Avaya Solution & Interoperability Test Lab

Configuring VPN backup for Avaya S8700 Media Servers and Avaya G600 Media Gateways Controlling Avaya G350 Media Gateways, using the Avaya Security Gateway and Cisco PIX - Issue 1.0

Abstract

These Application Notes present a sample configuration of VPN backup across the Internet for a leased line, using the Avaya Security Gateway and Cisco PIX, for Avaya S8700 Media Servers and Avaya G600 Media Gateways in the main office controlling Avaya G350 Media Gateways in the small office. Under normal operation, a leased line is used between the main office and the small office. If the leased line is down, the VPN backup is used automatically for communication between the main office and the small office. These Application Notes focus on the VPN backup configuration.

1 of 18
1. Introduction

The network diagram in Figure 1 shows two offices. The office labeled Main Office uses Avaya Communication Manager, Avaya S8700 Media Servers, and an Avaya G600 Media Gateway. The office labeled Small Office contains an Avaya G350 Media Gateway with an Avaya S8300 Media Server configured as a Local Survivable Processor (LSP).

Under normal operation, the main office and the small office communicate through a leased line. The Cisco 3640 access router and the Avaya G350 Media Gateway with a WAN module provide the WAN access. If the leased line is down, the Internet-based VPN tunnel between the Avaya Security Gateway 203 and the Cisco PIX 525 is used automatically as a backup. The Internet access of the Avaya SG203 in the small office can be a cable modem, a DSL modem, etc.

If no S8300 Media Server is installed in the G350 Media Gateway, the VPN backup allows the Avaya G350 Media Gateway to keep functioning when the leased line is down. If the VPN backup cannot provide high-quality VoIP calls, PSTN bypass is recommended as a last resort (not covered in these Application Notes).

[Figure 1: VPN backup across the Internet for the Avaya VoIP infrastructure. Main Office: Avaya S8700 Media Servers, Avaya G600 Media Gateway, DHCP/TFTP server, Cisco Catalyst 6509, Cisco 3640, Cisco PIX, Avaya 4612 IP Telephone, Avaya 6210 Analog Telephone, Avaya 6402D Digital Telephone, Avaya IP Softphone PC; local IP networks: S8700 Media Server /24, IP telephones /24, PCs /24; PIX public and private addresses. Small Office: Avaya SG203 (public and private addresses), Avaya G350 Media Gateway with Avaya S8300 Media Server LSP, Cisco 2950, Avaya 4620 and 4606 IP Telephones, Avaya 6402D Digital Telephone, Avaya 6210 Analog Telephone, PC; local IP networks: G350 Media Gateway and IP telephones /24, S8300 Media Server LSP, PCs /24. The offices are joined by the leased line and, across the Internet, by the VPN between the SG203 and the PIX.]
2. Equipment and Software Validated

Table 1 below shows the versions verified in these Application Notes.

Equipment                                   Software
Avaya Communication Manager on
  Avaya S8700 Media Server                  R012x
  Avaya S8300 Media Server LSP              R012x
Avaya G600 Media Gateway
  IPSI (TN2312AP)                           HW02 FW005
  C-LAN (TN799DP)                           HW01 FW009
  MEDPRO (TN2302AP)                         HW03 FW055
Avaya G350 Media Gateway
Avaya IP Telephones                         1.81
Avaya IP Softphones
Avaya SG203 Security Gateway
Cisco 3640 Access Router                    IOS 12.2(19)
Cisco Catalyst 6509 Switch                  Layer 2: 7.6(1); Layer 3: 12.1(16)E6
Cisco Catalyst 2950 Switch                  IOS 12.0(5.3)WC(1)
Cisco PIX                                   (2)

Table 1: Software Versions

3. Configurations

Refer to reference [1] for detailed configurations of the Avaya VoIP components, as well as the LAN and WAN switches and routers. The OSPF routing protocol is used across the leased line, while default routes are used for the VPN backup on the Avaya G350 Media Gateway and the Cisco Catalyst 6509. Because the OSPF-learned routes are more specific than the static default routes, they are preferred while the leased line is up; when the OSPF adjacency across the leased line is lost, those routes are withdrawn and the default routes towards the SG203 and the PIX carry the inter-office traffic through the tunnel. Sections 3.1 to 3.4 show the VPN-related configuration on the Avaya G350 Media Gateway, the Avaya SG203, the Cisco Catalyst 6509 and the Cisco PIX. Note that private IP addresses are used for the public IP addresses of the SG203 and the Cisco PIX for demonstration purposes. These IP addresses must be replaced in real scenarios.

3.1. Configuring Avaya G350 Media Gateways

The private port of the Avaya SG203 in Figure 1 is connected to the Ethernet WAN port of the Avaya G350 Media Gateway, which is identified as FastEthernet 10/2. This interface is configured with an IP address on the network of the SG203 private port, and the default gateway on the Avaya G350 Media Gateway is set to the private IP address of the Avaya SG203:

interface FastEthernet 10/2
 ip address
exit
ip default-gateway low
3.2. Configuring Avaya SG203

3.2.1. Basic configuration via the console port: interfaces, static and default routes

With the proper user name and password, log on to the Avaya SG203 via the console port. Configure the Avaya SG203 with the following IP parameters:

Public IP:
Default Gateway:
Private IP:
Static Routes: /24 and /24 with next hop

Note that the two static-route networks are local networks configured on the Avaya G350 Media Gateway. The following screen shows these configurations:

VSU(root)[29]# config
VSU(configure)[32]# interface
VSU(configure interface)[34]# set public mode ipstatic ip mask gateway
VSU(configure interface)[38]# set private -mode ipstatic -ip mask
VSU(configure interface)[40]# config
VSU(configure)[42]# route
VSU(configure route)[65]# add
VSU(configure route)[65]# add

The following screen shows how to verify the above configuration:

VSU(configure interface)[36]# show public
Interface Port: public
Configured as: ipstatic
IP address :
Mask:
Mac address : 00:60:a1:00:ca:d5
Link: up
Default Route :

VSU(configure interface)[39]# show private
Interface Port: private
Configured as: ipstatic
IP address :
Mask:
Mac address : 00:60:a1:00:ca:d4
Link: up

VSU(configure route)[50]# show
Routing tables
Internet:
Destination        Gateway            Flags   Refs  Use  Mtu  Interface
default                               UGS                      fxp1
127/8              localhost          UGRS                     lo0
localhost          localhost          UH                       lo0
/24                link#1             UC                       fxp
                   0:4:d:29:c7:b4     UHL                      fxp
/24                link#2             UC                       fxp
                   link#2             UHL                      fxp
/                                     UGS                      fxp
/                                     UGS                      fxp

3.2.2. NAT and VPN configuration via the Web interface

Log on to the Avaya SG203 Web interface from a PC on the /24 or /24 network with the proper username and password. To eliminate some potential problems in implementing Network Address Translation (NAT) for the VoIP protocol, do not configure NAT for VoIP traffic.

Navigate to Configure > Security > VPN Setup. The VPN Setup window opens. Click Add. The new VPN window opens (Figure 2). Provide the following information:

VPN Name: PIX
Secret Text: secret
Local IP Groups: /24, /24, /24

The above Local IP Groups are the local networks configured on the Avaya G350 Media Gateway.

Figure 2: Add New VPN
Click Next> and a new window (Figure 3) opens. Provide the following information:

Zone: public
Remote TEP IP: (the public IP address of the Cisco PIX)
Member Remote TEPs:
IP Groups for the remote TEP: /24, /24, /24, /24

The IP groups for the remote TEP are the four local IP networks configured on the Cisco Catalyst 6509.

Figure 3: Add New VPN Remote End Points Configuration

Click Next> and a new window for VPN remote users opens. The configuration for remote users is not discussed in these Application Notes. Click Next> to skip this window.

Provide the following information (Figure 4):

IKE Security:
  Encryption: 3DES
  Authentication: SHA1
  Lifetime (Time-based): 1 DAYS
  Lifetime (Throughput): 0 GB
  DH Group: 2

IPSec Security:
  AH/ESP: ESP
  Perfect Forward Secrecy: NO
  Encryption: 3DES
  Authentication: HMAC_SHA
  Compression: NONE
  Lifetime (Time-based): 1 DAYS
  Lifetime (Throughput): 0 GB

Figure 4: Add New VPN IKE and IPSec Security Configuration

All the VPN parameters, including IKE, IPSec and the pre-shared secret, on the Avaya SG203 must match those on the Cisco PIX (see Section 3.4). The secret text "secret" is a sample value for the lab and must be replaced by a long, random pre-shared secret in a real deployment. The 3DES, SHA1 and DH group 2 choices reflect what the validated software supported; where both ends support them, AES, a larger DH group and Perfect Forward Secrecy are the preferable settings today.
3.3. Configuring Cisco Catalyst 6509

The private interface of the Cisco PIX is connected to the Cisco Catalyst 6509. A separate /24 network is configured for this connection. The default gateway on the Cisco 6509 is configured to the private IP address of the Cisco PIX:

interface Vlan103
 ip address
ip route

The PIX private interface is connected to port 4/14 on the Cisco Catalyst 6509. The following shows how to configure port 4/14 in VLAN 103 in the Layer 2 mode of the Cisco Catalyst 6509. The show trunk 4/14 command can be used to verify the configuration.

Console> (enable) set vlan 103 4/14
VLAN  Mod/Ports
----  ---------
103   4/14

Console> (enable) show trunk 4/14
* - indicates vtp domain mismatch
# - indicates dot1q-all-tagged enabled on the port
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 4/14     auto         negotiate      not-trunking  103

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 4/14

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 4/14

Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
 4/14
3.4. Configuring Cisco PIX

The following configurations use the CLI on the Cisco PIX.

3.4.1. Basic Configuration

The following shows the basic configuration for interfaces, static routes and default routes. Ethernet 0 is configured as the public (outside) interface and Ethernet 1 as the private (inside) interface:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
ip address outside
ip address inside
route outside
route inside
route inside
route inside

3.4.2. Access List Configuration

An access list is configured on the Cisco PIX for the traffic to be encrypted to the Avaya SG203. This includes the traffic from the local networks on the private side of the Cisco PIX to the local networks on the private side of the Avaya SG203. Three local networks are configured on the Avaya SG203 (/24, /24 and /24) and four local networks on the Cisco PIX (/24, /24, /24 and /24), so the access list has one entry per source/destination pair, twelve in total. The following shows the access list configuration for SG203-tunnel:

access-list SG203-tunnel permit ip
access-list SG203-tunnel permit ip
access-list SG203-tunnel permit ip
access-list SG203-tunnel permit ip
access-list SG203-tunnel permit ip
access-list SG203-tunnel permit ip
access-list SG203-tunnel permit ip
access-list SG203-tunnel permit ip
access-list SG203-tunnel permit ip
access-list SG203-tunnel permit ip
access-list SG203-tunnel permit ip
access-list SG203-tunnel permit ip

To eliminate some potential problems in implementing Network Address Translation (NAT) for the VoIP protocol, access list nonattosg is configured with the same twelve source/destination pairs:

access-list nonattosg permit ip
access-list nonattosg permit ip
access-list nonattosg permit ip
access-list nonattosg permit ip
access-list nonattosg permit ip
access-list nonattosg permit ip
access-list nonattosg permit ip
access-list nonattosg permit ip
access-list nonattosg permit ip
access-list nonattosg permit ip
access-list nonattosg permit ip
access-list nonattosg permit ip

When access list nonattosg is referenced by nat 0 on the inside interface of the Cisco PIX, the traffic defined in this access list is exempted from NAT, so it reaches the crypto map with its original addresses and matches SG203-tunnel:

nat (inside) 0 access-list nonattosg

3.4.3. VPN Configuration

The following shows the configuration for the IKE phase 1 attributes, which include the source interface for the VPN, the pre-shared key and the ISAKMP policy. The attributes must match the configuration of the Avaya SG203 in Section 3.2:

isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption 3des
isakmp policy 11 hash sha
isakmp policy 11 group 2
isakmp policy 11 lifetime

The following shows the configuration for IPSec (IKE phase 2), which must also match the configuration of the Avaya SG203 in Section 3.2:

crypto ipsec transform-set SG203-Set esp-3des esp-sha-hmac
crypto map mapforsgs 12 ipsec-isakmp
crypto map mapforsgs 12 match address SG203-tunnel
crypto map mapforsgs 12 set peer
crypto map mapforsgs 12 set transform-set SG203-Set
crypto map mapforsgs interface outside
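As an added example, not part of these Application Notes and not Avaya or Cisco code, the following Python script does two things a practitioner would otherwise do by hand for Sections 3.2 and 3.4: it generates the two PIX access lists (SG203-tunnel and nonattosg) from the subnet lists, so the crypto and NAT-exemption lists are guaranteed to cover the same pairs, and it parses the PIX phase 1 and phase 2 lines and compares them with the values entered on the SG203. The subnet addresses, the PIX configuration fragment and the ISAKMP lifetime of 86400 seconds (the SG203 "1 DAYS" value) are assumptions made for the example; substitute the real addresses from Figure 1.

```python
"""Added example (not from the Avaya Application Notes): build the two PIX access
lists of Section 3.4 from the subnet lists and check that the PIX IKE/IPsec
settings match the SG203 values of Section 3.2.  All addresses are placeholders."""
import ipaddress
import re

# Placeholder networks assumed for the example (replace with the Figure 1 networks).
SG203_LOCAL = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"]                 # behind the SG203
PIX_LOCAL = ["10.20.1.0/24", "10.20.2.0/24", "10.20.3.0/24", "10.20.4.0/24"]   # behind the PIX


def acl_lines(name, local_nets, remote_nets):
    """One 'permit ip <local> <remote>' entry per local/remote pair, in PIX 6.x
    syntax (network address and mask rather than prefix length)."""
    lines = []
    for local in local_nets:
        for remote in remote_nets:
            ln, rn = ipaddress.ip_network(local), ipaddress.ip_network(remote)
            lines.append(f"access-list {name} permit ip {ln.network_address} {ln.netmask} "
                         f"{rn.network_address} {rn.netmask}")
    return lines


def pix_tunnel_config():
    """The crypto ACL and the NAT-exemption ACL are generated from the same pairs:
    a pair missing from nonattosg is translated before it reaches the crypto map
    and then never matches SG203-tunnel."""
    crypto = acl_lines("SG203-tunnel", PIX_LOCAL, SG203_LOCAL)
    nonat = acl_lines("nonattosg", PIX_LOCAL, SG203_LOCAL)
    return crypto + nonat + ["nat (inside) 0 access-list nonattosg"]


# IKE/IPsec parameters entered in the SG203 web UI (Section 3.2); 86400 s = 1 day.
SG203_PARAMS = {
    "ike_encryption": "3des", "ike_hash": "sha", "ike_dh_group": 2, "ike_lifetime_sec": 86400,
    "ipsec_encryption": "esp-3des", "ipsec_auth": "esp-sha-hmac", "pfs": False,
}


def parse_pix_vpn(config_text):
    """Pull the phase 1 policy and phase 2 transform set out of PIX configuration lines."""
    found = {"pfs": False}
    for line in config_text.splitlines():
        line = line.strip()
        if m := re.match(r"isakmp policy \d+ encryption (\S+)", line):
            found["ike_encryption"] = m.group(1)
        elif m := re.match(r"isakmp policy \d+ hash (\S+)", line):
            found["ike_hash"] = m.group(1)
        elif m := re.match(r"isakmp policy \d+ group (\d+)", line):
            found["ike_dh_group"] = int(m.group(1))
        elif m := re.match(r"isakmp policy \d+ lifetime (\d+)", line):
            found["ike_lifetime_sec"] = int(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set \S+ (esp-\S+) (esp-\S+-hmac)", line):
            found["ipsec_encryption"], found["ipsec_auth"] = m.group(1), m.group(2)
        elif re.match(r"crypto map \S+ \d+ set pfs", line):
            found["pfs"] = True
    return found


def mismatches(pix_params, sg_params=SG203_PARAMS):
    """Parameters on which the two ends disagree; IKE fails on any one of them."""
    return sorted(k for k in sg_params if pix_params.get(k) != sg_params[k])


# Settings that negotiate fine but are deprecated today; reported so both ends
# can be upgraded together (the pre-shared key is masked by the PIX and not compared).
WEAK = {"ike_encryption": {"3des", "des"}, "ike_dh_group": {1, 2},
        "ipsec_encryption": {"esp-3des", "esp-des"}}


def weak_settings(params):
    out = [k for k, bad in WEAK.items() if params.get(k) in bad]
    if not params.get("pfs"):
        out.append("pfs")
    return sorted(out)


# Constructed PIX fragment mirroring Section 3.4 (lifetime value assumed).
PIX_SAMPLE = """
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption 3des
isakmp policy 11 hash sha
isakmp policy 11 group 2
isakmp policy 11 lifetime 86400
crypto ipsec transform-set SG203-Set esp-3des esp-sha-hmac
crypto map mapforsgs 12 ipsec-isakmp
crypto map mapforsgs 12 match address SG203-tunnel
crypto map mapforsgs 12 set transform-set SG203-Set
"""

if __name__ == "__main__":
    print("\n".join(pix_tunnel_config()))
    params = parse_pix_vpn(PIX_SAMPLE)
    print("mismatches:", mismatches(params))
    print("weak settings:", weak_settings(params))
```

Running the script prints the 25 generated configuration lines, an empty mismatch list for the sample fragment, and a weak-settings list naming 3DES, DH group 2 and the missing PFS. Changing one value on either side (for example hash sha to hash md5 in the fragment) makes that parameter appear in the mismatch list, which is the condition under which the PIX and the SG203 never reach QM_IDLE.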
Enter the sysopt connection permit-ipsec command to implicitly permit IPSec packets to bypass the PIX Firewall access lists, access groups and conduits. This means that traffic arriving through the tunnel is not filtered by the outside interface access list; the crypto access list alone decides what may reach the inside networks. The command no fixup protocol h must be entered to ensure that the Avaya VoIP signaling packets pass through the Cisco PIX without any change to their contents:

sysopt connection permit-ipsec
no fixup protocol h

4. Verification Steps

4.1. IP Routing

When the WAN link is up, use the command show ip route on the Cisco Catalyst 6509 and the Avaya G350 Media Gateway to verify that all the traffic between the main office and the small office is routed through the WAN link using the OSPF routing protocol. The following shows the output of the show ip route command from the Layer 3 mode of the Cisco Catalyst 6509. Ensure that the default route is configured to the Cisco PIX.

Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is to network

C    /24 is directly connected, Vlan47
C    /24 is directly connected, Vlan46
O    /24 [110/67] via , 00:04:26, Vlan102
O    /24 [110/67] via , 00:04:26, Vlan102
C    /24 is directly connected, Vlan102
C    /24 is directly connected, Vlan103
C    /24 is directly connected, Vlan87
O    /24 [110/66] via , 00:04:26, Vlan102
S*   /0 [1/0] via
The following shows the output of the show ip route command from the Avaya G350 Media Gateway. Ensure that the default route is configured to the Avaya SG203.

G (super)# show ip route
Showing 11 rows
Network   Mask   Interface       Next-Hop   Cost   TTL   Source
                 FastEth 10/2                      n/a   STAT-LO
                 FastEth 10/2                      n/a   LOCAL
                 Serial 5/                         n/a   OSPF
                 Serial 5/                         n/a   OSPF
                 Serial 5/                         n/a   OSPF
                 Serial 5/                         n/a   LOCAL
                 Serial 5/                         n/a   LOCAL
                 Serial 5/                         n/a   OSPF
                 Serial 5/                         n/a   OSPF
                 Vlan                              n/a   LOCAL
                 Vlan                              n/a   LOCAL

Follow the verification steps in Section 14 of Reference [1] while the WAN link is up.

Then disconnect or disable the WAN link. Use the command show ip route on the Cisco Catalyst 6509 and the Avaya G350 Media Gateway to verify that all the traffic between the main office and the small office is now routed through the VPN link using their default routes. The following shows the output of the show ip route command from the Layer 3 mode of the Cisco Catalyst 6509. Note that there are no OSPF routes for the networks of the small office.

Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is to network

C    /24 is directly connected, Vlan47
C    /24 is directly connected, Vlan46
C    /24 is directly connected, Vlan102
C    /24 is directly connected, Vlan103
C    /24 is directly connected, Vlan87
S*   /0 [1/0] via
The following shows the output of the show ip route command from the Avaya G350 Media Gateway. Note that there are no OSPF routes for the networks of the main office.

G (super)# show ip route
Showing 4 rows
Network   Mask   Interface       Next-Hop   Cost   TTL   Source
                 FastEth 10/2                      n/a   STAT-LO
                 FastEth 10/2                      n/a   LOCAL
                 Vlan                              n/a   LOCAL
                 Vlan                              n/a   LOCAL

4.2. Avaya VoIP Connectivity

Use the verification steps below to validate VoIP connectivity:

- Verify that the Avaya G600 and G350 Media Gateways are registered to the Avaya S8700 Media Server.
- Verify that the Avaya S8300 Media Server LSP is registered to the Avaya S8700 Media Server.
- Verify that all the IP telephones and Softphones are registered to the C-LAN on the Avaya G600 Media Gateway.
- Verify that intra-office and inter-office calls are successful.

If the Avaya G350 Media Gateway, the IP telephones or the Softphones are registered with the Avaya S8300 Media Server LSP (that is, the small office fell back to the LSP while the link was down), use the command reset system 4 on the SAT of the Avaya S8300 Media Server LSP to reset it. If the VPN tunnel is established successfully, the Avaya G350 Media Gateway, the IP telephones, the Softphones and the Avaya S8300 Media Server LSP will re-register with the Avaya G600 Media Gateway C-LAN.
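As an added example that is not part of these Application Notes, the following Python script automates the routing check of Section 4.1: it reads Catalyst 6509 show ip route output and reports whether the small-office networks are currently reached over the leased line (OSPF routes present for all of them) or over the VPN backup (no OSPF routes and the gateway of last resort is the PIX inside address), and flags the in-between state that appears during OSPF reconvergence or when the default route points elsewhere. The two captures, the small-office networks and the PIX inside address are constructed placeholders, not values from the page.

```python
"""Added example (not from the Avaya Application Notes): classify the WAN state
from Catalyst 6509 'show ip route' output.  Addresses are placeholders."""
import re

# Placeholders assumed for the example: the small-office networks behind the
# SG203 and the PIX inside address that is the 6509's default gateway.
SMALL_OFFICE_NETS = {"10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"}
PIX_INSIDE = "10.20.103.2"

# One IOS route line: code (C, O, O IA, O E2, S*, ...), prefix, optional [AD/metric] via next-hop.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?(?: [A-Z]{1,2}\d?)?)\s+"
    r"(?P<net>\d+\.\d+\.\d+\.\d+/\d+)"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<via>\d+\.\d+\.\d+\.\d+))?")


def parse_routes(text):
    """Return the route entries found in the output (code lines and headers are skipped)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append({"code": m.group("code"), "net": m.group("net"),
                           "via": m.group("via"),
                           "ad": int(m.group("ad")) if m.group("ad") else None})
    return routes


def gateway_of_last_resort(text):
    m = re.search(r"Gateway of last resort is (\S+) to network", text)
    return m.group(1) if m else None


def wan_state(text, small_office_nets=SMALL_OFFICE_NETS, pix_inside=PIX_INSIDE):
    """'leased-line' when every small-office network has an OSPF route,
    'vpn-backup' when none has one and the default route points at the PIX,
    otherwise 'inconsistent' (partial OSPF convergence or a wrong default)."""
    ospf_nets = {r["net"] for r in parse_routes(text) if r["code"].startswith("O")}
    missing = small_office_nets - ospf_nets
    if not missing:
        return "leased-line"
    if missing == set(small_office_nets) and gateway_of_last_resort(text) == pix_inside:
        return "vpn-backup"
    return "inconsistent"


# Constructed captures in the shape of the Section 4.1 outputs.
LEASED_LINE_UP = """Gateway of last resort is 10.20.103.2 to network 0.0.0.0

C    10.20.1.0/24 is directly connected, Vlan47
C    10.20.2.0/24 is directly connected, Vlan46
O    10.10.1.0/24 [110/67] via 10.20.102.2, 00:04:26, Vlan102
O    10.10.2.0/24 [110/67] via 10.20.102.2, 00:04:26, Vlan102
C    10.20.102.0/24 is directly connected, Vlan102
C    10.20.103.0/24 is directly connected, Vlan103
C    10.20.3.0/24 is directly connected, Vlan87
O    10.10.3.0/24 [110/66] via 10.20.102.2, 00:04:26, Vlan102
S*   0.0.0.0/0 [1/0] via 10.20.103.2
"""

LEASED_LINE_DOWN = """Gateway of last resort is 10.20.103.2 to network 0.0.0.0

C    10.20.1.0/24 is directly connected, Vlan47
C    10.20.2.0/24 is directly connected, Vlan46
C    10.20.102.0/24 is directly connected, Vlan102
C    10.20.103.0/24 is directly connected, Vlan103
C    10.20.3.0/24 is directly connected, Vlan87
S*   0.0.0.0/0 [1/0] via 10.20.103.2
"""

if __name__ == "__main__":
    for name, capture in (("up", LEASED_LINE_UP), ("down", LEASED_LINE_DOWN)):
        print(f"leased line {name}: {wan_state(capture)}")
```

The same classification can be run against the G350 output by swapping the regular expression for its tabular format; the decision rule (specific OSPF routes present versus only the default route) is the one the text applies by eye.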
4.3. VPN Status

The following shows how to check the VPN status on the Cisco PIX and the Avaya SG203. Use the command show crypto isakmp sa on the Cisco PIX to display the current IKE SA:

pixfirewall# show crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
                                     QM_IDLE         0           15

Use the command show crypto ipsec sa on the Cisco PIX to display the current IPSec status. The following shows one IPSec tunnel between a /24 network in the main office and a /24 network in the small office:

pixfirewall# show crypto ipsec sa
interface: outside
    Crypto map tag: mapforsgs, local addr

   local  ident (addr/mask/prot/port): ( / /0/0)
   remote ident (addr/mask/prot/port): ( / /0/0)
   current_peer:
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2242, #pkts encrypt: 2242, #pkts digest 2242
    #pkts decaps: 2496, #pkts decrypt: 2496, #pkts verify 2496
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: , remote crypto endpt.:
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 62809c88

     inbound esp sas:
      spi: 0xa2da9a9c(2732235420)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 16, crypto map: mapforsgs
        sa timing: remaining key lifetime (k/sec): ( /7668)
        IV size: 8 bytes
        replay detection support: Y

     outbound esp sas:
      spi: 0x62809c88(1652595848)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 15, crypto map: mapforsgs
        sa timing: remaining key lifetime (k/sec): ( /7668)
        IV size: 8 bytes
        replay detection support: Y
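As an added example, not from these Application Notes, the following Python script parses PIX show crypto ipsec sa output of the shape shown above and reports the conditions an operator looks for first when a tunnel is "up" but calls fail: zero encapsulated packets (the crypto access list is not matching, typically because the traffic was NATed first), zero decapsulated packets (the peer's access list or the return path), non-zero send/receive errors, a transform set other than the one configured, replay detection disabled, and an SA close to its rekey time. The sample output is constructed from the page's output with placeholder addresses; the counters and SPIs are the ones shown above.

```python
"""Added example (not from the Avaya Application Notes): health check on PIX
'show crypto ipsec sa' output.  Addresses in the sample are placeholders."""
import re

COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify):? (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors (\d+)")
EXPECTED_TRANSFORM = "esp-3des esp-sha-hmac"   # the SG203-Set of Section 3.4


def _sa_block(block):
    """Details of one ESP SA (inbound or outbound) from its lines of the output."""
    spi = re.search(r"spi: 0x([0-9a-fA-F]+)", block)
    transform = re.search(r"transform: ([^,\n]+?)\s*,", block)
    life = re.search(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)", block)
    replay = re.search(r"replay detection support: (\w)", block)
    if not (spi and transform and life and replay):
        return None
    return {"spi": spi.group(1), "transform": transform.group(1).strip(),
            "kb_left": int(life.group(1)), "sec_left": int(life.group(2)),
            "replay": replay.group(1) == "Y"}


def parse_ipsec_sa(text):
    """Counters, crypto endpoints and the per-direction SA details."""
    info = {"counters": {k: int(v) for k, v in COUNTER_RE.findall(text)},
            "errors": {k: int(v) for k, v in ERROR_RE.findall(text)}}
    m = re.search(r"local crypto endpt\.: (\S+), remote crypto endpt\.: (\S+)", text)
    info["local_endpt"], info["remote_endpt"] = m.groups() if m else (None, None)
    info["sas"] = {}
    for direction in ("inbound", "outbound"):
        # each SA block runs from its header to the next blank line (or end of output)
        m = re.search(rf"{direction} esp sas:\n(.*?)(?:\n\s*\n|\Z)", text, re.S)
        info["sas"][direction] = _sa_block(m.group(1)) if m else None
    return info


def check_tunnel(text, expected_transform=EXPECTED_TRANSFORM, min_sec_left=300):
    """Findings for the operator; an empty list means the SA looks healthy."""
    sa = parse_ipsec_sa(text)
    findings = []
    if not sa["counters"].get("encaps"):
        findings.append("no packets encrypted towards the peer: crypto ACL not matching "
                        "(or traffic translated before the crypto map)")
    if not sa["counters"].get("decaps"):
        findings.append("no packets received from the peer: check the peer's crypto ACL and the path")
    findings += [f"{k} errors: {v}" for k, v in sa["errors"].items() if v]
    for direction, d in sa["sas"].items():
        if d is None:
            findings.append(f"no {direction} ESP SA (phase 2 not established)")
            continue
        if d["transform"] != expected_transform:
            findings.append(f"{direction} transform {d['transform']!r} differs from {expected_transform!r}")
        if not d["replay"]:
            findings.append(f"{direction} SA has replay detection off")
        if d["sec_left"] < min_sec_left:
            findings.append(f"{direction} SA rekeys in {d['sec_left']} s")
    return findings


# Constructed sample in the shape of the output above (placeholder addresses).
SAMPLE = """interface: outside
    Crypto map tag: mapforsgs, local addr 192.0.2.1

   local  ident (addr/mask/prot/port): (10.20.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
   current_peer: 198.51.100.1
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2242, #pkts encrypt: 2242, #pkts digest 2242
    #pkts decaps: 2496, #pkts decrypt: 2496, #pkts verify 2496
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.0.2.1, remote crypto endpt.: 198.51.100.1
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 62809c88

     inbound esp sas:
      spi: 0xa2da9a9c(2732235420)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 16, crypto map: mapforsgs
        sa timing: remaining key lifetime (k/sec): (4607998/7668)
        IV size: 8 bytes
        replay detection support: Y

     outbound esp sas:
      spi: 0x62809c88(1652595848)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 15, crypto map: mapforsgs
        sa timing: remaining key lifetime (k/sec): (4607998/7668)
        IV size: 8 bytes
        replay detection support: Y
"""

if __name__ == "__main__":
    print(check_tunnel(SAMPLE) or "SA healthy")
```

Feed the script the output captured from the PIX (one tunnel at a time, since the PIX prints one block per crypto map entry); the interesting case in this setup is the one-way counter pattern, which almost always means one side's access list or NAT exemption does not list the pair in question.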
Log on to the Avaya SG203 Web interface and navigate to Monitor > VPNs. Click IKE SA, and then Refresh, to check the IKE SA status (Figure 5).

Figure 5: ISAKMP SA Status on the Avaya SG203

Click IPSec SA, and then Refresh, to check the IPSec SA status (Figure 6).

Figure 6: IPSec Status on the Avaya SG203

To troubleshoot VPN problems, use the debug commands debug crypto engine and debug crypto isakmp on the Cisco PIX, and check the IKE log on the Avaya SG203 Security Gateway by navigating to Monitor > Logs > IKE Log. Refer to the administration guides for the Cisco PIX and the Avaya SG203 for detailed information on firewall configuration.

5. Conclusion

As illustrated by these Application Notes, the Avaya SG203 and the Cisco PIX can be configured to establish a VPN tunnel across the Internet to back up a leased line between the main office and the small office. When the leased line is down, the VPN tunnel is used automatically as a backup; the leased line is used whenever it is active. This backup configuration also applies to the Avaya G700 Media Gateway with an X330 WAN module.
6. Additional References

Application Notes:
[1] Configuring Avaya Communication Manager for Avaya S8700 Media Servers and Avaya G600 Media Gateways Controlling Avaya G350 Media Gateways with Avaya S8300 Media Servers as Local Survivable Processors

Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes. Please e-mail any questions or comments pertaining to these Application Notes, along with the full title name and filename located in the lower right corner, directly to the Avaya Solution & Interoperability Test Lab.
More informationSecurizarea Calculatoarelor și a Rețelelor 29. Monitorizarea și depanarea VPN-urilor IPSec Site-to-Site
Platformă de e-learning și curriculă e-content pentru învățământul superior tehnic Securizarea Calculatoarelor și a Rețelelor 29. Monitorizarea și depanarea VPN-urilor IPSec Site-to-Site Site-to-Site IPsec
More informationConfiguring Secrets Management on the Avaya G250 and G350 Media Gateways - Issue 1.0
Avaya Solution & Interoperability Test Lab Configuring Secrets Management on the Avaya G250 and G350 Media Gateways - Issue 1.0 Abstract Previous releases of the Avaya G250 and G350 Media Gateways maintained
More informationCradlepoint to Palo Alto VPN Example. Summary. Standard IPSec VPN Topology. Global Leader in 4G LTE Network Solutions
Cradlepoint to Palo Alto VPN Example Summary This configuration covers an IPSec VPN tunnel setup between a Cradlepoint Series 3 router and a Palo Alto firewall. IPSec is customizable on both the Cradlepoint
More informationAbstract. Avaya Solution & Interoperability Test Lab
Avaya Solution & Interoperability Test Lab Configuring Avaya W310 Mobility Gateway with the Avaya W110 Light Access Point for Avaya Wireless IP Telephones and Avaya IP Softphone in an Avaya IP Telephony
More informationConfiguring Redundant Routing on the VPN 3000 Concentrator
Configuring Redundant Routing on the VPN 3000 Concentrator Document ID: 13354 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Network Diagram Router Configurations
More informationASA Has High CPU Usage Due to a Traffic Loop When VPN Clients Disconnect
ASA Has High CPU Usage Due to a Traffic Loop When VPN Clients Disconnect Contents Introduction Prerequisites Requirements Components Used Background Information Problem: Packets Destined for a Disconnected
More informationAbstract. Avaya Solution & Interoperability Test Lab
Avaya Solution & Interoperability Test Lab Application Notes for Configuring the Expand Networks Accelerator 4820 with Avaya IP Telephony through Avaya SG203 and SG208 Security Gateways - Issue 1.0 Abstract
More informationCisco PIX. Interoperability Guide
Cisco PIX Interoperability Guide Copyright 2004, F/X Communications. All Rights Reserved. The use and copying of this product is subject to a license agreement. Any other use is strictly prohibited. No
More informationEIGRP on SVTI, DVTI, and IKEv2 FlexVPN with the "IP[v6] Unnumbered" Command Configuration Example
EIGRP on SVTI, DVTI, and IKEv2 FlexVPN with the "IP[v6] Unnumbered" Command Configuration Example Document ID: 116346 Contributed by Michal Garcarz and Olivier Pelerin, Cisco TAC Engineers. Sep 18, 2013
More informationGoogle Cloud VPN Interop Guide
Google Cloud VPN Interop Guide Using Cloud VPN With Cisco ASA Courtesy of Cisco Systems, Inc. Unauthorized use not permitted. Cisco is a registered trademark or trademark of Cisco Systems, Inc. and/or
More informationLab 6-1 Configuring a WLAN Controller
Lab 6-1 Configuring a WLAN Controller Topology Diagram Scenario In the next two labs, you will configure a wireless solution involving a WLAN controller, two lightweight wireless access points, and a switched
More informationApplication Notes for Mirage Networks Endpoint Controller in an Avaya IP Telephony Infrastructure Issue 1.0
Avaya Solution & Interoperability Test Lab Application Notes for Mirage Networks Endpoint Controller in an Avaya IP Telephony Infrastructure Issue 1.0 Abstract These Application Notes describe a configuration
More informationIPsec Anti-Replay Window Expanding and Disabling
IPsec Anti-Replay Window Expanding and Disabling Cisco IP security (IPsec) authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence
More informationConfiguring VPN from Proventia M Series Appliance to Proventia M Series Appliance
Configuring VPN from Proventia M Series Appliance to Proventia M Series Appliance January 13, 2004 Overview Introduction This document describes how to configure a VPN tunnel from one Proventia M series
More informationLab 5-1 Hot Standby Router Protocol
Lab 5-1 Hot Standby Router Protocol Topology Diagram Objective Configure inter-vlan routing with HSRP to provide redundant, fault tolerant routing to the internal network. Scenario Step 1 HSRP provides
More informationConfiguring Router to Router IPsec (Pre shared Keys) on GRE Tunnel with IOS Firewall and NAT
Configuring RoutertoRouter IPsec (Preshared Keys) on GRE Tunnel with IOS Firewall and NAT Document ID: 9221 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information
More informationRealCiscoLAB.com. Configure inter-vlan routing with HSRP to provide redundant, fault-tolerant routing to the internal network.
RealCiscoLAB.com CCNPv6 SWITCH Hot Standby Router Protocol Topology Objective Background Configure inter-vlan routing with HSRP to provide redundant, fault-tolerant routing to the internal network. Hot
More informationIPsec Data Plane Configuration Guide
Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION
More informationVirtual Private Networks
EN-2000 Reference Manual Document 8 Virtual Private Networks O ne of the principal features of routers is their support of virtual private networks (VPNs). This document discusses transmission security,
More informationConfiguring G350 dynamic-cac for branch offices with a Cisco WAN router
Configuring G350 dynamic-cac for branch offices with a Cisco WAN router Abstract Call Admission Control (CAC) is the capability to avoid QoS degradation due to VoIP congestion on low bandwidth WAN links
More informationHOW TO CONFIGURE AN IPSEC VPN
HOW TO CONFIGURE AN IPSEC VPN LAN to LAN connectivity over a VPN between a MRD-455 4G router and a central ADSL-350 broadband router with fixed IP address Introduction What is an IPSec VPN? IPSec VPN s
More informationConfiguring a VPN Using Easy VPN and an IPSec Tunnel, page 1
Configuring a VPN Using Easy VPN and an IPSec Tunnel This chapter provides an overview of the creation of Virtual Private Networks (VPNs) that can be configured on the Cisco 819, Cisco 860, and Cisco 880
More informationConfiguring the Avaya SG203 Security Gateway to Support H.323 IP Trunking over Port Network Address Translation (PNAT) - Issue 1.0
Configuring the Avaya SG203 Security Gateway to Support H.323 IP Trunking over Port Network Address Translation (PNAT) - Issue 1.0 Abstract These Application Notes describe how to configure the Avaya SG203
More informationSite-to-Site VPN. VPN Basics
A virtual private network (VPN) is a network connection that establishes a secure tunnel between remote peers using a public source, such as the Internet or other network. VPNs use tunnels to encapsulate
More informationIPv6 over DMVPN. Finding Feature Information
This document describes how to implement the Dynamic Multipoint VPN for IPv6 feature, which allows users to better scale large and small IPsec Virtual Private Networks (VPNs) by combining generic routing
More informationFlexVPN HA Dual Hub Configuration Example
FlexVPN HA Dual Hub Configuration Example Document ID: 118888 Contributed by Piotr Kupisiewicz, Wen Zhang, and Frederic Detienne, Cisco TAC Engineers. Apr 08, 2015 Contents Introduction Prerequisites Requirements
More informationLab Configuring 802.1Q Trunk-Based Inter-VLAN Routing (Instructor Version Optional Lab)
(Instructor Version Optional Lab) Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only. Optional activities are designed to enhance understanding and/or
More informationSwift Migration of IKEv1 to IKEv2 L2L Tunnel Configuration on ASA 8.4 Code
Swift Migration of IKEv1 to IKEv2 L2L Tunnel Configuration on ASA 8.4 Code Contents Introduction Prerequisites Requirements Components Used Conventions Why Migrate to IKEv2? Migration Overview Migration
More informationIKEv2 with Windows 7 IKEv2 Agile VPN Client and Certificate Authentication on FlexVPN
IKEv2 with Windows 7 IKEv2 Agile VPN Client and Certificate Authentication on FlexVPN Document ID: 115907 Contributed by Praveena Shanubhogue and Atri Basu, Cisco TAC Engineers. May 20, 2013 Contents Introduction
More informationConfiguring VPN from Proventia M Series Appliance to NetScreen Systems
Configuring VPN from Proventia M Series Appliance to NetScreen Systems January 13, 2004 Overview This document describes how to configure a VPN tunnel from a Proventia M series appliance to NetScreen 208
More informationPre-Fragmentation for IPSec VPNs
Pre-Fragmentation for IPSec VPNs Feature History Release 12.1(11b)E 12.2(13)T 12.2(14)S Modification This feature was introduced. This feature was integrated into Cisco IOS Release 12.2(13)T. This feature
More informationHow to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP
How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP If you are using the Amazon Virtual Private Cloud, you can transparently extend your local network to the cloud by connecting both networks
More informationIPSec Virtual Private Networking (VPN) between Avaya G250-BRI Media Gateway and Juniper Networks NetScreen-25 VPN Gateway - Issue 1.
Avaya Solution & Interoperability Test Lab IPSec Virtual Private Networking (VPN) between Avaya G250-BRI Media Gateway and Juniper Networks NetScreen-25 VPN Gateway - Issue 1.0 Abstract These Application
More informationHow to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP
How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP If you are using the Amazon Virtual Private Cloud, you can transparently extend your local network to the cloud by connecting both networks
More informationDMVPN to Group Encrypted Transport VPN Migration
DMVPN to Group Encrypted Transport VPN Migration This document provides the steps for Dynamic Multipoint VPN (DMVPN) to Group Encrypted Transport VPN migration. DMVPN to Group Encrypted Transport VPN Migration
More informationLab Configuring Per-Interface Inter-VLAN Routing (Solution)
(Solution) Topology Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway R1 G0/0 192.168.20.1 255.255.255.0 N/A G0/1 192.168.10.1 255.255.255.0 N/A S1 VLAN 10 192.168.10.11
More informationImplementing Traffic Filters and Firewalls for IPv6 Security
Implementing Traffic Filters and Firewalls for IPv6 Security Last Updated: August 1, 2012 This module describes how to configure Cisco IOS IPv6 traffic filter and firewall features for your Cisco networking
More informationCCNA Security 1.0 Student Packet Tracer Manual
1.0 Student Packet Tracer Manual This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and exclusive use by instructors
More informationLab Configuring Per-Interface Inter-VLAN Routing (Instructor Version)
(Instructor Version) Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only. Topology Addressing Table Objectives Device Interface IP Address Subnet Mask
More informationAnyConnect to IOS Headend Over IPsec with IKEv2 and Certificates Configuration Example
AnyConnect to IOS Headend Over IPsec with IKEv2 and Certificates Configuration Example Document ID: 115014 Contributed by Marcin Latosiewicz and Atri Basu, Cisco TAC Engineers. Jan 18, 2013 Contents Introduction
More informationIPsec Dead Peer Detection Periodic Message Option
IPsec Dead Peer Detection Periodic Message Option First Published: May 1, 2004 Last Updated: March 24, 2011 The feature is used to configure the router to query the liveliness of its Internet Key Exchange
More informationAbstract. Avaya Solution & Interoperability Test Lab
Avaya Solution & Interoperability Test Lab Application Notes for Configuring SonicWALL VPN for Supporting H.323 Trunk and Station Traffic to Avaya Communication Manager and Avaya IP Office - Issue 1.0
More informationConfiguring the PIX Firewall and VPN Clients Using PPTP, MPPE and IPSec
Configuring the PIX Firewall and VPN Clients Using PPTP, MPPE and IPSec Document ID: 14095 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Network Diagram Configurations
More informationHow to Configure Forcepoint NGFW Route-Based VPN to AWS with BGP TECHNICAL DOCUMENT
How to Configure Forcepoint NGFW Route-Based VPN to AWS with BGP TECHNICAL DOCUMENT Table of Contents TABLE OF CONTENTS 1 INTRODUCTION 2 AWS Configuration: 2 Forcepoint Configuration 3 APPENDIX 7 Troubleshooting
More informationDocument ID: Contents. Introduction. Prerequisites. Requirements. Introduction. Prerequisites Requirements
Products & Services ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example Document ID: 70559 Contents Introduction Prerequisites Requirements Components Used Related Products Conventions Background
More informationZyWALL 70. Internet Security Appliance. Quick Start Guide Version 3.62 December 2003
ZyWALL 70 Internet Security Appliance Quick Start Guide Version 3.62 December 2003 Introducing the ZyWALL The ZyWALL 70 is the ideal secure gateway for all data passing between the Internet and the LAN.
More informationTable of Contents. Cisco IPSec Tunnel through a PIX Firewall (Version 7.0) with NAT Configuration Example
Table of Contents IPSec Tunnel through a PIX Firewall (Version 7.0) with NAT Configuration Example...1 Document ID: 63881...1 Introduction...1 Prerequisites...2 Requirements...2 Components Used...2 Conventions...2
More informationLab Configure a Router with the IOS Intrusion Prevention System
Lab 2.1.6 Configure a Router with the IOS Intrusion Prevention System Objective Scenario Topology In this lab, the students will complete the following tasks: Initialize the Intrusion Protection System
More informationSEC _05_2001_c , Cisco Systems, Inc. All rights reserved.
1 Troubleshooting the Implementation of IPSec VPNs Session 3 Virtual Private Network (VPN) Defined A Virtual Private Network carries private traffic over public network. 4 The Complete VPN Supplier Service
More informationConfiguration of an IPSec VPN Server on RV130 and RV130W
Configuration of an IPSec VPN Server on RV130 and RV130W Objective IPSec VPN (Virtual Private Network) enables you to securely obtain remote access to corporate resources by establishing an encrypted tunnel
More informationIPSec. Overview. Overview. Levente Buttyán
IPSec - brief overview - security associations (SAs) - Authentication Header (AH) protocol - Encapsulated Security Payload () protocol - combining SAs (examples) Overview Overview IPSec is an Internet
More information