Senin, 10 Oktober 2011

MPLS TE OSPF load share


Berikut MPLS TE dengan OSPF dan tunnel



hostname R1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
!
!
multilink bundle-name authenticated
mpls traffic-eng tunnels
no mpls traffic-eng auto-bw timers frequency 0
mpls label protocol ldp
call rsvp-sync
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Tunnel2
ip unnumbered Loopback0
no clns route-cache
tunnel destination 5.5.5.5
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng path-option 1 explicit name R1-R2-R5
tunnel mpls traffic-eng load-share 10
!
interface Tunnel3
ip unnumbered Loopback0
no clns route-cache
tunnel destination 5.5.5.5
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng path-option 1 explicit name R1-R3-R5
tunnel mpls traffic-eng load-share 20
!
interface Tunnel4
ip unnumbered Loopback0
no clns route-cache
tunnel destination 5.5.5.5
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng path-option 1 explicit name R1-R4-R5
tunnel mpls traffic-eng load-share 30
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
no clns route-cache
!
interface FastEthernet0/0
no ip address
duplex half
no clns route-cache
!
interface Serial1/0
ip address 12.12.12.1 255.255.255.0
mpls traffic-eng tunnels
mpls ip
serial restart-delay 0
no clns route-cache
ip rsvp bandwidth
!
interface Serial1/1
ip address 13.13.13.1 255.255.255.0
mpls traffic-eng tunnels
mpls ip
serial restart-delay 0
no clns route-cache
ip rsvp bandwidth
!
interface Serial1/2
ip address 14.14.14.1 255.255.255.0
mpls traffic-eng tunnels
mpls ip
serial restart-delay 0
no clns route-cache
ip rsvp bandwidth
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
!
router ospf 1
router-id 1.1.1.1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
!
ip classless
no ip http server
no ip http secure-server
!
!
!
ip explicit-path name R1-R2-R5 enable
next-address 12.12.12.2
next-address 25.25.25.5
next-address 5.5.5.5
!
ip explicit-path name R1-R3-R5 enable
next-address 13.13.13.3
next-address 35.35.35.5
next-address 5.5.5.5
!
ip explicit-path name R1-R4-R5 enable
next-address 14.14.14.4
next-address 45.45.45.4
next-address 5.5.5.5
!
!
!
control-plane
!
!
dial-peer cor custom

R2 :
hostname R2
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
!
!
multilink bundle-name authenticated
mpls traffic-eng tunnels
no mpls traffic-eng auto-bw timers frequency 0
mpls label protocol ldp
call rsvp-sync
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
no clns route-cache
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
no clns route-cache
!
interface Serial1/0
ip address 12.12.12.2 255.255.255.0
mpls traffic-eng tunnels
mpls ip
serial restart-delay 0
no clns route-cache
ip rsvp bandwidth
!
interface Serial1/1
ip address 25.25.25.2 255.255.255.0
mpls traffic-eng tunnels
mpls ip
serial restart-delay 0
no clns route-cache
ip rsvp bandwidth
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
router ospf 1
router-id 2.2.2.2
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
!
ip classless
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
dial-peer cor custom

R3:

hostname R3
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
!
!
multilink bundle-name authenticated
mpls traffic-eng tunnels
no mpls traffic-eng auto-bw timers frequency 0
mpls label protocol ldp
call rsvp-sync
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
no clns route-cache
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
no clns route-cache
!
interface Serial1/0
ip address 13.13.13.3 255.255.255.0
mpls traffic-eng tunnels
mpls ip
serial restart-delay 0
no clns route-cache
ip rsvp bandwidth
!
interface Serial1/1
ip address 35.35.35.3 255.255.255.0
mpls traffic-eng tunnels
mpls ip
serial restart-delay 0
no clns route-cache
ip rsvp bandwidth
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
router ospf 1
router-id 3.3.3.3
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
!
ip classless
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
dial-peer cor custom


R4:

hostname R4
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
!
!
multilink bundle-name authenticated
mpls traffic-eng tunnels
no mpls traffic-eng auto-bw timers frequency 0
mpls label protocol ldp
call rsvp-sync
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
no clns route-cache
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
no clns route-cache
!
interface Serial1/0
ip address 14.14.14.4 255.255.255.0
mpls traffic-eng tunnels
mpls ip
serial restart-delay 0
no clns route-cache
ip rsvp bandwidth
!
interface Serial1/1
ip address 45.45.45.4 255.255.255.0
mpls traffic-eng tunnels
mpls ip
serial restart-delay 0
no clns route-cache
ip rsvp bandwidth
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
router ospf 1
router-id 4.4.4.4
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
!
ip classless
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
dial-peer cor custom

R5 :

hostname R5
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
!
!
multilink bundle-name authenticated
mpls traffic-eng tunnels
no mpls traffic-eng auto-bw timers frequency 0
mpls label protocol ldp
call rsvp-sync
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 5.5.5.5 255.255.255.255
no clns route-cache
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
no clns route-cache
!
interface Serial1/0
ip address 25.25.25.5 255.255.255.0
mpls traffic-eng tunnels
mpls ip
serial restart-delay 0
no clns route-cache
ip rsvp bandwidth
!
interface Serial1/1
ip address 35.35.35.5 255.255.255.0
mpls traffic-eng tunnels
mpls ip
serial restart-delay 0
no clns route-cache
ip rsvp bandwidth
!
interface Serial1/2
ip address 45.45.45.5 255.255.255.0
mpls traffic-eng tunnels
mpls ip
serial restart-delay 0
no clns route-cache
ip rsvp bandwidth
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
router ospf 1
router-id 5.5.5.5
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
!
ip classless
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
dial-peer cor custom


Capture:

sh mpls traffic-eng tunnels

Name: R1_t2 (Tunnel2) Destination: 5.5.5.5
Status:
Admin: up Oper: up Path: valid Signalling: connected
path option 1, type explicit R1-R2-R5 (Basis for Setup, path weight 128)

Config Parameters:
Bandwidth: 0 kbps (Global) Priority: 7 7 Affinity: 0x0/0xFFFF
Metric Type: TE (default)
AutoRoute: enabled LockDown: disabled Loadshare: 10
auto-bw: disabled
Active Path Option Parameters:
State: explicit path option 1 is active
BandwidthOverride: disabled LockDown: disabled Verbatim: disabled


InLabel : -
OutLabel : Serial1/0, 23
RSVP Signalling Info:
Src 1.1.1.1, Dst 5.5.5.5, Tun_Id 2, Tun_Instance 4
RSVP Path Info:
My Address: 12.12.12.1
Explicit Route: 12.12.12.2 25.25.25.5 5.5.5.5
Record Route: NONE
Tspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
RSVP Resv Info:
Record Route: NONE
Fspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
History:
Tunnel:
Time since created: 1 hours, 48 minutes
Time since path change: 1 hours, 38 minutes
Number of LSP IDs (Tun_Instances) used: 4
Current LSP:
Uptime: 1 hours, 38 minutes
Prior LSP:
ID: path option 1 [3]
Removal Trigger: configuration changed

Name: R1_t3 (Tunnel3) Destination: 5.5.5.5
Status:
Admin: up Oper: up Path: valid Signalling: connected
path option 1, type explicit R1-R3-R5 (Basis for Setup, path weight 128)

Config Parameters:
Bandwidth: 0 kbps (Global) Priority: 7 7 Affinity: 0x0/0xFFFF
Metric Type: TE (default)
AutoRoute: enabled LockDown: disabled Loadshare: 20
auto-bw: disabled
Active Path Option Parameters:
State: explicit path option 1 is active
BandwidthOverride: disabled LockDown: disabled Verbatim: disabled


InLabel : -
OutLabel : Serial1/1, 23
RSVP Signalling Info:
Src 1.1.1.1, Dst 5.5.5.5, Tun_Id 3, Tun_Instance 4
RSVP Path Info:
My Address: 13.13.13.1
Explicit Route: 13.13.13.3 35.35.35.5 5.5.5.5
Record Route: NONE
Tspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
RSVP Resv Info:
Record Route: NONE
Fspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
History:
Tunnel:
Time since created: 1 hours, 48 minutes
Time since path change: 1 hours, 38 minutes
Number of LSP IDs (Tun_Instances) used: 4
Current LSP:
Uptime: 1 hours, 38 minutes
Prior LSP:
ID: path option 1 [3]
Removal Trigger: configuration changed

Name: R1_t4 (Tunnel4) Destination: 5.5.5.5
Status:
Admin: up Oper: up Path: valid Signalling: connected
path option 1, type explicit R1-R4-R5 (Basis for Setup, path weight 128)

Config Parameters:
Bandwidth: 0 kbps (Global) Priority: 7 7 Affinity: 0x0/0xFFFF
Metric Type: TE (default)
AutoRoute: enabled LockDown: disabled Loadshare: 30
auto-bw: disabled
Active Path Option Parameters:
State: explicit path option 1 is active
BandwidthOverride: disabled LockDown: disabled Verbatim: disabled


InLabel : -
OutLabel : Serial1/2, 24
RSVP Signalling Info:
Src 1.1.1.1, Dst 5.5.5.5, Tun_Id 4, Tun_Instance 19
RSVP Path Info:
My Address: 14.14.14.1
Explicit Route: 14.14.14.4 45.45.45.5 5.5.5.5
Record Route: NONE
Tspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
RSVP Resv Info:
Record Route: NONE
Fspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
History:
Tunnel:
Time since created: 1 hours, 48 minutes
Time since path change: 36 minutes, 42 seconds
Number of LSP IDs (Tun_Instances) used: 19
Current LSP:
Uptime: 36 minutes, 42 seconds
Prior LSP:
ID: path option 1 [4]
Removal Trigger: label reservation removed

MPLS TE

MPLS TE (Traffic Engineering)

Dah lama juga mau coba tapi gak kesampaian-kesampaian terus.
Dalam MPLS kita perlu memberdayakan semua link agar tidak terjadi penumpukan trafik di satu jalur, sekaligus memilih rute terbaik dari satu source ke destination.

berikut TE di MPLS yang dapat menjadi contoh TE sederhana dan mudah dimengerti;
sengaja menggunakan IS-IS, nanti akan menggunakan OSPF untuk lab ke-2, dan yang ini memakai dynamic route ya..



PE1 :
hostname PE1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
!
!
multilink bundle-name authenticated
mpls traffic-eng tunnels
no mpls traffic-eng auto-bw timers frequency 0
mpls label protocol ldp
call rsvp-sync
!
!
interface Tunnel13
ip unnumbered Loopback1
no clns route-cache
tunnel destination 3.3.3.3
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng path-option 1 dynamic
!
interface Loopback0
ip address 150.1.1.1 255.255.255.255
no clns route-cache
!
interface Loopback1
ip address 1.1.1.1 255.255.255.255
no clns route-cache
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
no clns route-cache
!
interface FastEthernet1/0
ip address 12.12.12.1 255.255.255.0
ip router isis
speed auto
duplex auto
mpls traffic-eng tunnels
mpls ip
ip rsvp bandwidth
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
no clns route-cache
!
router isis
net 49.0123.0000.0000.0001.00
is-type level-2-only
metric-style wide
passive-interface Loopback0
passive-interface Loopback1
mpls traffic-eng router-id Loopback1
mpls traffic-eng level-2
!
ip classless
no ip http server
no ip http secure-server
!
!
!
!
mpls ldp router-id Loopback0
!
control-plane
!
!
dial-peer cor custom


PE2 :

hostname PE2
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
!
!
multilink bundle-name authenticated
mpls traffic-eng tunnels
no mpls traffic-eng auto-bw timers frequency 0
mpls label protocol ldp
call rsvp-sync
!
!
interface Loopback0
ip address 150.1.2.2 255.255.255.255
no clns route-cache
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
no clns route-cache
!
interface FastEthernet1/0
ip address 12.12.12.2 255.255.255.0
ip router isis
speed auto
duplex auto
mpls traffic-eng tunnels
mpls ip
ip rsvp bandwidth
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
no clns route-cache
!
interface FastEthernet2/0
ip address 23.23.23.2 255.255.255.0
ip router isis
speed auto
duplex auto
mpls traffic-eng tunnels
mpls ip
ip rsvp bandwidth
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
no clns route-cache
!
router isis
net 49.0123.0000.0000.0002.00
is-type level-2-only
metric-style wide
passive-interface Loopback0
mpls traffic-eng router-id Loopback0
mpls traffic-eng level-2
!
ip classless
no ip http server
no ip http secure-server
!
!
!
!
mpls ldp router-id Loopback0
!
control-plane
!
!
dial-peer cor custom

PE3:

hostname PE3
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
!
!
multilink bundle-name authenticated
mpls traffic-eng tunnels
no mpls traffic-eng auto-bw timers frequency 0
mpls label protocol ldp
call rsvp-sync
!
!
!
interface Loopback0
ip address 150.1.3.3 255.255.255.255
no clns route-cache
!
interface Loopback1
ip address 3.3.3.3 255.255.255.255
no clns route-cache
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
no clns route-cache
!
interface FastEthernet2/0
ip address 23.23.23.3 255.255.255.0
ip router isis
speed auto
duplex auto
mpls traffic-eng tunnels
mpls ip
ip rsvp bandwidth
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
no clns route-cache
!
router isis
net 49.0123.0000.0000.0003.00
is-type level-2-only
metric-style wide
passive-interface Loopback0
passive-interface Loopback1
mpls traffic-eng router-id Loopback1
mpls traffic-eng level-2
!
ip classless
no ip http server
no ip http secure-server
!
!
!
!
mpls ldp router-id Loopback0
!
control-plane
!
!
dial-peer cor custom


TE di MPLS selalu menggunakan IGP link-state dan RSVP, karena link-state dapat membawa informasi TE dalam Type-Length-Values (TLVs); OSPF menggunakan Link-State Advertisement type 10 (Opaque LSA) untuk itu.

PE1#sh mpls traffic-eng tunnels

Name: PE1_t13 (Tunnel13) Destination: 3.3.3.3
Status:
Admin: up Oper: up Path: valid Signalling: connected
path option 1, type dynamic (Basis for Setup, path weight 20)

Config Parameters:
Bandwidth: 0 kbps (Global) Priority: 7 7 Affinity: 0x0/0xFFFF
Metric Type: TE (default)
AutoRoute: disabled LockDown: disabled Loadshare: 0 bw-based
auto-bw: disabled
Active Path Option Parameters:
State: dynamic path option 1 is active
BandwidthOverride: disabled LockDown: disabled Verbatim: disabled


InLabel : -
OutLabel : FastEthernet1/0, 21
RSVP Signalling Info:
Src 1.1.1.1, Dst 3.3.3.3, Tun_Id 13, Tun_Instance 32
RSVP Path Info:
My Address: 12.12.12.1
Explicit Route: 12.12.12.2 23.23.23.2 23.23.23.3 3.3.3.3
Record Route: NONE
Tspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
RSVP Resv Info:
Record Route: NONE
Fspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
History:
Tunnel:
Time since created: 2 hours, 7 minutes
Time since path change: 31 minutes, 34 seconds
Number of LSP IDs (Tun_Instances) used: 32
Current LSP:
Uptime: 31 minutes, 34 seconds
Prior LSP:
ID: path option 1 [30]
Removal Trigger: configuration changed

Rabu, 05 Oktober 2011

LAB

Frame-Relay Back to Back
Tanpa Frame Relay Switch

R1 s1/0 ----Framerelay----s1/0 R2


hostname R1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
no mpls traffic-eng auto-bw timers frequency 0
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
no clns route-cache
!
interface Serial1/0
ip address 10.10.10.1 255.255.255.0
encapsulation frame-relay
no keepalive
serial restart-delay 0
frame-relay map ip 10.10.10.2 102 broadcast
no frame-relay inverse-arp IP 201
frame-relay local-dlci 201
no clns route-cache
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
ip classless
!
no ip http server
!
!
!
!
!
!
control-plane
!

--------------------------------------------
--------------------------------------------

hostname R2
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
no mpls traffic-eng auto-bw timers frequency 0
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
no clns route-cache
!
interface Serial1/0
ip address 10.10.10.2 255.255.255.0
encapsulation frame-relay
no keepalive
serial restart-delay 0
frame-relay map ip 10.10.10.1 201 broadcast
no frame-relay inverse-arp IP 102
frame-relay local-dlci 102
no clns route-cache
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
ip classless
!
no ip http server
!
!
!
!
!
!
control-plane
!
!
dial-peer cor custom
!

Kamis, 29 September 2011

DMVPN



Penasaran dari dulu pengen coba DMVPN, akhirnya kesampaian dan bisa:

berikut DMVPN yang katanya didukung penuh oleh Cisco dan tidak oleh vendor lainnya, boleh cek di Google. hehe :P

dari topologi di atas bisa kita lihat sebenarnya DMVPN itu terbagi atas apa yang disebut HUB dan SPOKE; HUB = HQ atau kantor pusat, sementara SPOKE = kantor cabang.
hubungan keduanya dijalankan melalui tunnel multipoint (tunnel mode gre multipoint)
yang nantinya akan dienkripsi kembali dengan IPsec (tunnel protection ipsec profile).

berikut untuk konfigurasi 1 router DMVPN HUB dan 3 SPOKE yang bertindak sebagai router edge cabang. Perlu diketahui, hubungan spoke ke spoke sebenarnya hanya membutuhkan hub sekali saja (untuk resolusi NHRP); selebihnya trafik akan langsung lewat tunnel spoke-to-spoke.

R1 :

R1#sh run
Building configuration...

Current configuration : 1386 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key P4ssw0rd address 172.16.0.0 255.255.0.0
!
!
crypto ipsec transform-set MyTransformSet esp-aes esp-sha-hmac
!
crypto ipsec profile MyProfile
set transform-set MyTransformSet
!
!
!
!
!
!
!
!
interface Tunnel0
ip address 192.168.0.1 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source 172.16.15.2
tunnel mode gre multipoint
tunnel protection ipsec profile MyProfile
!
interface FastEthernet0/0
ip address 172.16.15.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.15.1
ip route 192.168.30.1 255.255.255.255 192.168.0.3
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end

R2 :

R2#sh run
Building configuration...

Current configuration : 1135 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.15.1 255.255.255.252
duplex auto
speed auto
!
interface Serial0/0
ip address 172.16.45.1 255.255.255.252
clock rate 2000000
!
interface FastEthernet0/1
ip address 172.16.25.1 255.255.255.252
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial0/2
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
ip address 172.16.35.1 255.255.255.252
duplex auto
speed auto
!
ip forward-protocol nd
!
!
!
end

R3 :
R3#sh run
Building configuration...

Current configuration : 1451 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key P4ssw0rd address 172.16.0.0 255.255.0.0
!
!
crypto ipsec transform-set MyTransformSet esp-aes esp-sha-hmac
!
crypto ipsec profile MyProfile
set transform-set MyTransformSet
!
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.20.1 255.255.255.255
!
interface Tunnel0
ip address 192.168.0.2 255.255.255.0
no ip redirects
ip nhrp map 192.168.0.1 172.16.15.2
ip nhrp map multicast 172.16.15.2
ip nhrp network-id 1
ip nhrp nhs 192.168.0.1
tunnel source 172.16.25.2
tunnel mode gre multipoint
tunnel protection ipsec profile MyProfile
!
interface FastEthernet0/0
ip address 172.16.25.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.25.1
!
!
end

R4 :

R4#sh run
Building configuration...

Current configuration : 1547 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
--More--
*Mar 1 00:48:59.331: %SYS-5-CONFIG_I: Configured from console by console
archive
log config
hidekeys
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key P4ssw0rd address 172.16.0.0 255.255.0.0
!
!
crypto ipsec transform-set MyTransformSet esp-aes esp-sha-hmac
!
crypto ipsec profile MyProfile
set transform-set MyTransformSet
!
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.30.1 255.255.255.255
!
interface Tunnel0
ip address 192.168.0.3 255.255.255.0
no ip redirects
ip nhrp map 192.168.0.1 172.16.15.2
ip nhrp map multicast 172.16.15.2
ip nhrp network-id 1
ip nhrp nhs 192.168.0.1
tunnel source 172.16.35.2
tunnel mode gre multipoint
tunnel protection ipsec profile MyProfile
!
interface FastEthernet0/0
ip address 172.16.35.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.35.1
ip route 192.168.10.2 255.255.255.255 Tunnel0
ip route 192.168.10.2 255.255.255.255 192.168.0.1
!
!
no ip http server
no ip http secure-server
---------------------------------------------------

mari lihat buktinya :P
R4#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
2 172.16.15.2 192.168.0.1 UP 00:32:01 S
1 172.16.25.2 192.168.0.2 UP never D
----------------------------------------------------------

R1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 172.16.25.2 192.168.0.2 UP never D
1 172.16.35.2 192.168.0.3 UP never D
----------------------------------------------------------
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
172.16.15.2 172.16.25.2 QM_IDLE 1001 0 ACTIVE
172.16.15.2 172.16.35.2 QM_IDLE 1002 0 ACTIVE

R1#sh crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 172.16.15.2

protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.15.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.35.2/255.255.255.255/47/0)
current_peer 172.16.35.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 117, #pkts encrypt: 117, #pkts digest: 117
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 172.16.15.2, remote crypto endpt.: 172.16.35.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xF048AEC0(4031295168)



Dan ingat, pastikan semua dirouting melalui tunnel interface atau IP tunnel neighbor-nya, lalu cek dengan show crypto. C U,,

Sabtu, 24 September 2011

Site-To-Site ASA (Tested)



Penasaran mau coba di GNS, site-to-site ASA with NAT Control; ini sudah gw coba sendiri dan running, sepertinya dapat dijadikan template standar, tinggal ganti-ganti saja ip access-list VPN Protect-nya dan NAT0-nya. Perlu dicatat, transform-set di capture ini masih esp-des dengan PFS group1 dan ISAKMP encryption des, dan inside di ASA-kanan masih security-level 0 (beda dengan ASA kiri yang 100); kalau mau dipakai sebagai template, bagian itu sebaiknya disesuaikan dulu.

Capture kedua ASA sbb:

so cekthisout :)

ASA 1 Capture Configuration:

ASA-kanan# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ASA-kanan
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 0
ip address 22.22.22.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit object-group TCPUDP any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group TCPUDP any any
access-list outside_access_in extended permit icmp any any
access-list outside_1_cryptomap extended permit ip 19.19.19.0 255.255.255.0 11.11.11.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 19.19.19.0 255.255.255.0 11.11.11.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
route inside 19.19.19.0 255.255.255.0 22.22.22.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 19.19.19.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 1.1.1.2
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
group-policy DfltGrpPolicy attributes
username admin password eY/fQXw7Ure8Qrz7 encrypted
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:b6b9f86d0b50ff1aeee2595ebe05c4bb
: end
-----------------------------------------------------------------------------------

ASA-kanan# sh crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 1.1.1.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

-----------------------------------------------------------------------------------

ASA-kanan# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1

access-list outside_1_cryptomap permit ip 19.19.19.0 255.255.255.0 11.11.11.0 255.255.255.0
local ident (addr/mask/prot/port): (19.19.19.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (11.11.11.0/255.255.255.0/0/0)
current_peer: 1.1.1.2

#pkts encaps: 384, #pkts encrypt: 384, #pkts digest: 384
#pkts decaps: 384, #pkts decrypt: 384, #pkts verify: 384
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 384, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: F18D1423

inbound esp sas:
spi: 0x7C7E07AC (2088634284)
transform: esp-des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 12288, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3824966/28607)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xF18D1423 (4052554787)
transform: esp-des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 12288, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3824966/28607)
IV size: 8 bytes
replay detection support: Y


ASA Kiri Capture Configuration (ada configuration Remote Access yang sebelumnya, dan memang gw mau buat jalan dua mode, site-to-site dan Remote-Access IPSEC):

ciscoasa# sh run
: Saved
:
! ASA "kiri" (left side): site-to-site IPsec to 1.1.1.1 plus IPsec remote
! access for the Cisco VPN Client on the same outside interface.
! Inside 11.11.11.0/24 on Ethernet0/1, outside 1.1.1.2 on Ethernet0/0.
ASA Version 8.0(2)
!
hostname ciscoasa
! NOTE(review): enable/passwd/username hashes are published with this config;
! treat them as disclosed and set new credentials before reusing it anywhere
! but a lab.
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 11.11.11.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
! inter-interface: traffic between interfaces of equal security level;
! intra-interface: traffic that enters and leaves the same interface
! (hairpinning). Nothing in the flows below obviously needs either --
! presumably left over from earlier experiments; verify before copying.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
! Lab-grade ACLs: "permit ip any any" already matches everything, so the
! TCPUDP and icmp entries that follow it are redundant. Because
! outside_access_in is applied inbound on outside (access-group below), the
! firewall passes all unsolicited inbound traffic -- acceptable only in this
! GNS3 lab.
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit object-group TCPUDP any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit object-group TCPUDP any any
! Interesting traffic for the L2L tunnel: local 11.11.11.0/24 <-> remote
! 19.19.19.0/24, the mirror image of outside_1_cryptomap on the peer.
access-list outside_1_cryptomap extended permit ip 11.11.11.0 255.255.255.0 19.19.19.0 255.255.255.0
! NAT exemption for the same pair so tunnelled traffic is not translated;
! it has to match the crypto ACL exactly (it does here).
access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 19.19.19.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
! Addresses handed to remote-access clients.
ip local pool REMOTE_SALES_POOL 192.168.15.66-192.168.15.127 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
! ASDM/HTTPS management is allowed from 19.19.19.0/24 -- the remote site's
! inside network -- via the OUTSIDE interface. It works once the tunnel is up,
! but it exposes the management plane on the untrusted interface; outside a
! lab, restrict this to inside or to a dedicated management host.
http server enable
http 19.19.19.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Two transform sets: AES-256/SHA for remote-access clients, DES/SHA for the
! L2L tunnel. NOTE(review): single DES (56-bit) is deprecated; the L2L peer
! uses the same set, so both ends have to move to esp-aes together.
crypto ipsec transform-set REMOTE_SALES_SET esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
! Dynamic map for remote-access clients whose address is not known in
! advance; bound into OUTSIDE_MAP at seq 10, after the static L2L entry.
crypto dynamic-map REMOTE_SALES_MAP 65535 set transform-set REMOTE_SALES_SET
! Static entry seq 1: L2L to 1.1.1.1. PFS group1 is 768-bit DH, the weakest
! option -- group2 or higher is the usual minimum. The static entry must sort
! before the dynamic one (1 < 10), which it does.
crypto map OUTSIDE_MAP 1 match address outside_1_cryptomap
crypto map OUTSIDE_MAP 1 set pfs group1
crypto map OUTSIDE_MAP 1 set peer 1.1.1.1
crypto map OUTSIDE_MAP 1 set transform-set ESP-DES-SHA
crypto map OUTSIDE_MAP 10 ipsec-isakmp dynamic REMOTE_SALES_MAP
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
! IKE (phase 1) policies tried in priority order 1 -> 10 -> 65535, all PSK.
! Policy 10 (DES/SHA/group2) mirrors the peer's policy 10; policy 65535 is the
! lowest-priority 3DES fallback.
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
! Remote-access side: one internal group-policy (IPsec only, DNS 19.19.19.19)
! and local users. user1 is pinned to REMOTE_SALES_POLICY.
group-policy REMOTE_SALES_POLICY internal
group-policy REMOTE_SALES_POLICY attributes
banner value hati2 ya
dns-server value 19.19.19.19
vpn-tunnel-protocol IPSec
default-domain none
username admin password eY/fQXw7Ure8Qrz7 encrypted
username user1 password mbO2jYs13AXlIAGa encrypted
username user1 attributes
vpn-group-policy REMOTE_SALES_POLICY
vpn-tunnel-protocol IPSec
! REMOTE_SALES_GROUP is the group name the VPN Client presents; no
! authentication-server-group is set, so users authenticate against the local
! database above. PSKs are masked as "*" by "show run".
tunnel-group REMOTE_SALES_GROUP type remote-access
tunnel-group REMOTE_SALES_GROUP general-attributes
address-pool REMOTE_SALES_POOL
default-group-policy REMOTE_SALES_POLICY
tunnel-group REMOTE_SALES_GROUP ipsec-attributes
pre-shared-key *
! L2L tunnel-group keyed by the peer address; its PSK must match the peer's
! tunnel-group 1.1.1.2 entry.
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:a5b1dbc88a6d5bd218b949f68c587dc9
: end

-------------------------------------------------------------------

ciscoasa# sh crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

-------------------------------------------------------------------

ciscoasa# sh crypto ipsec sa
interface: outside
Crypto map tag: OUTSIDE_MAP, seq num: 1, local addr: 1.1.1.2

access-list outside_1_cryptomap permit ip 11.11.11.0 255.255.255.0 19.19.19.0 255.255.255.0
local ident (addr/mask/prot/port): (11.11.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (19.19.19.0/255.255.255.0/0/0)
current_peer: 1.1.1.1

#pkts encaps: 470, #pkts encrypt: 470, #pkts digest: 470
#pkts decaps: 470, #pkts decrypt: 470, #pkts verify: 470
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 470, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 1.1.1.2, remote crypto endpt.: 1.1.1.1

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 7C7E07AC

inbound esp sas:
spi: 0xF18D1423 (4052554787)
transform: esp-des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 28672, crypto-map: OUTSIDE_MAP
sa timing: remaining key lifetime (kB/sec): (4274961/28523)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x7C7E07AC (2088634284)
transform: esp-des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 28672, crypto-map: OUTSIDE_MAP
sa timing: remaining key lifetime (kB/sec): (4274961/28523)
IV size: 8 bytes
replay detection support: Y


Cloud terhubung ke VMware dan running 2003 include Cisco VPN Client, dan success bisa ping ke inside network ASA 2. :)

Jumat, 23 September 2011

Remote-Access with ASA to ASA in GNS (Tested)


Berikut yang bisa dijadikan template standar untuk segala topology.



! Remote-access-only template (IPsec / Cisco VPN Client terminating on
! outside). Same interface layout as the "kiri" config above but without the
! L2L crypto entry, crypto ACL and NAT exemption.
ASA Version 8.0(2)
!
hostname ciscoasa
! NOTE(review): enable/passwd/username hashes are published with this
! template; set new credentials before reusing it anywhere but a lab.
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 11.11.11.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
! intra-interface permit is what lets a VPN client's traffic re-enter and leave
! via outside (hairpinning) if that is ever needed; inter-interface covers
! equal-security interfaces. Neither is exercised by what is shown here.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
! Lab-grade ACLs: "permit ip any any" already matches everything, making the
! TCPUDP and icmp lines redundant. Applied inbound on outside, this admits all
! unsolicited inbound traffic -- not a template value to keep in production.
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit object-group TCPUDP any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit object-group TCPUDP any any
pager lines 24
mtu outside 1500
mtu inside 1500
! Addresses handed to remote-access clients.
ip local pool REMOTE_SALES_POOL 192.168.15.66-192.168.15.127 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
! ASDM/HTTPS management allowed from 19.19.19.0/24 on the OUTSIDE interface.
! For a reusable template this should point at inside or a management host,
! not at an untrusted-side network.
http server enable
http 19.19.19.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Phase 2: AES-256/SHA for the clients, bound through a dynamic map (peer
! address unknown in advance) at OUTSIDE_MAP seq 10.
crypto ipsec transform-set REMOTE_SALES_SET esp-aes-256 esp-sha-hmac
crypto dynamic-map REMOTE_SALES_MAP 65535 set transform-set REMOTE_SALES_SET
crypto map OUTSIDE_MAP 10 ipsec-isakmp dynamic REMOTE_SALES_MAP
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
! Phase 1: policy 1 AES-256/SHA/group2 (PSK) preferred, policy 65535
! 3DES/SHA/group2 as the lowest-priority fallback.
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
! Group policy (IPsec only, DNS 19.19.19.19) and local users; user1 is pinned
! to REMOTE_SALES_POLICY.
group-policy REMOTE_SALES_POLICY internal
group-policy REMOTE_SALES_POLICY attributes
banner value hati2 ya
dns-server value 19.19.19.19
vpn-tunnel-protocol IPSec
default-domain none
username admin password eY/fQXw7Ure8Qrz7 encrypted
username user1 password mbO2jYs13AXlIAGa encrypted
username user1 attributes
vpn-group-policy REMOTE_SALES_POLICY
vpn-tunnel-protocol IPSec
! REMOTE_SALES_GROUP is the group name the VPN Client presents. No
! authentication-server-group is configured, so clients authenticate against
! the local users above. The PSK is masked as "*" by "show run".
tunnel-group REMOTE_SALES_GROUP type remote-access
tunnel-group REMOTE_SALES_GROUP general-attributes
address-pool REMOTE_SALES_POOL
default-group-policy REMOTE_SALES_POLICY
tunnel-group REMOTE_SALES_GROUP ipsec-attributes
pre-shared-key *
prompt hostname context
! NOTE(review): this checksum is identical to the one on the "kiri" config
! above even though the two configs differ -- presumably pasted from another
! save; it carries no meaning for the template.
Cryptochecksum:a5b1dbc88a6d5bd218b949f68c587dc9
: end


ciscoasa# sh crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 19.19.19.19
Type : user Role : responder
Rekey : no State : AM_ACTIVE

Kamis, 22 September 2011

ASA Remote Access (Tested)



Network dibelakang ASA (Inside) 11.11.11.0/24 (Router = 11.11.11.2)
Network ASA to Router R2 = 12.12.12.0/24 (Router = 12.12.12.2)
Client = 1.1.1.0/24

Goal = Client dengan network 1.1.1.0/24 bisa ping ke 11.11.11.2 dengan ipsec vpn client.

ciscoasa# sh run
: Saved
:
! Remote-access ASA for the topology described above: inside 11.11.11.0/24 on
! Ethernet0/0 (note the inside/outside swap relative to the later configs),
! outside 12.12.12.1 towards R2, clients on 1.1.1.0/24.
ASA Version 8.0(2)
!
hostname ciscoasa
! NOTE(review): enable/passwd/username hashes are published with this config;
! set new credentials before reusing it anywhere but a lab.
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 11.11.11.1 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 12.12.12.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
! No access-lists or access-groups in this config: interface security levels
! alone decide (inside -> outside allowed, unsolicited outside -> inside
! dropped). Decrypted VPN traffic presumably bypasses that via the platform
! default for VPN connections -- confirm on the device.
pager lines 24
mtu outside 1500
mtu inside 1500
! Addresses handed to remote-access clients.
ip local pool REMOTE_SALES_POOL 192.168.15.66-192.168.15.127 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 12.12.12.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
! LDAP attribute map: translates the AD "memberOf" value into the Radius
! Class attribute so members of CN=sales get group-policy ExamplePolicy1.
! No group-policy named ExamplePolicy1 exists in this config, so as written
! the mapping would select nothing.
ldap attribute-map CISCOMAP
map-name memberOf IETF-Radius-Class
map-value memberOf CN=sales,CN=Users,DC=cisco,DC=co.id ExamplePolicy1
dynamic-access-policy-record DfltAccessPolicy
! AAA server group reached through the OUTSIDE interface at 1.1.1.3 (the
! client-side network). NOTE(review): there is no "ldap-over-ssl enable", so
! the bind presumably runs as plain LDAP across the untrusted side, and it
! binds as the domain administrator where a read-only lookup account would do.
! The DN below says OU=Users while the map-value above says CN=Users; in a
! default AD the Users container is CN=Users, so one of the two is likely
! mistyped. This group is also not referenced by any tunnel-group (no
! "authentication-server-group LDAP_SRV_GRP" under general-attributes), so
! client authentication still uses the LOCAL users further down.
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (outside) host 1.1.1.3
ldap-base-dn DC=cisco,DC=co.id
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn CN=administrator,OU=Users,DC=cisco,DC=co.id
server-type microsoft
ldap-attribute-map CISCOMAP
! ASDM/HTTPS management allowed from the client network 1.1.1.0/24 on the
! OUTSIDE interface -- fine for the lab, but it exposes the management plane
! on the untrusted side.
http server enable
http 1.1.1.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Phase 2: AES-256/SHA via a dynamic map (client address unknown in advance)
! bound into OUTSIDE_MAP at seq 10.
crypto ipsec transform-set REMOTE_SALES_SET esp-aes-256 esp-sha-hmac
crypto dynamic-map REMOTE_SALES_MAP 65535 set transform-set REMOTE_SALES_SET
crypto map OUTSIDE_MAP 10 ipsec-isakmp dynamic REMOTE_SALES_MAP
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
! Phase 1: policy 1 AES-256/SHA/group2 (PSK) preferred, policy 65535
! 3DES/SHA/group2 as the lowest-priority fallback.
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
! Group policy (IPsec only, DNS 1.1.1.3 -- the same host as the LDAP server)
! and local users; user1 is pinned to REMOTE_SALES_POLICY.
group-policy REMOTE_SALES_POLICY internal
group-policy REMOTE_SALES_POLICY attributes
banner value hati2 ya
dns-server value 1.1.1.3
vpn-tunnel-protocol IPSec
default-domain none
username admin password eY/fQXw7Ure8Qrz7 encrypted
username user1 password mbO2jYs13AXlIAGa encrypted
username user1 attributes
vpn-group-policy REMOTE_SALES_POLICY
vpn-tunnel-protocol IPSec
! REMOTE_SALES_GROUP is the group name the VPN Client presents; the PSK is
! masked as "*" by "show run".
tunnel-group REMOTE_SALES_GROUP type remote-access
tunnel-group REMOTE_SALES_GROUP general-attributes
address-pool REMOTE_SALES_POOL
default-group-policy REMOTE_SALES_POLICY
tunnel-group REMOTE_SALES_GROUP ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:ee1dab5c76819a5748c47e27843d02a5
: end