Networking Madurai

Sunday, October 31, 2021

DMVPN Configuration || BGP || EIGRP || Step by step DMVPN Configuration on cisco IOS Routers

DMVPN

======

DMVPN (Dynamic Multipoint VPN) is a routing technique we can use to build a VPN network with multiple sites without having to statically configure all devices.

It's a “hub and spoke” network where the spokes will be able to communicate with each other directly without having to go through the hub.

DMVPN is a combination of 4 technologies:

========================================

mGRE -multipoint Gre

Dynamic Next Hop Resolution Protocol ( NHRP ) with Next Hop Server ( NHS )

IPsec tunnel protection

Routing

NHRP Messages

=============

NHRP Registration Request

NHRP Resolution Request

NHRP Redirect

Steps to configure .

==================

step:1

=======

configure BGP and advertsie all wan interfaces.

router bgp 5678

no synchronization

bgp log-neighbor-changes

network 45.10.10.0 mask 255.255.255.252

neighbor 45.10.10.2 remote-as 65001

no auto-summary

Step:2

======

configure phase1

crypto isakmp policy 1

encryption aes

authentication pre-share

group 5

crypto isakmp key 0 cisco address 0.0.0.0

step:3

=========

configure phase2

crypto ipsec transform-set t-set esp-aes esp-sha-hmac

mode transport

step:4

==========

create profile.

crypto ipsec profile DMVPN-PROF

set transform-set t-set

step:5

======

configure DMVPN on hub and spokes router ------> Tunnel

Hub

====

int tunnel 0

bandwidth 1000

ip address 88.88.88.1 255.255.255.0

ip mtu 1400

ip nhrp authentication cisco

ip nhrp map multicast dynamic

ip nhrp holdtime 300

ip nhrp network-id 99

tunnel source g0/0

tunnel mode gre multipoint

tunnel key 100

tunnel protection ipsec profile DMVPN-PROF

exit

Spoke1

====

int tunnel 0

bandwidth 1000

ip address 88.88.88.2 255.255.255.0

ip mtu 1400

ip nhrp authentication cisco

ip nhrp map 88.88.88.1 45.10.10.1

ip nhrp map multicast 45.10.10.1

ip nhrp holdtime 300

ip nhrp network-id 99

ip nhrp nhs 88.88.88.1

tunnel source g0/0

tunnel mode gre multipoint

tunnel key 100

tunnel protection ipsec profile DMVPN-PROF

exit

check the tunnel status.

step:6

=======

configure EIGRP on hub and spokes router ------> LAN

router eigrp 100

network 88.0.0.0

network 192.168.2.0

no auto-summa

exit

step:7

========

split horizon & nhs --->remove

int tunnel 0

no ip split-horizon eigrp 100

no ip next-hop-self eigrp 100

=======================================================================

HUB_INDIA

hostname HUB_INDIA

boot-start-marker

boot-end-marker

no aaa new-model

no ip icmp rate-limit unreachable

ip cef

no ip domain lookup

multilink bundle-name authenticated

Sunday, October 24, 2021

Fortigate HA : Configure High Availability || HA Config || CLI || Fortigate HA Configuration

Fortigate1

=========

config system ha

set group-name HA_CLUSTER

set mode a-p

set password 12345

set hbdev "port1" 10 "port2" 10

set priority 200

set override enable

set override-wait-time 10

end

Fortigate 2

==========

config system ha

set group-name HA_CLUSTER

set mode a-p

set password 12345

set hbdev "port1" 10 "port2" 10

set priority 150

set override enable

set override-wait-time 10

end

commands

=========

show system ha

get system ha status

diagnose sys ha status

diagnose sys ha stats

diagnose sys ha checksum show

diagnose sys ha checksum cluster

execute ha manage 1 admin

to check license status cli

==================

diagnose autoupdate version

get sys fortiguard-service status

Saturday, October 16, 2021

Site-Site IPSEC Configuration ASA-CISCO

ASA Configuration

Configure the ASA Interfaces

=============================

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 172.16.200.1 255.255.255.0

no shutdown

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.1.100.10 255.255.255.0

no shutdown

Configure the IKEv1 Policy and Enable IKEv1 on the Outside Interface

====================================================================

crypto ikev1 policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 enable outside

Configure the Tunnel Group (LAN-to-LAN Connection Profile)

===============================================================

tunnel-group 172.16.202.1 type ipsec-l2l

tunnel-group 172.16.202.1 ipsec-attributes

ikev1 pre-shared-key cisco123

Configure the ACL for the VPN Traffic of Interest

=====================================================

object-group network local-network

network-object 10.1.100.0 255.255.255.0

object-group network remote-network

network-object 172.16.101.0 255.255.255.0

access-list asa-router-vpn extended permit ip object-group local-network object-group remote-network

Configure a NAT Exemption

==========================

nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup

Configure the IKEv1 Transform Set

=================================

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac

Configure a Crypto Map and Apply it to an Interface

=====================================================

crypto map outside_map 10 match address asa-router-vpn

crypto map outside_map 10 set peer 172.16.202.1

crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA

crypto map outside_map interface outside

default route

=============

ip route 0.0.0.0 0.0.0.0 172.16.200.2

=====================================================================

CISCO Router Config

Configure the Interfaces

==============================

interface GigabitEthernet0/0

ip address 172.16.202.1 255.255.255.0

no shutdown

ip nat outside

interface GigabitEthernet2/0

ip address 172.16.101.10 255.255.255.0

no shutdown

ip nat inside

Configure the ISAKMP (IKEv1) Policy

======================================

crypto isakmp policy 10

encr aes

authentication pre-share

group 2

Configure a Crypto ISAKMP Key

==============================

crypto isakmp key cisco123 address 172.16.200.1

Configure an ACL for VPN Traffic of Interest

==============================================

access-list 110 remark Interesting traffic access-list

access-list 110 permit ip 172.16.101.0 0.0.0.255 10.1.100.0 0.0.0.255

Configure a NAT Exemption

==========================

access-list 111 remark NAT exemption access-list

access-list 111 deny ip 172.16.101.0 0.0.0.255 10.1.100.0 0.0.0.255

access-list 111 permit ip 172.16.101.0 0.0.0.255 any

route-map nonat permit 10

match ip address 111

ip nat inside source route-map nonat interface GigabitEthernet0/0 overload

Configure a Transform Set

===========================

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

mode tunnel

Configure a Crypto Map and Apply it to an Interface

====================================================

crypto map outside_map 10 ipsec-isakmp

set peer 172.16.200.1

set transform-set ESP-AES-SHA

match address 110

interface GigabitEthernet0/0

crypto map outside_map

default route

=============

ip route 0.0.0.0 0.0.0.0 172.16.202.2

Friday, October 15, 2021

Fortinet: Configure Site to Site IPSec VPN Tunnel on a FortiGate Firewall CLI

HQ FW Configuration

=====================

config system interface

edit "port1"

set mode static

set ip 172.16.200.1 255.255.255.0

set allowaccess http https ping

set alias WAN

edit "port2"

set ip 10.1.100.10 255.255.255.0

set allowaccess ping https http

set alias LAN

end

config router static

edit 1

set gateway 172.16.200.2

set device "port1"

set dst 0.0.0.0 0.0.0.0

end

Configure the IPsec phase1-interface.

=====================================

config vpn ipsec phase1-interface

edit "TO_BRANCH"

set interface "port1"

set peertype any

set proposal des-md5 des-sha1

set remote-gw 172.16.202.1

set psksecret Sample

end

Configure the IPsec phase2-interface.

=====================================

config vpn ipsec phase2-interface

edit "TO_BRANCH"

set phase1name "TO_BRANCH"

set proposal des-md5

set auto-negotiate enable

end

static route for subnet Reacahbility

====================================

config router static

edit 2

set dst 172.16.101.0 255.255.255.0

set device "TO_BRANCH"

edit 3

set dst 172.16.101.0 255.255.255.0

set blackhole enable

set distance 254

end

Add objects

===========

config firewall address

edit 172.16.101.0

set subnet 172.16.101.0/24

end

config firewall address

edit 10.1.100.0

set subnet 10.1.100.0/24

end

Policy

======

config firewall policy

edit 1

set name "internet"

set srcintf "any"

set dstintf "any"

set srcaddr "any"

set dstaddr "any"

set action accept

set schedule "always"

set service "ALL"

edit 2

set name "inbound"

set srcintf "TO_BRANCH"

set dstintf "port2"

set srcaddr "172.16.101.0"

set dstaddr "10.1.100.0"

set action accept

set schedule "always"

set service "ALL"

edit 3

set name "outbound"

set srcintf "port2"

set dstintf "TO_BRANCH"

set srcaddr "10.1.100.0"

set dstaddr "172.16.101.0"

set action accept

set schedule "always"

set service "ALL"

end

Branch FW Configuration

====================

config system interface

edit "port1"

set mode static

set ip 172.16.202.1 255.255.255.0

set allowaccess http https ping

set alias WAN

end

config system interface

edit "port2"

set ip 172.16.101.10 255.255.255.0

set allowaccess ping

set alias LAN

end

config router static

edit 1

set gateway 172.16.202.2

set device "port1"

set dst 0.0.0.0 0.0.0.0

end

IPSEC VPN Config

================

Configure the IPsec phase1-interface.

====================================

config vpn ipsec phase1-interface

edit "TO_HQ"

set interface "port1"

set peertype any

set proposal des-md5 des-sha1

set remote-gw 172.16.200.1

set psksecret Sample

end

Configure the IPsec phase2-interface

====================================

config vpn ipsec phase2-interface

edit "TO_HQ"

set phase1name "TO_HQ"

set proposal des-md5

set auto-negotiate enable

end

static route for subnet

=======================

config router static

edit 2

set dst 10.1.100.0 255.255.255.0

set device "TO_HQ"

edit 3

set dst 10.1.100.0 255.255.255.0

set blackhole enable

set distance 254

end

Add objects

===========

config firewall address

edit 172.16.101.0

set subnet 172.16.101.0/24

end

config firewall address

edit 10.1.100.0

set subnet 10.1.100.0/24

end

Policy

======

config firewall policy

edit 1

set name "internet"

set srcintf "any"

set dstintf "any"

set srcaddr "any"

set dstaddr "any"

set action accept

set schedule "always"

set service "ALL"

edit 2

set name "inbound"

set srcintf "TO_HQ"

set dstintf "port2"

set srcaddr "10.1.100.0"

set dstaddr "172.16.101.0"

set action accept

set schedule "always"

set service "ALL"

edit 3

set name "outbound"

set srcintf "port2"

set dstintf "TO_HQ"

set srcaddr "172.16.101.0"

set dstaddr "10.1.100.0"

set action accept

set schedule "always"

set service "ALL"

end

Networking Madurai

Sunday, October 31, 2021

DMVPN Configuration || BGP || EIGRP || Step by step DMVPN Configuration on cisco IOS Routers

Sunday, October 24, 2021

Fortigate HA : Configure High Availability || HA Config || CLI || Fortigate HA Configuration

Saturday, October 16, 2021

Site-Site IPSEC Configuration ASA-CISCO

Friday, October 15, 2021

Fortinet: Configure Site to Site IPSec VPN Tunnel on a FortiGate Firewall CLI

Thursday, September 16, 2021

ASR 920 basic health check up

Cisco Networking : Internet Service Providers Metro Ethernet Ring ( production)

Virtual Interview : HCL Chennai ( Interview Questions ) Network Engineer L2

DMVPN Configuration || BGP || EIGRP || Step by step DMVPN Configuration on cisco IOS Routers

Report Abuse