

CME & VPN IPSEC


Hello readers, this time I am sharing another very useful lab from the networking field:
a simulated Call Manager Express at each site, with the two sites joined by an IPsec site-to-site VPN whose interesting traffic covers both the VOICE and DATA networks, using subinterfaces (router-on-a-stick) toward each site's switch.

Keep in mind that these are lab configurations: the pre-shared key is stored in clear text (no service password-encryption), the vty lines have login but no password set, and the ISAKMP policy relies on DH group 2 (1024-bit MODP) with the default hash and lifetime. Treat them as a Packet Tracer exercise rather than a production template.

Here are the configurations. If anyone wants the NVRAM files, just ask:

Router-LAN
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router-LAN
!
!
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp excluded-address 10.10.20.1 10.10.20.10
!
ip dhcp pool DATA
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
ip dhcp pool VOICE
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
option 150 ip 10.10.20.1
!
!
!

crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp key 1009480 address 189.210.125.54
!
!
crypto ipsec transform-set VPNSET esp-aes esp-sha-hmac
!
crypto map R2_TO_R1 10 ipsec-isakmp
set peer 189.210.125.54
set transform-set VPNSET
match address 101
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.10
description ## DATOS ##
encapsulation dot1Q 10
ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0.110
description ## VOICE ##
encapsulation dot1Q 110
ip address 10.10.20.1 255.255.255.0
!
interface FastEthernet0/1
description ## INTERNET ##
ip address 177.17.17.1 255.255.255.0
duplex auto
speed auto
crypto map R2_TO_R1
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 177.17.17.2
!
!
access-list 101 permit ip 10.10.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!
!
!
!
!
dial-peer voice 1 voip
! 20.. matches every ephone-dn at Sitio 2 (2001 and 2002), not only 2001
destination-pattern 20..
session target ipv4:192.168.110.2
!
telephony-service
max-ephones 5
max-dn 5
ip source-address 10.10.20.1 port 2000
auto assign 1 to 5
!
ephone-dn 1
number 1001
!
ephone-dn 2
number 1002
!
ephone-dn 3
number 1003
!
ephone 1
device-security-mode none
mac-address 0030.F25A.88A6
type 7960
button 1:1
!
ephone 2
device-security-mode none
mac-address 0009.7C8B.61E4
type 7960
button 1:2
!
ephone 3
device-security-mode none
mac-address 000A.41A8.DB02
type CIPC
button 1:3
!
line con 0
line vty 0 4
login
!
!
!
end
ISP
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname ISP
!
interface FastEthernet0/0
ip address 189.210.125.49 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 177.17.17.2 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
clock rate 64000
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
!
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
!
end
R2
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R2-Sitio2
!
!
!
!
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.110.1 192.168.110.10
!
ip dhcp pool DATA
network 192.168.10.0 255.255.255.0
default-router 192.168.10.2
ip dhcp pool VOICE
network 192.168.110.0 255.255.255.0
default-router 192.168.110.2
option 150 ip 192.168.110.2
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp key 1009480 address 177.17.17.1
!
!
crypto ipsec transform-set VPNSET esp-aes esp-sha-hmac
!
crypto map R1_TO_R2 10 ipsec-isakmp
set peer 177.17.17.1
set transform-set VPNSET
match address 101
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.10
description ## DATA ##
encapsulation dot1Q 2
ip address 192.168.10.2 255.255.255.0
!
interface FastEthernet0/0.20
description ## VOICE ##
encapsulation dot1Q 102
ip address 192.168.110.2 255.255.255.0
!
interface FastEthernet0/1
ip address 189.210.125.54 255.255.255.0
duplex auto
speed auto
crypto map R1_TO_R2
!
interface Serial0/0/0
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
! next hop is the ISP address on the 189.210.125.0/24 link; a default route that names only an Ethernet interface would depend on proxy ARP at the ISP
ip route 0.0.0.0 0.0.0.0 189.210.125.49
!
!
access-list 101 permit ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
!
!
!
!
!
dial-peer voice 1 voip
destination-pattern 10..
session target ipv4:10.10.20.1
!
telephony-service
max-ephones 5
max-dn 5
ip source-address 192.168.110.2 port 2000
auto assign 1 to 5
create cnf-files version-stamp Jan 01 2002 00:00:00
!
ephone-dn 1
number 2001
!
ephone-dn 2
number 2002
!
ephone 1
device-security-mode none
mac-address 0010.11B4.56C8
type 7960
button 1:1
!
line con 0
line vty 0 4
login
!
!
!
end
Switch Sitio 2
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
!
!
interface range FastEthernet0/1 - 23
switchport trunk native vlan 2
switchport mode trunk
switchport voice vlan 102
spanning-tree portfast
!
interface FastEthernet0/24
switchport mode trunk
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address 192.168.10.3 255.255.255.0
!
ip default-gateway 192.168.10.2
!
!
line con 0
!
line vty 0 4
login
line vty 5 15
login
!
!
end
Switch-LAN
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname SW-LAN
!
!

!
interface range FastEthernet0/1 - 23
switchport trunk native vlan 10
switchport mode trunk
switchport voice vlan 110
spanning-tree portfast
!
interface FastEthernet0/24
description ## UPLINK TO ROUTER-LAN ##
switchport mode trunk
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 10.10.10.2 255.255.255.0
!
ip default-gateway 10.10.10.1
!
!
line con 0
!
line vty 0 4
login
line vty 5 15
login
!
!
end
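Before bringing the tunnel up it is worth checking that the two dial plans actually cover each other: every ephone-dn at one site must be matched by a voip dial-peer at the other site whose session target is the remote CME's ip source-address, otherwise calls to that extension fail even though the VPN is fine. The following is an added example and not code from the original post; the dial-peers and extensions are taken from the configurations above, while SITE1_PEERS_NARROW (a dial-peer matching only 2001) is a constructed variant used to show how a gap is reported.

```python
"""Dial-plan coverage check between two CME sites (added example, not from the original post)."""
import re


def pattern_to_regex(pattern):
    """Translate a Cisco destination-pattern into an anchored regex.
    Supported: literal digits, '.' (exactly one digit), 'T' (the variable-length
    terminator, any further digits) and '[x-y]' digit ranges; a leading '+' is dropped."""
    parts = []
    for ch in pattern.lstrip("+"):
        if ch == ".":
            parts.append(r"\d")
        elif ch == "T":
            parts.append(r"\d*")
        elif ch.isdigit() or ch in "[]-^":
            parts.append(ch)
        else:
            raise ValueError(f"unsupported character {ch!r} in destination-pattern {pattern}")
    return re.compile("^" + "".join(parts) + "$")


def specificity(pattern):
    """Number of literal digits; IOS prefers the most specific matching pattern."""
    return sum(ch.isdigit() for ch in pattern)


def coverage(local_peers, remote_cme_ip, remote_extensions):
    """local_peers: [(tag, destination_pattern, session_target_ip)] from the local
    router's 'dial-peer voice <tag> voip' entries.
    Returns {extension: tag} for reachable extensions and {extension: None} when no
    dial-peer both matches the number and points at the remote CME's 'ip source-address'."""
    result = {}
    for ext in remote_extensions:
        candidates = [
            (specificity(p), tag) for tag, p, target in local_peers
            if pattern_to_regex(p).match(ext) and target == remote_cme_ip
        ]
        result[ext] = max(candidates)[1] if candidates else None
    return result


def gaps(local_peers, remote_cme_ip, remote_extensions):
    """Extensions at the remote site that cannot be dialed from the local site."""
    cov = coverage(local_peers, remote_cme_ip, remote_extensions)
    return sorted(ext for ext, tag in cov.items() if tag is None)


# Values from the configurations above: Router-LAN (site 1) and R2-Sitio2 (site 2).
SITE1_PEERS = [(1, "20..", "192.168.110.2")]
SITE2_PEERS = [(1, "10..", "10.10.20.1")]
SITE1_CME, SITE1_EXTENSIONS = "10.10.20.1", ["1001", "1002", "1003"]
SITE2_CME, SITE2_EXTENSIONS = "192.168.110.2", ["2001", "2002"]

# Constructed variant: a dial-peer whose pattern matches a single extension.
SITE1_PEERS_NARROW = [(1, "2001", "192.168.110.2")]

if __name__ == "__main__":
    print("site 1 -> site 2 gaps:", gaps(SITE1_PEERS, SITE2_CME, SITE2_EXTENSIONS))
    print("site 2 -> site 1 gaps:", gaps(SITE2_PEERS, SITE1_CME, SITE1_EXTENSIONS))
    print("narrow dial-peer gaps:", gaps(SITE1_PEERS_NARROW, SITE2_CME, SITE2_EXTENSIONS))
```

With the page's values both directions report no gaps; with the narrow dial-peer, extension 2002 at site 2 is reported as unreachable from site 1. A dial-peer whose session target is not the remote CME's source address is treated as a gap as well, since the call would be sent somewhere the tunnel's interesting-traffic ACL may not even cover.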
To bring the VPN up you only need to generate interesting traffic, that is, traffic that matches the crypto ACL (access-list 101): it must be sourced from a LAN address of the router you are on and destined to the remote LAN. A plain ping from the router's WAN address would not match the ACL and would never trigger the tunnel, which is why the extended ping below sets the source address explicitly.
Example, from the Router-LAN CME/VPN router:
Router-LAN>enable
Router-LAN#ping
Protocol [ip]:
Target IP address: 192.168.10.2                <---- destination inside the remote LAN
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: yes                     <---- yes, to get the extended prompts
Source address or interface: 10.10.10.1        <---- source inside the local LAN
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!!!!                                          <---- ping succeeded, VPN is up
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/9/16 ms
Router-LAN#

Now we verify that the VPN is UP with the following command:

Router-LAN#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst              src              state           conn-id slot status
189.210.125.54   177.17.17.1      QM_IDLE            1011    0 ACTIVE

IPv6 Crypto ISAKMP SA

Router-LAN#

QM_IDLE with status ACTIVE means the IKE phase 1 SA is established. To confirm that the data itself is being tunneled, use show crypto ipsec sa and check that the #pkts encaps and #pkts decaps counters increase with each ping.

Regards, and until a new post....


Published 9th November 2010 by Ruben Rojas
Labels: Call Manager Express, CCNA, CCNA Security, CME, Packet Tracer, VPN

Comments
1.
Shamhain
16 November 2010, 16:10
Thanks for this example... as soon as I can finish it I'll write more about it.
Regards

2.
Shamhain
16 November 2010, 16:21
Well, I couldn't wait, because the ISP router configuration doesn't look like the one it should be... it only has the IP of a serial link and a FastEthernet configured, and the IPs don't match. If you can explain this to me, I would appreciate it.

3.
Ruben Rojas
19 November 2010, 11:30
Excellent observation, Shamhain. Indeed, that configuration was from another topology; the problem was that I built it with two different topologies and there was a mix-up when choosing the images. I have already edited the post with the new configuration.

Regards, and thanks for commenting.

4.
Anonymous
14 April 2011, 6:50
Hi Ruben, could you please publish an example of the configuration of an SPA9000 PBX with an SPA400 voicemail and Cisco 7970 phones?

5.
Ruben Rojas
14 April 2011, 7:35
Hello.
The way you want to do it I have only done once, since the company where I work handles only large equipment such as Catalyst 2960, 3750 and 6500 switches and ISR routers like the 2811, 2911, 2925, 3945, etc. Unfortunately I don't have the devices you mention, so I can't give you an example with them.
What you want to do can be done with an Easy VPN client. I am attaching Packet Tracer examples for you to analyze: besides the IPsec site-to-site VPN, I am attaching the Easy VPN client, which is the one you need. If you have questions, gladly.
Wait for the videos.
At your service.
Regards

6.
Jairo
4 October 2011, 14:40
Sorry, I only need the VPN configuration; if you could send it to me. As far as I know, access lists have to be bound to an interface, either outbound (out) or inbound (in), and I don't see that in the router configurations.
I have the tunnel active, but when I check with the command show crypto isakmp sa it doesn't show me any address. This is my configuration file.
CE1#show running-config
Building configuration...
Current configuration : 1054 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname CE1
!
!
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.20
!
ip dhcp pool CE1
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp key 1009480 address 189.210.125.2
!
!
crypto ipsec transform-set VPNSET esp-aes esp-sha-hmac
!
crypto map RUTA 10 ipsec-isakmp
set peer 189.210.125.2
set transform-set VPNSET
match address 101
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 177.17.17.1 255.255.255.252
ip access-group 101 out
duplex auto
speed auto
crypto map RUTA
!
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 177.17.17.2
!
!
access-list 101 permit ip 10.10.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!
!
!
!
!
line con 0
line vty 0 4
access-class 101 out
login
!
!
!
end
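Both the "interesting traffic" step in the post and the configuration in the last comment come down to the same few facts: the traffic must match the crypto ACL that the crypto map references with match address (that ACL is not bound with ip access-group or access-class), each side's set peer must be the address of the interface that carries the other side's crypto map, and the two crypto ACLs must be mirror images of each other. The following added example (not code from the original post or its comments) parses those pieces out of running-config text and checks them. The config excerpts are constructed from the values on this page (Router-LAN, R2-Sitio2 and the CE1 config posted above); the wildcard-mask handling assumes contiguous masks and does not cover the any and host keywords.

```python
"""IPsec site-to-site consistency checks from IOS running-config text (added example; excerpts constructed from this page)."""
import ipaddress
from types import SimpleNamespace

def _net(ip, wildcard):
    """Cisco address + wildcard mask -> network (contiguous wildcard assumed; 'any'/'host' not handled)."""
    ones = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{ip}/{32 - ones}", strict=False)

def parse(config):
    """Pull the IPsec-relevant pieces out of a running-config into one namespace."""
    side = SimpleNamespace(hostname="", wan_ip="", peer="", key_peer="", acl_id="", acl=[], misbound=[])
    ctx, iface_ip, map_iface, acls, bound = None, {}, None, {}, []
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "hostname":
            side.hostname = t[1]
        elif t[:3] == ["crypto", "isakmp", "key"]:
            side.key_peer = t[t.index("address") + 1]
        elif t[:2] == ["crypto", "map"] and "ipsec-isakmp" in t:
            ctx = ("crypto map", t[2])
        elif t[:2] == ["crypto", "map"] and ctx and ctx[0] == "interface":
            map_iface = ctx[1]  # crypto map applied to this interface
        elif t[0] == "interface":
            ctx = ("interface", t[1])
        elif t[:2] == ["set", "peer"]:
            side.peer = t[2]
        elif t[:2] == ["match", "address"]:
            side.acl_id = t[2]
        elif t[:2] == ["ip", "address"] and ctx and ctx[0] == "interface":
            iface_ip[ctx[1]] = t[2]
        elif t[:2] == ["ip", "access-group"]:  # an ACL used as an interface packet filter
            bound.append((t[2], f"{ctx[1]} ({t[3]})"))
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            acls.setdefault(t[1], []).append((_net(t[4], t[5]), _net(t[6], t[7])))
    side.acl = acls.get(side.acl_id, [])
    side.wan_ip = iface_ip.get(map_iface, "")
    side.misbound = [where for ref, where in bound if ref == side.acl_id]
    return side

def interesting(side, src, dst):
    """True if src->dst matches the crypto ACL, i.e. the router will try to tunnel it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in side.acl)

def lint(side):
    """Single-router mistakes that keep the tunnel from coming up or carrying traffic."""
    issues = []
    if side.key_peer != side.peer:
        issues.append(f"{side.hostname}: isakmp key is for {side.key_peer}, crypto map peers with {side.peer}")
    if not side.wan_ip:
        issues.append(f"{side.hostname}: crypto map is not applied to any interface")
    for where in side.misbound:
        issues.append(f"{side.hostname}: crypto ACL {side.acl_id} is also applied as a packet filter on "
                      f"{where}; a crypto ACL belongs only under 'match address'")
    return issues

def check_pair(a, b):
    """Cross-checks between the two ends: peers point at each other, crypto ACLs mirror."""
    issues = lint(a) + lint(b)
    for x, y in ((a, b), (b, a)):
        if x.peer != y.wan_ip:
            issues.append(f"{x.hostname}: set peer {x.peer} is not {y.hostname}'s crypto-map interface {y.wan_ip}")
    if set(a.acl) != {(d, s) for s, d in b.acl}:
        issues.append(f"crypto ACLs of {a.hostname} and {b.hostname} are not mirror images")
    return issues

# Constructed excerpts of the configurations on this page (only the IPsec-relevant lines).
ROUTER_LAN = """hostname Router-LAN
crypto isakmp key 1009480 address 189.210.125.54
crypto map R2_TO_R1 10 ipsec-isakmp
 set peer 189.210.125.54
 match address 101
interface FastEthernet0/1
 ip address 177.17.17.1 255.255.255.0
 crypto map R2_TO_R1
access-list 101 permit ip 10.10.0.0 0.0.255.255 192.168.0.0 0.0.255.255"""
R2_SITIO2 = """hostname R2-Sitio2
crypto isakmp key 1009480 address 177.17.17.1
crypto map R1_TO_R2 10 ipsec-isakmp
 set peer 177.17.17.1
 match address 101
interface FastEthernet0/1
 ip address 189.210.125.54 255.255.255.0
 crypto map R1_TO_R2
access-list 101 permit ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255"""
CE1 = """hostname CE1
crypto isakmp key 1009480 address 189.210.125.2
crypto map RUTA 10 ipsec-isakmp
 set peer 189.210.125.2
 match address 101
interface FastEthernet0/0
 ip address 177.17.17.1 255.255.255.252
 ip access-group 101 out
 crypto map RUTA
access-list 101 permit ip 10.10.0.0 0.0.255.255 192.168.0.0 0.0.255.255"""

if __name__ == "__main__":
    a, b = parse(ROUTER_LAN), parse(R2_SITIO2)
    print(check_pair(a, b) or "Router-LAN <-> R2-Sitio2: OK")
    print("LAN-sourced ping interesting:", interesting(a, "10.10.10.1", "192.168.10.2"))
    print("WAN-sourced ping interesting:", interesting(a, "177.17.17.1", "192.168.10.2"))
    print(*lint(parse(CE1)), sep="\n")
```

Run against the page's two routers it reports no issues, classifies the LAN-sourced extended ping as interesting and a WAN-sourced one as not; run against CE1 it flags access-list 101 being applied with ip access-group on FastEthernet0/0, which is the kind of mismatch that shows up as an empty show crypto isakmp sa.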
