Puzzled by Cisco IPsec sample configuration

bsierra
Level 1

I’ve been getting up to speed on IPsec configuration by reading Cisco 15.1M&T online documentation and poring through dozens of online configuration examples.  By and large, the configurations online make sense and have been invaluable at getting my own working configurations up and running.

However, there’s one Cisco sample configuration that I can’t make any sense of.  It appears in “Security for VPNs with IPsec Configuration Guide — Cisco IOS Release 15.1MT”.  That sample configuration is reprinted below and is also available online at this location:

http://www.ciscosystems.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/15-1mt/sec-cfg-vpn-ipsec.html#GUID-F11890DA-D492-4175-A54C-B829A88E18BA

Most configurations distinguish between the local LAN subnet, WAN subnet, remote subnet at the remote end of the tunnel, and a peer address associated with a remote router.  Thus, you’d see four distinct subnets overall referred to in the configuration.  However, in this particular Cisco example, it seems like the same 10.0.110.0/24 subnet is used for all four functions, which totally baffles me.  For example, access-list 120 refers to the same source range and destination, so I can’t see how this would work.  If anyone could comment on how this configuration works (or *if* it works), I’d greatly appreciate it.  It’s the one configuration that I can’t make any sense of whatsoever.

Here are the four ways the same 10.0.110.0/24 subnet is utilized:

   1. The LAN subnet is defined by “ip address 10.0.110.1 255.255.255.0” in the FastEthernet0/1 interface.

   2. The WAN subnet is defined by “ip address 10.0.110.2 255.255.255.0” in the FastEthernet0/0 interface.

   3. The remote subnet at the end of the tunnel is defined by “access-list 120 permit ip 10.0.110.0 0.0.0.255 10.0.110.0 0.0.0.255”.

   4. The remote IPsec peer is referred to as “10.0.110.1” in the isakmp key and crypto map, which is on the same 10.0.110.0/24 subnet.

================================================================

crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 lifetime 180
crypto isakmp key cisco123 address 10.0.110.1
!
!
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
 mode transport
!
crypto map aesmap 10 ipsec-isakmp
 set peer 10.0.110.1
 set transform-set aesset
 match address 120
!
!
!
voice call carrier capacity active
!
!
mta receive maximum-recipients 0
!
!
interface FastEthernet0/0
 ip address 10.0.110.2 255.255.255.0
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map aesmap
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 10.0.110.1 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
!
ip nat inside source list 110 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.5.1.1
ip route 10.0.110.0 255.255.255.0 FastEthernet0/0
ip route 172.18.124.0 255.255.255.0 10.5.1.1
ip route 172.18.125.3 255.255.255.255 10.5.1.1
ip http server
!
!
access-list 110 deny   ip 10.0.110.0 0.0.0.255 10.0.110.0 0.0.0.255
access-list 110 permit ip 10.0.110.0 0.0.0.255 any
access-list 120 permit ip 10.0.110.0 0.0.0.255 10.0.110.0 0.0.0.255
!

2 Replies

Marcin Latosiewicz
Cisco Employee (accepted solution)

Looks like a documentation bug - typically IOS will not allow the same subnet in the same VRF.

If you have the time, bring this to the attention of TAC.
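As an added illustration of the problem Marcin points out (this script is not from the Cisco guide or from this thread; the config excerpt is a constructed cut-down of the one quoted in the question), a small Python lint that flags two interfaces sharing a subnet in the global VRF, a crypto ACL whose source equals its destination, and a crypto-map peer that is one of the router's own interface addresses:

```python
import ipaddress
import re

# Constructed excerpt of the Cisco sample configuration quoted in the question.
SAMPLE_CONFIG = """\
crypto map aesmap 10 ipsec-isakmp
 set peer 10.0.110.1
 match address 120
interface FastEthernet0/0
 ip address 10.0.110.2 255.255.255.0
interface FastEthernet0/1
 ip address 10.0.110.1 255.255.255.0
access-list 120 permit ip 10.0.110.0 0.0.0.255 10.0.110.0 0.0.0.255
"""

def parse_interfaces(config):
    """Map each interface name to its IPv4Interface taken from 'ip address A M' lines."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        m = re.match(r"\s+ip address (\S+) (\S+)$", line)
        if m and current:
            result[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return result

def parse_crypto_acl(config):
    """Return (src, dst) networks of the ACL named by 'match address N'; IOS wildcards are hostmasks."""
    acl = re.search(r"^\s*match address (\d+)", config, re.M).group(1)
    pat = rf"^access-list {acl} permit ip (\S+) (\S+) (\S+) (\S+)$"
    return [(ipaddress.IPv4Network(f"{m[1]}/{m[2]}"), ipaddress.IPv4Network(f"{m[3]}/{m[4]}"))
            for m in re.finditer(pat, config, re.M)]

def lint(config):
    """Return a list of findings for the subnet-reuse problems discussed in the thread."""
    findings, ifaces = [], parse_interfaces(config)
    names = list(ifaces)
    # Two interfaces in the same (global) VRF with overlapping subnets: IOS rejects this.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                findings.append(f"overlap: {a} {ifaces[a]} vs {b} {ifaces[b]}")
    # Crypto ACL whose source equals its destination: local and remote traffic are indistinguishable.
    for src, dst in parse_crypto_acl(config):
        if src == dst:
            findings.append(f"crypto ACL source equals destination: {src}")
    # IPsec peer that is one of this router's own addresses rather than a remote router.
    own = {str(i.ip) for i in ifaces.values()}
    for m in re.finditer(r"^\s*set peer (\S+)", config, re.M):
        if m[1] in own:
            findings.append(f"peer {m[1]} is a local interface address")
    return findings
```

Run `lint(SAMPLE_CONFIG)` to see all three findings; a config with distinct LAN, WAN and remote subnets and a remote peer address returns an empty list.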

Thanks, Marcin.  I thought this configuration looked funny.  I’ll submit a TAC later today.
