03-07-2012 10:38 AM - edited 02-21-2020 05:56 PM
I’ve been getting up to speed on IPsec configuration by reading Cisco 15.1M&T online documentation and poring through dozens of online configuration examples. By and large, the configurations online make sense and have been invaluable at getting my own working configurations up and running.
However, there’s one Cisco sample configuration that I can’t make any sense of. It appears in “Security for VPNs with IPsec Configuration Guide — Cisco IOS Release 15.1MT”. That sample configuration is reprinted below and is also available online at this location:
Most configurations distinguish between the local LAN subnet, WAN subnet, remote subnet at the remote end of the tunnel, and a peer address associated with a remote router. Thus, you’d see four distinct subnets overall referred to in the configuration. However, in this particular Cisco example, it seems like the same 10.0.110.0/24 subnet is used for all four functions, which totally baffles me. For example, access-list 120 refers to the same source range and destination, so I can’t see how this would work. If anyone could comment on how this configuration works (or *if* it works), I’d greatly appreciate it. It’s the one configuration that I can’t make any sense of whatsoever.
Here are the four ways the same 10.0.110.0/24 subnet is utilized:
1. The LAN subnet is defined by “ip address 10.0.110.1 255.255.255.0” on the FastEthernet0/1 interface.
2. The WAN subnet is defined by “ip address 10.0.110.2 255.255.255.0” on the FastEthernet0/0 interface.
3. The remote subnet at the far end of the tunnel is defined by “access-list 120 permit ip 10.0.110.0 0.0.0.255 10.0.110.0 0.0.0.255”.
4. The remote IPsec peer is referred to as “10.0.110.1” in the isakmp key and crypto map, which is on the same 10.0.110.0/24 subnet.
================================================================
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 lifetime 180
crypto isakmp key cisco123 address 10.0.110.1
!
!
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
 mode transport
!
crypto map aesmap 10 ipsec-isakmp
 set peer 10.0.110.1
 set transform-set aesset
 match address 120
!
!
!
voice call carrier capacity active
!
!
mta receive maximum-recipients 0
!
!
interface FastEthernet0/0
 ip address 10.0.110.2 255.255.255.0
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map aesmap
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 10.0.110.1 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
!
ip nat inside source list 110 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.5.1.1
ip route 10.0.110.0 255.255.255.0 FastEthernet0/0
ip route 172.18.124.0 255.255.255.0 10.5.1.1
ip route 172.18.125.3 255.255.255.255 10.5.1.1
ip http server
!
!
access-list 110 deny ip 10.0.110.0 0.0.0.255 10.0.110.0 0.0.0.255
access-list 110 permit ip 10.0.110.0 0.0.0.255 any
access-list 120 permit ip 10.0.110.0 0.0.0.255 10.0.110.0 0.0.0.255
!
03-07-2012 11:44 AM
Looks like a documentation bug - typically IOS will not allow the same subnet in the same VRF.
If you have the time, bring this to the attention of TAC.
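The three symptoms raised in the question (two interfaces on one subnet, a "remote" peer that sits inside a local subnet, and a crypto ACL whose source and destination overlap) are easy to catch mechanically before a config ever reaches a router. The checker below is an added example written for this thread, not code from Cisco or from the sample guide; it assumes the IOS statement forms shown above (interface `ip address`, crypto-map `set peer`, and `access-list N permit ip` with address/wildcard pairs) and runs against a constructed excerpt of the quoted configuration.

```python
import ipaddress
import re

# Constructed excerpt of the sample configuration quoted in the question.
SAMPLE_CONFIG = """crypto map aesmap 10 ipsec-isakmp
 set peer 10.0.110.1
interface FastEthernet0/0
 ip address 10.0.110.2 255.255.255.0
interface FastEthernet0/1
 ip address 10.0.110.1 255.255.255.0
access-list 120 permit ip 10.0.110.0 0.0.0.255 10.0.110.0 0.0.0.255
"""

ACL_RE = re.compile(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$")

def wildcard_to_network(addr, wildcard):
    # IOS wildcard bits: 0 = must match, so the subnet mask is its complement.
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def parse_config(text):
    # Collect interface subnets, crypto-map peers and crypto ACL entries.
    interfaces, peers, acl_entries, current = {}, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split()[1]
        elif current and line.startswith("ip address "):
            _, _, addr, mask = line.split()
            interfaces[current] = ipaddress.IPv4Interface(f"{addr}/{mask}").network
        elif line.startswith("set peer "):
            peers.append(ipaddress.IPv4Address(line.split()[2]))
        elif (m := ACL_RE.match(line)):
            acl_entries.append((m.group(1), wildcard_to_network(m.group(2), m.group(3)),
                                wildcard_to_network(m.group(4), m.group(5))))
    return interfaces, peers, acl_entries

def check_config(text):
    # Returns a list of findings; an empty list means none of the checks fired.
    nets, peers, acl_entries = parse_config(text)
    findings, names = [], list(nets)
    for i, a in enumerate(names):                       # 1: two interfaces on one subnet
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"overlap: {a} and {b} both sit in {nets[a]}")
    for peer in peers:                                  # 2: peer is local, not remote
        for name, net in nets.items():
            if peer in net:
                findings.append(f"peer {peer} lies inside local subnet {net} ({name})")
    for acl, src, dst in acl_entries:                   # 3: crypto ACL matches itself
        if src.overlaps(dst):
            findings.append(f"crypto ACL {acl}: source {src} overlaps destination {dst}")
    return findings
```

Run against the excerpt it reports four findings: the interface overlap, the peer inside each of the two local subnets, and the self-matching crypto ACL 120.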
03-07-2012 12:43 PM
Thanks, Marcin. I thought this configuration looked funny. I’ll submit a TAC later today.