CCNP Encor Lab Live Part 5 - PAT for VRF, IPSEC Site to Site, Static NAT and More

Captions
Hello guys, welcome to a new video. We are going to keep working on this lab that I've been working on for about a week now, maybe less than a week. In this video we are going to fix some configurations that are wrong. We are probably going to do some changes to the tunnel once again, but we are going to leave that IPsec for last.

On the last video we configured VRF green and VRF yellow. We also did NAT, or no, we did PAT, port address translation, but then at the end the video was getting too long, so I did not configure the routes. So the VRF green network cannot go out to the network; you cannot communicate with any of the other routers or any of the other networks. And VRF yellow cannot communicate outside either. In my configuration I did a couple of things that I shouldn't have done, so I configured it wrong.

The first one I'm going to show you: we are going to go to router 12, and in router 12, enable, let's just do a show run. The first thing that I want to configure correctly is the NAT. I'm supposed to say nat and I'm supposed to add the VRF, because if you don't do the VRF it won't work. Let's see where it is. So this one right here, ip nat inside source list 1 interface gigabit 0/2 overload, this one is wrong because I need to specify the VRF. So the first thing that I need to do, actually let me go ahead and get out of here, config t, is remove this one right here. But before we do that I'm going to show you why it's not working. Let's go ahead and go to green.

What we're going to do first, let's go ahead and configure the routes. What I want to happen with the routes is that I want VRF green to use a default route whenever it is going to, let's say, the 20 network or the 172 network; I want you to just send it to 20.1.1.1. And when it's going to the 192.168.3 network and when it's going to the 192.168.6 network, I'm going to configure static routes to go to 20.1.1.1. So we need to go ahead and configure that. The way to do that, let's see if I remember, is ip route. We are going to configure the route for VRF green to go out to 20.1.1.1. So ip route, we are going to say vrf, then we specify green, then we specify the destination, 192.168.0.0 255.255.0.0. If I do that it is going to cover the 3 network and the 6 network, so both of them are going to be in there. Then you want to say where you want to send it, 20.1.1.1, but at the end you need to specify that this is going to global, because we are doing it from a VRF and we are saying send it to 20.1.1.1, which is in the global routing table. So if you do a do show ip route you are going to see that the 20 network is in the global table. Okay, sounds good.

We also need to do it for the yellow network. Yellow, there we go. I did it wrong, it needs to be vrf and then yellow, there you go. Also if you are going to the 172.16.0.0 network I want it sent to 20.1.1.1. I did this wrong again; vrf, there you go, and then we need to say yellow as well over here. So I configured those static routes, and the static routes mean that if VRF green wants to go to this network I want you to send it to 20.1.1.1, which is located in the global IP routing table. I also did it for the yellow network, and I also did it for the 192 network, sending it to 20.1.1.1.

But now if we do a do show run and include nat, you can see that we are only NATing for gigabit 0/2, and we want to NAT for gigabit 0/1. So let me get rid of this, and what I want to say, and this is going to be wrong, but I want to show you guys, is ip nat inside source list 1 interface gigabit 0/1 overload. There we go. So now let's try to ping from green; I want to ping the 20.1 network. And what's going to happen is, oh, it's saying destination host unreachable. Interesting. So from VRF green we are unable to reach 20.1. What if we also do it from here: if we want to reach the 20.1.1.0 network, let's see, ip route vrf green 20.1.1.0 255.255.255.0, and let's send it over here. Yep, that makes more sense. Let's see if we are able to... yep, so as you can see we are not getting destination host unreachable now, because we know how to get there. Let's also configure that for yellow as well.

Okay, so as you can see, right now we are not getting destination host unreachable because we now have that route to get there; we are sending it to 20.1.1.1, but what's happening is that NAT is not working. And I'm going to show you how you are able to see that. If you do enable and then debug ip icmp, you're going to see that the source we're getting is 172.16.5.2. So what is happening right now is that NAT is not working. Why is it not working? Because we're supposed to be getting 20.1.1.2, and router 13 does not know how to get to this network. Therefore we need to configure NAT correctly on router 12.

So let's go ahead and cancel that on the green computer. Let's go into router 12, and what we need to do first, let's go ahead and negate this one, say no, and also negate the one for gigabit 0/2. It said it didn't find it. Do show run include nat. Okay, that's fine; the nat outside is fine, the nat inside is fine. Let me also do a do show run and see if those interfaces have inside and outside configured correctly. We are going to see gigabit 0/0.5 and it says inside, that's good; gigabit 0/1 says outside; gigabit 0/2 is outside; and then we see the .6 subinterface, inside. Okay, so that's good.

So now what we need to do is configure the NAT translation with the VRF correctly. We are going to do ip nat inside source list 1 interface gigabit 0/1 vrf green overload. We need to do that for VRF yellow as well. Do show run include nat; now we can see it over here. Let's go ahead and see if we can do it for gigabit 0/2, which is going out this way, and then let's do do show run include nat. Okay, so what is happening right now is that we can only do NAT either for 0/1 or for 0/2; we cannot do it for both. So I believe we need to create another access list, probably. So let's go ahead and change this to 1, and then we can configure that later. Alright, do show run include nat, there we go, that is good. So now what I want to do is verify that NAT is working. It should be working now: if we go to router 13, instead of 172.16.5.2 it should give me the IP address of gigabit 0/1, which is 20.1.1.2. And now you can see that we are getting replies, because router 13 knows how to get to 20.1.1.2. And there we go, 20.1.1.2 instead of 172.16.5.2. So we just fixed NAT. That's how you would do that.

Now if we want to go out gigabit 0/2, I think we need to do another access list. Let's do a do show run include access-list and see if I get any hints. Okay, so what we're going to do is configure access list 2 basically the same: access-list 2 permit 172.16.0.0 0.0.255.255. There we go. So now it's going to create it; let's see if that works. So access list number 2, do show run include nat, this is my favorite command. There we go. Now you can see that since we are using another access list, we are able to configure another one. But I did this incorrectly, because I need to put gigabit 0/2 instead of gigabit 0/1. Let's say no, and then let's say 0/2, and then let's do the show run include nat. There we go, so now that is great, NAT is working correctly. And now let's go ahead and do it for VRF green. Okay, and if we do a show run include nat, there we go, we are now NATing. So that is done; we have configured NAT, all of that is good.

Let's see what else we can do. What I want to do now is remove the GRE tunnel. I don't want to use the GRE tunnel; what I'm going to do is just a simple site-to-site connection instead of the GRE, because if we ping from any of these devices it doesn't go through the tunnel, and from what I remember, for this to go through the tunnel I'm going to need to configure static routes, sending all the routes and pointing them to the IP of the tunnel, but I don't want to do that. I want to keep using the OSPF that I'm using over here. Therefore I'm going to need to configure a site-to-site VPN tunnel. I have almost everything configured; what I don't have configured is the crypto map.

So what we need to do is go to router 12 first. Let's go to interface tunnel; let's go ahead and remove tunnel 12 real quick. No interface tunnel 12, bye bye. So we have removed that. If we do show run, we can see the policy configuration; you're also going to see the ISAKMP key configuration, and then we also need to configure that access list. That access list is going to allow that traffic to go in, so I'm going to specify what I actually want to go into this network. Let's go ahead and do that. We are going to use the same crypto policy 12, we are going to keep that; that is going to be the same. The profile we do not need, so we can go ahead and remove that profile. We select that and say no. Okay, that has been removed.

So now let's go ahead and configure that IP access list. We are going to do an extended one; let's just call it VPN. And in here what we need to do is permit. What are we going to permit? We want to permit ip going from the source address of 172.16.0.0; we're just going to take either 172.16.5.0 or 172.16.6.0, so both networks, 0.0.255.255. There we go. Now, where's the destination? If it is going to the 20.1.1.0 network I want you to encrypt it. Also if it is going to the 172 network right here I want you to encrypt it. Command incomplete, let's see, oh, that's the wildcard again. I want you to encrypt it. Also if it's going to the 192.168.0.0 network, I want you to encrypt it; 192.168, that's the other network, I want you to encrypt it. Okay, that's it.

So now let's see what I want to do. We need to create a crypto map, and in the crypto map we are going to set the peer, set the transform set and set that access list. So crypto map, let's just call it MAP-12, it's going to be ipsec-isakmp. Let me see, crypto map MAP-12 10 ipsec-isakmp. Okay, so over here we need to set the peer to 20.1.1.1. Then set the transform set; I believe it was called TSET-12. Let's see, there we go, set transform-set TSET-12. Then we are going to match the address to VPN, that's what I called it. There we go, so that is great; let's go ahead and save this configuration.

Let's go to router 13 and basically do almost the same. Enable, config t. Let's do a do show run; we need to remove that IPsec profile, and I think that's all we need to do, like we did on the other side: remove the tunnel and the IPsec profile and add that access list. This one right here, let's say no: no interface tunnel 13, and then we should be able to remove the crypto ipsec profile. Then we are going to say ip access-list extended, and we are going to call this VPN. What we need to allow is the 172 networks and the 192 network, so that whenever they reach any IP address behind router 12 I want to encrypt it. So we do a permit ip coming from 172.16.0.0 0.0.255.255 going to, let's say, 20.1.1.0 0.0.0.255, I want to encrypt it. And also if it's going to the 172 network over here; I think we're going to need to be more specific so we don't get this access list all messed up, so 172.16.5.0 and also 172.16.6.0. Alright, then we want to do the 192.168 network going to the 6 network and going to the 5 network, and we also need to do the 20.1.1.0 network. Okay, a lot of access lists, but that should make sense. Hopefully I don't get it messed up, but I shouldn't. So that is good.

Now let's go ahead and create that crypto map: exit, crypto map MAP-13 10 ipsec-isakmp, and here we need to set the transform set, which is called TSET-13 I believe; verify that over here, there you go, TSET-13. And then we need to set, what is the other thing we need to set, the peer: set peer 20.1.1.2. After we do that we need to do the match; we are going to match the address, and we called that access list VPN. Exit. Now we need to go into interface gigabit 0/1 and attach that crypto map, so we do crypto map MAP-13, what did I name it, MAP-13. Now we need to go into router 12, interface gigabit 0/1, and add that crypto map, MAP-12.

crypto map MAP-12. Hey, here we go, ISAKMP is on, that is a good sign. And show crypto ipsec sa; here we have the IPsec SA, so that is looking good. Alright, let's go to R6 and see what happens when R6 tries to communicate with 20.1.1.2; hopefully it works. 20.1.1.2, there we go, that is great. So for us to see if it is getting encrypted we need to do show crypto ipsec sa again, and it's not being encrypted. So what did I miss? If I send it to 20.1.1.2 it's not being encrypted. What if I send it to 172...? So we are doing NAT; here it comes, NAT again. I believe this is because of NAT, since NAT is translating this. So whenever we do NAT, the access list for NAT... I think it's not going to work with NAT. Once again I'm going to need to figure out a better way to do this, because it's not being encrypted; I mean, everything else is good. What if we ping from this guy right here, 20.1.1.2? Still nothing. Yeah, we're using port 500. Oh, did I not do it for this guy right here? Let me go ahead and remove this first; I always forget to do the transport mode, but I don't think it is going to work anyway. Let's go ahead and do this: crypto ipsec transform-set... why is it giving me an error? crypto ipsec transform-set TSET-12 esp... because I'm not in config mode, wow, I need to sleep. Config mode, transport mode. Am I able to copy from here? No. First let's remove this and then we are going to go in here and do mode transport. Interface gigabit 0/1, shutdown; interface gigabit 0/1, no shutdown, so we can force it. Actually, there we go, BGP... do show crypto ipsec sa. Okay, do show crypto isakmp sa; we don't see any SA in here. Oh, this is IPv6; I need to do show crypto isakmp sa... and it's not showing for either IPv4 or IPv6.

config t, interface gigabit 0/1, shut it down again. show crypto map: the peer 20.1.1.2, that's good; we have a bunch of permits over here, the extended access list, current peer, so it looks like we have it up here. So what if we do a config t... let me do a ping 20.1.1.2. show crypto ipsec sa: nothing encrypted. So nothing is getting encrypted right now, still using port 500, but I bet you if I remove the NAT... So you can see protected vrf none, 192... it's 172. So you can see that we have a couple over here; let me see, was I looking at the correct one? So this is the peer, the first one, second one, third one, because we have a couple over here. So this is 20, this is for 172; no, nothing encapsulated, nothing. So we have one which is protected vrf none, 192, the local and the remote. So if I'm going from over here, the thing is that whenever I ping from this local guy it's going to be NATed and it's going to be basically 20.1.1.x. So what if we just do config t, ip access-list extended VPN, permit ip 20.1.1.1...

Oh, there is going to be some NAT, so that's not going to work, because if I want to permit this guy to this one I'm basically just permitting... But what if I just permit a single one, 20.1.1.x, just to make it go? Yes, now I think I need to allow that. Let's go and negate this, exit, do show run include nat; let's remove the PAT. So let's do no ip nat inside source list 1 interface gigabit 0/1 overload. So now if I ping from router 6 to 20.1.1.2, what is going to happen? I'm unable to ping 20.1.1.2. Now let's do show ip route from router 13. Okay, what if we're over here, show ip route, we do have that network; router 12, do show ip route, it does have that network via BGP. debug ip icmp, let's see what happens whenever I ping from router 6. Okay, so something we're going to hit. show ip access-list: 26 matches, so 10 permit to this network, it should allow. Okay, permitting to the network, one match; let's try it again, we have 30 matches. So it is getting over here, 172.16.0.0 0.0.255.255 to 20.1.1.0.

So it is going over here to the 20 network, but it's not getting to this at all. So let's do show crypto ipsec sa; this is the local and remote. Let's look for the local 172 and remote 20.1, so it's this one, and it's not matching. We don't see anything being encrypted or decrypted. So once again I'm going to have to do more research. I believe I got this working; I mean, we can see the IPsec security associations being formed, but for some reason it's not working, I don't know. Let me do a show run, and also do a show run over here, the crypto policy. Okay, hmm, okay, I think I found it, I think I know what it is. So we're doing transport, that's fine, whatever. Let's go ahead and change that: config t; since we removed the NAT, let's change this back to mode tunnel. Do the same over here, crypto ipsec transform-set, config t, I always forget to do that, config t, mode... still not able to do it. Interface gigabit 0/1, shutdown, interface gigabit 0/1, no shutdown. Still not able to ping 20.1.1.2 from router 6. And if we look at show ip access-list we can see that it keeps getting hits. Are we going to get a hit over here? show ip access-list: so we have this 20.1.1.x, so we're saying hop on the tunnel. So let's get into the tunnel; let's do a traceroute to 20.1.1.2. "Harsh: you are on the right track, so check the IP address of the destination and source for IPsec." I think I did that, but let me give you one second. So we are getting ICMP time exceeded, time to live, sent to destination, so it is only getting to my default gateway and after that it dies; it sends the ICMP time exceeded, and this guy over here, router 12, is not doing anything. What if now we ping 20.1.1.2? So we're able to ping 20.1.1.2, blah blah blah. So show crypto ipsec sa.

Okay, I might have to implement VTI, I think it's called VTI, DVTI or SVTI, static virtual tunnel interface; I'm going to have to implement that so I can also use NAT. config t, let's just insert the NAT right here: we're going to do ip nat inside source list 1 interface gigabit 0/1 overload. We are going to do this, and on the next video we are going to implement it. With site-to-site it was going to work, but I did it before without this; I have not done it with NAT. Let me go ahead and save my configuration over here, do wr, also save it over here, let's also save it over here. Okay, so yeah, I'm just going to configure SVTI, a static virtual tunnel; I know with that it's going to work. I just thought for some reason the tunnel and doing those access lists was going to work, but it didn't work; that's fine, that's more videos that I'm going to be doing. And also after I configure that IPsec, that static virtual tunnel, I'm going to configure inside NAT over here; we are going to configure IP addresses for all these three servers. Two servers are going to be web pages and another one is going to be FTP, so we are going to be saving to FTP, basically saving our configuration from all these routers and switches, so we can save all the configuration on that FTP server, and then we are going to configure two websites so we can access those websites. And then at the end, probably we should be ending this by Wednesday, hopefully, we are going to be configuring AAA; it's kind of cool to configure. So thank you guys for watching, I am really tired, it is Sunday, I was working all day outside, so yeah, thank you guys for watching and I will see you in the next one guys, bye.
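What the video stops short of explaining is why the crypto map never sees a match once PAT is applied on the same interface. On Cisco IOS the inside-to-outside order of operations runs the NAT inside-to-outside translation before the crypto map ACL check, so by the time the VPN access list is evaluated, a ping from 172.16.5.2 already carries the Gi0/1 address as its source, and an ACL that permits 172.16.0.0/16 to the remote network cannot match it. The usual fix is a NAT exemption: an extended NAT ACL that denies the VPN-bound traffic ahead of the permit, so that traffic reaches the crypto check untranslated. The SVTI the narrator plans to use sidesteps the question, because with a VTI routing decides what enters the tunnel and no crypto ACL is needed. The Python model below is an added example, not from the video or from any device: it applies the two steps in IOS order to a constructed packet and compares the standard NAT ACL used in the video with an exempting one. The addresses, interface name, ACL names and the OUTSIDE_ADDR constant are constructed, and the model covers only source translation and ACL matching, not the rest of the IOS forwarding pipeline.

```python
"""Model of the Cisco IOS inside-to-outside order of operations for one
packet: NAT inside-to-outside translation runs BEFORE the crypto map ACL
check.  All addresses, ACLs and names are constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Ace:
    """One access-list entry, written as CIDR instead of IOS wildcards."""
    action: str                 # "permit" or "deny"
    src: str                    # source network, CIDR
    dst: str = "0.0.0.0/0"      # destination network, CIDR ("any")

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))


def acl_permits(acl, pkt: Packet) -> bool:
    """First matching entry wins; implicit deny at the end, as in IOS."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


# Constructed: the router's own Gi0/1 address, i.e. what
# "ip nat inside source list ... interface GigabitEthernet0/1 overload"
# rewrites the source to.
OUTSIDE_ADDR = "20.1.1.2"


def forward(pkt: Packet, nat_acl, crypto_acl):
    """Apply NAT and then the crypto ACL, in IOS order.

    Returns (source address as it leaves Gi0/1, whether the crypto map
    marked the packet for encryption)."""
    if acl_permits(nat_acl, pkt):
        pkt = Packet(OUTSIDE_ADDR, pkt.dst)   # PAT: source becomes Gi0/1's address
    encrypted = acl_permits(crypto_acl, pkt)  # crypto check sees the post-NAT packet
    return pkt.src, encrypted


# Crypto ACL as in the video:
#   ip access-list extended VPN
#    permit ip 172.16.0.0 0.0.255.255 20.1.1.0 0.0.0.255
CRYPTO_ACL = [Ace("permit", "172.16.0.0/16", "20.1.1.0/24")]

# 1) Standard NAT ACL as in the video: access-list 1 permit 172.16.0.0 0.0.255.255
#    A standard ACL can only match on source, so it cannot exempt anything.
NAT_ACL_BROKEN = [Ace("permit", "172.16.0.0/16")]

# 2) NAT exemption (constructed): an extended NAT ACL that denies the
#    VPN-bound traffic before the catch-all permit.
NAT_ACL_FIXED = [
    Ace("deny", "172.16.0.0/16", "20.1.1.0/24"),
    Ace("deny", "172.16.0.0/16", "192.168.0.0/16"),
    Ace("permit", "172.16.0.0/16"),
]


def demo():
    """Run the same ping through both NAT ACLs, plus a non-VPN flow."""
    vpn_ping = Packet("172.16.5.2", "20.1.1.1")       # host behind R12 -> IPsec peer side
    other = Packet("172.16.5.2", "8.8.8.8")           # constructed non-VPN destination
    return {
        "broken": forward(vpn_ping, NAT_ACL_BROKEN, CRYPTO_ACL),
        "fixed": forward(vpn_ping, NAT_ACL_FIXED, CRYPTO_ACL),
        "internet": forward(other, NAT_ACL_FIXED, CRYPTO_ACL),
    }


if __name__ == "__main__":
    for name, (src, enc) in demo().items():
        print(f"{name:9s} source on the wire {src:12s} encrypted={enc}")
```

With the standard ACL the ping leaves as 20.1.1.2 and the crypto map never matches, which is exactly the "nothing encapsulated" state seen in show crypto ipsec sa in the video; with the exemption the VPN-bound packet keeps its 172.16.5.2 source and is marked for encryption, while ordinary traffic is still translated.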
Info
Channel: CCNADailyTIPS
Views: 658
Id: UlFaN3ZfkuI
Length: 51min 8sec (3068 seconds)
Published: Mon Jul 13 2020