Lab 1: Site-to-Site IPSec VPN with NAT

CCIE - Practical Implementation of IPsec VPN - Secure DMVPN
29 minutes

Transcript

Hello again, this is your host Habib Zecharia, and this is our first lab for IPsec VPN with a NAT topology. Basically there are two sites, site A and site B. R1 and R2 are considered to be one site location, and R3 will be a remote site or branch office, perhaps. The link between R2 and R3 I'm showing as a pseudo link, but this could also be an internet cloud.

That means R3 can only communicate with R2, but it has no reachability to R1. This is a common scenario at a lot of organizations: a remote site cannot communicate with an internal router, it can only communicate with the edge router. So R2 will behave as our edge router, and R2 will have the NAT configuration. So let's start with task number one: establish connectivity between R1 and R3 using static routes. Task number two is to configure static NAT on R2 so that R1's serial interface 1/0 is seen in R2. That's how R3 will communicate with R1 through R2. The third configuration will be the IPsec VPN configuration.

And as I said, the IPsec configuration has a lot of command lines that we will apply. Basically it's a learning process, and anyone who does this two or three times will get to know how to apply an IPsec VPN. Now, this topology covers the traditional IPsec VPN implementation. In our second lab, which is going to be on DMVPN and how to secure the DMVPN tunnels, we're going to have a much simpler way of doing IPsec VPN. This is basically a very practical lab, and what I advise my students is really to try it, doing it at home and gaining that comfort level. Okay, so let's start. I've started the routers already, so let me bring up R1 and start configuring it.

Some of the configurations are basically a replica, and it's easier if you use a notepad to do that configuration. But anyway, let's start doing it. I hope it's clear and the fonts are clear in the video. So the first thing is R1. We don't have to give it a hostname because it's already showing as R1.

We will start by configuring the loopback interface and giving it an IP address; a loopback usually doesn't need the no shutdown command. Then the serial interface, that's the first interface, and the IP address according to the topology is 120.10.10.1 with its subnet mask. Let me bring up R2 now and give it an IP address too. R2 has another interface. Let's give it a clock rate even though it's not necessary; the best practice on serial interfaces is to always give the clock rate on the DCE side. I think we will go back to R1 and just give it a clock rate as well.

Let me save it. Okay, so let me bring up R3. Okay, the interfaces are up on R3. The other requirement that we want to provide is a static route between the routers. So let me bring back R1 and apply the static route. The default route for R1 is going to be ip route, and all the traffic will be directed to R2's serial interface 1/1, and that IP is 120.10.10.2. Okay, now let me do the same thing for R3.

All the traffic on R3 is directed to R2's serial interface 1/2, which is .2. Okay. Now let me bring up R2. R2 will have two routes: basically one route to reach the loopback interface inside site B and another to the loopback interface inside site A. So let's do that: ip route... I don't know what's happening here... ip route. Let me save the configuration.

Now, basically task two is completed. Task two was... no, task one is completed, with establishing connectivity between R1 and R3 using static routes. So let me bring up R1 and we will ping R3's loopback interface. So ping 30.30.30.30 from source 10.10.10.10.

And yes, we can ping, so that's good; we achieved our first task. Now task number two is to configure static NAT. So R2 is basically our router here, but it could also be a firewall that will do the NATing, right.

The configuration of a firewall and of a router is almost the same if you do it from CLI mode. So we have two interfaces on R2. Interface serial 1/1 will act as our ip nat inside, and interface serial 1/2 will be ip nat outside. Let's exit. Now we will have to apply the static NAT.

So ip nat inside source static: the source 120.10.10.1 will be translated to 220.20.20.1. There we go. Now, if you notice, I used 220.20.20.1, whereas this interface has .2 configured. If you look at the topology, .1 is part of this subnet as well, so we could use .1, .4 (because .3 is assigned here), .5, .6 and so on. So we chose .1, okay. So if I do show ip nat translations, this tells me the inside global, which is 220.20.20.1, is translated to the inside local IP, which is 120.10.10.1. So that's what we wanted.

We wanted R3 to communicate with R1 using the inside global IP, which is 220.20.20.1, and that's how NATing works. Okay, so with this we have actually completed task number two. Now task number three is where we will put all our attention, which is configuring the IPsec VPN. If you look at the architecture slide, I said there is an ISAKMP policy that runs first, and that's what we will start working on. The tunnel will be created from R1 all the way to R3; R2 has no purpose at this time.

All the work will be done on R1 and R3. Let me bring up R1. As I said, most of the commands will be replicated between R1 and R3. Let me put both of them here; let me actually bring R1 on top and R3 at the bottom, and we will continue applying the same commands on both routers so we don't miss anything.

I recommend that you do this at your own pace; the more you practice, the more you will get to know the commands. As I mentioned in my previous slides, ISAKMP is the protocol that drives all the other components, and we will add all the other components now: hash md5, authentication pre-share, group 2, and encryption will be 3des. One thing I didn't discuss is group 2. Group is basically referring to the Diffie-Hellman group, and Cisco routers support groups from 1 to 24. For simplicity I always use group 2, and it provides 1024-bit encryption, okay; or, basically, it can establish communication using 1024 bits.

That's the right way to say it. So that's done. Let me apply the same commands here on R3: authentication pre-share, group 2, encryption 3des. So this is all we have to do for the ISAKMP policy. Now let's add the crypto isakmp key. Let's use cisco123 with the address. Now, this address is the peer IP address; in our topology it is going to be 220.20.20.3.

This IP is the IP of the neighboring device, which is R3's interface here. Okay, let's do the same thing on R3: crypto... I notice I'm missing crypto. I think we said cisco123, and the address is 220.20.20.1. If you notice, R3 is going to establish communication with R2's inside global IP address; remember that, so that's why we are using 220.20.20.1 as the peer device. Now that is done. Next we will configure something known as the IPsec transform set, to use DES for encryption and MD5 for hashing.

Okay, so let's create the transform set: crypto ipsec transform-set, and I'll call it TRAN; that's the name I'll give it. We can use esp-des and esp-md5-hmac.

Same thing on R3; we have to match all the steps between these two routers so they can negotiate the authentication and encryption. Now it's time to define all the interesting traffic. Okay, we made a mistake here; let me fix that. There you go. Now we will create the access list for the interesting traffic: access-list 101 permit ip, host to host; and the same thing here on R3, access-list 101 permit ip, host to host. So that's how our access list is done.

Now there's a step we need to do, which is the crypto map. Let's do that: crypto map VPN 10 ipsec-isakmp. Again, sorry about the typo; it's been a long day.

set peer; now we know who our peer is, so that's how we set our peer. match address 101. set transform-set TRAN. Let's apply the same on R3: crypto map VPN 10.

set peer; don't forget our peer is the inside global IP address. match address 101. So that is done. Now, as you know, we apply the crypto map to the interfaces when it comes to VPN. Similarly, for an access list we apply an access-group to the interfaces, and when it comes to VPN, we apply the crypto map to the interfaces. So on R1 we will apply the crypto map to this interface.

For R3 we will apply it to this interface, which is serial 1/2; for R1 it's serial 1/0. So let's do that: interface serial 1/0, crypto map VPN. Let's do the same thing here on R3: interface serial 1/2, crypto map VPN. Let's save it. Now our configuration is totally complete.
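The complete configuration the lab walks through, written out for the three routers as an added example (not the course's own config files): R1 and R3 mirror each other, and R2 only does static NAT. The subnet masks (/24 on the serial links, /32 on the loopbacks), the Loopback0 numbering, the key string cisco123 and the ACL host addresses (taken from the ping test) are assumptions.

```cisco
! Constructed example: masks, Loopback0 numbering and key string are assumptions
! R1 (site A): the LAN behind it is Loopback0; its peer is R3's real address
interface Loopback0
 ip address 10.10.10.10 255.255.255.255
interface Serial1/0
 ip address 120.10.10.1 255.255.255.0
 crypto map VPN
ip route 0.0.0.0 0.0.0.0 120.10.10.2
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 encryption 3des
crypto isakmp key cisco123 address 220.20.20.3
crypto ipsec transform-set TRAN esp-des esp-md5-hmac
access-list 101 permit ip host 10.10.10.10 host 30.30.30.30
crypto map VPN 10 ipsec-isakmp
 set peer 220.20.20.3
 match address 101
 set transform-set TRAN
! R2 (edge): static NAT only, no crypto; R3 sees R1 as 220.20.20.1
interface Serial1/1
 ip address 120.10.10.2 255.255.255.0
 ip nat inside
interface Serial1/2
 ip address 220.20.20.2 255.255.255.0
 ip nat outside
ip nat inside source static 120.10.10.1 220.20.20.1
ip route 10.10.10.10 255.255.255.255 120.10.10.1
ip route 30.30.30.30 255.255.255.255 220.20.20.3
! R3 (branch): mirror of R1, but peer and key address are R1's NAT address
interface Loopback0
 ip address 30.30.30.30 255.255.255.255
interface Serial1/2
 ip address 220.20.20.3 255.255.255.0
 crypto map VPN
ip route 0.0.0.0 0.0.0.0 220.20.20.2
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 encryption 3des
crypto isakmp key cisco123 address 220.20.20.1
crypto ipsec transform-set TRAN esp-des esp-md5-hmac
access-list 101 permit ip host 30.30.30.30 host 10.10.10.10
crypto map VPN 10 ipsec-isakmp
 set peer 220.20.20.1
 match address 101
 set transform-set TRAN
```

R3's peer and key address is the inside global address 220.20.20.1 rather than 120.10.10.1 because that is the source R3 sees once R2's static NAT has translated R1's packets. DES, MD5, 3DES and DH group 2 are what this lab uses; current deployments use AES, SHA-2 and group 14 or higher, which is a one-line change in each policy and transform set.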

Let's generate interesting traffic; that's when the VPN will kick in. So if I do ping 30.30.30.30 from the source 10.10.10.10, you can see it's going through, which is great. Now let's check the policy, the security association. If I do show crypto isakmp sa, I can see 220.20.20.3 from the source 120.10.10.1, and the status is ACTIVE. The other thing we could do is show crypto ipsec sa, that's the other security association, and we could filter it with | include #.

And there you go. It tells us how many encapsulations happened, how many decapsulations happened, what failed, and what got decompressed. The other command I wanted to show you was the number of connections that are active: show crypto engine connections active. This tells me that IPsec is active and the algorithm is DES+MD5.

So there was a decryption here; same thing here. With this I conclude our first lab, which is basically an implementation of site-to-site VPN with NAT. This topology could have been simpler: if you didn't want to introduce NAT in the middle, you could just connect R1 to R3 and follow the same steps, but there would be no NAT configuration because there would be no R2. So that would have been a much simpler lab.

But I introduced this lab to make it a little bit more complicated and also to mimic a real-world topology. I hope you have enjoyed this lab, and once again, thank you; we will do the second lab shortly. Thank you.
