Adding a new site to the network.

Hi Guys,
I just joined a company two weeks ago as a network engineer, and my role is to support my team lead (we are a team of 4: manager, team lead, myself and a technician) alongside the other teams around us, i.e. engineering, desktop support etc.
Well, I qualified as a CCNA in September this year, and I am lucky that I got a company employing me to use it.
Yes, I know how to connect routers point to point, and I can navigate my way round most of the frame-relay configuration in a lab environment, also NAT and all the other parts that can make you pass the exam; I have always been in a desktop support environment.

My problem now is that my team lead had an accident and he will probably be off work for at least a month, if not more than that. Yes, it is a good idea if you are faced with a challenging problem, but looking through the configuration on a router in one of the sites, there are some parts that I am not familiar with, and also the idea of tunnelling to HQ is all new to me.

Please, I want someone to have a look at the configuration below and just explain to me the areas highlighted,
- and also to advise what I need to do to connect a new site to an ISP (e.g. BT)
- and tunnel to HQ
- and how to generate crypto
For security reasons I have changed all the IP addresses, but into ranges that I know will allow everyone to make sense of the config.

Thanks for your support

Current configuration : 6007 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxxxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
enable password  XXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable none
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-288776303
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-288776303
 revocation-check none
 rsakeypair TP-self-signed-288776303
!
!
crypto pki certificate chain TP-self-signed-288776303
 certificate self-signed 01
        quit
dot11 syslog
!
!
ip cef
!
!
ip domain name xxxx.xxxxxxx.com
ip name-server 174.24.66.68
ip name-server 212.77.118.222
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL cuseeme
ip inspect name FIREWALL ftp
ip inspect name FIREWALL h323
ip inspect name FIREWALL icmp
ip inspect name FIREWALL netshow
ip inspect name FIREWALL realaudio
ip inspect name FIREWALL rtsp
ip inspect name FIREWALL sip
ip inspect name FIREWALL skinny
ip inspect name FIREWALL smtp
ip inspect name FIREWALL sqlnet
ip inspect name FIREWALL streamworks
ip inspect name FIREWALL tftp
ip inspect name FIREWALL vdolive
ip inspect name FIREWALL http java-list 10
ip inspect name urlfilter http urlfilter
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny .youtube.com
!
multilink bundle-name authenticated
!
!
username xxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxx
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxx-xxxxxxx address 44.221.76.66
!
crypto ipsec transform-set transform-LLEMEA esp-3des esp-sha-hmac
!
crypto map LLEMEA 1 ipsec-isakmp
 set peer 44.221.76.66
 set transform-set transform-LLEMEA
 set pfs group2
 match address 101
!
archive
 log config
  hidekeys
!
!
!
!
!
interface Tunnel1
 description *** ADSL Tun to Alexandra *****
 ip address 172.21.63.45 255.255.255.252
 ip tcp adjust-mss 1340
 tunnel source Dialer0
 tunnel destination 44.221.76.66
!
interface FastEthernet0
 no ip address
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet1
 duplex full
 speed 100
 keepalive 22767
 spanning-tree portfast
!
interface FastEthernet2
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet3
 duplex full
 speed 100
!
interface FastEthernet4
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet5
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet6
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet7
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet8
 duplex full
 speed 100
 spanning-tree portfast
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Vlan1
 ip address 172.29.62.1 255.255.255.128
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address 61.112.62.22 255.255.255.248
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxx@hg70.btclick.com
 ppp chap password 7 xxxxxxxxxxxxxxxxx
 crypto map xxxxxxx
!
router eigrp 456
 network 172.25.0.0
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip tacacs source-interface Vlan1
!
access-list 1 permit 172.29.62.0 0.0.0.127
access-list 101 permit gre host 61.112.62.22 host 44.221.76.66
access-list 150 permit tcp any any eq 22
access-list 150 permit gre any any
access-list 150 permit esp any any
access-list 150 permit udp any any eq isakmp
access-list 150 permit udp any eq domain any
access-list 150 permit tcp any any established
access-list 150 deny   ip any any log
dialer-list 1 protocol ip permit
snmp-server community public0 RO
snmp-server community ljxfd2002 RW
!
!
!
!
!
tacacs-server host 172.27.11.111
tacacs-server directed-request
tacacs-server key 7 xxxxxxxxxx
!
control-plane
!
!
line con 0
 password 7 xxxxxxxxxxxxxxxx
 logging synchronous
line aux 0
line vty 0 4
 password 7 xxxxxxxxxxxxxxxx
 logging synchronous
!
end
lawre1108Asked:

th3w01fCommented:
It may be my monitor but I'm unable to tell which part of the config you have questions on.  Can you also post the specific part of the config that you highlighted?

Thanks
0
lawre1108Author Commented:
Sorry, my mistake, I meant to attach the Word document.

(1)
crypto pki trustpoint TP-self-signed-288776303
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-288776303
 revocation-check none
 rsakeypair TP-self-signed-288776303
!
!
crypto pki certificate chain TP-self-signed-288776303
 certificate self-signed 01

------------------------------------------------------------------------------------------------------------------------------

(2)
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxx-xxxxxxx address 44.221.76.66
!
crypto ipsec transform-set transform-LLEMEA esp-3des esp-sha-hmac
!
crypto map LLEMEA 1 ipsec-isakmp
 set peer 44.221.76.66
 set transform-set transform-LLEMEA
 set pfs group2
 match address 101

------------------------------------------------------------------------------------------------------------------------------
(3)
interface Tunnel1
 description *** ADSL Tun to Alexandra *****
 ip address 172.21.63.45 255.255.255.252
 ip tcp adjust-mss 1340
 tunnel source Dialer0
 tunnel destination 44.221.76.66
------------------------------------------------------------------------------------------------------------------------------
(4)
access-list 101 permit gre host 61.112.62.22 host 44.221.76.66
0
arshanaCommented:
1). PKI stands for Public Key Infrastructure. Crypto PKI is a form of cryptography in which the key used to encrypt a message differs from the key used to decrypt it. In public key cryptography, a user has a pair of cryptographic keys: a public key and a private key. The private key is kept secret, while the public key may be widely distributed. Incoming messages would have been encrypted with the recipient's public key and can only be decrypted with his corresponding private key. The keys are related mathematically, but the private key cannot be practically derived from the public key. Here a PKI has been set.
2) ISAKMP (Internet Security Association and Key Management Protocol) is a protocol for establishing Security Associations and cryptographic keys in an Internet environment. ISAKMP defines procedures and packet formats to establish, negotiate, modify and delete Security Associations. SAs contain all the information required for execution of various network security services, such as the IP layer services (such as header authentication and payload encapsulation), transport or application layer services, or self-protection of negotiation traffic. ISAKMP defines payloads for exchanging key generation and authentication data.

(Feeling sleepy now will try to do the rest tomorrow :P)


0

th3w01fCommented:
It will take a lot of space to cover each item in the setup.  Here's a good link that should answer most if not all of your questions.

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_vpn_ipsec_ps6350_TSD_Products_Configuration_Guide_Chapter.html

2). This is the configuration for your IPSEC tunnel.

Here's a Cisco document that covers a very similar config http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800946b8.shtml

3).  This is your Tunnel for the VPN connection to Alexandra; it is used in conjunction with Interface Dialer 0.  

4).  This is the ACL to define "interesting traffic" for the IPSEC tunnel.  You can see it used under the "crypto map" command.

Crypto Access List Overview
Crypto access lists are used to define which IP traffic is protected by crypto and which traffic is not protected by crypto. (These access lists are not the same as regular access lists, which determine what traffic to forward or block at an interface.) For example, access lists can be created to protect all IP traffic between Subnet A and Subnet Y or Telnet traffic between Host A and Host B.

The access lists themselves are not specific to IPSec. It is the crypto map entry referencing the specific access list that defines whether IPSec processing is applied to the traffic matching a permit in the access list.
0

lawre1108Author Commented:

Hi th3w01f, thanks for this document. Looking through the router in HQ, where every other router is connected to, the configuration looks exactly the same.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093dc8.shtml

Please, I want you to give me time to read through; I will get back to you with any further questions, but you have kindly pointed me in the right direction.
0
lawre1108Author Commented:
Hi th3w01f,

Thanks, I looked at that document; as I said, it is perfect. My next question now is:

Assuming I configure the router in the office and give it to one of the technicians to install in the remote site:
- What do I need to do to be able to telnet to the router (yes, VTY is configured)? I don't know if, once he plugs the DSL line from the ISP into the router, I will be able to telnet straight away without having to do anything.

- What command do I need to put in place to be able to connect to the internet?

- I will be grateful if you can just list step by step what I need to do, so that it will be my template for future assignments.

As always, thank you for your support.

0
th3w01fCommented:
Do you have a static IP assigned from your ISP that has already been configured on the router?

If so you should be able to telnet as long as you've assigned a password.

Telnet is insecure; you should use SSH instead.  http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml

It may already be enabled; what is the output of "show cry key mypubkey rsa"?

The usual steps would be:

hostname xxxx
ip domain-name rtp.cisco.com
!--- Generate an RSA key pair to be used with SSH.
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2

If you want to prevent non-SSH connections, add the transport input ssh command under the lines to limit the router to SSH connections only. Straight (non-SSH) Telnets are refused.

line vty 0 4
 !--- Prevent non-SSH Telnets.
 transport input ssh

0
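A small configuration sanity check, added here as an example and not code from the thread or from Cisco, covering th3w01f's points (2) to (4) in his earlier reply and the SSH advice just above: it parses a spoke config like the one posted and confirms that the crypto map's peer, the tunnel destination, the crypto ACL and the interface carrying the crypto map all line up, and that the vty lines refuse plain Telnet. The embedded config is a constructed excerpt using the poster's already-changed addresses; the crypto map name applied to Dialer0 is assumed, since the post redacts it.

```python
# Constructed excerpt modelled on the spoke config in the thread (map name on Dialer0 assumed).
SPOKE_CONFIG = """\
crypto map LLEMEA 1 ipsec-isakmp
 set peer 44.221.76.66
 match address 101
interface Tunnel1
 tunnel source Dialer0
 tunnel destination 44.221.76.66
interface Dialer0
 ip address 61.112.62.22 255.255.255.248
 crypto map LLEMEA
access-list 101 permit gre host 61.112.62.22 host 44.221.76.66
line vty 0 4
 transport input ssh
"""

def parse_sections(config):
    """Group IOS config lines into {top-level line: [its indented sub-lines]}."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(line)
        else:
            current = line
            sections[current] = []
    return sections

def audit_gre_over_ipsec(config):
    """Return findings; an empty list means items (2), (3) and (4) line up."""
    secs, findings = parse_sections(config), []
    # (2) the crypto map names the peer and the crypto ACL that selects the protected traffic
    cmap = next((h for h in secs if h.startswith("crypto map ") and h.endswith(" ipsec-isakmp")), "crypto map NONE 0 ipsec-isakmp")
    name = cmap.split()[2]
    setting = dict(l.rsplit(" ", 1) for l in secs.get(cmap, []) if l.startswith(("set peer ", "match address ")))
    peer, acl = setting.get("set peer"), setting.get("match address")
    # (3) the GRE tunnel must point at the same peer and ride the interface that carries the map
    tun = next((h for h in secs if h.startswith("interface Tunnel")), "interface Tunnel?")
    tunnel = dict(l.rsplit(" ", 1) for l in secs.get(tun, []) if l.startswith("tunnel "))
    src_if, dest = tunnel.get("tunnel source"), tunnel.get("tunnel destination")
    if dest != peer:
        findings.append(f"{tun} destination {dest} is not the crypto map peer {peer}")
    src = secs.get(f"interface {src_if}", [])
    if f"crypto map {name}" not in src:
        findings.append(f"crypto map {name} is not applied on tunnel source {src_if}")
    # (4) the crypto ACL must match exactly the GRE flow between the two public addresses
    src_ip = next((l.split()[2] for l in src if l.startswith("ip address ")), None)
    if f"access-list {acl} permit gre host {src_ip} host {dest}" not in secs:
        findings.append(f"crypto ACL {acl} does not permit GRE {src_ip} -> {dest}")
    # management plane, per the SSH advice: vty lines should refuse plain Telnet
    for h, lines in secs.items():
        if h.startswith("line vty") and "transport input ssh" not in lines:
            findings.append(f"{h} still accepts Telnet; add 'transport input ssh'")
    return findings
```

Run it against the real running-config after pasting it into SPOKE_CONFIG; a non-empty list points at the exact section to fix before the router is shipped to the remote site.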
lawre1108Author Commented:
Hi th3w01f,
Sorry, I have been down for the last week; I hope to go back to work on Monday.
Just last week my manager said I may need to work from home from time to time, and he decided that I can have broadband installed at home.
This now gives me an opportunity to try all this myself.
Now I have configured an 1801 router for broadband, and I can connect to the internet from the FE0 interface.
The next step now is to be able to connect to the office via a site-to-site IPsec GRE tunnel using the template I posted with the question.
I was given a static /29 IP address range by BT, which means that I can use the connection from my house to the office as a typical remote site.

I will be grateful if you can just let me know step by step what I need to configure on the office router (Cisco 3745) and the 1801 router in my house.

By the way, my team lead is recovering well. I guess by the time he comes back, I will have learned so much that he will be impressed with me.
Once again, thanks for your support.

0