ccna np

ccna np.R1 (config)^interface gigabitEthernetO/0Rl(config-if)#ip nat inside R1 (config)#access-list 100 deny ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.0.255//Exclude VPN traffic of interest when performing NAT R1 (config)#access-list 100 permit ip 172.16.1.0 0.0.0.255 any Rl(config)#ip nat insidesource list 100 interface serial0/0/0 overload Rl(config)#ip route 0.0.0.0 0.0.0.0.0 serial 0/0/0(2)Configure router R2 R2(config)#ip route 61.0.0.0 255.255.255.0 serial0/0/l (3)Configure router R3 R3(config)#ip route 202.96.134.0 255.255.255.255.0 serialO/0/1 (4)Configure router R4 R4(config)#crypto isakmp policy 10 R4(config-isakmp)#encryption aes R4(config-isakmp)#authentication pre-share.376 . Cisco Networking Lab CCNA Lab Guide (Release 2)R4(config-isakmp)#hash sha R4(config-isakmp)#group 5 R4(config-isakmp)#exit R4(config)#crypto isakmp key cisco address 202.96.134.1 R4(config )#crypto ipsec transform-set TRAN esp-aes esp-sha-hmac R4(cfg-crypto-trans)# mode tunnel R4(cfg-crypto-trans)#exit R4(config)#ip access-list extended VPNR4(config-ext-nacl)#permit ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255 R4(config)#crypto map MAP 10 ipsec-isakmp R4(config-crypto -map)#set peer202.96.134.1 R4(config-crypto-map)#set transform-set TRAN R4(config-crypto-map)#reverse-route static R4(config-crypto-map)# match address VPN R4(config-crypto-map)#exit R4(config)#interface serialO/O/O R4(config-if)#crypto map MAP R4(config-if)#ip nat outside R4( config)#interface gigabitEthernetO/O R4(config-if)#ip nat inside R4(config)#access-list 100 denyip 172.16.4.00.0.0.255172.16.1.00.0.0. 255R4(config)#access-list 100permit ip172.16.4.0 0.0.0.255 any R4(config)#ip nat inside source list 100 interface serialO/0/0 overload R4(config)#ip route 0.0.0.0 0.0.0.0.0.0.0.0 serial 0/0/0(1) View routing information show ip route 1 Rl#show ip route 172.16.0.0/24 is subnetted, 3 subnets, 2 masks S 172.16.4.0(1/01 via 61.0.0.4 S* 0.0.0.0/0 is directly connected, Serial0/0/0 2 R4#show ip routeS* 0.0.0.0/0 is directly connected, Serial0/0/0 172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks S 172.16.1.0/24 11/0] via 202.96.134.1The output of and above shows that a static route already exists on routers R1 and R2, even though the VPN tunnel has not yet been established, and the route was added to the routing table by reverse route injection, with the next hop being the public IP address of the VPN peer. (2) Use the ping command to test the connectivity Rl#ping 172.16.4.4 source 172.16.1.1 to trigger the establishment of the IPSecVPN tunnel to enable the communication between the remote office and the private network of the headquarters Type escape sequence to abort. Sending 5,100-byte ICMP Echos to 172.16.4.4, timeout is 2 seconds: Packet sent with a source address of172.16.1.1 !!!!! Success rateis 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms If you execute the debug crypto isakmp command on R1 before the above command is executed, you can clearly see the IKE phase 1 and phase 2 exchange process. The specific output information is not given here, so the reader is invited to debug and observe by themselves. (3) To view the active IPSec VPN session information Rl#show crypto engine connections active to view the active IPSec VPN session information Crypto Engine Connectionscrypto engine connections ID Type Algorithm EncryptDecrypt LastSeqNIP-Address 1001 IKE SHA+AES 0 0 0202.96.134.1 2001 IPsec AES+SHA 0 19 19202.96.134.1 2002 IPsec AES+SHA 19 0 0202.96.134.1 Chapter 19 Branching Connections . 377 . The above output shows the basic information of IKE and IPSec in the active VPN session, including session ID,session type,encryption and authentication algorithm, number of encrypted and decrypted packets, serial number of the last packet, and IP address of the local encryption point, where IPSec encryption and decryption are separate sessions, and you can see that 19 packets each were encrypted and decrypted. (4) To view isakmp policy information Rl#show crypto isakmp policyisakmp Global IKE policy IKE Protection suite ofpriority 10 encryption algorithm: AES -Advanced Encryption Standard (128 bit keys). encryption algorithm: AES -Advanced Encryption Standard (128 bit keys). hash algorithm: Secure Hash Standard //HASH algorithm authentication method: Pre-Shared Key Authentication method Diffie-Hellman group: #5 (1536 bit) //DH group lifetime: 86400 seconds, no volume limit Survival time (5)Check the information of IPSec conversion set Rl#show crypto ipsec transform-set to view the information of IPSec transform set Transform set TRAN: { esp-aes esp>sha-hmac }Configured transform set name and encryption and authentication algorithm will negotiate ={ Tunnel, },Working mode is tunnel mode Transformsetdefault:{esp-aesesp-sha-hmac }The default transfer set name and encryption and authentication algorithm willnegotiate =( Transport. },Operating mode is transport mode (6) Check the information of crypto map R1 #show crypto map to see the information of crypto map Crypto Map MAP" 10 ipsec-isakmp named MAP, number 10 configuration Peer = 61.0.0.4 //VPN peer address Extended IP access Ust VPN //VPN traffic of interest