouterB(config-if)# tunnel source serial 0
RouterB(config-if)# tunnel destination 11.0.0.1 this ip should be the
global ip of peer
router
RouterB(config-if)# exit
18
Verification
To verify the tunnel formation, From router A ping 10.0.0.2 and from router B ping
10.0.0.1, if the ping is successful then tunnel is formed
Use this command also to verify the tunnel information
Show ip interface brief
NOW TO CONFIGURE IPSec b/w Router A and Router B
4) Configure Router A as follows.
first enable isakmp
RouterA(config)# crypto isakmp enable ( optional )
RouterA(config)# crypto isakmp key cisco123 address 12.0.0.2
RouterA(config)# crypto isakmp policy 10

RouterA(config-isakmp)# authentication pre-share
RouterA(config-isakmp)# encryption des
RouterA(config-isakmp)# hash md5
RouterA(config-isakmp)# group 2

RouterA(config)# access-list 111 permit gre host 11.0.0.1 host 12.0.0.2
RouterA(config)# crypto ipsec transform-set aset esp-des esp-md5-hmac
RouterA(config)# crypto map mymap 10 ipsec-isakmp

RouterA(config-crypto-map)# match address 111
RouterA(config-crypto-map)# set peer 12.0.0.2
RouterA(config-crypto-map)# set transform-set aset
19
RouterA(config)# int s 0
Apply the crypto map to the Tunnel interface
RouterA(config)# int tunnel 0

first enable isakmp


RouterB(config)# access-list 111 permit gre host 12.0.0.2 host 11.0.0.1

20
RouterB(config)# int s 0
RouterB(config)# int tunnel 0

Verification
Ping end to end from both Routers and experience the delay in ping return time !!!
Use this command to verify the VPN establishment
show crypto ipsec sa
6-a) Enable Eigrp on Router A
RouterA(config)# router eigrp 100

RouterA(config-router)# network 10.0.0.0
6-b) Enable Eigrp on Router B
RouterB(config)# router eigrp 100

RouterB(config-router)# network 20.0.0.0
21
Lab # 4
GRE over IPSec using SDM

Objective
Establish GRE over IPSec b/w Router A and Router B and enable eigrp routing b/w
Router A and Router B (using SDM )
Diagram
3560
Router A Router B
11.0.0.2 12.0.0.1
11.0.0.1 12.0.0.2
10.0.0.10 20.0.0.10
15.0.0.1 15.0.0.2
PC- B
PC- A
10.0.0.1 20.0.0.1
Configuration
1) Configure Switch-3560 as follows.

Switch-3560(config)# int fa 0/2
Switch-3560(config-if)# no switchport
Switch-3560(config-if)# ip address 11.0.0.2 255.0.0.0
Switch-3560(config-if)# no shutdown
Switch-3560(config-if)# exit
Switch-3560(config)# int fa 0/4
Switch-3560(config-if)# no switchport
Switch-3560(config-if)# ip address 12.0.0.1 255.0.0.0
Switch-3560(config-if)# no shutdown
Switch-3560(config-if)# exit
22
Enable ip routing on 3560 switch.
Switch-3560(config)# ip routing
2) Configure RouterA as follows.

Access RouterA SDM using browser on PC-A, issue following command on the
browser .
http://10.0.0.10
Now you should be able to start SDM.
23
2-1) This is the starting screen.
24
2-2) Select VPN from the left bar
1) Select the option create gre tunnel
2) Click to launch the wizard.
25
2-3) This is the welcome screen, click on next to continue.
2-4) Enter the required fields

1) Enter the interface that is connected to the peer.
2) Public ip of the peer router
3) Tunnels ip address
4) Subnet mask
Click Next to Continue.
26
2-5) Enter the preshared key and click Next to continue.
2-6) Click on the Add button to define your own transform set for IKE phase 1
27
2-7) Enter the required fields and click Ok.
2-8) Click on Next to continue.
28
2-9) Now click on Add to define our own transform set for IPSec negotiation.
2-10) Enter the required fields and then click ok.
29
2-11) Select the routing protocol to used, we have selected Eigrp.
12) Define the AS number to use, and then click Add to advertise the networks.
30
2-13) Enter the network number.
2-14) We have defined all the networks to be advertised. Click on next to

continue.
2-
31
2-15) This is the last screen of wizard, we can check our configuration on this
window, click on finish to continue.
3-a) Configure static routing to define route for the peer Router A
i.e. network 11.0.0.0
RouterB(config)# ip route 11.0.0.0 255.0.0.0 12.0.0.1
3-b) Configure GRE tunnel on Router B
RouterB(config)# interface tunnel 0

RouterB(config-if)# ip address 15.0.0.2 255.0.0.0
RouterB(config-if)# no shutdown
RouterB(config-if)# tunnel source serial 0
RouterB(config-if)# tunnel destination 11.0.0.1 this ip should be the
global ip of peer
router
RouterB(config-if)# exit
32
4) Configure Router B for IPSec as follows.
first enable isakmp

RouterB(config)# crypto isakmp key 0 cisco123 address 11.0.0.1

RouterB(config)# access-list 111 permit gre host 12.0.0.2 host 11.0.0.1
RouterB(config)# crypto map mymap 10 ipsec-iskamp

RouterB(config-crypto-map)# set pfs group1
Apply the crypto map to the Ethernet interface
RouterB(config)# int eth 0

RouterB(config)# int tunnel 0

33
Enable Eigrp Routing
RouterB(config)#router eigrp 100

RouterB(confg-router)# network 12.0.0.0
RouterB(confg-router)# network 15.0.0.0
Verification
To verify ping from both routers to each other tunnel and public interfaces
Issue the following command
show crypto ipsec sa
34
Lab # 5
EasyVPN b/w Router and PC
Objective
Establish Easy VPN b/w Router A (server) and PC-B ( client) .
Diagram
Router A
20.0.0.10
10.0.0.10
PC- A PC- B
20.0.0.1
10.0.0.1
Configuration
1) Bring up the connections.
2) Access RouterA SDM using browser on PC-A. issue the following command
on the browser
Http://10.0.0.10
3) Now follow the steps shown below
35
3-1)Before you can start the Easy VPN wizard first enable AAA.
36
3-2) Now click on the User Accounts Tab to create a User for AAA to be
enabled.
37
3-3)Enter the desired fields and click ok.
Note: Password is of users own choice !!
3-4) Now Enter the enable password as required then click OK.
38
3-5) Now the following window appears, indicating the successful creation of User
for AAA. Click Ok.
39
3-6) Now click on enable AAA, on the prompt click yes to enable AAA
successfully.
40
3-7) Enter the username/password created in step 6.
3-8) Now the following window indicates that AAA is successfully enabled..
41
3-9) Now the Wizard for easy vpn is started Click Next to continue.
3-10) Enter the interface being used for connecting to WAN from where the client
will communicate with RouterA, in this case it is fa0/0. We are using Pre-
shared key for authentication.
42
3-11) Click Add to configure our own transform set for IKE phase-1.
3-12) Enter the required fields for the transform set and then click OK.
43
3-13) Now click on Add to enter the transform set for IPSEC negotiation.
3-14) Enter the required Fields. And the click OK.
44
3-15) Click on the local radio button to specify that the verification of
username/password will be done locally.
45
3-16) Enable Xauth, so that after device authentication is complete, the user
authentication is performed, click Add User Credentials.
3-17) Now it asks to create a user, as we can see there is already a user present that
we created in step 6. Now we have to form so click Add.
46
3-18) Now enter the required fields, make sure the priviledge level is set to 1.
3-19) Now a new user is added to local database. Click Ok.
47
3-20) Now we are prompted for Group policy, click on Add to enter the group
policy.
48
3-21) Enter the required Fields and then click Ok.
49
3-22) Click on test Vpn connectivity to test the status.
3-23) If successful the following window appears.
Now we must install the easy Vpn client on PC-B
Follow the steps below..
Install the VPN client just like any simple windows utility.
After installing follow the steps to configure the VPN client.
50
1) Run the VPN client.. and click on NEW.
2) Enter the required Fields, make sure the group name and password
should match exactly as configured in step 24.
Now click Save.
51
Lab # 6
Auto Secure
Objective
Configure Autosecure feature in Router 2811 through SDM.
Diagram
Router 2811
Fa 0/0 10.0.0.10
PC-A
10.0.0.1
Configuration
1) Bring up the connectivity and ping from PC-A to Router Fa0/0.
2) Open browser and type following to launch the wizard.
http:// 10.0.0.10
This will start SDM.
52
3-1) Click on the perform security audit.
53
3-2) Click on Next to Continue.
3-3) Select the inside interface and then click Next.
54
3-4) This result will tell you about the security changes we need to make, click on
Close.
3-5) Click on Fix all to fix all the security holes or we can choose to fix the
individual settings by clicking only on the desired service check box. Click
on Next.
55
3-6) Enter the required fields. And then click Next to continue.
56
3-7) Click on Add to continue.
3-8) Enter the desired username and password and then click Ok to continue.
57
3-9) Now click on Next to continue.
58
3-10) Now Click on Add to define the ip used for login.
3-11) Enter the desired ip and then click Ok.
59
3-12) Now click on Next to Continue.
60
3-13) Click on Finish to continue.
3-14) Click OK to finish.
61
Lab # 7
One-Step Lockdown
Objective
Configure One-step Lockdown feature in Router 2811 through SDM.
Diagram
Router 2811
Fa 0/0 10.0.0.10
PC-A
10.0.0.1
Configuration
1) Bring up the connectivity and ping from PC-A to Router Fa0/0.
2) Open browser and type following to launch the wizard.
http:// 10.0.0.10
This will start SDM.
62
3-1) First Click on One-step lockdown and then click yes to perform the
lockdown.
63
3-2) Click on Deliver to send configuration to the router.
64
Lab # 8
SNMP
Objective
Configure Snmp for network management of devices on LAN/WAN.
Diagram
R1 R2
S S0
11.0.0.1 11.0.0.2
Eth
10.0.0.40
Fa 0/0 R3
10.0.0.100
PC-A
10.0.0.1
Configuration
1) Bring up the connectivity and ping from PC-A to R2.
65
2) Now install snmp server on Pc-A.
3) Now click on server to continue.
66
4) Click on Next to Continue.
67
5) Enter the ip address of PC-A and click on next to
continue.
6) Click on Next to start the installation.
68
7) This window shows that the software is installed successfully.
8) Under Config menu click on Discovery/Polling.
69
4- Click on Enable discovery and click on Restart.
5- Click on Add to enter new community strings.
70
6- Enter the strings in the Required fields. These strings will be configured on all
devices that we wish to manage.
12) Now configure the following on all routers so they can be managed by the
snmp server.
Router(config)# snmp-server host 10.0.0.1 cisco

Router(config)# snmp-server community test ro
Router(config)# snmp-server community test1 rw
71
13 ) Now we can see the graph of our topology building up
72
14) Right Click on any device for the necessary settings.
73
15) Enter the ro/rw attributes configured on this router.
16) Now double click on the router to manage it.
74
Lab # 9
NTP
Objective
Configure NTP between Server and Client.
Diagram
Source Intermediate
S0 S0 S1 S0
11.0.0.1 11.0.0.2 12.0.0.1 12.0.0.2
Configuration
1) Bring up the connectivity.

2) Confgure Server as follows
Server(config)# ntp master 5

Server(config)# ntp authentication-key 1 md5 cisco
Server(config)# ntp peer 11.0.0.2 key 1
3) Configure Intermediate as follows

Intermediate(config)# ntp authentication-key 1 md5 cisco
Intermediate(config)# ntp authentication-key 2 md5 ciscoclient
Intermediate(config)# ntp trusted-key 1
Intermediate(config)# ntp server 11.0.0.1
Intermediate(config)# int serial 1
Intermediate(config-if)# ntp broadcast
4) Configure Client as follows

Client(config)# ntp authentication-key 2 md5 ciscoclient
Client(config)# ntp trusted-key 2
Client(config)# int serial 0
Client(config-if)# ntp broadcast client
75
Lab # 10
SYSLOG SERVER
Objective
Configure Syslog server.
Diagram
Router A
Eth 0
10.0.0.10
10.0.0.1
PC-A
Configuration
2) Install the syslog server.
3) Configure Router A as follows
RouterA(config)#logging on
RouterA(config)#logging 10.0.0.1
RouterA(config)#logging trap 7
76
3-1) Now perform different commands on RouterA like shutting down an
interface and then issue a no shut command, and other commands that sends a trap
to syslog server.
77
Lab # 11
SSH
Objective
Configure Router to become the SSH server.
Diagram
Router 2811
Fa 0/0 10.0.0.10
PC-A
10.0.0.1
Configuration
2) Configure Router as follows.
78
RouterA#auto secure ssh
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of

the router, but it will not make it absolutely resistant
to all security attacks ***
AutoSecure will modify the configuration of your device.

All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: no
Configure SSH server? [yes]: yes

Enter the domain-name: cisco.com
This is the configuration generated:
ip domain-name cisco.com
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
transport input ssh telnet
!
end
Apply this configuration to running-config? [yes]: yes
Applying the config generated to running-config

The name for the keys will be: RouterA.cisco.com
% The key modulus size is 1024 bits

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
RouterA#
*Mar 1 00:02:10.307: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Mar 1 00:02:11.539: %AUTOSEC-5-ENABLED: AutoSecure is configured
on the device
79
Configure AAA for local authentication..
RouterA(config)#aaa new-model
RouterA(config)#aaa authentication login default local
RouterA(config)#username cisco password cisco
3) Now Run putty on PC-A, give the ip of Router and click open.
80
Lab # 12
AAA Server
Objective
Configure AAA server to perform user authentication and accounting.
Diagram
R2811
Fa 0/0 Fa 0/1
10.0.0.10 20.0.0.10
ACS
server PC-B
10.0.0.1 20.0.0.1
Configuration
1) Bring up the connections and ping end to end.
2) Install ACS for windows.
3) Configure ACS as follows
81
3-1) Enter the user setup and enter the username. Click on Add/Edit to define the
password.
82
3-2) Enter the password.
83
3-3) Enter Network Configuration mode and click on Add entry.
84
3-4) Enter the required field as shown in the diagram. And then click on
submit+restart.
85
3-5) The following window appears if successful.
86
4) Now configure the router to query ACS if any user attempt to connect to it via
telnet.
R2811(config)#aaa new-model
R2811(config)#tacacs-server host 10.0.0.1 key cisco123
R2811(config)#aaa authentication login default group tacacs+
R2811(config)#enable password cisco
R2811(config)#aaa accounting exec default start-stop group tacacs+
5) Now from PC-B telnet to R2811, this time router will ask for
username/password which will be verified against ACS.
87
Lab # 13
Firewall Feature Set

Objective
Configure Firewall Feature Set using SDM.
Diagram
Router 2811
Fa 0/0 Fa 0/1
10.0.0.10 20.0.0.10
10.0.0.1 20.0.0.1
PC-A PC-B
Configuration
2) Launch the SDM from PC-A. Open Internet Explorer and type following.
http://10.0.0.10
3) Configure Router A as follows.
88
3-1) Select Basic Firewall and then click on the launch the selected task.
89
3-3) Select the appropriate interfaces according to the topology diagram and
then click next to continue.
90
3-5) Enter the DNS server ip ( in this case since we dont have a dns server we
have entered loopback ip 127.0.0.1).
91
3-6) Click finish to continue.
3-7) Click ok to finish.
92
3-8) Check the status after clicking ok.
93
Lab # 14
IPS
Objective
Configure IPS using SDM.
Diagram
Router 2811
Fa 0/0 Fa 0/1
10.0.0.10 20.0.0.10
10.0.0.1 20.0.0.1
PC-A PC-B
Configuration

2) Launch the SDM from PC-A. Open Internet Explorer and
type following.
http://10.0.0.10
94
3-1) Click on the launch the ips rule wizard.
95
3-4) Select the inbound and outbound interfaces and then click Next to
continue.
96
3-5) We are using the default signatures so click Next to continue.
3-6) Click on finish to continue.
97
3-7) Click close to proceed.
98
3-8) From this screen we can check which signatures are enabled/disabled.
99
3-9) Right click on any signature and select actions.
Etronics Solution Provider 100

3-10) Click on drop to specify required action to be taken.
3-11) Click on Apply Changes.

3-12) Click OK to continue.
3-13) Click Close to continue.


Iscw Manual

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Iscw Manual

Încărcat de

Drepturi de autor:

Formate disponibile

Cisco Certified Network Professional

Developed by : M.Irfan Ghauri

Etronics Solution Provider

1 Site-to-Site VPN using CLI 2

2 Site-to-Site VPN using SDM 5

3 GRE over IPSec using CLI 17

4 GRE over IPSec using SDM 22

5 Establish Easy Vpn b/w Router and PC 35

6 Configure AutoSecure in Router using SDM 52

7 Configure One-step Lockdown using SDM 62

10 Configuring Syslog Server 76

12 Configure AAA server 81

13 Configuring Firewall Feature Set using SDM 88

Site-to-Site VPN using CLI

first enable isakmp

RouterA(config)# crypto isakmp enable ( optional )

Configure isakmp policy set for negotiation

RouterA(config)# crypto isakmp policy 10

Configure pre-shared authentication key

RouterA(config)# crypto isakmp key cisco123 address 11.0.0.2

Configure cryto ACL to define which traffic to protect

Configure IPSec transform-set

RouterA(config)# crypto ipsec transform-set aset esp-des esp-md5-hmac

RouterA(config)# crypto map mymap 10 ipsec-isakmp

Apply the crypto map to the WAN interface

first enable isakmp

RouterB(config)# crypto isakmp enable ( optional )

Configure isakmp policy set for negotiation

RouterB(config)# crypto isakmp policy 10

Configure pre-shared authentication key

RouterB(config)# crypto isakmp key cisco123 address 11.0.0.1

Configure cryto ACL to define which traffic to protect

Configure IPSec transform-set

RouterB(config)# crypto ipsec transform-set bset esp-des esp-md5-hmac

RouterB(config)# crypto map mymap 10 ipsec-isakmp

Apply the crypto map to the WAN interface

Site-to-Site VPN using SDM

Note: test the tunnl connectivity after u have configured

Configure Router B as shown below.

first enable isakmp

RouterB(config)# crypto isakmp enable ( optional )

Configure isakmp policy set for negotiation

RouterB(config)# crypto isakmp policy 10

Configure pre-shared authentication key

RouterB(config)# crypto isakmp key cisco123 address 11.0.0.1

Configure IPSec transform-set

RouterB(config)# crypto ipsec transform-set bset esp-des esp-md5-hmac

Apply the crypto map to the Ethernet interface

RouterB(config)# int eth 0

GRE over IPSec Using Cli

2) Configure RouterA as follows.

RouterA(config)# ip route 12.0.0.0 255.0.0.0 11.0.0.2

2-b) Configure GRE tunnel on Router A

RouterA(config)# interface tunnel 0

3) Configure Router B as follows.

RouterB(config)# ip route 11.0.0.0 255.0.0.0 12.0.0.1

3-b) Configure GRE tunnel on Router B

RouterB(config)# interface tunnel 0

Show ip interface brief

NOW TO CONFIGURE IPSec b/w Router A and Router B

4) Configure Router A as follows.

first enable isakmp

RouterA(config)# crypto isakmp enable ( optional )

Configure pre-shared authentication key