+4 votes
218 views
Cisco Router Configuration 831 (Tunnel versus ASA 5500, Access List, NAT)

in Routers by (551k points)
reopened | 218 views

1 Answer

+5 votes
Best answer

In this tutorial we will develop some basic and not-so-basic configurations, assuming that we already know how to access the router with ENABLE privileges and know the commands. We will take as an example a Cisco 800 series device, to be more precise a Cisco 831 router.

--Passwords
Router(config)#service password-encryption
Router(config)#hostname ************ (name we want)
Router(config)#enable secret ************ (enable password)

- Telnet passwords
Router(config)#line con 0
Router(config-line)#password ************ (desired password)
Router(config-line)#login local
Router(config)#line vty 0
Router(config-line)#password ************ (desired password)
Router(config-line)#login local

- DHCP Server Configuration
ip dhcp binding cleanup interval 10
ip dhcp excluded-address 10.17.10.1 10.17.10.50
ip dhcp excluded-address 10.17.10.151 10.17.10.254
ip dhcp ping packets 0
ip dhcp pool GOOD_SAIRES
 network 10.17.10.0 255.255.255.0
 dns-server 10.16.0.10 10.16.0.8
 default-router 10.17.10.254
 netbios-name-server 10.16.0.10 10.16.0.8
 domain-name rquagliano.com
 lease 8

--Quality of service
class-map match-all citrix
 match access-group 110
class-map match-all voice
 match precedence 5
class-map match-all low-priority
 match any
policy-map QOS
 class voice
  priority 25
 class citrix
 class low-priority
  bandwidth remaining percent 10
  random-detect

- Crypto (configuration of a tunnel against the ASA)
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key PASSWORS_DEL_TUNEL address 200.71.236.2 (PEER)
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
crypto map map 20 ipsec-isakmp
 set peer 200.71.236.2
 set transform-set trans1
 match address ACCESSLIST_name
ip access-list extended ACCESSLIST_name
 permit ip 10.17.1.0 0.0.0.255 10.16.0.0 0.0.255.255
 permit ip 10.0.1.0 0.0.0.255 10.16.0.0 0.0.0.255
 permit ip 10.0.1.0 0.0.0.255 10.17.0.0 0.0.255.255

- Interfaces
interface Ethernet0
 ip address 10.17.10.254 255.255.255.0
 no logging event link-status
 no cdp log mismatch duplex
 no shutdown
interface Ethernet1
 ip address *********** 255.255.255.248
 service-policy output QOS
 duplex auto
 crypto map map
 no shutdown
interface FastEthernet1
 no shutdown
 no keepalive
interface FastEthernet2
 no shutdown
 no keepalive
interface FastEthernet3
 no shutdown
 no keepalive
interface FastEthernet4
 no shutdown
 no keepalive
ip classless
ip route 0.0.0.0 0.0.0.0 ***. ***. ***. **** (default gateway)
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000

--Access list
ip access-list standard administration
 permit 200.71.235.128 0.0.0.15
 permit 200.71.238.128 0.0.0.15
 permit 10.1.8.0 0.0.0.255
 permit 200.71.236.0 0.0.0.7
 permit 10.16.0.0 0.0.0.255

--Access list for NAT and internet access
ip access-list extended nat-internet
 deny ip 10.0.1.0 0.0.0.255 10.16.0.0 0.0.0.255
 deny ip 10.0.1.0 0.0.0.255 10.17.0.0 0.0.255.255
 deny ip 10.17.1.0 0.0.0.255 10.16.0.0 0.0.0.255
 permit ip 10.0.1.0 0.0.0.255 any
 permit ip 10.17.1.0 0.0.0.255 any

--Nat to go online
ip nat inside source list nat-internet interface FastEthernet4 overload

**** DO NOT FORGET THAT IF WE WANT TO DO NAT, WE SHOULD PLACE THE FOLLOWING ****
In the External Interface
ip nat outside
In the Internal Interface
ip nat inside

- Enabling SNMP
snmp-server community public RO
snmp-server enable traps tty


With these commands we can solve the configuration of a tunnel against an ASA 5500. In another tutorial we will explain the other leg of the configuration, the one on the ASA side.

by (3.5m points)
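
The tunnel ACL and the NAT ACL in the answer have to agree: IOS translates inside-to-outside traffic before it evaluates the crypto map, so every flow that ACCESSLIST_name permits needs a covering deny in nat-internet ahead of the permits. The check below is an added example, not part of the original answer; it parses the two ACLs as posted (embedded as constructed input, written with the IOS `permit` keyword) and reports tunnel flows that a NAT permit can still match. The function names are hypothetical and only contiguous wildcard masks are handled.

```python
import ipaddress
# Constructed input: the two extended ACLs from the answer, using IOS "permit".
CONFIG = """\
ip access-list extended ACCESSLIST_name
 permit ip 10.17.1.0 0.0.0.255 10.16.0.0 0.0.255.255
 permit ip 10.0.1.0 0.0.0.255 10.16.0.0 0.0.0.255
 permit ip 10.0.1.0 0.0.0.255 10.17.0.0 0.0.255.255
ip access-list extended nat-internet
 deny ip 10.0.1.0 0.0.0.255 10.16.0.0 0.0.0.255
 deny ip 10.0.1.0 0.0.0.255 10.17.0.0 0.0.255.255
 deny ip 10.17.1.0 0.0.0.255 10.16.0.0 0.0.0.255
 permit ip 10.0.1.0 0.0.0.255 any
 permit ip 10.17.1.0 0.0.0.255 any
"""

def net(addr, wildcard="255.255.255.255"):
    """IOS address + contiguous wildcard -> ip_network ("any" means 0.0.0.0/0)."""
    addr = "0.0.0.0" if addr == "any" else addr
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}")

def parse_acls(text):
    """Return {acl_name: [(action, src, dst), ...]} for 'permit/deny ip' lines."""
    acls, current = {}, None
    for line in text.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(tok[3], [])
        elif current is not None and tok[:2] in (["permit", "ip"], ["deny", "ip"]):
            rest, nets = tok[2:], []
            while rest:  # each endpoint is "any" or "<addr> <wildcard>"
                width = 1 if rest[0] == "any" else 2
                nets.append(net(*rest[:width]))
                rest = rest[width:]
            current.append((tok[0], nets[0], nets[1]))
    return acls

def nat_leaks(acls, crypto_acl, nat_acl):
    """Crypto permits a NAT permit can match before one deny covers them (conservative)."""
    leaks = []
    for src, dst in [(s, d) for a, s, d in acls[crypto_acl] if a == "permit"]:
        for n_action, n_src, n_dst in acls[nat_acl]:
            if n_action == "deny" and src.subnet_of(n_src) and dst.subnet_of(n_dst):
                break  # the whole flow is exempt from NAT
            if n_action == "permit" and src.overlaps(n_src) and dst.overlaps(n_dst):
                leaks.append((str(src), str(dst)))  # translated, then misses the crypto ACL
                break
    return leaks

print(nat_leaks(parse_acls(CONFIG), "ACCESSLIST_name", "nat-internet"))
```

On the ACLs as posted it reports 10.17.1.0/24 -> 10.16.0.0/16: the tunnel ACL protects that source toward a /16, while the NAT exemption for it covers only 10.16.0.0/24.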
