1. Home
    2. /
  2. Manuals
    3. /
  3. Cisco
    4. /
  4. 870-Series
    5. /
  5. 18
Page 86 / 196 Scroll up to view Page 81 - 85
7-8
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01
Chapter 7
Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation
Configure a GRE Tunnel
Configure a GRE Tunnel
Perform these steps to configure a GRE tunnel, beginning in global configuration mode:
Step 2
crypto map
map-name
Example:
Router(config-if)#
crypto map
static-map
Router(config-if)#
Applies the crypto map to the interface.
See the
Cisco IOS Security Command Reference
for more detail about this command.
Step 3
exit
Example:
Router(config-if)#
exit
Router(config)#
Enters global configuration mode.
Command or Action
Purpose
Command or Action
Purpose
Step 1
interface
type number
Example:
Router(config)#
interface
tunnel 1
Router(config-if)#
Creates a tunnel interface and enters interface
configuration mode.
Step 2
ip address
subnet mask
Example:
Router(config-if)#
ip address
10.62.1.193
255.255.255.255
Router(config-if)#
Assigns an address to the tunnel.
Step 3
tunnel source
interface-type number
Example:
Router(config-if)#
tunnel source
fastethernet 0
Router(config-if)#
Specifies the source endpoint of the router for the
GRE tunnel.
Step 4
tunnel destination
default-gateway-ip-address
Example:
Router(config-if)#
tunnel destination
192.168.101.1
Router(config-if)#
Specifies the destination endpoint of the router for
the GRE tunnel.
Page 87 / 196
7-9
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01
Chapter 7
Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation
Configuration Example
Configuration Example
The following configuration example shows a portion of the configuration file for a VPN using a GRE
tunnel scenario described in the preceding sections.
!
aaa new-model
!
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local
aaa session-id common
!
username cisco password 0 cisco
!
interface tunnel 1
ip address 10.62.1.193 255.255.255.252
Step 5
crypto map
map-name
Example:
Router(config-if)#
crypto map
static-map
Router(config-if)#
Assigns a crypto map to the tunnel.
Note
Dynamic routing or static routes to the
tunnel interface must be configured to
establish connectivity between the sites.
See the
Cisco IOS Security Configuration
Guide
for details.
Step 6
exit
Example:
Router(config-if)#
exit
Router(config)#
Exits interface configuration mode, and returns to
global configuration mode.
Step 7
ip access-list {standard | extended}
access-list-name
Example:
Router(config)#
ip access-list extended
vpnstatic1
Router(config-acl)#
Enters ACL configuration mode for the named
ACL that is used by the crypto map.
Step 8
permit
protocol
source source-wildcard
destination destination-wildcard
Example:
Router(config-acl)#
permit
gre host
192.168.100.1 host 192.168.101.1
Router(config-acl)#
Specifies that only GRE traffic is permitted on the
outbound interface.
Step 9
exit
Example:
Router(config-acl)#
exit
Router(config)#
Returns to global configuration mode.
Command or Action
Purpose
Page 88 / 196
7-10
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01
Chapter 7
Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation
Configuration Example
tunnel source fastethernet 0
tunnel destination interface 192.168.101.1
ip route 20.20.20.0 255.255.255.0 tunnel 1
crypto isakmp policy 1
encryption 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group rtr-remote
key secret-password
dns 10.50.10.1 10.60.10.1
domain company.com
pool dynpool
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto ipsec security-association lifetime seconds 86400
!
crypto dynamic-map dynmap 1
set transform-set vpn1
reverse-route
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
!
! Defines the key association and authentication for IPSec tunnel.
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address 200.1.1.1
!
!
! Defines encryption and transform set for the IPSec tunnel.
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
!
! Associates all crypto values and peering address for the IPSec tunnel.
crypto map to_corporate 1 ipsec-isakmp
set peer 200.1.1.1
set transform-set set1
match address 105
!
!
! VLAN 1 is the internal interface
interface vlan 1
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip inspect firewall in ! Inspection examines outbound traffic.
crypto map static-map
no cdp enable
!
! FE4 is the outside or Internet-exposed interface
interface fastethernet 4
ip address 210.110.101.21 255.255.255.0
! acl 103 permits IPSec traffic from the corp. router as well as
! denies Internet-initiated traffic inbound.
ip access-group 103 in
ip nat outside
no cdp enable
crypto map to_corporate ! Applies the IPSec tunnel to the outside interface.
Page 89 / 196
7-11
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01
Chapter 7
Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation
Configuration Example
!
! Utilize NAT overload in order to make best use of the
! single address provided by the ISP.
ip nat inside source list 102 interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 210.110.101.1
no ip http server
!
!
! acl 102 associated addresses used for NAT.
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
! acl 103 defines traffic allowed from the peer for the IPSec tunnel.
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
! Allow ICMP for debugging but should be disabled because of security implications.
access-list 103 permit icmp any any
access-list 103 deny ip any any ! Prevents Internet-initiated traffic inbound.
! acl 105 matches addresses for the IPSec tunnel to or from the corporate network.
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
no cdp run
Page 90 / 196
7-12
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01
Chapter 7
Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation
Configuration Example

Rate

4.5 / 5 based on 2 votes.

Popular Cisco Models

Famous Router IPs
Famous Router Companies
Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top