8/13/2019 UTF-8''ISCW LAB P1
http://slidepdf.com/reader/full/utf-8iscw-lab-p1 1/145
ISCW Lab Book: practice materials for students
VSIC Education Corporation, page 1
ISCW LAB
Table of contents
Lab 3.1 Configuring SDM on a Router ...................................................................................... 2
Lab 3.2 Configuring a Basic GRE Tunnel ............................................................................... 26
Lab 3.3 Configuring Wireshark and SPAN .............................................................................. 31
Lab 3.4 Configuring Site-to-Site IPsec VPNs with SDM ........................................................ 36
Lab 3.5 Configuring Site-to-Site IPsec VPNs with the IOS CLI ............................................. 59
Lab 3.6 Configuring a Secure GRE Tunnel with SDM ............................................................ 74
Lab 3.7 Configuring a Secure GRE Tunnel with the IOS CLI................................................. 96
Lab 3.8 Configuring IPsec VTIs ............................................................................................ 101
Lab 3.9 Configuring Easy VPN with SDM ............................................................................ 109
Lab 3.10 Configuring Easy VPN with the IOS CLI ............................................................... 129
Lab 4.1 Configuring Frame Mode MPLS .............................................................................. 137
Lab 5.1 Using SDM One-Step Lockdown ............................................................................. 146
Lab 5.2 Securing a Router with Cisco AutoSecure ................................................................ 153
Lab 5.3 Disabling Unneeded Services .................................................................................... 158
Lab 5.4 Enhancing Router Security ........................................................................................ 160
Lab 5.5 Configuring Logging ................................................................................................. 167
Lab 5.6a Configuring AAA and TACACS+ .......................................................................... 171
Lab 5.6b Configuring AAA and RADIUS ............................................................................. 180
Lab 5.6c Configuring AAA Using Local Authentication ...................................................... 183
Lab 5.7 Configuring Role-Based CLI Views ......................................................................... 185
Lab 5.8 Configuring NTP ....................................................................................................... 189
Lab 6.1 Configuring a Cisco IOS Firewall Using SDM......................................................... 193
Lab 6.2 Configuring CBAC ................................................................................................... 209
Lab 6.3 Configuring IPS with SDM ....................................................................................... 213
Lab 6.4 Configuring IPS with CLI ......................................................................................... 231
Lab 3.1 Configuring SDM on a Router
1. OBJECTIVES: Prepare the router for SDM installation. Install SDM on the PC. Install SDM on the router.
2. CONFIGURATION:
Step 1: Erase the old configuration of the router and the switch. Reload the devices.
Step 2: Configure the router to support SDM:
R1(config)# username ciscosdm privilege 15 password 0 ciscosdm
R1(config)# ip http server
R1(config)# ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
*Jan 14 20:19:45.310: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Jan 14 20:19:46.406: %PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificate
R1(config)# ip http authentication local
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input telnet ssh
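The Step 2 commands turn on everything SDM needs, but as written they also leave weaker options in place: a type-0 (cleartext) password on a privilege-15 account whose password equals its username, cleartext HTTP enabled next to HTTPS, and Telnet still permitted on the vty lines. The following Python script is an added example, not part of the lab or of Cisco's tooling; it audits a running-config excerpt for exactly those settings. The sample configuration is the Step 2 output re-typed as constructed input, and the finding texts are this example's own wording.

```python
import re

# Constructed sample: the Step 2 management-plane configuration from this lab,
# re-typed here as audit input (not captured router output).
SAMPLE_CONFIG = """\
username ciscosdm privilege 15 password 0 ciscosdm
ip http server
ip http secure-server
ip http authentication local
line vty 0 4
 login local
 transport input telnet ssh
"""


def audit_management_plane(config):
    """Return findings for weak management-plane settings in an IOS config excerpt.

    These are heuristics over the running-config text, limited to what this
    lab touches: type-0 (cleartext) user passwords, cleartext HTTP enabled
    beside HTTPS, and Telnet allowed on the vty lines.
    """
    findings = []
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    for line in lines:
        m = re.match(r"username (\S+) (?:privilege (\d+) )?password 0 (\S+)$", line)
        if m:
            user, priv, pw = m.groups()
            findings.append(f"user {user}: type-0 cleartext password; use 'username ... secret'")
            if priv == "15":
                findings.append(f"user {user}: privilege 15 granted with a cleartext password")
            if pw == user:
                findings.append(f"user {user}: password equals username")
        # 'transport input telnet ssh' keeps Telnet reachable on the vty lines.
        if line.startswith("transport input") and "telnet" in line.split():
            findings.append("vty: Telnet permitted by 'transport input'; restrict to ssh")
    # Exact-line membership, so 'ip http secure-server' does not count as 'ip http server'.
    if "ip http server" in lines and "ip http secure-server" in lines:
        findings.append("cleartext 'ip http server' enabled alongside HTTPS; disable it once SDM works over HTTPS")
    return findings


if __name__ == "__main__":
    for finding in audit_management_plane(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the lab's Step 2 configuration the script reports five findings; against a hardened variant (`username ... secret`, HTTPS only, `transport input ssh`) it reports none.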
Step 3: Assign IP addresses as shown in the diagram:
Assign the router IP address:
R1(config)# interface fastethernet0/0
R1(config-if)# ip address 192.168.10.1 255.255.255.0
R1(config-if)# no shutdown
Assign the PC IP address:
C:\Documents and Settings\Administrator> ping 192.168.10.1

Pinging 192.168.10.1 with 32 bytes of data:
Reply from 192.168.10.1: bytes=32 time=1ms TTL=255
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.10.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms
Step 4: Extract the SDM package on the PC:
Step 5: Install SDM on the PC: run setup.exe
Step 6: Run SDM on the PC:
Step 7: Install SDM on the router:
Jan 14 16:15:26.367: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:15:30.943: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:15:36.227: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:15:39.211: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:15:44.583: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:19:40.795: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:19:43.855: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:19:49.483: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:25:57.823: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:26:02.331: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:27:42.279: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:27:46.767: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:28:11.403: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:28:15.795: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:29:04.391: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
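Each %SYS-5-CONFIG_I message records who changed the configuration, over which line, and from which host; when a router is managed through SDM from one known workstation, any change from another user or address is worth an alert. The following Python is an added example (not from the lab) that parses such lines and flags events outside a user and host allow-list. The log lines in it are constructed, patterned on the ones above; the last line is a constructed out-of-policy event.

```python
import re
from collections import Counter

# Constructed sample: lines patterned on the %SYS-5-CONFIG_I messages this
# step produces, plus a constructed final line from an unexpected user and host.
SAMPLE_LOG = """\
Jan 14 16:19:40.795: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:19:43.855: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:25:57.823: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:40:02.111: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (192.168.10.99)
"""

# Timestamp, config source, user, optional line, optional source host.
# A change typed on the physical console has neither 'on <line>' nor a host.
CONFIG_I = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): %SYS-5-CONFIG_I: Configured from "
    r"(?P<source>\S+) by (?P<user>\S+)(?: on (?P<line>\S+))?(?: \((?P<host>[\d.]+)\))?$"
)


def parse_config_events(log):
    """Extract timestamp, user, line and source host from %SYS-5-CONFIG_I lines."""
    events = []
    for raw in log.splitlines():
        m = CONFIG_I.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def flag_unexpected_changes(events, allowed_users, allowed_hosts):
    """Return events whose user or source host is outside the allow-lists.

    A change with no host came from the physical console and is reported as
    host 'console', so the caller decides whether that is acceptable.
    """
    return [e for e in events
            if e["user"] not in allowed_users
            or (e["host"] or "console") not in allowed_hosts]


def changes_per_host(events):
    """Count configuration changes per source host (useful for spotting bursts)."""
    return Counter(e["host"] or "console" for e in events)


if __name__ == "__main__":
    evts = parse_config_events(SAMPLE_LOG)
    for e in flag_unexpected_changes(evts, {"ciscosdm"}, {"192.168.10.50"}):
        print("ALERT: config change by", e["user"], "from", e["host"], "at", e["ts"])
    print(changes_per_host(evts))
```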
R1# show flash:
CompactFlash directory:
File  Length    Name/status
  1   38523272  c2800nm-advipservicesk9-mz.124-9.T1.bin
  2   1038      home.shtml
  3   1823      sdmconfig-2811.cfg
  4   102400    home.tar
  5   491213    128MB.sdf
  6   1053184   common.tar
  7   4753408   sdm.tar
  8   1684577   securedesktop-ios-3.1.1.27-k9.pkg
  9   398305    sslclient-win-1.1.0.154.pkg
  10  839680    es.tar
[47849552 bytes used, 16375724 available, 64225276 total]
62720K bytes of ATA CompactFlash (Read/Write)
Step 8: Run SDM on the router:
Step 9: Monitor the interfaces in SDM:
Lab 3.2 Configuring a Basic GRE Tunnel
1. OBJECTIVES: Configure a GRE tunnel. Configure EIGRP on the routers. Configure and verify routing over the GRE tunnel.
2. CONFIGURATION:
Step 1: Configure IP addresses as shown in the diagram:
R1(config)# interface loopback 0
R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)# interface serial 0/0/0
R1(config-if)# ip address 192.168.12.1 255.255.255.0
R1(config-if)# clockrate 64000
R1(config-if)# no shutdown
R2(config)# interface serial 0/0/0
R2(config-if)# ip address 192.168.12.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# interface serial 0/0/1
R2(config-if)# ip address 192.168.23.2 255.255.255.0
R2(config-if)# clockrate 64000
R2(config-if)# no shutdown
R3(config)# interface loopback 0
R3(config-if)# ip address 172.16.3.1 255.255.255.0
R3(config-if)# interface serial 0/0/1
R3(config-if)# ip address 192.168.23.3 255.255.255.0
R3(config-if)# no shutdown
Step 2: Configure EIGRP AS 1:
R1(config)# router eigrp 1
R1(config-router)# no auto-summary
R1(config-router)# network 192.168.12.0
R2(config)# router eigrp 1
R2(config-router)# no auto-summary
R2(config-router)# network 192.168.12.0
R2(config-router)# network 192.168.23.0
R3(config)# router eigrp 1
R3(config-router)# no auto-summary
R3(config-router)# network 192.168.23.0
Step 3: Configure the GRE tunnel:
R1(config)# int tunnel0
R1(config-if)# tunnel source serial0/0/0
R1(config-if)# tunnel destination 192.168.23.3
R1(config-if)# ip address 172.16.13.1 255.255.255.0
R3(config)# int tunnel0
R3(config-if)# tunnel source serial0/0/1
R3(config-if)# tunnel destination 192.168.12.1
R3(config-if)# ip address 172.16.13.3 255.255.255.0
Step 4: Configure routing with EIGRP over the tunnel:
R1(config)# router eigrp 2
R1(config-router)# no auto-summary
R1(config-router)# network 172.16.0.0
R3(config)# router eigrp 2
R3(config-router)# no auto-summary
R3(config-router)# network 172.16.0.0
Final Configurations
R1# show run
hostname R1
!
interface Tunnel0
 ip address 172.16.13.1 255.255.255.0
 tunnel source Serial0/0/0
 tunnel destination 192.168.23.3
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface Serial0/0/0
 ip address 192.168.12.1 255.255.255.0
 clock rate 64000
 no shutdown
!
router eigrp 1
 network 192.168.12.0
 no auto-summary
!
router eigrp 2
 network 172.16.0.0
 no auto-summary
!
end

R2# show run
hostname R2
!
interface Serial0/0/0
 ip address 192.168.12.2 255.255.255.0
 no shutdown
!
interface Serial0/0/1
 ip address 192.168.23.2 255.255.255.0
 clock rate 64000
 no shutdown
!
router eigrp 1
 network 192.168.12.0
 network 192.168.23.0
 no auto-summary
!
end

R3# show run
hostname R3
!
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
interface Tunnel0
 ip address 172.16.13.3 255.255.255.0
 tunnel source Serial0/0/1
 tunnel destination 192.168.12.1
!
interface Serial0/0/1
 ip address 192.168.23.3 255.255.255.0
 no shutdown
!
router eigrp 1
 network 192.168.23.0
 no auto-summary
!
router eigrp 2
 network 172.16.0.0
 no auto-summary
!
end
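The tunnel built in this lab carries the 172.16.x.x traffic inside plain IP packets (protocol 47) between 192.168.12.1 and 192.168.23.3. GRE adds encapsulation only, with no confidentiality or integrity, which is why Lab 3.6 later wraps the same tunnel in IPsec. The following Python is an added example, not code from the lab: it builds the GRE encapsulation these commands configure and strips it again, so the 24 bytes of per-packet overhead (20-byte outer IPv4 header plus 4-byte GRE header) and the fact that the inner packet travels in cleartext are both visible. Every packet byte in it is constructed; the addresses are the lab's.

```python
import socket
import struct

IPPROTO_GRE = 47          # outer IP protocol number for GRE
GRE_PROTO_IPV4 = 0x0800   # GRE protocol type for an encapsulated IPv4 packet


def ipv4_checksum(header):
    """Standard one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=255):
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def gre_encapsulate(tunnel_src, tunnel_dst, inner_packet):
    """Wrap an inner IPv4 packet the way 'interface Tunnel0' does: a 4-byte GRE
    header (no checksum/key/sequence flags, version 0) inside an outer IPv4
    packet from tunnel source to tunnel destination with protocol 47."""
    gre_header = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_GRE, gre_header + inner_packet)


def gre_decapsulate(outer_packet):
    """Return (protocol type, inner packet) from a GRE-in-IPv4 packet,
    skipping the optional GRE fields when their flag bits are set."""
    ihl = (outer_packet[0] & 0x0F) * 4
    if outer_packet[9] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags, proto = struct.unpack("!HH", outer_packet[ihl:ihl + 4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    offset = ihl + 4
    if flags & 0x8000:   # C bit: checksum + reserved1
        offset += 4
    if flags & 0x2000:   # K bit: key
        offset += 4
    if flags & 0x1000:   # S bit: sequence number
        offset += 4
    return proto, outer_packet[offset:]


def ipv4_addresses(packet):
    """(source, destination) of an IPv4 packet."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])


if __name__ == "__main__":
    # Constructed inner packet: loopback-to-loopback ICMP-like payload.
    inner = build_ipv4("172.16.1.1", "172.16.3.1", 1, b"\x08\x00lab-ping")
    outer = gre_encapsulate("192.168.12.1", "192.168.23.3", inner)
    print("overhead bytes:", len(outer) - len(inner))
    print("outer addresses:", ipv4_addresses(outer))
    print("inner visible in cleartext:", b"lab-ping" in outer)
```

Looking at `outer` on the 192.168.12.0/24 or 192.168.23.0/24 links (for instance with the SPAN and Wireshark setup of Lab 3.3) shows the inner 172.16.x.x addresses and payload unchanged; only IPsec (Lab 3.6) hides them.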
Lab 3.3 Configuring Wireshark and SPAN
1. OBJECTIVES: Install Wireshark on the PC. Configure SPAN on the switch.
2. CONFIGURATION:
Step 1: Configure the router:
R1(config)# interface fastethernet0/0
R1(config-if)# ip address 192.168.10.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# router eigrp 1
R1(config-router)# network 192.168.10.0
Step 2: Install Wireshark on the PC.
Step 3: Configure SPAN on the switch:
ALS1(config)# monitor session 1 source interface fastethernet0/1
ALS1(config)# monitor session 1 destination interface fastethernet0/6
Step 4: Capture packets with Wireshark:
Final Configurations
R1# show run
!
hostname R1
!
interface fastethernet0/0
 ip address 192.168.10.1 255.255.255.0
!
router eigrp 1
 network 192.168.10.0
!
end

ALS1# show run
!
hostname ALS1
!
monitor session 1 source interface fastethernet0/1
monitor session 1 destination interface fastethernet0/6
!
end
Lab 3.4 Configuring Site-to-Site IPsec VPNs with SDM
1. OBJECTIVES: Configure EIGRP on the routers. Use SDM to configure a site-to-site IPsec VPN. Verify IPsec operation.
2. CONFIGURATION:
Step 1: Configure IP addresses as shown in the diagram:
R1(config)# interface loopback0
R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)# interface fastethernet0/0
R1(config-if)# ip address 192.168.12.1 255.255.255.0
R1(config-if)# no shutdown
R2(config)# interface fastethernet0/0
R2(config-if)# ip address 192.168.12.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# interface serial0/0/1
R2(config-if)# ip address 192.168.23.2 255.255.255.0
R2(config-if)# clockrate 64000
R2(config-if)# no shutdown
R3(config)# interface loopback0
R3(config-if)# ip address 172.16.3.1 255.255.255.0
R3(config-if)# interface serial0/0/1
R3(config-if)# ip address 192.168.23.3 255.255.255.0
R3(config-if)# no shutdown
Step 2: Configure EIGRP:
R1(config)# router eigrp 1
R1(config-router)# no auto-summary
R1(config-router)# network 172.16.0.0
R1(config-router)# network 192.168.12.0
R2(config)# router eigrp 1
R2(config-router)# no auto-summary
R2(config-router)# network 192.168.12.0
R2(config-router)# network 192.168.23.0
R3(config)# router eigrp 1
R3(config-router)# no auto-summary
R3(config-router)# network 172.16.0.0
R3(config-router)# network 192.168.23.0
Step 3: Connect to the router with SDM:
Step 4: Configure the site-to-site IPsec VPN:
Step 5: Generate the mirror configuration (Generate Mirror...) for R3:
R3# configure terminal
R3(config)# crypto isakmp policy 10
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encr aes 256
R3(config-isakmp)# hash md5
R3(config-isakmp)# group 5
R3(config-isakmp)# lifetime 28800
R3(config-isakmp)# exit
R3(config)# crypto isakmp policy 1
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encr 3des
R3(config-isakmp)# hash sha
R3(config-isakmp)# group 2
R3(config-isakmp)# lifetime 86400
R3(config-isakmp)# exit
R3(config)# crypto isakmp key cisco address 192.168.12.1
R3(config)# crypto ipsec transform-set cisco_lab_transform esp-sha-hmac esp-aes 256
R3(cfg-crypto-trans)# mode tunnel
R3(cfg-crypto-trans)# exit
R3(config)# ip access-list extended SDM_1
R3(config-ext-nacl)# remark SDM_ACL Category=4
R3(config-ext-nacl)# remark IPsec Rule
R3(config-ext-nacl)# permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
R3(config-ext-nacl)# exit
R3(config)# crypto map SDM_CMAP_1 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)# description Apply the crypto map on the peer router's interface having IP address 192.168.23.3 that connects to this router.
R3(config-crypto-map)# set transform-set cisco_lab_transform
R3(config-crypto-map)# set peer 192.168.12.1
R3(config-crypto-map)# match address SDM_1
R3(config-crypto-map)# set security-association lifetime seconds 3600
R3(config-crypto-map)# set security-association lifetime kilobytes 4608000
R3(config-crypto-map)# exit
R3(config)# interface serial 0/0/1
R3(config-if)# crypto map SDM_CMAP_1
*Jan 15 22:00:38.184: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
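The mirror configuration leaves two ISAKMP policies on each router: policy 10 (AES-256, MD5, group 5) that the wizard built, and policy 1 (3DES, SHA, group 2) that SDM adds as a default. IOS negotiates IKE phase 1 by walking the responder's policies from the lowest priority number upward and accepting the first one the initiator also offers, so with both routers carrying the same pair it is policy 1, the weaker of the two, that the tunnel actually uses. The following Python is an added example (not from the lab or from Cisco) that parses the two policy blocks re-typed from this lab's final configurations, models that selection rule, and rates the chosen policy; the weak-setting list is this example's own assumption about what a reviewer would flag.

```python
import re

# Constructed input: the two ISAKMP policies SDM leaves on R1 and R3 in this
# lab, re-typed from the Final Configurations section. Attributes a block does
# not set take the IOS defaults (see DEFAULTS).
R1_POLICIES = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 5
 lifetime 28800
!
"""
R3_POLICIES = R1_POLICIES   # "Generate Mirror..." reproduces the same pair on R3

# Values IOS applies when a 'crypto isakmp policy' block leaves the attribute unset.
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}


def parse_isakmp_policies(config):
    """Parse 'crypto isakmp policy' blocks into dicts, lowest priority number first."""
    policies, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = dict(DEFAULTS, priority=int(m.group(1)))
            policies.append(current)
            continue
        if not line or line == "!":
            current = None
            continue
        key, _, value = line.partition(" ")
        if current is not None and key in DEFAULTS:
            current[key] = value.replace(" ", "")    # "aes 256" -> "aes256"
    return sorted(policies, key=lambda p: p["priority"])


def negotiate(responder, initiator):
    """Model of IOS IKE phase 1 policy selection: the responder checks its own
    policies in priority order (lowest number first) and takes the first whose
    encryption, hash, authentication and DH group the initiator also proposes.
    Lifetimes need not match; the shorter one is used. Returns None on no match."""
    attrs = ("encr", "hash", "authentication", "group")
    for local in sorted(responder, key=lambda p: p["priority"]):
        for remote in initiator:
            if all(local[a] == remote[a] for a in attrs):
                chosen = dict(local)
                chosen["lifetime"] = str(min(int(local["lifetime"]), int(remote["lifetime"])))
                return chosen
    return None


# Assumption of this example: settings a reviewer would flag as weak today.
WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}


def weaknesses(policy):
    """List the weak attributes of a negotiated policy as 'attr=value' strings."""
    return [f"{k}={policy[k]}" for k in ("encr", "hash", "group") if policy[k] in WEAK[k]]


if __name__ == "__main__":
    r1, r3 = parse_isakmp_policies(R1_POLICIES), parse_isakmp_policies(R3_POLICIES)
    chosen = negotiate(r3, r1)          # R1 initiates, R3 responds
    print("negotiated policy", chosen["priority"], chosen)
    print("weak settings:", weaknesses(chosen))
```

With the lab's policies the model selects policy 1 (3DES, group 2); removing policy 1 from both routers, or renumbering the AES policy below it, makes the AES-256 policy win, leaving only its MD5 hash to flag.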
Step 6: Verify the VPN using SDM:
Step 7: Verify the VPN configuration using the CLI:
Final Configurations
R1# show run
!
hostname R1
!
crypto pki trustpoint TP-self-signed-1455051929
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1455051929
 revocation-check none
 rsakeypair TP-self-signed-1455051929
!
crypto pki certificate chain TP-self-signed-1455051929
 certificate self-signed 01
 <OUTPUT OMITTED>
 8EAF0758 8E56E4F8 68C2872C 1BA64531 80ED01B7 84EB790C 43312206 575C
 quit
username ciscosdm privilege 15 password 0 ciscosdm
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key cisco address 192.168.23.3
!
crypto ipsec transform-set cisco_lab_transform esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 192.168.23.3
 set peer 192.168.23.3
 set transform-set cisco_lab_transform
 match address 101
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 crypto map SDM_CMAP_1
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 network 192.168.12.0
 no auto-summary
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPsec Rule
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPsec Rule
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
!
line vty 0 4
 login local
 transport input telnet ssh
!
end

R2# show run
!
hostname R2
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 no shutdown
!
interface Serial0/0/1
 ip address 192.168.23.2 255.255.255.0
 clock rate 64000
 no shutdown
!
router eigrp 1
 network 192.168.12.0
 network 192.168.23.0
 no auto-summary
!
end

R3# show run
!
hostname R3
!
enable secret 5 $1$gJqP$HsL/xMjpFvacHs7bWGvIK.
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key cisco address 192.168.12.1
!
crypto ipsec transform-set cisco_lab_transform esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description # Apply the crypto map on the peer router's interface having IP address 192.168.23.3 that connects to this router.
 set peer 192.168.12.1
 set transform-set cisco_lab_transform
 match address SDM_1
!
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
interface Serial0/0/1
 ip address 192.168.23.3 255.255.255.0
 crypto map SDM_CMAP_1
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 network 192.168.23.0
 no auto-summary
!
ip access-list extended SDM_1
 remark SDM_ACL Category=4
 remark IPsec Rule
 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
!
line vty 0 4
 password cisco
 login
!
end
Lab 3.5 Configuring Site-to-Site IPsec VPNs with the IOS CLI
1. OBJECTIVES: Configure EIGRP on the routers. Configure a site-to-site IPsec VPN using the CLI. Verify IPsec.
2. CONFIGURATION:
Step 1: Configure IP addresses as shown in the diagram:
R1(config)# interface loopback0
R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)# interface fastethernet0/0
R1(config-if)# ip address 192.168.12.1 255.255.255.0
R1(config-if)# no shutdown
R2(config)# interface fastethernet0/0
R2(config-if)# ip address 192.168.12.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# interface serial0/0/1
R2(config-if)# ip address 192.168.23.2 255.255.255.0
R2(config-if)# clockrate 64000
R2(config-if)# no shutdown
R3(config)# interface loopback0
R3(config-if)# ip address 172.16.3.1 255.255.255.0
R3(config-if)# interface serial0/0/1
R3(config-if)# ip address 192.168.23.3 255.255.255.0
R3(config-if)# no shutdown
Step 2: Configure EIGRP:
R1(config)# router eigrp 1
R1(config-router)# no auto-summary
R1(config-router)# network 172.16.0.0
R1(config-router)# network 192.168.12.0
R2(config)# router eigrp 1
R2(config-router)# no auto-summary
R2(config-router)# network 192.168.12.0
R2(config-router)# network 192.168.23.0
R3(config)# router eigrp 1
R3(config-router)# no auto-summary
R3(config-router)# network 172.16.0.0
R3(config-router)# network 192.168.23.0
Step 3: Create the IKE policy:
R1(config)# crypto isakmp enable
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# hash sha
R1(config-isakmp)# group 5
R1(config-isakmp)# lifetime 3600
R3(config)# crypto isakmp policy 10
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encryption aes 256
R3(config-isakmp)# hash sha
R3(config-isakmp)# group 5
R3(config-isakmp)# lifetime 3600
Step 4: Configure the pre-shared key (PSK):
R1(config)# crypto isakmp key cisco address 192.168.23.3
R3(config)# crypto isakmp key cisco address 192.168.12.1
Step 5: Configure the IPsec transform set and lifetime:
R1(config)# crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac ah-sha-hmac
R1(cfg-crypto-trans)# exit
R1(config)#
R3(config)# crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac ah-sha-hmac
R3(cfg-crypto-trans)# exit
R3(config)#
R1(config)# crypto ipsec security-association lifetime seconds 1800
R3(config)# crypto ipsec security-association lifetime seconds 1800
Step 6: Define the interesting traffic:
R1(config)# access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
R3(config)# access-list 101 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
Step 7: Create and apply the crypto map:
R1(config)# crypto map MYMAP 10 ipsec-isakmp
R1(config-crypto-map)# match address 101
R1(config-crypto-map)# set peer 192.168.23.3
R1(config-crypto-map)# set pfs group5
R1(config-crypto-map)# set transform-set 50
R1(config-crypto-map)# set security-association lifetime seconds 900
R3(config)# crypto map MYMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)# match address 101
R3(config-crypto-map)# set peer 192.168.12.1
R3(config-crypto-map)# set pfs group5
R3(config-crypto-map)# set transform-set 50
R3(config-crypto-map)# set security-association lifetime seconds 900
R1(config)# interface fastethernet0/0
R1(config-if)# crypto map MYMAP
*Jan 17 04:09:09.150: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config)# interface serial0/0/1
R3(config-if)# crypto map MYMAP
*Jan 17 04:10:54.138: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Step 8: Verify that IPsec is operating:
Step 9: Verify IPsec operation:
Step 10: Debug IPsec:
R1# debug crypto isakmp
Crypto ISAKMP debugging is on
R1# debug crypto ipsec
Crypto IPSEC debugging is on
R1# undebug all
All possible debugging has been turned off
Final Configurations:
R1# show run
!
hostname R1
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 192.168.23.3
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.168.23.3
 set security-association lifetime seconds 900
 set transform-set 50
 set pfs group5
 match address 101
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 crypto map MYMAP
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 network 192.168.12.0
 no auto-summary
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
!
end

R2# show run
!
hostname R2
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 no shutdown
!
interface Serial0/0/1
 ip address 192.168.23.2 255.255.255.0
 clock rate 64000
 no shutdown
!
router eigrp 1
 network 192.168.12.0
 network 192.168.23.0
 no auto-summary
!
end

R3# show run
!
hostname R3
!
enable secret 5 $1$LT7i$MY2NhpGjl5uL1zNAoR2tf.
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 192.168.12.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.168.12.1
 set security-association lifetime seconds 900
 set transform-set 50
 set pfs group5
 match address 101
!
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
interface Serial0/0/1
 ip address 192.168.23.3 255.255.255.0
 crypto map MYMAP
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 network 192.168.23.0
 no auto-summary
!
access-list 101 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
!
line vty 0 4
 password cisco
 login
!
end
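A site-to-site crypto-map tunnel that fails to come up, or comes up but drops part of the traffic, is almost always a small asymmetry between the two peers: a crypto ACL that is not the exact mirror of the other side, a `set peer` pointing at an address other than the interface that carries the peer's crypto map, a pre-shared key bound to the wrong address, or a transform set or PFS group that differs. The Python script below is an added example, not part of the lab book: it parses the IPsec-relevant stanzas of the R1 and R3 `show run` output above (copied in as constructed strings), fills in the IOS defaults that `show run` omits, and reports those asymmetries, plus two things a reviewer would flag in this lab even though the tunnel works (the pre-shared key `cisco`, and a missing PFS setting if it were removed). The wordlist of trivial keys is an assumption of the example.

```python
import re

# Constructed excerpts of the R1 and R3 "show run" output above (only the stanzas that must agree between peers).
R1_CONFIG = """
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 192.168.23.3
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.168.23.3
 set transform-set 50
 set pfs group5
 match address 101
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 crypto map MYMAP
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
"""
R3_CONFIG = """
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 192.168.12.1
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.168.12.1
 set transform-set 50
 set pfs group5
 match address 101
interface Serial0/0/1
 ip address 192.168.23.3 255.255.255.0
 crypto map MYMAP
access-list 101 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
"""
# "show run" omits ISAKMP policy values left at the IOS defaults, so start from them.
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}
TRIVIAL_PSKS = {"cisco", "cisco123", "password"}   # assumed wordlist for the example, not from the lab


def parse(cfg):
    """Line-oriented parse of the IPsec-relevant stanzas of an IOS running-config."""
    c = {"policies": {}, "psk": {}, "tsets": {}, "map": {}, "ifaces": {}, "acl": {}}
    ctx = None                               # stanza that the following indented lines belong to
    for line in (raw.strip() for raw in cfg.splitlines()):
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            ctx = c["policies"][m[1]] = dict(POLICY_DEFAULTS)
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            c["psk"][m[2]] = m[1]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            c["tsets"][m[1]] = tuple(sorted(m[2].split()))   # IOS reorders the transforms in show run
        elif re.match(r"crypto map \S+ \d+ ipsec-isakmp", line):
            ctx = c["map"]
        elif m := re.match(r"interface (\S+)", line):
            ctx = c["ifaces"][m[1]] = {}
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            c["acl"].setdefault(m[1], []).append(((m[2], m[3]), (m[4], m[5])))
        elif ctx is not None:                # "set peer X", "ip address A M", "group 5", ...
            w = line.split()
            n = 2 if w[0] in ("set", "match", "ip", "crypto") else 1
            ctx[" ".join(w[:n])] = " ".join(w[n:])
    return c


def check_pair(cfg_a, cfg_b):
    """Return (errors, warnings) for a site-to-site pair: errors are asymmetries that stop
    the tunnel or silently weaken it, warnings are settings a reviewer should question."""
    side = {"A": parse(cfg_a), "B": parse(cfg_b)}
    addr = {n: next((i["ip address"].split()[0] for i in c["ifaces"].values() if "crypto map" in i), None)
            for n, c in side.items()}        # address of the interface that carries the crypto map
    errors, warnings = [], []
    suite = lambda p: {k: v for k, v in p.items() if k != "lifetime"}   # lifetimes may differ and still match
    if not any(suite(q) in [suite(p) for p in side["A"]["policies"].values()] for q in side["B"]["policies"].values()):
        errors.append("no ISAKMP policy is common to both peers")
    for me, peer in (("A", "B"), ("B", "A")):
        c, p = side[me], side[peer]
        if c["map"].get("set peer") != addr[peer]:
            errors.append(f"{me}: set peer {c['map'].get('set peer')} is not {peer}'s crypto-map interface {addr[peer]}")
        if addr[peer] not in c["psk"] or c["psk"][addr[peer]] != p["psk"].get(addr[me]):
            errors.append(f"{me}: pre-shared key for {addr[peer]} is missing or differs from {peer}'s")
        elif c["psk"][addr[peer]].lower() in TRIVIAL_PSKS:
            warnings.append(f"{me}: pre-shared key '{c['psk'][addr[peer]]}' is a trivial value")
        if c["tsets"].get(c["map"].get("set transform-set")) != p["tsets"].get(p["map"].get("set transform-set")):
            errors.append(f"{me}: transform set differs from {peer}'s")
        if c["map"].get("set pfs") != p["map"].get("set pfs"):
            errors.append(f"{me}: PFS setting differs from {peer}'s")
        elif "set pfs" not in c["map"]:
            warnings.append(f"{me}: no PFS, so IPsec keys are derived from the IKE SA alone")
        mine = sorted(c["acl"].get(c["map"].get("match address"), []))
        mirrored = sorted((dst, src) for src, dst in p["acl"].get(p["map"].get("match address"), []))
        if mine != mirrored:
            errors.append(f"{me}: crypto ACL {c['map'].get('match address')} is not the mirror image of {peer}'s")
    return errors, warnings
```

Run `check_pair(R1_CONFIG, R3_CONFIG)` to get an empty error list and the two trivial-key warnings; change one subnet in R3's `access-list 101` and the mirror-image error is reported from both sides, which is the symptom behind the classic "tunnel up in one direction only" complaint.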
Lab 3.6 Configuring a Secure GRE Tunnel with SDM
1. OBJECTIVES:
Configure EIGRP on the routers.
Use SDM to secure a GRE tunnel.
2. CONFIGURATION:
Step 1: Configure IP addresses as shown in the diagram:
R1# configure terminal
R1(config)# interface loopback 0
R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)# interface fastethernet 0/0
R1(config-if)# ip address 192.168.12.1 255.255.255.0
R1(config-if)# no shutdown
R2# configure terminal
R2(config)# interface fastethernet 0/0
R2(config-if)# ip address 192.168.12.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# interface serial0/0/1
R2(config-if)# ip address 192.168.23.2 255.255.255.0
R2(config-if)# clockrate 64000
R2(config-if)# no shutdown
R3# configure terminal
R3(config)# interface loopback 0
R3(config-if)# ip address 172.16.3.1 255.255.255.0
R3(config-if)# interface serial0/0/1
R3(config-if)# ip address 192.168.23.3 255.255.255.0
R3(config-if)# no shutdown
Step 2: Configure EIGRP AS 1:
R1(config)# router eigrp 1
R1(config-router)# no auto-summary
R1(config-router)# network 192.168.12.0
R2(config)# router eigrp 1
R2(config-router)# no auto-summary
R2(config-router)# network 192.168.12.0
R2(config-router)# network 192.168.23.0
R3(config)# router eigrp 1
R3(config-router)# no auto-summary
R3(config-router)# network 192.168.23.0
Step 3: Connect to the router with SDM:
Step 4: Configure the secure GRE tunnel with SDM (the wizard produces a GRE tunnel protected by a crypto map applied to the tunnel and to the physical interface, not an IPsec VTI; VTIs are covered in Lab 3.8):
Step 5: Generate a mirror configuration for R3:
R3(config)# crypto isakmp policy 10
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encr aes 256
R3(config-isakmp)# hash sha
R3(config-isakmp)# group 5
R3(config-isakmp)# lifetime 28800
R3(config-isakmp)# exit
R3(config)# crypto isakmp policy 1
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encr 3des
R3(config-isakmp)# hash sha
R3(config-isakmp)# group 2
R3(config-isakmp)# lifetime 86400
R3(config-isakmp)# exit
R3(config)# crypto isakmp key cisco address 192.168.12.1
R3(config)# crypto ipsec transform-set mytrans esp-sha-hmac esp-aes 256
R3(cfg-crypto-trans)# mode tunnel
R3(cfg-crypto-trans)# exit
R3(config)# ip access-list extended SDM_1
R3(config-ext-nacl)# remark SDM_ACL Category=4
R3(config-ext-nacl)# permit gre host 192.168.23.3 host 192.168.12.1
R3(config-ext-nacl)# exit
R3(config)# crypto map SDM_CMAP_1 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R3(config-crypto-map)# description Apply the crypto map on the peer router's interface having IP address 192.168.23.3 that connects to this router.
R3(config-crypto-map)# set transform-set mytrans
R3(config-crypto-map)# set peer 192.168.12.1
R3(config-crypto-map)# match address SDM_1
R3(config-crypto-map)# set security-association lifetime seconds 3600
R3(config-crypto-map)# set security-association lifetime kilobytes 4608000
R3(config-crypto-map)# exit

The mirror configuration covers only the crypto settings. The tunnel interface, the crypto map on the physical interface and the EIGRP AS 2 process have to be mirrored by hand from R1's Tunnel0:

R1# show run interface tunnel 0
Building configuration...

Current configuration : 190 bytes
!
interface Tunnel0
 ip address 172.16.13.1 255.255.255.0
 ip mtu 1420
 tunnel source FastEthernet0/0
 tunnel destination 192.168.23.3
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
end

R3(config)# interface Tunnel 0
R3(config-if)# ip address 172.16.13.3 255.255.255.0
R3(config-if)# ip mtu 1420
R3(config-if)# tunnel source Serial0/0/1
R3(config-if)# tunnel destination 192.168.12.1
R3(config-if)# tunnel path-mtu-discovery
R3(config-if)# crypto map SDM_CMAP_1

R3(config)# interface serial 0/0/1
R3(config-if)# crypto map SDM_CMAP_1

R3(config)# router eigrp 2
R3(config-router)# no auto-summary
R3(config-router)# network 172.16.0.0
Step 6: Verify the tunnel configuration with SDM:
Final Configurations
R1# show run
hostname R1
!
crypto pki trustpoint TP-self-signed-1455051929
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1455051929
 revocation-check none
 rsakeypair TP-self-signed-1455051929
!
crypto pki certificate chain TP-self-signed-1455051929
 certificate self-signed 01
  3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31343535 30353139 3239301E 170D3037 30313139 30303337
  30375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34353530
  35313932 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B2AE D3DF3BE4 D1323EDA B5A4EC54 2E3F3B46 20204095 3FA3FE01 0B3F5C84
  283D08A2 1023886D 6791AD57 DFFD39EE C453D2EF 0555041C A1B9CCCA 82216AAB
  FBD731B8 465F3B57 4E7D76C3 54BE49F3 B82D0AF7 74005E9E 59736B5A 90D63697
  EABA4FE5 973B7F4A D0C2B77A 5B03A5C7 4376DE69 3B784063 726D0E9C 51065FEC
  E4290203 010001A3 62306030 0F060355 1D130101 FF040530 030101FF 300D0603
  551D1104 06300482 02523130 1F060355 1D230418 30168014 976FC125 5539A586
  94800545 D6F943AD A89E2B22 301D0603 551D0E04 16041497 6FC12555 39A58694
  800545D6 F943ADA8 9E2B2230 0D06092A 864886F7 0D010104 05000381 81000E3E
  9C147BD6 EF49FD63 943C943A FD5773A4 559346F8 0F33886E 26A84C33 2FB0AC36
  FF5F849E 782BAB73 D94FFEAB 7BE8F8E1 E72238F9 A70A7709 8854878F 53105BB2
  3996E9E2 CD907377 101D3E5C 62A7CC8B 3C268997 CCF09774 909EE66A F09A9D3E
  BBB99FC4 96E50636 1CEC52CB 9A45E8DB 7317DE15 06350825 9ECCD529 B3A7
  quit
username ciscosdm privilege 15 password 0 ciscosdm
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key cisco address 192.168.23.3
!
crypto ipsec transform-set mytrans esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 192.168.23.3
 set peer 192.168.23.3
 set transform-set mytrans
 match address 100
!
interface Tunnel0
 ip address 172.16.13.1 255.255.255.0
 ip mtu 1420
 tunnel source FastEthernet0/0
 tunnel destination 192.168.23.3
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 crypto map SDM_CMAP_1
 no shutdown
!
router eigrp 1
 network 192.168.12.0
 no auto-summary
!
router eigrp 2
 network 172.16.13.0 0.0.0.255
 network 172.16.0.0
 no auto-summary
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 permit gre host 192.168.12.1 host 192.168.23.3
!
line vty 0 4
 login local
 transport input telnet ssh
end

R2# show run
hostname R2
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 no shutdown
!
interface Serial0/0/1
 ip address 192.168.23.2 255.255.255.0
 clock rate 64000
 no shutdown
!
router eigrp 1
 network 192.168.12.0
 network 192.168.23.0
 no auto-summary
!
end

R3# show run
hostname R3
!
enable secret 5 $1$xbvr$6YNBOCZFuWyM3UTmlHK03.
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key cisco address 192.168.12.1
!
crypto ipsec transform-set mytrans esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Apply the crypto map on the peer router's interface having IP address 192.168.23.3 that connects to this router.
 set peer 192.168.12.1
 set transform-set mytrans
 match address SDM_1
!
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
interface Tunnel0
 ip address 172.16.13.3 255.255.255.0
 ip mtu 1420
 tunnel source Serial0/0/1
 tunnel destination 192.168.12.1
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
!
interface Serial0/0/1
 ip address 192.168.23.3 255.255.255.0
 crypto map SDM_CMAP_1
 no shutdown
!
router eigrp 1
 network 192.168.23.0
 no auto-summary
!
router eigrp 2
 network 172.16.0.0
 no auto-summary
!
ip access-list extended SDM_1
 remark SDM_ACL Category=4
 permit gre host 192.168.23.3 host 192.168.12.1
!
line vty 0 4
 password ccie
 login
end
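Both R1 and R3 above end up with two ISAKMP policies: the AES-256 / SHA / DH group 5 policy 10 chosen in the wizard, and SDM's default policy 1 with 3DES, SHA and DH group 2. In IOS IKEv1 the initiator offers all of its policies, and the responder walks its own policies from the lowest number (highest priority) upward and accepts the first one that matches an offer. Because policy 1 outranks policy 10, this lab negotiates 3DES and group 2, not the AES-256 suite the wizard displayed. The Python model below is an added example (not code from the lab book or from Cisco) that implements Cisco's documented selection rule on the two policy sets above and shows that deleting the weak policy on either router (`no crypto isakmp policy 1`) is enough to get AES-256 negotiated; the IOS built-in default policies numbered 65507 and up are not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int       # the <n> in "crypto isakmp policy <n>"; lower is higher priority
    encr: str
    hash: str
    auth: str
    group: int
    lifetime: int       # seconds


# The two policies present on both R1 and R3 in the Final Configurations above:
# SDM's default policy 1 and the policy 10 selected in the wizard.
R1_POLICIES = [IsakmpPolicy(1, "3des", "sha", "pre-share", 2, 86400),
               IsakmpPolicy(10, "aes-256", "sha", "pre-share", 5, 28800)]
R3_POLICIES = list(R1_POLICIES)

WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {1, 2}}


def negotiate(initiator, responder):
    """Model of IOS IKEv1 policy selection: the initiator offers every policy it has; the
    responder walks its own policies from the lowest number upward and accepts the first
    that matches an offer on encr/hash/auth/group and whose offered lifetime is no longer
    than its own. The shorter of the two lifetimes is used.
    Returns (responder_policy, offered_policy, lifetime), or None if nothing matches."""
    offers = sorted(initiator, key=lambda p: p.priority)
    for mine in sorted(responder, key=lambda p: p.priority):
        for offer in offers:
            same_suite = ((offer.encr, offer.hash, offer.auth, offer.group)
                          == (mine.encr, mine.hash, mine.auth, mine.group))
            if same_suite and offer.lifetime <= mine.lifetime:
                return mine, offer, min(mine.lifetime, offer.lifetime)
    return None


def weaknesses(policy):
    """Fields of the policy whose algorithm a reviewer would reject today."""
    return [field for field, bad in WEAK.items() if getattr(policy, field) in bad]


def harden(policies):
    """Drop every policy carrying a weak algorithm; on the router that is
    'no crypto isakmp policy 1' for the SDM default policy."""
    return [p for p in policies if not weaknesses(p)]


if __name__ == "__main__":
    chosen, _, life = negotiate(R1_POLICIES, R3_POLICIES)
    print(f"as configured: policy {chosen.priority} -> {chosen.encr}/{chosen.hash}/group {chosen.group}, "
          f"{life}s, weak fields {weaknesses(chosen)}")
    chosen, _, life = negotiate(R1_POLICIES, harden(R3_POLICIES))
    print(f"after 'no crypto isakmp policy 1' on R3 only: policy {chosen.priority} -> "
          f"{chosen.encr}/group {chosen.group}, {life}s")
```

The same rule explains why adding a strong policy with a high number to an existing router changes nothing if a weaker low-numbered policy still matches the peer: renumber the strong policy below the weak one, or remove the weak one, then confirm with `show crypto isakmp sa detail` which suite the live SA is actually using.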
Lab 3.7 Configuring a Secure GRE Tunnel with the IOS CLI
1. OBJECTIVES:
Configure EIGRP on the routers.
Create a GRE tunnel between two routers.
Use IPsec to secure the GRE tunnel.
2. CONFIGURATION:
Step 1: Configure IP addresses as shown in the diagram:
R1# configure terminal
R1(config)# interface loopback0
R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)# interface fastethernet0/0
R1(config-if)# ip address 192.168.12.1 255.255.255.0
R1(config-if)# no shutdown
R2# configure terminal
R2(config)# interface fastethernet0/0
R2(config-if)# ip address 192.168.12.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# interface serial0/0/1
R2(config-if)# ip address 192.168.23.2 255.255.255.0
R2(config-if)# clockrate 64000
R2(config-if)# no shutdown
R3# configure terminal
R3(config)# interface loopback0
R3(config-if)# ip address 172.16.3.1 255.255.255.0
R3(config-if)# interface serial0/0/1
R3(config-if)# ip address 192.168.23.3 255.255.255.0
R3(config-if)# no shutdown
Step 2: Configure EIGRP AS 1:
R1(config)# router eigrp 1
R1(config-router)# no auto-summary
R1(config-router)# network 192.168.12.0
R2(config)# router eigrp 1
R2(config-router)# no auto-summary
R2(config-router)# network 192.168.12.0
R2(config-router)# network 192.168.23.0
R3(config)# router eigrp 1
R3(config-router)# no auto-summary
R3(config-router)# network 192.168.23.0
Verify that R1 and R3 can see the remote transit network with show ip route.
Step 3: Configure the GRE tunnel:
R1(config)# interface tunnel 0
R1(config-if)# ip address 172.16.13.1 255.255.255.0
R1(config-if)# tunnel source fastethernet0/0
R1(config-if)# tunnel destination 192.168.23.3
R3(config)# interface tunnel0
R3(config-if)# ip address 172.16.13.3 255.255.255.0
R3(config-if)# tunnel source serial0/0/1
R3(config-if)# tunnel destination 192.168.12.1
Step 4: Configure EIGRP AS 2 over the tunnel interface:
R1(config)# router eigrp 2
R1(config-router)# no auto-summary
R1(config-router)# network 172.16.0.0
R3(config)# router eigrp 2
R3(config-router)# no auto-summary
R3(config-router)# network 172.16.0.0
Step 5: Configure the IKE policy and peers:
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# hash sha
R1(config-isakmp)# group 5
R1(config-isakmp)# lifetime 3600
R3(config)# crypto isakmp policy 10
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encryption aes 256
R3(config-isakmp)# hash sha
R3(config-isakmp)# group 5
R3(config-isakmp)# lifetime 3600
Step 6: Create the pre-shared key:
R1(config)# crypto isakmp key cisco address 192.168.23.3
R3(config)# crypto isakmp key cisco address 192.168.12.1
Step 7: Create the transform set:
R1(config)# crypto ipsec transform-set mytrans esp-aes 256 esp-sha-hmac ah-sha-hmac
R1(cfg-crypto-trans)# exit
R1(config)#
R3(config)# crypto ipsec transform-set mytrans esp-aes 256 esp-sha-hmac ah-sha-hmac
R3(cfg-crypto-trans)# exit
R3(config)#
Step 8: Define the traffic IPsec must protect (only the GRE packets between the two tunnel endpoints):
R1(config)# access-list 101 permit gre host 192.168.12.1 host 192.168.23.3
R3(config)# access-list 101 permit gre host 192.168.23.3 host 192.168.12.1
Step 9: Create the crypto map:
R1(config)# crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)# match address 101
R1(config-crypto-map)# set peer 192.168.23.3
R1(config-crypto-map)# set transform-set mytrans
R1(config-crypto-map)# exit
R1(config)# interface fastethernet 0/0
R1(config-if)# crypto map mymap
*Jan 22 07:01:30.147: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config)# crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R3(config-crypto-map)# match address 101
R3(config-crypto-map)# set peer 192.168.12.1
R3(config-crypto-map)# set transform-set mytrans
R3(config-crypto-map)# interface serial 0/0/1
R3(config-if)# crypto map mymap
*Jan 22 07:02:47.726: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
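Both GRE-over-IPsec labs set a tunnel MTU without saying where the number comes from: SDM wrote `ip mtu 1420` on Tunnel0 in Lab 3.6, and Lab 3.7 leaves the IOS default of 1476 (1500 minus the 24-byte GRE encapsulation). Whether a full-size packet then fits in a 1500-byte frame depends on the transform set, and both labs change SDM's 3DES default to AES-256 (Lab 3.7 adds AH on top). The Python example below is added here and is not part of the lab book; it computes the wire size from the RFC 4302/4303 header, IV, padding and ICV sizes for the transforms used in these labs, treating the GRE header as the 4-byte form with no key or sequence option (as configured above). It shows that 1420 is safe for 3DES but that an AES-256 tunnel-mode SA pushes a full-size packet to 1512 bytes, so IOS must fragment it before encryption, and it computes the largest `ip mtu` that avoids that for each transform set.

```python
import math

IP_HDR = 20
GRE_HDR = 4            # GRE header without key/sequence options, as in the labs' tunnels
ESP_HDR = 8            # SPI + sequence number
ESP_TRAILER = 2        # pad-length and next-header bytes inside the encrypted part
ICV = 12               # HMAC-SHA1-96 integrity check value, used by esp-sha-hmac and ah-sha-hmac
AH_LEN = 12 + ICV      # fixed AH header plus its ICV (RFC 4302)

# (cipher block size, IV length) in bytes for the ESP ciphers that appear in these labs
CIPHERS = {"esp-aes-256": (16, 16), "esp-aes": (16, 16), "esp-3des": (8, 8)}

# Transform sets from the labs; "esp-aes 256" is written esp-aes-256 so that each token is one word.
LAB36_TRANSFORM = ("esp-aes-256", "esp-sha-hmac")                  # Lab 3.6 (SDM, mode tunnel)
LAB37_TRANSFORM = ("esp-aes-256", "esp-sha-hmac", "ah-sha-hmac")   # Lab 3.7 (CLI)
SDM_DEFAULT_TRANSFORM = ("esp-3des", "esp-sha-hmac")               # what SDM proposes before the labs change it


def ipsec_size(ip_packet_len, transform, mode="tunnel"):
    """Wire size of an ip_packet_len-byte IP packet after the transform set is applied.
    ESP (RFC 4303): [IP][ESP hdr][IV][payload + padding to the cipher block + trailer][ICV].
    Tunnel mode protects the whole packet behind a new 20-byte IP header; transport mode
    protects only what follows the original header, which is kept. AH (RFC 4302) is added
    between the IP header and ESP when the set includes ah-sha-hmac."""
    block, iv = next(CIPHERS[t] for t in transform if t in CIPHERS)
    protected = ip_packet_len if mode == "tunnel" else ip_packet_len - IP_HDR
    padded = math.ceil((protected + ESP_TRAILER) / block) * block
    size = IP_HDR + ESP_HDR + iv + padded + ICV
    if "ah-sha-hmac" in transform:
        size += AH_LEN
    return size


def gre_over_ipsec_size(tunnel_ip_mtu, transform, mode="tunnel"):
    """Wire size of a full-size packet sent through a GRE tunnel with 'ip mtu tunnel_ip_mtu'
    when the GRE packet is then protected by IPsec. The crypto ACL in Labs 3.6/3.7 matches
    'permit gre host A host B', so the 20+4-byte GRE encapsulation is inside the IPsec payload."""
    return ipsec_size(tunnel_ip_mtu + IP_HDR + GRE_HDR, transform, mode)


def max_tunnel_ip_mtu(transform, mode="tunnel", link_mtu=1500):
    """Largest tunnel 'ip mtu' for which no protected packet exceeds link_mtu."""
    mtu = link_mtu - IP_HDR - GRE_HDR        # 1476, the IOS default ip mtu of a GRE tunnel
    while gre_over_ipsec_size(mtu, transform, mode) > link_mtu:
        mtu -= 1
    return mtu


if __name__ == "__main__":
    cases = (("Lab 3.6: ip mtu 1420, AES-256 tunnel mode", LAB36_TRANSFORM, "tunnel", 1420),
             ("same MTU with SDM's 3DES default", SDM_DEFAULT_TRANSFORM, "tunnel", 1420),
             ("same MTU, AES-256 in transport mode", LAB36_TRANSFORM, "transport", 1420),
             ("Lab 3.7: default ip mtu 1476, AES-256 + AH tunnel mode", LAB37_TRANSFORM, "tunnel", 1476))
    for label, ts, mode, mtu in cases:
        print(f"{label}: {gre_over_ipsec_size(mtu, ts, mode)} bytes on the wire, "
              f"largest fragment-free ip mtu {max_tunnel_ip_mtu(ts, mode)}")
```

For the AES-256 tunnel-mode set of Lab 3.6 the largest fragment-free `ip mtu` is 1414, and with AH added (Lab 3.7) it drops to 1382; with `tunnel path-mtu-discovery` the router can learn a smaller path MTU, but it cannot learn that its own IPsec overhead is too large, so set `ip mtu` (and `ip tcp adjust-mss`) from the transform set actually in use rather than from the wizard default.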
Step 10: Verify IPsec:
Final Configurations
R1# show run
!
hostname R1
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 192.168.23.3
!
crypto ipsec transform-set mytrans ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 192.168.23.3
 set transform-set mytrans
 match address 101
!
interface Tunnel0
 ip address 172.16.13.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 192.168.23.3
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 crypto map mymap
 no shutdown
!
router eigrp 1
 network 192.168.12.0
 no auto-summary
!
router eigrp 2
 network 172.16.0.0
 no auto-summary
!
access-list 101 permit gre host 192.168.12.1 host 192.168.23.3
end

R2# show run
hostname R2
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 no shutdown
!
interface Serial0/0/1
 ip address 192.168.23.2 255.255.255.0
 clock rate 64000
 no shutdown
!
router eigrp 1
 network 192.168.12.0
 network 192.168.23.0
 no auto-summary
!
end

R3# show run
hostname R3
!
enable secret 5 $1$kkTj$cIYDuP2yz3vA1ARGVwxd11
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 192.168.12.1
!
crypto ipsec transform-set mytrans ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 192.168.12.1
 set transform-set mytrans
 match address 101
!
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
interface Tunnel0
 ip address 172.16.13.3 255.255.255.0
 tunnel source Serial0/0/1
 tunnel destination 192.168.12.1
!
interface Serial0/0/1
 ip address 192.168.23.3 255.255.255.0
 crypto map mymap
 no shutdown
!
router eigrp 1
 network 192.168.23.0
 no auto-summary
!
router eigrp 2
 network 172.16.0.0
 no auto-summary
!
access-list 101 permit gre host 192.168.23.3 host 192.168.12.1
!
line vty 0 4
 password cisco
 login
end
Lab 3.8 Configuring IPsec VTIs
1. OBJECTIVES:
Configure EIGRP on the routers.
Configure an IPsec virtual tunnel interface (VTI).
Configure the VTI as a backup path.
2. CONFIGURATION:
Step 1: Configure IP addresses as shown in the diagram:
HQ# configure terminal
HQ(config)# interface loopback 0
HQ(config-if)# ip address 172.16.1.1 255.255.255.0
HQ(config-if)# interface fastethernet 0/0
HQ(config-if)# ip address 172.16.13.1 255.255.255.0
HQ(config-if)# no shutdown
HQ(config-if)# interface serial 0/0/0
HQ(config-if)# ip address 192.168.12.1 255.255.255.0
HQ(config-if)# clockrate 64000
HQ(config-if)# no shutdown
ISP# configure terminal
ISP(config)# interface serial 0/0/0
ISP(config-if)# ip address 192.168.12.2 255.255.255.0
ISP(config-if)# no shutdown
ISP(config-if)# interface serial 0/0/1
ISP(config-if)# ip address 192.168.23.2 255.255.255.0
ISP(config-if)# clockrate 64000
ISP(config-if)# no shutdown
BRANCH# configure terminal
BRANCH(config)# interface loopback 0
BRANCH(config-if)# ip address 172.16.3.1 255.255.255.0
BRANCH(config-if)# interface fastethernet 0/0
BRANCH(config-if)# ip address 172.16.13.3 255.255.255.0
BRANCH(config-if)# no shutdown
BRANCH(config-if)# interface serial 0/0/1
BRANCH(config-if)# ip address 192.168.23.3 255.255.255.0
BRANCH(config-if)# no shutdown
Step 2: Configure EIGRP AS 1:
HQ(config)# router eigrp 1
HQ(config-router)# no auto-summary
HQ(config-router)# network 172.16.0.0
BRANCH(config)# router eigrp 1
BRANCH(config-router)# no auto-summary
BRANCH(config-router)# network 172.16.0.0
Step 3: Configure static default routes toward the ISP:
HQ(config)# ip route 0.0.0.0 0.0.0.0 192.168.12.2
BRANCH(config)# ip route 0.0.0.0 0.0.0.0 192.168.23.2
Step 4: Create the IKE policy, peers and pre-shared key:
HQ(config)# crypto isakmp policy 10
HQ(config-isakmp)# authentication pre-share
HQ(config-isakmp)# encryption aes 256
HQ(config-isakmp)# hash sha
HQ(config-isakmp)# group 5
HQ(config-isakmp)# lifetime 3600
BRANCH(config)# crypto isakmp policy 10
BRANCH(config-isakmp)# authentication pre-share
BRANCH(config-isakmp)# encryption aes 256
BRANCH(config-isakmp)# hash sha
BRANCH(config-isakmp)# group 5
BRANCH(config-isakmp)# lifetime 3600
The pre-shared key is configured as in Lab 3.7 Step 6 (it appears in the Final Configurations below):
HQ(config)# crypto isakmp key cisco address 192.168.23.3
BRANCH(config)# crypto isakmp key cisco address 192.168.12.1
Step 5: Create the transform set:
HQ(config)# crypto ipsec transform-set mytrans esp-aes 256 esp-sha-hmac ah-sha-hmac
HQ(cfg-crypto-trans)# exit
HQ(config)#
BRANCH(config)# crypto ipsec transform-set mytrans esp-aes 256 esp-sha-hmac ah-sha-hmac
BRANCH(cfg-crypto-trans)# exit
BRANCH(config)#
Step 6: Create the IPsec profile:
HQ(config)# crypto ipsec profile myprof
HQ(ipsec-profile)# set transform-set mytrans
BRANCH(config)# crypto ipsec profile myprof
BRANCH(ipsec-profile)# set transform-set mytrans
Step 7: Create the IPsec VTI (there is no crypto ACL: every packet routed into Tunnel0 is encrypted):
HQ(config)# interface tunnel 0
HQ(config-if)# ip address 172.16.113.1 255.255.255.0
HQ(config-if)# tunnel source serial 0/0/0
HQ(config-if)# tunnel destination 192.168.23.3
HQ(config-if)# tunnel mode ipsec ipv4
HQ(config-if)# tunnel protection ipsec profile myprof
BRANCH(config)# interface tunnel 0
BRANCH(config-if)# ip address 172.16.113.3 255.255.255.0
BRANCH(config-if)# tunnel source serial 0/0/1
BRANCH(config-if)# tunnel destination 192.168.12.1
BRANCH(config-if)# tunnel mode ipsec ipv4
BRANCH(config-if)# tunnel protection ipsec profile myprof
Step 8: Verify EIGRP (both the FastEthernet link and Tunnel0 fall under network 172.16.0.0; the loopback routes should prefer FastEthernet0/0, with the encrypted VTI path taking over only when that link fails):
Final Configurations
HQ# show run
!
hostname HQ
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 192.168.23.3
!
crypto ipsec transform-set mytrans ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto ipsec profile myprof
 set transform-set mytrans
!
interface Tunnel0
 ip address 172.16.113.1 255.255.255.0
 tunnel source Serial0/0/0
 tunnel destination 192.168.23.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile myprof
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.13.1 255.255.255.0
 no shutdown
!
interface Serial0/0/0
 ip address 192.168.12.1 255.255.255.0
 clock rate 64000
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 192.168.12.2
!
end

ISP# show run
!
hostname ISP
!
interface Serial0/0/0
 ip address 192.168.12.2 255.255.255.0
 no shutdown
!
interface Serial0/0/1
 ip address 192.168.23.2 255.255.255.0
 clock rate 64000
 no shutdown
!
end

BRANCH# show run
hostname BRANCH
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 192.168.12.1
!
crypto ipsec transform-set mytrans ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto ipsec profile myprof
 set transform-set mytrans
!
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
interface Tunnel0
 ip address 172.16.113.3 255.255.255.0
 tunnel source Serial0/0/1
 tunnel destination 192.168.12.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile myprof
!
interface FastEthernet0/0
 ip address 172.16.13.3 255.255.255.0
 no shutdown
!
interface Serial0/0/1
 ip address 192.168.23.3 255.255.255.0
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 192.168.23.2
!
end
Lab 3.9 Configuring Easy VPN with SDM
1. OBJECTIVES:
Configure EIGRP on the routers.
Configure Easy VPN with SDM.
Install the Cisco VPN Client on the PC.
Verify VPN operation with SDM.
2. CONFIGURATION:
Step 1: Configure IP addresses:
ISP# configure terminal
ISP(config)# interface fastethernet0/0
ISP(config-if)# ip address 192.168.10.1 255.255.255.0
ISP(config-if)# no shutdown
ISP(config-if)# interface serial 0/0/0
ISP(config-if)# ip address 192.168.12.1 255.255.255.0
ISP(config-if)# clockrate 64000
ISP(config-if)# no shutdown
HQ# configure terminal
HQ(config)# interface loopback 0
HQ(config-if)# ip address 172.16.2.1 255.255.255.0
HQ(config-if)# interface serial0/0/0
HQ(config-if)# ip address 192.168.12.2 255.255.255.0
HQ(config-if)# no shutdown
HQ(config-if)# interface serial 0/0/1
HQ(config-if)# ip address 172.16.23.2 255.255.255.0
HQ(config-if)# clockrate 64000
HQ(config-if)# no shutdown
HQ2# configure terminal
HQ2(config)# interface loopback 0
HQ2(config-if)# ip address 172.16.3.1 255.255.255.0
HQ2(config-if)# interface serial 0/0/1
HQ2(config-if)# ip address 172.16.23.3 255.255.255.0
HQ2(config-if)# no shutdown
Step 2: Configure EIGRP AS 1:
HQ(config)# router eigrp 1
HQ(config-router)# no auto-summary
HQ(config-router)# network 172.16.0.0
HQ2(config)# router eigrp 1
HQ2(config-router)# no auto-summary
HQ2(config-router)# network 172.16.0.0
Step 3: Configure a static default route toward the ISP and redistribute it into EIGRP:
HQ(config)# ip route 0.0.0.0 0.0.0.0 192.168.12.1
HQ(config)# router eigrp 1
HQ(config-router)# redistribute static
Step 4: Connect to the HQ router with SDM:
Step 5: Configure the Easy VPN Server with SDM:
Step 6: Install the Cisco VPN Client.
Step 7: Check the client's connectivity before the VPN is connected:
Step 8: Connect with the VPN Client:
Step 9: Verify connectivity after the VPN connection succeeds:
Step 10: Verify Easy VPN with SDM:
Step 11 : Ngaét keát noái VPN Client:
Final ConfigurationsISP# show runhostname ISP!interface FastEthernet0/0ip address 192.168.10.1 255.255.255.0no shutdown!interface Serial0/0/0ip address 192.168.12.1 255.255.255.0clock rate 64000no shutdown
8/13/2019 UTF-8''ISCW LAB P1
http://slidepdf.com/reader/full/utf-8iscw-lab-p1 127/145
Sách Lab ISCW Tài liệu thực hành dành cho học viên
VSIC Education Corporation Trang 127
end

HQ# show run
hostname HQ
!
aaa new-model
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3043721146
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3043721146
 revocation-check none
 rsakeypair TP-self-signed-3043721146
!
crypto pki certificate chain TP-self-signed-3043721146
 certificate self-signed 01
 ! certificate hex data omitted
 quit
username ciscosdm privilege 15 password 0 ciscosdm
username ciscouser password 0 ciscouser
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ciscogroup
 key ciscogroup
 pool SDM_POOL_1
 acl 100
 netmask 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set security-association idle-time 28800
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface Loopback0
 ip address 172.16.2.1 255.255.255.0
!
interface Serial0/0/0
 ip address 192.168.12.2 255.255.255.0
 crypto map SDM_CMAP_1
 no shutdown
!
interface Serial0/0/1
 ip address 172.16.23.2 255.255.255.0
 clock rate 64000
 no shutdown
!
router eigrp 1
 redistribute static
 network 172.16.0.0
 no auto-summary
!
ip local pool SDM_POOL_1 172.16.1.100 172.16.1.200
ip route 0.0.0.0 0.0.0.0 192.168.12.1
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 172.16.0.0 0.0.255.255 any
!
line vty 0 4
 transport input telnet ssh
end

HQ2# show run
hostname HQ2
!
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
interface Serial0/0/1
 ip address 172.16.23.3 255.255.255.0
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
end
Lab 3.10 Configuring Easy VPN with the IOS CLI
1. OBJECTIVES:
Configure EIGRP on the routers.
Configure the Easy VPN Server.
Install the VPN client on the PC.
Establish the VPN connection between the VPN client and the VPN server.
Verify VPN operation.

2. CONFIGURATION:
Step 1: Configure IP addresses:

ISP# configure terminal
ISP(config)# interface fastethernet 0/0
ISP(config-if)# ip address 192.168.10.1 255.255.255.0
ISP(config-if)# no shutdown
ISP(config-if)# interface serial 0/0/0
ISP(config-if)# ip address 192.168.12.1 255.255.255.0
ISP(config-if)# clockrate 64000
ISP(config-if)# no shutdown

HQ# configure terminal
HQ(config)# interface loopback 0
HQ(config-if)# ip address 172.16.2.1 255.255.255.0
HQ(config-if)# interface serial 0/0/0
HQ(config-if)# ip address 192.168.12.2 255.255.255.0
HQ(config-if)# no shutdown
HQ(config-if)# interface serial 0/0/1
HQ(config-if)# ip address 172.16.23.2 255.255.255.0
HQ(config-if)# clockrate 64000
HQ(config-if)# no shutdown

HQ2# configure terminal
HQ2(config)# interface loopback 0
HQ2(config-if)# ip address 172.16.3.1 255.255.255.0
HQ2(config-if)# interface serial 0/0/1
HQ2(config-if)# ip address 172.16.23.3 255.255.255.0
HQ2(config-if)# no shutdown

Step 2: Configure EIGRP AS 1:

HQ(config)# router eigrp 1
HQ(config-router)# no auto-summary
HQ(config-router)# network 172.16.0.0

HQ2(config)# router eigrp 1
HQ2(config-router)# no auto-summary
HQ2(config-router)# network 172.16.0.0

Step 3: Configure a static route:

HQ(config)# ip route 0.0.0.0 0.0.0.0 192.168.12.1
HQ(config)# router eigrp 1
HQ(config-router)# redistribute static

Step 4: Enable AAA on router HQ:

HQ(config)# username cisco password cisco
HQ(config)# aaa new-model
HQ(config)# aaa authentication login default local none

Step 5: Create the IP pool:
HQ(config)# ip local pool VPNCLIENTS 172.16.2.100 172.16.2.200
Step 6: Configure group authorization:
HQ(config)# aaa authorization network VPNAUTH local
Step 7: Create the IKE policy and group:

HQ(config)# crypto isakmp policy 10
HQ(config-isakmp)# authentication pre-share
HQ(config-isakmp)# encryption aes 256
HQ(config-isakmp)# group 2

HQ(config)# crypto isakmp client configuration group ciscogroup
HQ(config-isakmp-group)# key ciscogroup
HQ(config-isakmp-group)# pool VPNCLIENTS
HQ(config-isakmp-group)# acl 100
HQ(config-isakmp-group)# netmask 255.255.255.0
HQ(config)# access-list 100 permit ip 172.16.0.0 0.0.255.255 any

Step 9: Create the dynamic map:

HQ(config)# crypto dynamic-map mymap 10
HQ(config-crypto-map)# set transform-set mytrans
HQ(config-crypto-map)# reverse-route

HQ(config)# crypto map mymap client configuration address respond
HQ(config)# crypto map mymap isakmp authorization list VPNAUTH
HQ(config)# crypto map mymap 10 ipsec-isakmp dynamic mymap
HQ(config)# interface serial 0/0/0
HQ(config-if)# crypto map mymap

Step 10: Enable IKE DPD and user authentication:
HQ(config)# crypto isakmp keepalive 30 5
HQ(config)# aaa authentication login VPNAUTH local
HQ(config)# username ciscouser password ciscouser
HQ(config)# crypto isakmp xauth timeout 60
HQ(config)# crypto map mymap client authentication list VPNAUTH

Step 11: Install the VPN Client:

Step 12: Check the VPN before the VPN connection is established:

Step 13: Establish the VPN connection:
Step 14: Check connectivity to the inside host:

Step 15: Verify VPN operation using the CLI:
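A quick way to verify the Easy VPN server settings from Steps 4 to 10 is to audit the HQ `show run` output rather than reading it by hand. The Python script below is an added example, not part of the lab book: it checks that the crypto map is applied to an interface, that the ISAKMP policy uses AES, that DPD and the Xauth list are set, that the group's pool and ACL exist, and whether the default login list ends in `none`. The sample config is constructed to follow the lab's HQ configuration and assumes the usual one-space `show run` indentation of sub-commands.

```python
import re

# Constructed sample, shaped like the lab's HQ running-config (not the book's own text)
HQ_CLI = """\
aaa authentication login default local none
aaa authentication login VPNAUTH local
aaa authorization network VPNAUTH local
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
crypto isakmp keepalive 30 5
crypto isakmp client configuration group ciscogroup
 pool VPNCLIENTS
 acl 100
crypto map mymap client authentication list VPNAUTH
crypto map mymap isakmp authorization list VPNAUTH
crypto map mymap 10 ipsec-isakmp dynamic mymap
interface Serial0/0/0
 ip address 192.168.12.2 255.255.255.0
 crypto map mymap
ip local pool VPNCLIENTS 172.16.2.100 172.16.2.200
access-list 100 permit ip 172.16.0.0 0.0.255.255 any
"""

def audit_easyvpn(config):
    """Return {check_name: bool} for the Easy VPN server settings the lab expects."""
    m = re.search(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic", config, re.M)
    cmap = m.group(1) if m else None
    # Walk interface stanzas (sub-commands are indented by one space in show run)
    applied, iface = False, None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1]
        elif iface and line.startswith(" ") and line.strip() == f"crypto map {cmap}":
            applied = True
    pool = re.search(r"^ pool (\S+)", config, re.M)
    acl = re.search(r"^ acl (\d+)", config, re.M)
    login = re.search(r"^aaa authentication login default (.+)$", config, re.M)
    return {
        "isakmp_aes": bool(re.search(r"^ encr(?:yption)? aes", config, re.M)),
        "dpd_enabled": "crypto isakmp keepalive" in config,
        "xauth_list": bool(cmap) and f"crypto map {cmap} client authentication list" in config,
        "crypto_map_applied": applied,
        "pool_defined": bool(pool) and f"ip local pool {pool.group(1)} " in config,
        "split_acl_defined": bool(acl) and f"access-list {acl.group(1)} " in config,
        # 'none' as the last method lets logins through when the local lookup fails
        "no_auth_fallback_none": bool(login) and login.group(1).split()[-1] != "none",
    }
```

Running `audit_easyvpn(HQ_CLI)` passes every check except `no_auth_fallback_none`, which is exactly the `local none` list from Step 4.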
Final Configurations

ISP# show run
hostname ISP
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
interface Serial0/0/0
 ip address 192.168.12.1 255.255.255.0
 clock rate 64000
 no shutdown
end

HQ# show run
hostname HQ
!
aaa new-model
!
aaa authentication login default local none
aaa authentication login VPNAUTH local
aaa authorization network VPNAUTH local
!
username cisco password 0 cisco
username ciscouser password 0 ciscouser
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp keepalive 30 5
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group ciscogroup
 key ciscogroup
 pool VPNCLIENTS
 acl 100
 netmask 255.255.255.0
!
crypto ipsec transform-set mytrans esp-3des esp-sha-hmac
!
crypto dynamic-map mymap 10
 set transform-set mytrans
 reverse-route
!
crypto map mymap client authentication list VPNAUTH
crypto map mymap isakmp authorization list VPNAUTH
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic mymap
!
interface Loopback0
 ip address 172.16.2.1 255.255.255.0
!
interface Serial0/0/0
 ip address 192.168.12.2 255.255.255.0
 crypto map mymap
 no shutdown
!
interface Serial0/0/1
 ip address 172.16.23.2 255.255.255.0
 clock rate 64000
 no shutdown
!
router eigrp 1
 redistribute static
 network 172.16.0.0
 no auto-summary
!
ip local pool VPNCLIENTS 172.16.2.100 172.16.2.200
ip route 0.0.0.0 0.0.0.0 192.168.12.1
!
access-list 100 permit ip 172.16.0.0 0.0.255.255 any
end

HQ2# show run
hostname HQ2
!
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
interface Serial0/0/1
 ip address 172.16.23.3 255.255.255.0
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
end
Lab 4.1 Configuring Frame Mode MPLS
1. OBJECTIVES:
Configure EIGRP on the routers.
Configure LDP on the routers.
Change the MTU size.
Verify MPLS.

2. CONFIGURATION:
Step 1: Configure IP addresses as shown in the diagram:

R1(config)# interface loopback 0
R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)# interface fastethernet 0/0
R1(config-if)# ip address 172.16.12.1 255.255.255.0
R1(config-if)# no shutdown

R2(config)# interface loopback 0
R2(config-if)# ip address 172.16.2.1 255.255.255.0
R2(config-if)# interface fastethernet 0/0
R2(config-if)# ip address 172.16.12.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# interface serial 0/0/1
R2(config-if)# ip address 172.16.23.2 255.255.255.0
R2(config-if)# clockrate 64000
R2(config-if)# no shutdown

R3(config)# interface loopback 0
R3(config-if)# ip address 172.16.3.1 255.255.255.0
R3(config-if)# interface serial 0/0/1
R3(config-if)# ip address 172.16.23.3 255.255.255.0
R3(config-if)# no shutdown

Step 2: Configure EIGRP AS 1:

R1(config)# router eigrp 1
R1(config-router)# no auto-summary
R1(config-router)# network 172.16.0.0

R2(config)# router eigrp 1
R2(config-router)# no auto-summary
R2(config-router)# network 172.16.0.0

R3(config)# router eigrp 1
R3(config-router)# no auto-summary
R3(config-router)# network 172.16.0.0

Step 3: Verify CEF operation:
Step 4: Enable MPLS on all physical interfaces:

Step 5: Verify MPLS operation:
Step 6: Change the MTU size:

R1(config)# interface fastethernet 0/0
R1(config-if)# mpls mtu 1508

R2(config)# interface fastethernet 0/0
R2(config-if)# mpls mtu 1508
Final Configurations

R1# show run
!
hostname R1
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.12.1 255.255.255.0
 mpls ip
 mpls mtu 1508
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
end

R2# show run
!
hostname R2
!
interface Loopback0
 ip address 172.16.2.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.12.2 255.255.255.0
 mpls ip
 mpls mtu 1508
 no shutdown
!
interface Serial0/0/1
 ip address 172.16.23.2 255.255.255.0
 mpls ip
 clock rate 64000
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
end

R3# show run
!
hostname R3
!
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
interface Serial0/0/1
 ip address 172.16.23.3 255.255.255.0
 mpls ip
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
end