Secured Path via Public Network using IPSec [No Tunnel]

Posted on April 1, 2008. Filed under: Cisco, IPsec, security |

Securing your private traffic over a public network without establishing a tunnel?
The scheme below is the config at the first site. Its purpose is to secure traffic from host 192.168.32.13 only to hosts 78.74.95.90 and 78.74.95.94,
by mapping that traffic with a crypto map and encrypting it with IPsec.

Here is the config:

SITE A:

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key S3CUR3D-P4TH address 192.168.27.2
!
!
crypto ipsec transform-set r3m0t3 esp-3des esp-sha-hmac
!
crypto map secured-path 1 ipsec-isakmp
description to-REMOTE-SITE
set peer 192.168.27.2
set security-association lifetime seconds 28800
set transform-set r3m0t3
set pfs group2
match address 133

interface GigabitEthernet0/3.11
description SECURED-SEGMENT-32-0/23
encapsulation dot1Q 11
ip address 192.168.33.32 255.255.254.0
crypto map secured-path

access-list 133 remark SECURED-SEGMENT-MAPPED-IPSec
access-list 133 permit ip host 192.168.32.13 host 78.74.95.90
access-list 133 permit ip host 192.168.32.13 host 78.74.95.94
access-list 133 deny   ip any any

SITE B:

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key S3CUR3D-P4TH address 192.168.33.32
!
!
crypto ipsec transform-set r3m0t3 esp-3des esp-sha-hmac
!
crypto map secured-path 1 ipsec-isakmp
description to-SITE-A
set peer 192.168.33.32
set security-association lifetime seconds 28800
set transform-set r3m0t3
set pfs group2
match address 133

interface GigabitEthernet0/3.11
description SECURED-SEGMENT-32-0/23
encapsulation dot1Q 11
ip address 192.168.27.2 255.255.255.0
crypto map secured-path

access-list 133 remark SECURED-SEGMENT-MAPPED-IPSec
access-list 133 permit ip host 78.74.95.90 host 192.168.32.13
access-list 133 permit ip host 78.74.95.94 host 192.168.32.13
access-list 133 deny   ip any any
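A crypto map pair like the one above only brings up security associations when both sides agree: the pre-shared key must be bound to the address the peer actually uses, each side's `set peer` must be the other side's interface address, the transform sets must match, and the two crypto ACLs must be mirror images of each other. The script below is an added example (not part of the original post) that parses the relevant lines of the two site configs and checks those properties. It also evaluates the crypto ACL for a given flow, which makes one point visible that the config itself does not: a flow that hits the `deny ip any any` entry (or matches nothing) is not dropped, it leaves the interface unencrypted, so only the two listed destinations are protected. The parser is deliberately small and handles only `host`/`any` entries; wildcard-mask ACEs, PFS and ISAKMP policy matching are not modelled.

```python
"""Consistency checks for the two crypto-map configurations in the post.

Added example, not part of the original post. Parses the security-relevant
lines of SITE A and SITE B (copied from the post), checks key/peer/transform-
set agreement and mirror-image crypto ACLs, and evaluates which flows the
crypto ACL protects. Only 'host' and 'any' ACL entries are supported.
"""
import re
from dataclasses import dataclass, field

# Relevant lines of SITE A and SITE B, copied from the configs in the post.
SITE_A = """
crypto isakmp key S3CUR3D-P4TH address 192.168.27.2
crypto ipsec transform-set r3m0t3 esp-3des esp-sha-hmac
crypto map secured-path 1 ipsec-isakmp
 set peer 192.168.27.2
 set transform-set r3m0t3
 match address 133
interface GigabitEthernet0/3.11
 ip address 192.168.33.32 255.255.254.0
access-list 133 permit ip host 192.168.32.13 host 78.74.95.90
access-list 133 permit ip host 192.168.32.13 host 78.74.95.94
access-list 133 deny   ip any any
"""
SITE_B = """
crypto isakmp key S3CUR3D-P4TH address 192.168.33.32
crypto ipsec transform-set r3m0t3 esp-3des esp-sha-hmac
crypto map secured-path 1 ipsec-isakmp
 set peer 192.168.33.32
 set transform-set r3m0t3
 match address 133
interface GigabitEthernet0/3.11
 ip address 192.168.27.2 255.255.255.0
access-list 133 permit ip host 78.74.95.90 host 192.168.32.13
access-list 133 permit ip host 78.74.95.94 host 192.168.32.13
access-list 133 deny   ip any any
"""


@dataclass
class Site:
    name: str
    interface_ip: str = ""
    peer: str = ""
    map_transform: str = ""
    match_acl: str = ""
    psk: dict = field(default_factory=dict)             # peer address -> key
    transform_sets: dict = field(default_factory=dict)  # name -> transforms
    acls: dict = field(default_factory=dict)            # number -> [(action, src, dst)]


def _endpoints(spec):
    """Turn 'host A host B' or 'any any' into (src, dst); wildcard masks not modelled."""
    tokens, out = spec.split(), []
    while tokens:
        tok = tokens.pop(0)
        if tok == "host":
            out.append(tokens.pop(0))
        elif tok == "any":
            out.append("any")
        else:
            raise ValueError(f"unsupported address spec: {spec}")
    return tuple(out)


def parse_site(name, text):
    """Extract the crypto-map related settings from one site's config text."""
    site = Site(name)
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            site.psk[m.group(2)] = m.group(1)
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            site.transform_sets[m.group(1)] = tuple(m.group(2).split())
        elif m := re.match(r"set peer (\S+)", line):
            site.peer = m.group(1)
        elif m := re.match(r"set transform-set (\S+)", line):
            site.map_transform = m.group(1)
        elif m := re.match(r"match address (\S+)", line):
            site.match_acl = m.group(1)
        elif m := re.match(r"ip address (\S+) \S+", line):
            site.interface_ip = m.group(1)
        elif m := re.match(r"access-list (\S+) (permit|deny)\s+ip\s+(.+)", line):
            site.acls.setdefault(m.group(1), []).append((m.group(2),) + _endpoints(m.group(3)))
    return site


def protects(site, src, dst):
    """First-match crypto ACL evaluation: permit = encrypt, deny or no match = sent in clear."""
    for action, ace_src, ace_dst in site.acls.get(site.match_acl, []):
        if ace_src in ("any", src) and ace_dst in ("any", dst):
            return action == "permit"
    return False


def check_pair(a, b):
    """Return a list of mismatches between the two sites; empty means consistent."""
    problems = []
    for near, far in ((a, b), (b, a)):
        if near.peer != far.interface_ip:
            problems.append(f"{near.name} peers with {near.peer} but {far.name} uses {far.interface_ip}")
        if near.peer not in near.psk:
            problems.append(f"{near.name} has no pre-shared key bound to peer {near.peer}")
    if a.psk.get(a.peer) != b.psk.get(b.peer):
        problems.append("pre-shared keys differ")
    if a.transform_sets.get(a.map_transform) != b.transform_sets.get(b.map_transform):
        problems.append("transform sets differ")
    permits = [{(s, d) for act, s, d in x.acls.get(x.match_acl, []) if act == "permit"} for x in (a, b)]
    if {(d, s) for s, d in permits[0]} != permits[1]:
        problems.append("crypto ACLs are not mirror images")
    return problems


if __name__ == "__main__":
    a, b = parse_site("A", SITE_A), parse_site("B", SITE_B)
    print("problems:", check_pair(a, b) or "none")
    for dst in ("78.74.95.90", "78.74.95.91"):  # second address is a constructed, unlisted host
        print(f"A: 192.168.32.13 -> {dst}:", "IPsec" if protects(a, "192.168.32.13", dst) else "cleartext")
```

Run as-is it reports no problems for the pair above and shows that traffic from 192.168.32.13 to a host not listed in access-list 133 goes out in cleartext. Editing one side's key, peer address or ACL before re-running shows how each mismatch surfaces, which is the same information you would otherwise dig out of `debug crypto isakmp` after the SA fails to come up.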

Wassalam
a. rahman isnaini r.sutan
