Question: Cisco IKE/IPSEC Question
On the CISCO FAQ:
-------------------------------------------------------------------------
Configuring IPSec

Whether you use pre-shared keys or configure a CA, once you set up Internet Key Exchange (IKE), you still have to set up IPSec. Regardless of which IKE method we use, the configuration steps for IPSec are the same.

To configure IPSec, we need to:
· Create extended ACL
· Create IPSec transform(s)
· Create crypto map
· Apply crypto map to interface

Create Extended ACL
The command below is a very simple ACL that allows the routers to talk to one another (a Telnet from one router to the next, for example).
dt3-45a(config)# access-list 101 permit ip host 192.168.10.38 host 192.168.10.66
A more realistic ACL looks like the command below. This command is an ordinary extended ACL, where 192.168.3.0 is a subnet behind the router in question, and 10.3.2.0 is a subnet somewhere behind the peer router. Remember that permit means encrypt and deny means don't encrypt.
dt3-45a(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 10.3.2.0 0.0.0.255
-------------------------------------------------------------------------
I have 2 questions:
1. Can I create an extended access list with only certain ports, so that only traffic on certain ports gets encrypted, i.e. Telnet, or Terminal Services (Citrix)?
2. I have 1 or 2 GRE tunnels from one point on the Internet to another on the Internet. Can I encrypt the GRE traffic going over the tunnel to HQ, but allow local NAT for the users at the branch office?
Thanks in advance.
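The FAQ quoted above says "permit means encrypt and deny means don't encrypt", and the first question asks whether the crypto ACL can be narrowed to particular ports. The following is an added illustration, not part of the original post or of Cisco's documentation: a small Python model of how an IOS-style extended ACL with wildcard masks is evaluated as a crypto ACL. It parses the two FAQ lines plus a hypothetical port-only entry (`eq 23`, constructed for the example), and evaluates sample packets with first-match semantics. The point it makes for a defender is the third outcome: a packet that matches no entry is not dropped, it leaves the interface unencrypted, so a too-narrow or mis-masked crypto ACL silently sends traffic in the clear. The prompt string `dt3-45a(config)#` and all addresses other than the FAQ's are sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    """One line of a Cisco-style extended ACL, reduced to the fields a crypto map uses."""
    action: str              # "permit" (encrypt) or "deny" (send in the clear)
    proto: str               # "ip" matches everything; otherwise "tcp", "udp", "gre", ...
    src_net: int
    src_wild: int            # Cisco wildcard: 1 bits are "don't care"
    dst_net: int
    dst_wild: int
    dst_port: Optional[int]  # only set for an "eq <port>" suffix on tcp/udp


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'host A.B.C.D', 'any' or 'A.B.C.D W.W.W.W' at tokens[i]; return (net, wild, next_i)."""
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acl_line(line: str) -> AclEntry:
    """Parse one 'access-list N permit|deny PROTO SRC DST [eq PORT]' line; an IOS prompt is tolerated."""
    line = line.split("#", 1)[-1].strip()          # drop a prompt such as 'dt3-45a(config)#'
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not an extended access-list line: {line!r}")
    action, proto = tokens[2], tokens[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    src_net, src_wild, i = _parse_addr(tokens, 4)
    dst_net, dst_wild, i = _parse_addr(tokens, i)
    dst_port = None
    if i + 1 < len(tokens) and tokens[i] == "eq":
        dst_port = int(tokens[i + 1])              # destination port only; source ports are not modelled
    return AclEntry(action, proto, src_net, src_wild, dst_net, dst_wild, dst_port)


def _addr_matches(addr: int, net: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF                      # bits that must be equal
    return (addr & care) == (net & care)


def _entry_matches(e: AclEntry, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
    if e.proto != "ip" and e.proto != proto:
        return False
    if e.dst_port is not None and e.dst_port != dport:
        return False
    return (_addr_matches(_ip(src), e.src_net, e.src_wild)
            and _addr_matches(_ip(dst), e.dst_net, e.dst_wild))


def crypto_decision(acl: List[AclEntry], src: str, dst: str,
                    proto: str = "tcp", dport: Optional[int] = None) -> str:
    """First-match evaluation of a crypto ACL.

    Returns "encrypt" for a permit hit, "clear:deny" for an explicit deny hit and
    "clear:no-match" when nothing matched. The last case is the one to watch: a
    crypto ACL miss does not drop the packet, it lets it leave unprotected.
    """
    for e in acl:
        if _entry_matches(e, src, dst, proto, dport):
            return "encrypt" if e.action == "permit" else "clear:deny"
    return "clear:no-match"


# Constructed samples. FAQ_ACL is the FAQ's own two lines; PORT_ONLY_ACL is a
# hypothetical variant that protects only Telnet (tcp/23) and nothing else.
FAQ_ACL = [parse_acl_line(l) for l in (
    "dt3-45a(config)# access-list 101 permit ip host 192.168.10.38 host 192.168.10.66",
    "dt3-45a(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 10.3.2.0 0.0.0.255",
)]
PORT_ONLY_ACL = [parse_acl_line(
    "access-list 102 permit tcp 192.168.3.0 0.0.0.255 10.3.2.0 0.0.0.255 eq 23")]


def demo() -> None:
    cases = [
        (FAQ_ACL, "192.168.10.38", "192.168.10.66", "tcp", 23),  # router-to-router Telnet
        (FAQ_ACL, "192.168.3.10", "10.3.2.5", "icmp", None),     # subnet to subnet, any protocol
        (FAQ_ACL, "192.168.3.10", "10.3.9.5", "tcp", 23),        # wrong peer subnet: no match
        (PORT_ONLY_ACL, "192.168.3.10", "10.3.2.5", "tcp", 23),  # Telnet: encrypted
        (PORT_ONLY_ACL, "192.168.3.10", "10.3.2.5", "tcp", 80),  # HTTP: unmatched, leaves in clear
    ]
    for acl, s, d, p, port in cases:
        print(f"{s:>14} -> {d:<14} {p}/{port}: {crypto_decision(acl, s, d, p, port)}")


if __name__ == "__main__":
    demo()
```

Run it to see which sample flows the two ACLs would protect. The useful check in practice is the mirror of this: list the flows you expect to be protected, evaluate them against your crypto ACL, and treat any `clear:no-match` result as a configuration error rather than a dropped packet.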
Answer: Cisco IKE/IPSEC Question
If you set up a GRE tunnel, and put the crypto map on the tunnel, not on the serial interface, then you don't have to worry about NAT or no-NAT at all. A simple route statement directing traffic to the HQ site subnet to go through the GRE tunnel should be all you need.
i.e.
interface Tunnel0
 ip address 192.168.100.1 255.255.255.0
 no ip directed-broadcast
 tunnel source FastEthernet0/0
 tunnel destination 10.3.3.1
 crypto map mymap
!
ip route 10.10.0.0 255.255.0.0 192.168.100.2
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800946b8.shtml