
GNS3 Labs: IPsec VPN with NAT across BGP Internet routers: Answers Part 1

45 ratings | 2292 views
GNS3 Topology: https://goo.gl/p7p8pq

Get the VPN Config Generator and all my videos as part of a subscription here: https://goo.gl/mJMZGW

Cisco documentation: https://goo.gl/hjmdFR

For lots more content, visit http://www.davidbombal.com - learn about GNS3, CCNA, Packet Tracer, Python, Ansible and much, much more.

VPN Configuration:

======================================================
! CONFIG FOR: C1
!
! ======================================================
access-list 100 remark ****** Link to C2 ******
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
!
access-list 101 remark ****** NAT ACL ******
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
!
ip nat inside source route-map nonat interface G0/1 overload
!
route-map nonat permit 10
 match ip address 101
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 encryption 3des
 group 2
 lifetime 86400
!
crypto isakmp key cisco123 address 8.8.11.2
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode tunnel
!
crypto map mymap 1 ipsec-isakmp
 description ****** Link to C2 ******
 set peer 8.8.11.2
 set transform-set myset
 set pfs group2
 match address 100
 set security-association lifetime seconds 86400
 set security-association lifetime kilobytes 4608000
!
interface G0/1
 crypto map mymap
 ip nat outside
!
interface G0/0
 ip nat inside
!
======================================================
! CONFIG FOR: C2
!
! ======================================================
access-list 100 remark ****** Link to C1 ******
access-list 100 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
access-list 101 remark ****** NAT ACL ******
access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.2.0 0.0.0.255 any
!
ip nat inside source route-map nonat interface G0/1 overload
!
route-map nonat permit 10
 match ip address 101
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 encryption 3des
 group 2
 lifetime 86400
!
crypto isakmp key cisco123 address 8.8.10.2
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode tunnel
!
crypto map mymap 2 ipsec-isakmp
 description ****** Link to C1 ******
 set peer 8.8.10.2
 set transform-set myset
 set pfs group2
 match address 100
 set security-association lifetime seconds 86400
 set security-association lifetime kilobytes 4608000
!
interface G0/1
 crypto map mymap
 ip nat outside
!
interface G0/0
 ip nat inside
!
=========================================

Go here for more: https://www.cisco.com/c/en/us/td/docs/net_mgmt/vpn_solutions_center/2-0/ip_security/provisioning/guide/IPsecPG1.html
Text Comments (16)
David Bombal (10 months ago)
Expand the video description to see the VPN Configurations
Fafanding Camara (4 months ago)
Thank you very much David, the explanation is very clear and easy to understand. I just can't comprehend the route-map nonat portion of the configuration. Can you please help me make that clear? Thank you
Fafanding Camara (4 months ago)
So if I am to set up a VPN and want to use private addresses for internal and public for my external, don't I need to implement NAT?
David Bombal (4 months ago)
Traffic going through the VPN should not be NAT'ed. That is what the nonat route-map does - allows us to specify which traffic should not be NAT'ed. Only traffic permitted by the ACL referenced by the route-map will be NAT'ed.
Adam Yahya (6 months ago)
For some reason I cannot ping C2 to ISP 3 on 8.8.11.2 and vice versa. Both interfaces have the correct IP and mask configured and they are both up/up. I started a capture but every time I ping I am seeing an ARP request asking who has 8.8.11.1 and to tell 8.8.11.2. What am I doing wrong? I've even wiped out both gi0/1 configs on C2 and ISP3 and shut/no shut but still the same issue.
David Bombal (5 months ago)
Please ask this in the GNS3 community here: https://gns3.com/community
Sébastien Hurtel (10 months ago)
Hi David, I'm new on Cisco devices and your videos are fantastic to get used to IOS. For your information, it took me 2 days to understand that order matters in access-lists... I was unable to understand why my ISAKMP negotiation wasn't working. I had just put "deny" before "permit" in my conf file.
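The two points made in the comments above (the nonat route-map decides which traffic is exempt from NAT, and access-list order matters) can be checked by modelling C1's ACL 100 and ACL 101 from the configuration in the video description. The script below is an added example, not David's code or anything from the lab files: it evaluates IOS-style access-list entries with first-match semantics and an implicit deny, then walks an inside-to-outside packet through NAT first and the crypto map second (the order IOS applies them for that direction). C1's outside address 8.8.10.2 is taken from C2's "set peer" line; the Internet destination 203.0.113.5 is a constructed test address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AclEntry:
    """One extended access-list line: action plus source/destination specs.

    A spec is either "any" or "network wildcard", e.g. "10.1.1.0 0.0.0.255".
    """
    action: str  # "permit" or "deny"
    src: str
    dst: str


def _matches(addr: str, spec: str) -> bool:
    """True if addr falls inside the wildcard-masked spec (IOS semantics)."""
    if spec == "any":
        return True
    net, wildcard = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    care = (~w) & 0xFFFFFFFF  # wildcard bit 1 = "don't care", so invert it
    return (a & care) == (n & care)


def acl_lookup(entries: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; an access-list ends with an implicit deny."""
    for entry in entries:
        if _matches(src, entry.src) and _matches(dst, entry.dst):
            return entry.action
    return "deny"


# C1's access-lists, transcribed from the configuration in the description.
CRYPTO_ACL_100 = [
    AclEntry("permit", "10.1.1.0 0.0.0.255", "10.1.2.0 0.0.0.255"),
]
NAT_ACL_101 = [
    AclEntry("deny", "10.1.1.0 0.0.0.255", "10.1.2.0 0.0.0.255"),  # VPN traffic: no NAT
    AclEntry("permit", "10.1.1.0 0.0.0.255", "any"),              # everything else: PAT
]

# C1's G0/1 address, derived from C2's "set peer 8.8.10.2".
C1_OUTSIDE_IP = "8.8.10.2"


def outbound_path(src: str, dst: str,
                  nat_acl: List[AclEntry], crypto_acl: List[AclEntry],
                  outside_ip: str = C1_OUTSIDE_IP) -> List[str]:
    """Trace an inside->outside packet on C1.

    NAT (route-map nonat -> ACL 101) runs before the crypto map, so a packet
    that gets translated is then checked against ACL 100 with its NEW source.
    Returns the list of actions applied, e.g. ["ipsec"] or ["nat", "clear"].
    """
    actions = []
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = outside_ip  # "ip nat inside source ... interface G0/1 overload"
        actions.append("nat")
    if acl_lookup(crypto_acl, src, dst) == "permit":
        actions.append("ipsec")  # crypto map mymap, match address 100
    else:
        actions.append("clear")  # routed without encryption
    return actions


if __name__ == "__main__":
    print("LAN->LAN, correct ACL order :", outbound_path("10.1.1.10", "10.1.2.10", NAT_ACL_101, CRYPTO_ACL_100))
    print("LAN->Internet, correct order:", outbound_path("10.1.1.10", "203.0.113.5", NAT_ACL_101, CRYPTO_ACL_100))
    # Reversing ACL 101 puts "permit ... any" first, so the deny line never matches.
    print("LAN->LAN, deny after permit :", outbound_path("10.1.1.10", "10.1.2.10", list(reversed(NAT_ACL_101)), CRYPTO_ACL_100))
```

With the entries in the order shown in the description, site-to-site traffic skips NAT and is encrypted, while Internet-bound traffic is translated and sent in the clear. With the deny line placed after the permit line, the LAN-to-LAN packet is translated to 8.8.10.2, no longer matches ACL 100, and leaves unencrypted, which is the failure mode the comment above describes. The model covers only the NAT-exemption logic; note that the policy in the description (3DES, MD5, DH group 2) is a lab setting and those algorithms are considered legacy for production use.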
Naing Aung (10 months ago)
Very nice explanation. Mr. David
David Bombal (10 months ago)
Thank you so much!
Hermann Deutcho (10 months ago)
Thank You very Much David, Very Neat!
David Bombal (10 months ago)
GNS3 Academy sells courses individually. There is also a GNS3 labs based subscription course. DavidBombal.com includes all my products in a single monthly charge. You will also get access to more stuff in the near future. If in doubt, register on davidbombal.com.
Hermann Deutcho (10 months ago)
I am learning a lot with your courses and labs, but I am confused now on which direction to take, GNS3 Academy or the David Bombal website? Which one will have the up-to-date courses?
David Bombal (10 months ago)
You're welcome Hermann!
med mustafa (10 months ago)
Thank you very much Mister David, you are incredible
med mustafa (10 months ago)
Please give your Facebook
David Bombal (10 months ago)
You're welcome! Thank you for watching.