Cisco IOS Notes

We recently had to set up an IPSEC VPN from one of our offices to a client. The client recommended a Cisco 806 with the crypto module, which we picked up on eBay for about $150 or so. The main problem was to figure out IOS, with a bit of help from the client to set up the crypto sections, in a couple of days. I had played a little with IOS before to set up an ISDN box for a particular project, but that was a long time ago.

Here’s a tutorial: http://www.fantek.org/cisco/wpbascom.htm, which is nice for starting out in IOS but not too useful for what we wanted. The main resources were the two O’Reilly books, Cisco Cookbook and Cisco IOS in a Nutshell, which we ordered from Barnes & Noble, mainly for the same-day delivery in Manhattan. Both seem pretty good, with the Cookbook very interesting: you have scenarios, sample scripts and discussions of these scripts.

The script provided by the client established the basic VPN:

crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key XXXXXX address 999.999.999.999
!
crypto ipsec transform-set MyVPN esp-3des esp-md5-hmac
!
crypto map MyVPN 1 ipsec-isakmp
set peer 999.999.999.999
set transform-set MyVPN
match address 100
!
access-list 100 permit ip my.vpn.ip.addr 0.0.0.255 client.vpn.ip.addr 0.0.0.255
access-list 199 permit udp any any eq isakmp
access-list 199 permit ahp any any
access-list 199 permit esp any any
access-list 199 permit ip client.vpn.ip.addr 0.0.0.255 my.vpn.ip.addr 0.0.0.255
!
interface Ethernet1
 ip address 999.999.999.999 255.255.255.0
 ip access-group 199 in
 no cdp enable
 crypto map MyVPN

So, we define the IPSEC parameters (pre-shared key, peer, mechanisms in the form of the transform set) and define the crypto map with an access-list that selects the traffic to be encrypted. This is different from, say, CIPE, in that we don’t set up virtual ethernet interfaces and route through those. The crypto map is then assigned to the external ethernet interface of the router.

The problem with this basic script is that the my.vpn.ip.addr network was assigned to us by the client, and doesn’t match up with any of our defined networks. Ethernet0 on the Cisco actually uses a completely different IP address. To accommodate this, we have to define a NAT that will take our IP addresses and map them to the my.vpn.ip.addr network:

ip nat pool NATPOOL my.vpn.ip.2 my.vpn.ip.100 netmask 255.255.255.0
ip nat inside source list 15 pool NATPOOL
ip nat inside source static my.real.ip.1 my.vpn.ip.1
access-list 15 permit my.real.net.0 0.0.0.255
!
interface Ethernet0
 ip address my.real.ip.1 255.255.255.0
 ip nat inside
interface Ethernet1
 ip nat outside

This creates a NAT pool, so that we have 1-1 mappings of real hosts with NAT’ed hosts, or at least 98 such hosts. Any traffic matching list 15 that enters on Ethernet0 undergoes this mapping. We also create a static NAT so that the router’s Ethernet0 interface is pingable by the client. Ethernet0 is then tagged as the NAT inside interface and Ethernet1 as the NAT outside interface.

This setup then fulfills the crypto requirement of translating our IPs to the client-assigned IPs required for the VPN (or at least the firewall on their side). This took a while to figure out, since I kept on leaving out a keyword or two in various places when trying to set up the NAT. Also, debugging was slowed because I didn’t have a box in the DMZ from which to test: I think half the testing time went into looking for IOS scripting issues when the problem was most likely with the iptables rules I had set up for DMZ access.
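The two fragments above only work together if the crypto access-list matches the translated (my.vpn) network rather than the real inside network, because IOS applies inside-to-outside NAT before the crypto map on outbound traffic. The following Python script is an added example, not part of the post: it parses a constructed copy of the crypto ACL, NAT pool, inbound ACL and peer statements (placeholders replaced with RFC 5737 documentation addresses) and reports which of those consistency conditions hold.

```python
"""Consistency checks for an IOS IPsec + NAT fragment (constructed sample values)."""
import ipaddress
import re

# Constructed sample: the post's placeholders replaced with documentation addresses.
# 10.1.1.0/24 = real inside net, 192.0.2.0/24 = client-assigned (NAT pool) net,
# 198.51.100.0/24 = client's net, 203.0.113.1 = peer.
CONFIG = """
crypto isakmp key XXXXXX address 203.0.113.1
crypto map MyVPN 1 ipsec-isakmp
 set peer 203.0.113.1
 match address 100
access-list 100 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
access-list 199 permit udp any any eq isakmp
access-list 199 permit esp any any
access-list 199 permit ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255
ip nat pool NATPOOL 192.0.2.2 192.0.2.100 netmask 255.255.255.0
ip nat inside source list 15 pool NATPOOL
access-list 15 permit 10.1.1.0 0.0.0.255
"""


def wildcard_net(addr, wildcard):
    """Convert an IOS address + wildcard mask pair into an IPv4Network."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def check_vpn_config(config):
    """Return {check name: bool} for the NAT/crypto consistency conditions."""
    acl = {}  # ACL number -> list of (source net, destination net)
    for m in re.finditer(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", config, re.M):
        acl.setdefault(m[1], []).append((wildcard_net(m[2], m[3]), wildcard_net(m[4], m[5])))
    pool = re.search(r"^ip nat pool \S+ (\S+) \S+ netmask (\S+)", config, re.M)
    pool_net = ipaddress.IPv4Network(f"{pool[1]}/{pool[2]}", strict=False)
    crypto_acl = re.search(r"^ match address (\d+)", config, re.M)[1]
    local, remote = acl[crypto_acl][0]
    peers = set(re.findall(r"^(?:crypto isakmp key \S+ address| set peer) (\S+)", config, re.M))
    return {
        # NAT runs before the crypto map outbound, so the crypto ACL must match the pool net;
        # matching the real net would send traffic out untranslated and unencrypted.
        "crypto_acl_matches_nat_pool": local == pool_net,
        # The inbound ACL must admit the decrypted return traffic (client net -> pool net).
        "inbound_acl_mirrors_crypto_acl": (remote, local) in acl.get("199", []),
        # IKE and ESP must be allowed in for the tunnel to come up at all.
        "inbound_acl_allows_isakmp_esp": bool(re.search(r"^access-list 199 permit udp any any eq isakmp$", config, re.M))
        and bool(re.search(r"^access-list 199 permit esp any any$", config, re.M)),
        # The pre-shared key address and the crypto map peer must be the same host.
        "isakmp_key_and_peer_agree": len(peers) == 1,
    }
```

Running `check_vpn_config(CONFIG)` on the sample returns all-True; changing the ACL 100 source to the real 10.1.1.0 network flips the first two checks to False, which is exactly the mistake the NAT fragment exists to avoid.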

Conclusions so far? IOS is mysterious and powerful. The O’Reilly books are surprisingly large for a language that is meant to just set up routers. What we did was also relatively minor stuff: the real magic, why Cisco CCNAs get paid the big bucks, is in setting up routing. That’s the bulk of these books.
