GNS3 Cisco Network Scheme Security

Tags:
#cisco , #router, #switch, #Network , #vpn , #gns3, #dynamips, #vios, #ios, #virtual-machine , #virtualization , #CCNA


Synopsis
...

This writeup is essentially a trial and error documentation of my learning process for configuring a site-to-site VPN, and a site-to-site VPN with a firewall, using Cisco IOS images in GNS3 with a mock network setup.

References
...

GNS3 Marketplace (lists of supported images and instructions)
...

  • Cisco-Asa - firewall images
  • Cisco-ASAV - virtual firewall emulators
  • Cisco-IOSV - virtual router QEMU emulators
  • Cisco-IOSV-L2 - virtual Layer 2 switch QEMU emulators
  • Cisco-IOU-L2 - virtual layer 2 switches on linux, not QEMU
  • Cisco-IOU-L3 - virtual layer 3 on linux, not QEMU (proprietary cisco employee type)
  • Cisco 7200 - support C7200 series routers - c7200-adventerprisek9-mz.124-24.T5.image

Commands
...

That ended up being used very frequently
...

  • linux custom bins
gns3-cnoss
gns3server
gns3server --local
gns3-cnoss-taphost
  • Cisco Router
show running-config
show ip interface brief 
show access-lists
show ip route
config-register 0x2102
show crypto map <mapname>
  • Cisco ASA
<command name> ? --> get more info about any command's options
enable
configure terminal
terminal pager 0
show interface summary
show interface ip brief
show run crypto map
show run crypto isakmp sa
show crypto ipsec sa
sh access-list
  • linux troubleshooting
ip route # the one called "default" should be gateway
route -nv
ifconfig
sysctl net.ipv4.ip_forward #should be set to 1
arp -a
sudo route add -net 10.10.10.0 netmask 255.255.255.0 gw 192.168.1.5
sudo ip route add 10.10.0.0/16 via 10.10.40.0 dev ens4

# I deleted this route for KVM because it appeared to be doing nothing
sudo ip route del 169.254.0.0/16 via 0.0.0.0 dev virbr0

---------------------- Tasks ----------------------
...

Install GNS3
...

Linux KVM Installation
...

  • this method is most valuable if someone wished to isolate GNS3 resources or deploy on an off-host machine, but it's not necessary on linux in order to get the KVM support for Cisco images

  • it's not super obvious, but GNS3 does have a premade KVM VM that can be acquired from their github release page
    cnossprac1netsec-2023-02-22.png

  • their KVM image comes with a startup script that looks like:

#!/bin/bash

if [[ ! $(ip link show virbr0) ]]
then
  sudo apt update
  sudo apt install -y libvirt-bin
fi

if [[ ! $(ip link show tap-gns3vm) ]]
then
  echo "Creating TAP interface"
  sudo ip tuntap add dev tap-gns3vm mode tap user $(whoami)
  sudo ip link set tap-gns3vm up
  sudo brctl addif virbr0 tap-gns3vm
fi

qemu-system-x86_64 -name "GNS3 VM" -m 2048M -cpu host -enable-kvm -machine smm=off -boot order=c \
-drive file="GNS3 VM-disk001.qcow2",if=virtio,index=0,media=disk \
-drive file="GNS3 VM-disk002.qcow2",if=virtio,index=1,media=disk \
-device virtio-net-pci,netdev=nic0 -netdev tap,id=nic0,ifname=tap-gns3vm,script=no,downscript=no
  • I dropped this monster command into a local binary called gns3 so that I can run it with an alias
  • and redirected the launch to the absolute path of the images
  • placed in ~/.local/bin/gns-cnoss
#!/bin/bash

echo "Creating TAP interface"
sudo ip tuntap add dev tap-gns3vm mode tap user $(whoami)
sudo ip link set tap-gns3vm up
sudo brctl addif virbr0 tap-gns3vm

echo "Starting gns3 vm..."
sudo qemu-system-x86_64 -name "GNS3 VM" -m 2048M -cpu host -enable-kvm -machine smm=off -boot order=c \
-drive file="/var/lib/libvirt/images/gns3-cnoss/GNS3 VM-disk001.qcow2",if=virtio,index=0,media=disk \
-drive file="/var/lib/libvirt/images/gns3-cnoss/GNS3 VM-disk002.qcow2",if=virtio,index=1,media=disk \
-device virtio-net-pci,netdev=nic0 -netdev tap,id=nic0,ifname=tap-gns3vm,script=no,downscript=no
Note

I noticed later that for whatever reason this script is just too fast for the interfaces to set up before the VM starts up, so I added a sleep to give it a moment, which seems to have fixed the issue 🤷

[....]
sudo brctl addif virbr0 tap-gns3vm
sleep 3s
echo "Starting gns3 vm..."
[....]
  • I've already got KVM and libvirt installed, so I'm just going to manually perform the tap interface creation and run the bottom part when I want to load their qcows
#add a new TAP device called tap-gns3vm
sudo ip tuntap add dev tap-gns3vm mode tap user $(whoami)
#enable the new interface
sudo ip link set tap-gns3vm up
#attach the new interface to the virbr0 virtual bridge
sudo brctl addif virbr0 tap-gns3vm
  • brctl show virbr0 yields
bridge name	bridge id		STP enabled	interfaces
virbr0		8000.525400ca8e4c	yes		tap-gns3vm

cnossprac1netsec-2023-02-22-5.png

ping 192.168.122.76
PING 192.168.122.76 (192.168.122.76) 56(84) bytes of data.
64 bytes from 192.168.122.76: icmp_seq=1 ttl=64 time=0.122 ms
64 bytes from 192.168.122.76: icmp_seq=2 ttl=64 time=0.187 ms
64 bytes from 192.168.122.76: icmp_seq=3 ttl=64 time=0.171 ms
^C
--- 192.168.122.76 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2029ms
rtt min/avg/max/mdev = 0.122/0.160/0.187/0.027 ms

visiting the VM in the browser yields

cnossprac1netsec-2023-02-22-6.png

  • quick little test in the VM shell to see if I can access the internet

cnossprac1netsec-2023-02-22-7.png

  • quick little test in the VM shell to see if my bridge interface is working, because I should be able to view local area network devices
    cnossprac1netsec-2023-02-22-8.png

  • router response
    cnossprac1netsec-2023-02-22-9.png

  • final personal test was seeing if I could ping and ssh to my local server, yeah looks good, bridge is working correctly
    cnossprac1netsec-2023-02-22-10.png

Windows Installation
...

  • Downloading the GNS3 VM | GNS3 Documentation

  • just as with Linux KVM, the GNS3 VM also runs on Windows (and it is required for KVM support on Windows)

  • it can be imported into VirtualBox or VMware, and if interfaces to the host PC are desired they can be NAT'd through virtual interfaces on Windows
    cnossprac1netsec-2023-03-20.png

Install GNS3 Client
...

Realize that the web GUI is pretty awful if you want to follow any guides written online anywhere including GNS3's own documentation 🤷
sudo add-apt-repository ppa:gns3/ppa
sudo apt update                                
sudo apt install gns3-gui gns3-server

# Not needed, probably going to break something with this
sudo dpkg --add-architecture i386
sudo apt update
sudo apt install gns3-iou

cnossprac1netsec-2023-02-22-24.png

cnossprac1netsec-2023-02-22-25.png

  • run gns3server, only if you want to test local virtual networks, but without good hardware virtualization support

    • which turns out to only matter on windows in the end
  • need to add "remote" server in order to connect to VM
    cnossprac1netsec-2023-02-22-27.png

  • note that the desktop GUI actually gives a real human error when something isn't correct (the web gui obfuscates a lot of these messages)
    cnossprac1netsec-2023-02-22-28.png

Install GNS3 Server on Linux Natively
...

  • add myself to the groups required to launch GNS3 things so that I don't have to be sudo every time

sudo apt install gns3-server
# wireshark docker 
sudo usermod -aG ubridge yorionathan
sudo usermod -aG libvirt yorionathan
sudo usermod -aG kvm yorionathan
  • running this is as simple as
gns3server
  • occasionally there are issues where it can't correctly bind to the local network interface; I assume this is related to other things running, and it's usually solved with a reboot

Import Virtual Firmware Images
...

See if the lab hardware images can be simulated in GNS3
...

cnossprac1netsec-2023-02-22-11.png

cnossprac1netsec-2023-02-22-12.png

cnossprac1netsec-2023-02-22-13.png

  • something I personally found potentially confusing
    cnossprac1netsec-2023-02-22-14.png

cnossprac1netsec-2023-02-22-15.png

cnossprac1netsec-2023-02-22-16.png

  • datasheet says default onboard memory for these is 512 MB
    cnossprac1netsec-2023-02-22-17.png

  • so that's what was set
    cnossprac1netsec-2023-02-22-18.png

Ah wait a minute....
...

cnossprac1netsec-2023-02-22-16.png

  • the gns3 documentation says...

  • okay so none of these bins are in their recommended categories...
    cnossprac1netsec-2023-02-22-19.png

  • and they don't support catalyst switches at all
    cnossprac1netsec-2023-02-22-20.png

  • annnnd of course the C2960 is a catalyst switch
    cnossprac1netsec-2023-02-22-21.png

  • annnnd the ASA 5505 is a supported version... but they recommend not using these as they consume all of the CPU
    cnossprac1netsec-2023-02-22-22.png

cnossprac1netsec-2023-02-22-23.png

Find some alternatives to lab images
...

Need:
...

Router - probably the 7200 - or a virtual router VIOS
...

Firewall - ASA 5504 will work, perhaps pfsense or something else - or ASAv
...

Switch - IOU L2 Binary or IOSvL2
...

cnossprac1netsec-2023-02-22-29.png

cnossprac1netsec-2023-02-22-30.png

Import images into GNS3 desktop GUI
...

cnossprac1netsec-2023-02-24.png

cnossprac1netsec-2023-02-24-1.png

  • pick device
    cnossprac1netsec-2023-02-24-2.png

cnossprac1netsec-2023-02-24-3.png

  • make sure whatever binaries that are needed for the device are present

C7200 Router
...

cnossprac1netsec-2023-02-24-4.png

cnossprac1netsec-2023-02-24-5.png

IOU L2 Linux Virtual Switch
...

Dump base IOS config
...

enable
! put the password in if there is one
terminal length 0
! which will dump out the whole terminal and not screen by screen

show running-config
  • show running-config dumps the router's entire current config to the terminal
  • but only all at once if terminal length 0 is set; otherwise the output is paged one screen at a time
Building configuration...

Current configuration : 1023 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1-Cisco7200
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
! 
ip tcp synwait-time 5
!
interface Ethernet0/0
 no ip address
 shutdown
 duplex auto
!
interface GigabitEthernet0/0
 no ip address
 shutdown
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end
  • there are default base startup configs which are stored locally
    cnossprac1netsec-2023-02-24-7.png

  • if one were to look at this, the config the router prints is being sourced from here

!
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname %h
!
ip cef
no ip domain-lookup
no ip icmp rate-limit unreachable
ip tcp synwait 5
no cdp log mismatch duplex
!
line con 0
 exec-timeout 0 0
 logging synchronous
 privilege level 15
 no login
line aux 0
 exec-timeout 0 0
 logging synchronous
 privilege level 15
 no login
!
!
end
  • but something to note is that those configs are actually present in the GNS3 VM home directory as well
  • so if the GNS3 client is connected to the VM, it's probably pulling these base configs from the local path on the VM by default and not from anything in the client
    cnossprac1netsec-2023-02-24-8.png

Simple router config and project backup test
...

configure terminal
interface GigabitEthernet 0/0
ip address 10.10.10.1 255.255.255.0
no shut

*Feb 24 12:24:01.315: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*Feb 24 12:24:02.315: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up

exit
! (config-if)
exit
! (config)

write memory

! Should see
! Building configuration...
! [OK]



show ip interface brief


R1-Cisco7200#show ip interface brief 
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  administratively down down    
GigabitEthernet0/0         10.10.10.1      YES manual up                    up      

  • assign PC IP and gateway
PC1> ip 10.10.10.2/24 10.10.10.1


PC1> ping 10.10.10.1

84 bytes from 10.10.10.1 icmp_seq=1 ttl=255 time=20.110 ms
84 bytes from 10.10.10.1 icmp_seq=2 ttl=255 time=2.098 ms
84 bytes from 10.10.10.1 icmp_seq=3 ttl=255 time=3.199 ms
84 bytes from 10.10.10.1 icmp_seq=4 ttl=255 time=2.336 ms
84 bytes from 10.10.10.1 icmp_seq=5 ttl=255 time=2.534 ms

Importing a Virtual Operating System as PC into GNS3
...

Linux Native (See KVM for actual import, same as Native)
...

  • add in a NAT cloud, which gns3-server automatically uses to create a TAP interface with the host
    cnossprac1netsec-2023-03-10.png

cnossprac1netsec-2023-03-10-1.png

  • from the NAT direct connection to the lubuntu system I can do updates, install net tools, whatever to make troubleshooting a bit easier

cnossprac1netsec-2023-03-10-2.png

  • just some simple setup things
    cnossprac1netsec-2023-03-10-3.png

KVM
...

cnossprac1netsec-2023-03-08.png

cnossprac1netsec-2023-03-08-1.png

  • QEMU/KVM hypervisor, 4 gigs ram
    cnossprac1netsec-2023-03-08-2.png

cnossprac1netsec-2023-03-08-3.png

  • upload image into GNS3

cnossprac1netsec-2023-03-08-4.png

  • went back into template and changed virtio for disk type

cnossprac1netsec-2023-03-08-5.png

  • boots up a Lubuntu machine
    cnossprac1netsec-2023-03-08-6.png

Notes on Some Default Router Setup Points
...

  • Images for devices in GNS3 won't necessarily have all slots enabled by default, so the slots you want must be enabled before the virtual cabling can be connected
  • Cisco provides some handy configuration guides

Visual comparison of lab configs vs default GNS3 IOS configs
...

  • need to quickly compare differences between lab setup and these virtual switches and see which parts are absolutely essential
    • use my handy little dump tool for the IOSvL2 switch
./dump_config_nopass.expect 192.168.122.76 5003 switch_dump.txt
interface Vlan1
 ip address 10.0.0.10 255.255.255.0
!
ip default-gateway 10.0.0.1
ip http server
ip http authentication local
ip http secure-server

Configure Some Default Router Setup
...

enable
config

username admin privilege 15 password 0 admin
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.0.0.254

interface GigabitEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!         
interface GigabitEthernet0/1
 ip address 10.0.1.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!  

Importing or Dumping Cisco Configurations with Scripts
...

TCL and Expect Scripts
...

  • in order to import a whole config into a router over telnet (at least on Linux) one can take advantage of expect syntax and TCL scripting
Note

In these expect scripts,
">" and "#" are the prompt suffixes for user EXEC and privileged EXEC mode respectively,
and the script must wait for them before sending commands that need the corresponding privilege level

  • expect might not be installed by default so:
sudo apt install expect
  • using expect, instead of bash, one can push scripted commands over telnet to things like Cisco routers etc
  • script that will push a config specified in a text file into the virtual interface over telnet
#!/usr/bin/expect -f

# push_config.sh

# Get the variables from command line arguments to script
set router_ip [lindex $argv 0]
set router_user [lindex $argv 1]
set router_pass [lindex $argv 2]
# give a slow emulated router time to answer each command
set timeout 20

# Open the Telnet connection and authenticate
spawn telnet $router_ip
expect "Username: "
send "$router_user\r"
expect "Password: "
send "$router_pass\r"
expect ">"

# enter enable mode to configure, authenticate, begin config 
send "enable\r"
expect "Password: "
send "$router_pass\r"
expect "#"
send "configure terminal\r"
expect "(config)#"

######### Push the configuration #######
# send config.txt one line at a time and wait for a config-mode prompt
# ("(config)#", "(config-if)#", ...) after each, so a long config does not
# overrun the console input buffer and get partially dropped
set fh [open config.txt r]
while {[gets $fh line] >= 0} {
    if {[string trim $line] eq ""} { continue }
    send "$line\r"
    expect -re {\(config[^)]*\)#}
}
close $fh
########################################

# Leave configuration mode from whatever sub-mode the config ended in
send "end\r"
expect "#"

# Save the configuration
send "write memory\r"
expect "#"

# Close the Telnet connection
send "exit\r"
expect eof

  • executable
chmod +x push_config.sh
  • the configuration can be whatever is needed for that particular device

  • example to send the script with command line arguments

  • I need to specify ip and port for telnet, and since this is bridged I can access telnet directly over local IP without tunneling into the GNS3 subnet from the host

  • this script can be used in reverse to dump configs from routers to local text files

#!/usr/bin/expect -f

# dump_config.expect

# Get the variables from command line arguments to script
set router_ip [lindex $argv 0]
set router_port [lindex $argv 1]
# set router_user [lindex $argv 2]
# set router_pass [lindex $argv 3]
set output_config_file  [lindex $argv 2]

# Open the Telnet connection
spawn telnet $router_ip $router_port

### Authenticate if necessary
# expect "Username: "
# send "$router_user\r"
# expect "Password: "
# send "$router_pass\r"
# expect ">"

# Enter enable mode
expect "#"
send "enable\r"

# Authenticate?
# expect "Password: "
# send "$router_pass\r"

####### Dump the running configuration to a file ######
expect "#"
send "terminal length 0\r"
expect "#"
send "show running-config\r"
expect "#"
# dump whatever is in buffer
#set config [string trimright $output_config_file(buffer) "#"]
set config $expect_out(buffer)
# open up the file
set active_file [open $output_config_file "w"]
# put (in empty file) contents of config
puts $active_file $config
# close the file
close $active_file
#######################################################

# Close the Telnet connection
send "exit\r"
expect eof
./dump_config.sh <router_ip> <router_port> <router_user> <router_pass> <output_file>
  • if a username and password would be required
./dump_config.expect 192.168.122.76 5002 "" "" config_dump.txt
  • if not username and password required
./dump_config_nopass.expect 192.168.122.76 5002 config_dump.txt
  • I had some issues with that not waiting for the buffer output to fully complete and giving me a partial config dumped to text file, so I altered it to have a timeout expect function to wait for the buffer to actually dump something useful before writing it to an output file
expect {
    "#$"
    {set output $expect_out(buffer)}
    timeout
    {send_user "Error: Timeout waiting for command output\n"; exit 1}
}
  • new script
#!/usr/bin/expect -f

# dump_config.expect

# Get the variables from command line arguments to script
set router_ip [lindex $argv 0]
set router_port [lindex $argv 1]
# set router_user [lindex $argv 2]
# set router_pass [lindex $argv 3]
set output_config_file  [lindex $argv 2]

# Open the Telnet connection and authenticate
spawn telnet $router_ip $router_port
# expect "Username: "
# send "$router_user\r"
# expect "Password: "
# send "$router_pass\r"
# expect ">"

# Enter enable mode and authenticate
expect "#"
send "enable\r"
# expect "Password: "
# send "$router_pass\r"
expect "#"

# give an emulated router time to page out the whole config before giving up
set timeout 60

#################### Dump the running configuration to a file ###################
send "terminal length 0\r"
expect "#"
send "show running-config\r"
##### dump whatever is in buffer but actually wait to make sure it completes ####
# note: no plain expect "#" between the send and this block, otherwise it would
# consume the output and the anchored wait below would only ever time out
expect {
    "#$"
    {set config $expect_out(buffer)}
    timeout
    {send_user "Error: Timeout waiting for command output\n"; exit 1}
}
##################################################################################
# set a variable for opening up the file
set active_file [open $output_config_file "w"]
# put (in empty file) contents of config dumped from buffer
puts $active_file $config
# close the file
close $active_file
#######################################################

# Close the Telnet connection
send "exit\r"
expect eof
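Once a running-config has been dumped to a text file with the script above, a small parser can check it for the weak settings that creep into lab configs (type 0 passwords, HTTP management, telnet on the vty lines). This is an added Python example, not part of the original notes or of GNS3; the two config texts are constructed, modelled on the routers in this writeup, and the $9$ hash is a placeholder.

```python
"""Parse a Cisco IOS running-config dump and flag weak settings a reviewer
would want fixed; both sample configs are constructed for this example."""
import re

# Constructed sample, modelled on the lab routers in this writeup.
SAMPLE_CONFIG = """\
Building configuration...
!
version 15.6
no service password-encryption
!
hostname GNS3-Router1
!
username admin privilege 15 password 0 admin
ip http server
ip http secure-server
ip source-route
!
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
line con 0
 exec-timeout 0 0
line vty 0 4
 login
 transport input telnet
!
end
"""

# Constructed hardened counterpart ($9$PLACEHOLDER_HASH stands in for a real hash).
HARDENED_CONFIG = """\
!
service password-encryption
hostname GNS3-Router1
username admin privilege 15 secret 9 $9$PLACEHOLDER_HASH
no ip http server
ip http secure-server
no ip source-route
!
line con 0
 exec-timeout 10 0
line vty 0 4
 login local
 transport input ssh
!
end
"""


def parse_ios_config(text):
    """Split IOS config text into top-level commands and indented sub-mode
    blocks. Returns (top_level_commands, {block_header: [child commands]})."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # '!' lines separate blocks in IOS output
            continue
        if raw.startswith(" "):  # indented line belongs to the open block
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
            top.append(current)
    return top, blocks


def audit_ios_config(text):
    """Return a list of (severity, message) findings for the config text."""
    top, blocks = parse_ios_config(text)
    findings = []
    if "no service password-encryption" in top:
        findings.append(("medium", "service password-encryption is off: type 0 passwords are stored in cleartext"))
    for cmd in top:
        m = re.match(r"username (\S+) .*\bpassword\b", cmd)
        if m and " secret " not in cmd:
            findings.append(("high", f"user {m.group(1)}: 'password' (reversible or cleartext) used instead of 'secret'"))
        if cmd.startswith("enable password"):
            findings.append(("high", "'enable password' used instead of 'enable secret'"))
        if cmd == "ip http server":
            findings.append(("medium", "cleartext HTTP management interface enabled"))
        if cmd == "ip source-route":
            findings.append(("low", "IP source routing enabled"))
    for header, children in blocks.items():
        if not header.startswith("line "):
            continue
        if header.startswith("line vty"):  # vty lines carry the remote sessions
            transports = [c.split()[2:] for c in children if c.startswith("transport input")]
            if not transports or any({"telnet", "all"} & set(t) for t in transports):
                findings.append(("high", f"{header}: telnet accepted (restrict with 'transport input ssh')"))
            if "no login" in children:
                findings.append(("high", f"{header}: 'no login', remote sessions are unauthenticated"))
            elif "login" in children and not any(c.startswith("password ") for c in children):
                findings.append(("medium", f"{header}: 'login' set but no line password, IOS will refuse the session"))
        if "exec-timeout 0 0" in children:
            findings.append(("low", f"{header}: exec-timeout 0 0 disables the idle session timeout"))
    return findings
```

Point it at the file written by dump_config.expect (read the file, pass the text to audit_ios_config) to get the same findings for a real dump.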

Talking to the Outside World from GNS3
...

Linux Native
...

How one would set up an interface for the GNS3 network to talk with the host computer
...

  • create a script that will make a tap adapter for me and assign an IP address to it that can serve as my mock network
  • I'm also having it let the host computer know that a static route to the 10.10.10.0/24 subnet is available via the new tap on 192.168.1.5
#!/bin/bash

echo "Creating TAP interface for host"
sudo ip tuntap add dev tap-gns3host mode tap user $(whoami)
sudo ip addr add 192.168.1.5/24 dev tap-gns3host
sudo ip link set tap-gns3host up

echo "Adding a route to the GNS3 internal subnet"
echo "Subnet is 10.10.10.0/24, change in script for others"
sudo route add -net 10.10.10.0 netmask 255.255.255.0 gw 192.168.1.5

echo "Starting GNS3 Server...."
sleep 5s
gns3server
  • using a configuration like this it was possible to just bridge NAT with the lubuntu VM and install some small things like net-tools for troubleshooting, not really a big deal for the actual GNS3 topology though

cnossprac1netsec-2023-03-10-4.png

cnossprac1netsec-2023-03-10-5.png

  • configure the router to understand that it is now part of the host network on one interface
  • setup translation in the router to handle NAT between the internal network and whatever the network is on the outside of GNS3
  • gateway will change depending on how traffic should be routed to connected PC
enable
config

hostname GNS3-Router1

! the local gns3 network on 10.10.10.X
interface GigabitEthernet 0/0
ip address 10.10.10.1 255.255.255.0
no shut
exit

! the host network on 192.168.1.X
interface GigabitEthernet0/1
ip address 192.168.1.6 255.255.255.0
no shut
exit
!  

! default route: anything not otherwise known goes to the 192.168.1.1 gateway
! (my home router here, but it could be bakhtawar's laptop's IP in our connected scenario)
ip route 0.0.0.0 0.0.0.0 192.168.1.1

! the 192.168.1.0/24 subnet is directly connected on GigabitEthernet0/1,
! so this static route is redundant with the connected route but harmless
ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/1

! NAT "inside" is the GNS3-internal network (10.10.10.0/24 on Gi0/0)
interface GigabitEthernet0/0
 ip nat inside
 exit

! NAT "outside" is the external/host network (192.168.1.0/24 on Gi0/1)
interface GigabitEthernet0/1
 ip nat outside
 exit

! access list selecting traffic from 10.10.10.0/24 to be handled by NAT
! (101 is an extended ACL, so the protocol keyword is required)
access-list 101 permit ip 10.10.10.0 0.0.0.255 any

! tells our NAT to translate anything from the 10.10.10.0/24 subnet (list 101)
! to the address of the outside interface Gi0/1, with port overloading (PAT)
ip nat inside source list 101 interface GigabitEthernet0/1 overload

write memory
  • router dump @ 9:23:16
Building configuration...

Current configuration : 3430 bytes
!
! Last configuration change at 19:11:12 UTC Fri Mar 10 2023
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ethernet lmi ce
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
no ip icmp rate-limit unreachable
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
! 
!
!
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 192.168.1.6 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source static 10.10.10.0 192.168.1.6
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/1
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end

Router#clear arp-cache
Router#ping 192.168.1.76
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.76, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#ping 192.168.1.1 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#wr
Building configuration...

cnossprac1netsec-2023-03-10-6.png

KVM
...

(I stopped trying this route after I realized how silly it is to create these nested networks on a linux host) But I'm leaving it in here because I feel like I suffered enough with it for it to have a place in the report and I at least learned some things about creating adapters in linux and such

Creating a TAP interface on Linux to talk from Host to GNS3 network
...

sudo apt install bridge-utils

# creating a TAP interface
#sudo tunctl -u <username>
#sudo tunctl -t tap0
sudo ip tuntap add dev tap-gns3-cloud mode tap user $(whoami) # I assume this would also work

sudo ifconfig tap-gns3-cloud 0.0.0.0 promisc up
sudo ifconfig eth0 0.0.0.0 promisc up

sudo brctl addbr br0-gns3-cloud # should only need to do that once?
sudo brctl addif br0-gns3-cloud tap-gns3-cloud
sudo brctl addif br0-gns3-cloud eth0

sudo ifconfig br0-gns3-cloud up
sudo ifconfig br0-gns3-cloud 192.168.1.5/24

# sudo route add default gw 10.10.10.254

sudo brctl show
  • put the part that has to be repeated into an additional script so the interface setup can be recreated for GNS3 after a reboot
  • gns3-cnoss-taphost
echo "Adding Host Bridge and TAP to GNS3"
sudo ip tuntap add dev tap-gns3vm-cloud mode tap user $(whoami) # I assume this would also work

sudo ifconfig tap-gns3vm-cloud 0.0.0.0 promisc up
sudo ifconfig eth0 0.0.0.0 promisc up

sudo brctl addif br0-gns3-cloud tap-gns3vm-cloud # attach one side of bridge adapter to host tap
sudo brctl addif br0-gns3-cloud eth0 # attach other side of bridge adapter to "host" itself

sudo ifconfig br0-gns3-cloud up #tbd if bridge adapter survives reboot... I'm not sure yet
sudo ifconfig br0-gns3-cloud 10.10.10.99/24 # nor do I know if the bridge's IP/mask surives a reboot

# sudo route add default gw 10.10.10.254 # create a default internal network route for the bridge
  • add the new tap interface to GNS3
    cnossprac1netsec-2023-02-24-9.png

  • create a default static route between the router and the host network

ip route 0.0.0.0 0.0.0.0 f0/0
  • flush tap interface (for troubleshooting)
sudo ip addr flush tap-gns3 
  • checking which routes exists already and deleting (for troubleshooting)
route -nv
sudo route del -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.1.1
  • removing tap adapters (for troubleshooting)
sudo ip tuntap del dev tap-gns3-cloud 
  • yields:
    cnossprac1netsec-2023-03-09-1.png

Add more interfaces to KVM bridge (virbr0)
...

problem is that interfaces from host are not exposed to GNS3 VM
...

Hence why GNS3 only sees this eth0 and not my actual enp4s0 ethernet adapter
...

  • tap interface on host to VM
sudo ip tuntap add dev tap-gns3 mode tap user root #${whoami}
sudo ifconfig enp4s0 0.0.0.0 promisc up
sudo ip link set tap-gns3 up

sudo brctl addbr tap-gns3-cloud-bridge
sudo brctl addif tap-gns3-cloud-bridge tap-gns3
sudo brctl addif tap-gns3-cloud-bridge enp4s0

sudo ifconfig tap-gns3-cloud-bridge up

sudo ifconfig tap-gns3-cloud-bridge 192.168.3.6/24

#sudo ip addr add 192.168.3.6/24 dev tap-gns3
sudo route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.3.6
  • ifconfig should yield...

  • configuring GNS3 internal topology to have the same network as host

enable
config

! allow the router to receive pings from the host side and send ICMP echo replies back
! or rather, allow all IP traffic coming from the host's 192.168.2.0/24 network
access-list 101 permit ip 192.168.2.0 0.0.0.255 any

! static route to the 192.168.3.0/24 subnet via the host bridge address 192.168.3.6
ip route 192.168.3.0 255.255.255.0 192.168.3.6

! add the IP for the router's interface
interface GigabitEthernet0/1
 ip address 192.168.2.5 255.255.255.0
!  

And at some point I decided this was getting out of hand
...

  • so after spending more time than I should honestly have on trying to figure out why I can't create a tap interface straight into GNS3 from the Linux host
  • it occurred to me that this is because I have to bridge the linux host's network into KVM where GNS3 lives
    • problem: GNS3 expects to have tap adapters connected to itself wherever it is running from
    • to connect an adapter from a Linux host on KVM into GNS3, one can try adding the Linux adapter as I have done in this script
#!/bin/bash
echo "Creating TAP interfaces for GNS3 VM"
sudo ip tuntap add dev tap-gns3vm mode tap user $(whoami)
sudo ip link set tap-gns3vm up
sudo brctl addif virbr0 tap-gns3vm

# Tap interface for direct host connectivity
echo "Creating TAP interface for host"
sudo ip tuntap add dev tap-gns3host mode tap user $(whoami)
sudo ip addr add 192.168.3.1/24 dev tap-gns3host
sudo ip link set tap-gns3host up

# Give the interface and device some time to recognize each other
sleep 5s

echo "Starting gns3 vm..."
sudo qemu-system-x86_64 \
-name "GNS3 VM" \
-m 16384M \
-cpu host \
-enable-kvm \
-machine smm=off \
-boot order=c \
-drive file="/var/lib/libvirt/images/gns3-cnoss/GNS3 VM-disk001.qcow2",if=virtio,index=0,media=disk \
-drive file="/var/lib/libvirt/images/gns3-cnoss/GNS3 VM-disk002.qcow2",if=virtio,index=1,media=disk \
-device virtio-net-pci,netdev=nic0 -netdev tap,id=nic0,ifname=tap-gns3vm,script=no,downscript=no \
-device virtio-net-pci,netdev=nic1 -netdev tap,id=nic1,ifname=tap-gns3host,script=no,downscript=no

echo "GNS3 VM Should be started now"
  • Second problem:

    • GNS3 will see that I have added this new virtio-net-pci device, but not that it is a TAP adapter, it just sees that I have some mysterious new eth1 device inside of the VM
    • for all reasons enigmatic to me, even after connecting a router in GNS3 to this TAP disguised as eth1, with an IP of 192.168.3.1 assigned outside and inside the VM and failing to ping anywhere after adding routes on the host, routes in the router etc etc
  • I had a magical thought

    Why am I even trying to run this in KVM on Linux in the first place when the whole point of running GNS3 in a VM is to get access to KVM (mainly for windows users)??
  • so at this point I just scrapped the VM because this nested networking stuff was getting ridiculous just to have my topology talk to the host OS, and GNS3 was clearly designed to do this more easily on windows when it's running in VMWARE or Virtualbox

Layout Network Topology
...

  • essentially there will be some subnet connected to another VIA two routers in between.

  • there will be an IPsec VPN between the two routers

  • ipsec is chosen because it offers good access to cryptographic protocols for packets flowing through the routers vs. traditional tunnel routing
    - What is IPsec? | How IPsec VPNs work | Cloudflare
    - transport mode is chosen here because of the ability to at least packet capture headers and see where packets are destined for
    - Cisco IOS VPN Configuration Guide - Site-to-Site and Extranet VPN Business Scenarios
    - if the routers are configured in full tunnel mode it is probably more secure, but also more restrictive and more difficult to troubleshoot
    cnossprac1netsec-2023-03-12-1.png

  • Behind the second router will be an ASA firewall that will prevent any traffic that isn't VPN based from making its way into the secondary subnet

  • something like this will be the flow of traffic
    cnossprac1netsec-2023-03-12.png

VPN Tunnel Configuration Trial and Error
...

ISAKMP, IPsec, Interfaces, Basic Router things
...

  • interfaces and hostname; no annoying banners on the C7200 like those present in IOSv
  • establishing a first subnet
! Set an identifiable hostname
hostname vpnrouter1
!
! Interface for the 10.10.10.0/24 subnet
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 no shut
 duplex auto
 speed auto
!
! Interface for the connection to the second router
interface GigabitEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 no shut
 duplex auto
 speed auto
  • Internet Security Association and Key Management Protocol
  • creates a new ISAKMP policy with priority 1
  • using AES encryption and Diffie-Hellman group 2
  • the key is pass@word1, and it is the key for the IP of the interface of Router 2
  • telling the router that we're using IPsec and ISAKMP
    • this "mapping" here is called routermap1
    • the peer router is 192.168.1.2
    • the transform set is routerset1
    • and this VPN routing will be applied to whatever traffic matches access list 101
      • in this case traffic from 10.10.10.0/24 will be allowed to 10.10.20.0/24
! initial VPN setup
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key pass@word1 address 192.168.1.2
!
!
! Specifying that the VPN configuration is IPsec transform
crypto ipsec transform-set routerset1 esp-aes esp-sha-hmac
!
!
crypto map routermap1 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set routerset1
 match address 101
! permitting traffic from inside network to other inside network
!access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255
!
  • we also need to provide a route in Router 1 that tells it where the 10.10.20.0/24 subnet actually is (it's behind the outbound interface of the second router)
ip route 10.10.20.0 255.255.255.0 192.168.1.2
ip route 10.10.30.0 255.255.255.0 192.168.1.2
  • apply the crypto map to the interface of Router 1 that faces the second router
interface GigabitEthernet1/0
crypto map routermap1

ISAKMP VPN tunnel verification
...

Verify VPN Tunnel:

  1. Verify the status of the VPN tunnel with the "show crypto isakmp sa" command. This command displays the current state of the ISAKMP SA (Security Association) for the VPN tunnel. If the state is "QM_IDLE," it means that the IPsec SA (Security Association) is established:

    R1# show crypto isakmp sa

  • how it looks in SolarPuTTY on Windows
    cnossprac1netsec-2023-03-20-1.png
  2. Verify that the IPsec transform set is configured with the "show crypto ipsec transform-set" command. This command displays the transform sets that are configured for IPsec. If the transform set that is used by the VPN tunnel is configured for IPsec, it means that the VPN tunnel is using IPsec:

R2# show crypto ipsec transform-set

cnossprac1netsec-2023-03-20-2.png

Intermediate Router (ISP, etc)
...

  • considered having an intermediate router, but decided to scrap this since it wasn't really necessary
interface <ISP Router interface connected to Router 1>
 ip address <IP address>
!
interface <ISP Router interface connected to Firewall>
 ip address <IP address>
!
ip route 10.10.10.0 255.255.255.0 <IP address of Router 1 interface>
ip route 10.10.30.0 255.255.255.0 <IP address of Firewall interface>

Router 2
...

  • router 2 is doing basically the same thing as router 1, just from the other end
  • it also needs to forward the tunnel onto the interface towards the firewall
! Set an identifiable hostname
hostname vpnrouter2
!
interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 no shut
 duplex auto
 speed auto
!
interface GigabitEthernet1/0
 ip address 10.10.20.50 255.255.255.0
 no shut
 duplex auto
 speed auto
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key pass@word1 address 192.168.1.1
!crypto isakmp key pass@word1 address 10.10.20.254
crypto isakmp key pass@word1 address 10.10.30.1
!
crypto ipsec transform-set routerset2 esp-aes esp-sha-hmac
!
crypto map routermap2 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set routerset2
 match address 101
!
! the permission set from Router 1 but in reverse
! access-list 101 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255
!
  • the route to 10.10.10.0/24
ip route 10.10.10.0 255.255.255.0 192.168.1.1
  • the route to 10.10.30.0/24
ip route 10.10.30.0 255.255.255.0 10.10.20.254
  • apply crypto map to interface attached to first router (peer)
interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
 crypto map routermap2
!
  • the crypto map for the interface facing the firewall
    • same transform-set so that esp-aes gets carried forward
crypto map routermap2firewall 10 ipsec-isakmp
 set peer 10.10.20.254
 set transform-set routerset2
 match address 101

interface GigabitEthernet1/0
 crypto map routermap2firewall
  • maybe I need an internal handover mapping as well
crypto map routermap2 internal 10 ipsec-isakmp
 set peer 10.10.20.50
 set transform-set routerset2
 match address 101
 

Quick Router 1 to Router 2 VPN encryption test
...

  • if I ping across router 1 and router 2 via the 10.10.10.0/24 subnet, my traffic should show encapsulating security payload (ESP) and not show the origin IP of the originating ping request, indicating that the original traffic is being protected by the VPN tunnel

cnossprac1netsec-2023-03-15.png

ASAv Firewall
...

Most of the content under here is general notes about how ASAv firewalls can be configured in a more complex way, because the initial layout had the ASAv firewall as a hop in the VPN chain rather than as a filter of VPN traffic between the two subnets. The final configuration is simpler, as explained below.
  • syntax is slightly different for firewalls:
    • terminal needs to be specified
    • pager rather than length
configure terminal
terminal pager 0

enable telnet forcefully
...

en
sh flash:
sh disk0:
cd coredumpinfo

copy coredump.cfg disk0:/use_ttyS0

cnossprac1netsec-2023-03-14-9.png

  • reboot
    cnossprac1netsec-2023-03-14-10.png

  • now telnet console can be used for admin instead of VNC
    cnossprac1netsec-2023-03-14-11.png

  • initial configuration dialogue

  • a security level of 100 (trusted) needs to be set in order to telnet into it
    cnossprac1netsec-2023-03-14-8.png

some user credentials notes
...

  • username admin password admin privilege 15

  • enable password admin

  • On G0/0 I'm naming the traffic coming from outside of the firewall "external"

    • and on G0/1 the traffic is "internal" for 10.10.20.0/24
  • security-level 0 just means that traffic coming from this outside interface is less trusted in general

  • enable communication with firewall over management interface (KVM style subnetting)

    • this was mostly to test if looking at the web interface was doable; turns out it wasn't really
interface Management0/0
ip address 192.168.122.50 255.255.255.0
no shutdown
exit

ASA firewalls have something called security-level
...

  • which determines how trusted each interface is, and therefore in which direction traffic is allowed to flow between interfaces by default
  • turn interfaces online
interface GigabitEthernet0/0
 nameif leftside
 security-level 100
 ip address 10.10.20.254 255.255.255.0
 no shut
!
interface GigabitEthernet0/1
 nameif rightside
 security-level 100
 ip address 10.10.30.1 255.255.255.0
 no shut
!

A mockup of something that would perhaps work if the ASAv was part of the VPN chain
...

this is grossly overcomplicated, but it's still in here because it was part of the learning experience; I didn't use this, but it was interesting to see what the additional crypto mapping capabilities of the ASAv are
  • ASA firewalls can have crypto mappings, etc, applied in a similar fashion to how they are applied to routers

  • network objects refer to specific subnets

    • in this scenario the two subnets that are being paired via VPN are
      • 10.10.10.0/24 -- 10.10.30.0/24
    • An ACL is defined to permit traffic between the two subnets
    • the tunnel group is the initiating IP of the tunnel start point
    • they share the key defined earlier; it doesn't matter much what it is: pass@word1
object network obj_10.10.10.0
subnet 10.10.10.0 255.255.255.0
!
object network obj_10.10.30.0
subnet 10.10.30.0 255.255.255.0
!
access-list VPN_ACL extended permit ip object obj_10.10.10.0 object obj_10.10.30.0
! tunnel group peered from original router exit point
!
!tunnel-group 192.168.1.1 ipsec-attributes
!tunnel-group 192.168.1.1 type ipsec-l2l
!pre-shared-key pass@word1

tunnel-group 10.10.20.50 type ipsec-l2l
tunnel-group 10.10.20.50 ipsec-attributes
pre-shared-key pass@word1


! attaching parameters to crypto map
crypto map VPN_MAP 10 match address VPN_ACL
!crypto map VPN_MAP 10 set peer 192.168.1.1
crypto map VPN_MAP 10 set peer 10.10.20.50

crypto ipsec transform-set asafirewall esp-aes esp-sha-hmac
crypto map VPN_MAP 10 set ikev1 transform-set asafirewall
crypto map VPN_MAP interface leftside

! maybe need interface rightside?
crypto map VPN_MAP interface leftside
crypto map VPN_MAP interface rightside
  • need to add additional access lists for traffic between all subnets
object network obj_10.10.20.0
 subnet 10.10.20.0 255.255.255.0
!
access-list VPN_ACL extended permit ip object obj_10.10.10.0 object obj_10.10.20.0
access-list VPN_ACL extended permit ip object obj_10.10.20.0 object obj_10.10.10.0
!
crypto map VPN_MAP 10 match address VPN_ACL
  • can verify that the crypto map is set up correctly on the router with show crypto map VPN_MAP
  • can view similar on the ASAv with
    • show run crypto map
    • show run crypto isakmp sa
    • show crypto ipsec sa

cnossprac1netsec-2023-03-15-1.png

Some notes on failing to interact with the ASAv web GUI
...

in the end I decided not to use this at all, and it was kind of a waste of time
  • this is using some ancient Java Web Start stuff that isn't really a thing any more....

  • had to install this

sudo apt install icedtea-netx
  • had to manually edit the HTML of the page to allow me to even get the file that runs this Java web app
    cnossprac1netsec-2023-03-14.png

  • which would download a file which I can run with

javaws ./asdm.jnlp

cnossprac1netsec-2023-03-14-1.png

cnossprac1netsec-2023-03-14-2.png

cnossprac1netsec-2023-03-14-3.png

  • oh boy
    cnossprac1netsec-2023-03-14-4.png

  • so uh... maybe?? Download - openwebstart.com

  • icedtea is super deprecated so I'm going to try to get into it with this and see if that works

cnossprac1netsec-2023-03-14-5.png

cnossprac1netsec-2023-03-14-6.png

  • ah
    cnossprac1netsec-2023-03-14-7.png

  • I played with this for.... quite a while and decided it wasn't worth it

The topology actually implemented after a lot of trial and error
...

Scheme for site-to-site VPN
...

  • first test was to get a site to site VPN working with no firewall
    cnossprac1netsec-2023-03-15-2.png

  • another example of site-to-site without IOSvL2 switches
    cnossprac1netsec-2023-03-20-3.png

  • this was configured roughly the same as the above notes with ISAKMP and trial and error

Router 1
...

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key pass@word1 address 192.168.1.2
!
!
crypto ipsec transform-set routerset1 esp-aes esp-sha-hmac 
!
crypto map routermap1 10 ipsec-isakmp 
 set peer 192.168.1.2
 set transform-set routerset1 
 match address 101
!
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
!
interface GigabitEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 negotiation auto
 crypto map routermap1
!
ip route 10.10.30.0 255.255.255.0 192.168.1.2
!
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255

Router 2
...

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key pass@word1 address 192.168.1.1
!
!
crypto ipsec transform-set routerset2 esp-aes esp-sha-hmac 
!
crypto map routermap2 10 ipsec-isakmp 
 set peer 192.168.1.1
 set transform-set routerset2 
 match address 101
!
crypto map routermap2firewall 10 ipsec-isakmp 
 set peer 10.10.20.254
 set peer 10.10.30.1
 set transform-set routerset2 
 match address 101
!
interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
 crypto map routermap2
!
interface GigabitEthernet1/0
 ip address 10.10.30.1 255.255.255.0
 negotiation auto
!
ip route 10.10.10.0 255.255.255.0 192.168.1.1
!
access-list 101 permit ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255
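The ISAKMP section above lists the pieces that have to agree on both ends (peer address, the address the pre-shared key is bound to, mirrored access list 101, a route for the remote subnet via the peer, and the crypto map on the peer-facing interface). Here is an added Python checker, not part of the original write-up, that parses the two router configs just shown and cross-checks them; the config text embedded in it is the page's own, trimmed to the relevant lines, and the function names (parse, check_pair, wildcard_to_net) are this example's.

```python
"""Cross-check a pair of Cisco IOS site-to-site IPsec configs for the mistakes
that kept surfacing above: peer / pre-shared-key address mismatch, crypto map not
applied to the peer-facing interface, non-mirrored crypto ACLs, wrong route."""
import ipaddress
import re

# The page's final no-firewall Router 1 / Router 2 configs, trimmed to the
# lines the tunnel depends on.
R1_CFG = """
crypto isakmp key pass@word1 address 192.168.1.2
crypto map routermap1 10 ipsec-isakmp
 set peer 192.168.1.2
 match address 101
interface GigabitEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 crypto map routermap1
ip route 10.10.30.0 255.255.255.0 192.168.1.2
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255
"""
R2_CFG = """
crypto isakmp key pass@word1 address 192.168.1.1
crypto map routermap2 10 ipsec-isakmp
 set peer 192.168.1.1
 match address 101
interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 crypto map routermap2
ip route 10.10.10.0 255.255.255.0 192.168.1.1
access-list 101 permit ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255
"""


def wildcard_to_net(addr, wildcard):
    """IOS ACLs use inverted masks: 10.10.10.0 0.0.0.255 -> 10.10.10.0/24."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(cfg):
    """Extract only the statements the tunnel depends on."""
    d = {"psk_addrs": set(), "peers": set(), "acl_id": None, "acls": {},
         "routes": {}, "map_ips": []}
    last_ip = None                                # address of the interface being configured
    for line in cfg.splitlines():
        s = line.strip()
        if m := re.match(r"crypto isakmp key \S+ address (\S+)", s):
            d["psk_addrs"].add(m.group(1))
        elif m := re.match(r"set peer (\S+)", s):
            d["peers"].add(m.group(1))
        elif m := re.match(r"match address (\S+)", s):
            d["acl_id"] = m.group(1)
        elif m := re.match(r"ip address (\S+) \S+", s):
            last_ip = m.group(1)
        elif re.match(r"crypto map \S+$", s):    # crypto map applied to an interface
            d["map_ips"].append(last_ip)
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", s):
            d["routes"][ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")] = m.group(3)
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", s):
            pair = (wildcard_to_net(m.group(2), m.group(3)), wildcard_to_net(m.group(4), m.group(5)))
            d["acls"].setdefault(m.group(1), []).append(pair)
    return d


def check_pair(a, b):
    """Problems found when a's tunnel config is checked against its peer b's (empty = consistent)."""
    if len(a["map_ips"]) != 1 or len(b["map_ips"]) != 1:
        return ["crypto map must be applied to exactly one interface on each router"]
    b_ip, issues = b["map_ips"][0], []            # b_ip is the address a should peer with
    if a["peers"] != {b_ip}:
        issues.append(f"set peer {sorted(a['peers'])} != peer's crypto-map interface {b_ip}")
    if b_ip not in a["psk_addrs"]:
        issues.append(f"no isakmp key bound to peer address {b_ip}")
    a_acl, b_acl = a["acls"].get(a["acl_id"], []), b["acls"].get(b["acl_id"], [])
    if {(s, t) for s, t in a_acl} != {(t, s) for s, t in b_acl}:
        issues.append("crypto ACL is not the mirror image of the peer's crypto ACL")
    for _, remote in a_acl:                       # remote protected subnet must route via the peer
        nh = a["routes"].get(remote) or a["routes"].get(ipaddress.ip_network("0.0.0.0/0"))
        if nh != b_ip:
            issues.append(f"route to {remote} goes via {nh}, not via the peer {b_ip}")
    return issues


if __name__ == "__main__":
    r1, r2 = parse(R1_CFG), parse(R2_CFG)
    print("R1->R2:", check_pair(r1, r2) or "OK")
    print("R2->R1:", check_pair(r2, r1) or "OK")
```

Feeding it the earlier Router 2 draft (access list 101 for 10.10.20.0/24 while Router 1 lists 10.10.30.0/24) reports the non-mirrored ACL, which is the class of mismatch that silently leaves the tunnel down.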

VPN tested by wireshark packet capture
...

  • same as above in the quick configuration test

  • secure as long as the ICMP pings are encapsulated by the ESP protocol and the originating IP is not known to the Wireshark sniffer on the line between the routers
    cnossprac1netsec-2023-03-15.png

  • what the same test looks like from SolarPuTTY instead of a Linux terminal telnet session
    cnossprac1netsec-2023-03-20-4.png

Scheme site-to-site with intermediary firewall
...

-2023-03-15-3.png

  • in the site to site with intermediary firewall configuration some things were modified about peers and routes, but it was mostly the same for VPN setup

Router 1
...

  • these things were altered to make Router 1 from above work with a firewall in between
no crypto isakmp key pass@word1 address 192.168.1.2
crypto isakmp key pass@word1 address 192.168.2.1

crypto map routermap1 10 ipsec-isakmp 
  set peer 192.168.2.1

no ip route 10.10.30.0 255.255.255.0 192.168.1.2
ip route 10.10.30.0 255.255.255.0 192.168.2.1

ip route 0.0.0.0 0.0.0.0 192.168.1.2

Firewall
...

  • the firewall was configured like so
    • this firewall is simply filtering traffic from the less trusted outward network to the more trusted inward network
    • this was opted for instead of trying a complicated crypto map that would make the firewall part of the VPN tunnel; lots of trial and error proved making that work difficult
hostname vpn-firewall
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 192.168.2.2 255.255.255.0 
!
access-list out extended permit icmp host 192.168.2.1 host 192.168.1.1 
access-list out extended permit udp host 192.168.2.1 host 192.168.1.1 eq isakmp 
access-list out extended permit esp host 192.168.2.1 host 192.168.1.1 
! access-group out in interface outside
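An added Python model, not code from the write-up, of what this firewall lets through: the three entries of access-list out bound inbound on outside, and the security-level default for the other direction; the packets are constructed sample traffic, including non-VPN traffic the ACL should drop. The model is stateless (it ignores the ASA connection table and the inspect policy), and it assumes the ACL is actually bound with access-group out in interface outside, which is commented out in this snippet but active in the full running config further down.

```python
"""Stateless model of the intermediary ASA in the write-up: two interfaces with
security levels, access-list "out" bound inbound on "outside", and a handful of
constructed packets showing which ones may reach Router 1 (192.168.1.1).
It ignores the ASA connection table and the inspect policy."""
from dataclasses import dataclass
from typing import Optional

# Interfaces from the page: a higher security-level means a more trusted interface.
INTERFACES = {"inside": 100, "outside": 0}

# access-list out extended permit ... as (action, protocol, src host, dst host, dst port)
ACLS = {"out": [
    ("permit", "icmp", "192.168.2.1", "192.168.1.1", None),
    ("permit", "udp", "192.168.2.1", "192.168.1.1", 500),    # eq isakmp
    ("permit", "esp", "192.168.2.1", "192.168.1.1", None),
]}
# access-group out in interface outside  (the ACL does nothing until it is bound)
ACCESS_GROUPS = {"outside": "out"}


@dataclass(frozen=True)
class Packet:
    ingress: str            # interface the packet arrives on
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def acl_verdict(acl, pkt):
    """First matching entry wins; a bound ACL ends with an implicit deny."""
    for action, proto, src, dst, dport in acl:
        if (proto == pkt.proto and src == pkt.src and dst == pkt.dst
                and (dport is None or dport == pkt.dport)):
            return action, f"{action} {proto} host {src} host {dst}"
    return "deny", "implicit deny at end of ACL"


def firewall(pkt):
    """(verdict, reason) for a packet arriving inbound on pkt.ingress."""
    acl_name = ACCESS_GROUPS.get(pkt.ingress)
    if acl_name:                      # an inbound ACL replaces the security-level default
        return acl_verdict(ACLS[acl_name], pkt)
    egress = "inside" if pkt.ingress == "outside" else "outside"
    if INTERFACES[pkt.ingress] > INTERFACES[egress]:
        return "permit", "higher to lower security-level, no ACL bound"
    # equal levels need 'same-security-traffic permit inter-interface'; lower to higher needs an ACL
    return "deny", "not higher to lower security-level and no ACL bound"


# Constructed test traffic on the link between Router 2 (192.168.2.1) and the firewall.
TRAFFIC = [
    Packet("outside", "udp", "192.168.2.1", "192.168.1.1", 500),   # ISAKMP negotiation
    Packet("outside", "esp", "192.168.2.1", "192.168.1.1"),        # the tunnel packets themselves
    Packet("outside", "icmp", "192.168.2.1", "192.168.1.1"),       # router-to-router ping
    Packet("outside", "tcp", "192.168.2.1", "192.168.1.1", 23),    # telnet to R1: not VPN traffic
    Packet("outside", "udp", "192.168.2.1", "192.168.1.1", 4500),  # NAT-T; only needed with NAT between peers
    Packet("outside", "icmp", "10.10.30.5", "10.10.10.5"),         # inner-subnet traffic sent in the clear
    Packet("inside", "udp", "192.168.1.1", "192.168.2.1", 500),    # R1 starting ISAKMP outbound
]


def run(traffic=TRAFFIC):
    """Map each packet to its verdict."""
    return {pkt: firewall(pkt)[0] for pkt in traffic}


if __name__ == "__main__":
    for pkt in TRAFFIC:
        verdict, why = firewall(pkt)
        print(f"{verdict:6} {pkt.ingress:8} {pkt.proto:4} {pkt.src} -> {pkt.dst} ({why})")
```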

Router 2
...

  • router 2 is the same as above with these small changes
no crypto map routermap2firewall 10 ipsec-isakmp 

interface GigabitEthernet0/0
ip address 192.168.2.1 255.255.255.0

Ping test across, checking for encapsulated packets
...

  • ping across from one virtual PC to another

  • PC1
    cnossprac1netsec-2023-03-15-3.png

  • intermediate wireshark capture on both ends of firewall
    cnossprac1netsec-2023-03-15-4.png

  • received data on PC2
    cnossprac1netsec-2023-03-15-5.png

Some full configuration dumps of Router 1, Router 2, and the Firewall
...

Router 1
...

R1-C1#show running-config 
Building configuration...

Current configuration : 1657 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1-C1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
ip cef
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
archive
 log config
  hidekeys
! 
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key pass@word1 address 192.168.2.1
!
!
crypto ipsec transform-set routerset1 esp-aes esp-sha-hmac 
!
crypto map routermap1 10 ipsec-isakmp 
 set peer 192.168.2.1
 set transform-set routerset1 
 match address 101
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface Ethernet0/0
 no ip address
 shutdown
 duplex auto
!
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
!
interface GigabitEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 negotiation auto
 crypto map routermap1
!
interface GigabitEthernet2/0
 no ip address
 shutdown
 negotiation auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip route 10.10.30.0 255.255.255.0 192.168.2.1
no ip http server
no ip http secure-server
!
!
!
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255
no cdp log mismatch duplex
!
control-plane
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end

Firewall
...

vpn-firewall# show running-config 
: Saved

: 
: Serial Number: 9AAADS8T1G9
: Hardware:   ASAv, 2048 MB RAM, CPU Unknown Model 2304 MHz
:
ASA Version 9.8(1) 
!
hostname vpn-firewall
enable password $sha512$5000$Jy/TNZdjhOAE58YQ1g+FXA==$IqQfAVlwNoZrSCfX3b1zYQ== pbkdf2
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names

!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 192.168.2.2 255.255.255.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list out extended permit icmp host 192.168.2.1 host 192.168.1.1 
access-list out extended permit udp host 192.168.2.1 host 192.168.1.1 eq isakmp 
access-list out extended permit esp host 192.168.2.1 host 192.168.1.1 
pager lines 23
mtu inside 1500
mtu outside 1500
no failover
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
access-group out in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
 auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 18dad19e267de8bb4a2158cdcc6b3b4a
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
policy-map type inspect dns migrated_dns_map_2
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
 profile License
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination transport-method http
Cryptochecksum:e3f109b5557f5bbdc77df280e0748cef
: end

Router 2
...

R2-C1#show running-config 
Building configuration...

Current configuration : 1731 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2-C1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
archive
 log config
  hidekeys
! 
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key pass@word1 address 192.168.1.1
!
!
crypto ipsec transform-set routerset2 esp-aes esp-sha-hmac 
!
crypto map routermap2 10 ipsec-isakmp 
 set peer 192.168.1.1
 set transform-set routerset2 
 match address 101
!
!
!
ip tcp synwait-time 5
!
interface Ethernet0/0
 no ip address
 shutdown
 duplex auto
!
interface GigabitEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
 crypto map routermap2
!
interface GigabitEthernet1/0
 ip address 10.10.30.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet3/0
 no ip address
 shutdown
 negotiation auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.2.2
ip route 10.10.10.0 255.255.255.0 192.168.1.1
no ip http server
no ip http secure-server
!
!
!
access-list 101 permit ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255
no cdp log mismatch duplex
!
control-plane
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end