
QUESTIONS

2. COMMANDS TO TEST THE VPN

3. THAT AP MANAGEMENT INTERFACE: WHAT IS GESTION_AP FOR?
==============================================================================
JUNIPER
==============================================================================
set security zones security-zone trust host-inbound-traffic system-services ping

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
==============================================================================
RADIUS
==============================================================================
1. Create the routes via the peer of the management interface.

ip route 192.168.173.3 255.255.255.255 10.245.87.157 name RADIUS ----------> MPLS MANAGEMENT IP (10.245.87.157)
ip route 192.168.173.4 255.255.255.255 10.245.87.157 name RADIUS ----------> MPLS MANAGEMENT IP (10.245.87.157)
ip route 192.168.100.3 255.255.255.255 10.245.87.157 name RADIUS ----------> MPLS MANAGEMENT IP (10.245.87.157)

2. Ping the Cisco management host and the RADIUS servers to validate connectivity.

TRONEX_MED_INT#ping 192.168.100.3 sou 10.253.105.158
TRONEX_MED_INT#ping 192.168.173.4 sou 10.253.105.158

3. AAA commands and local user.

aaa new-model
!
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa session-id common
ip cef
!
username cpes password cpes
archive
log config
hidekeys

4. Add access-list 98, including the peer of the Internet (or main data) interface and the management one.

access-list 98 permit 192.168.100.3
access-list 98 permit 200.75.56.142
access-list 98 permit 65.167.60.186
access-list 98 permit 200.93.0.0
access-list 98 permit 10.245.87.157 ----> MPLS MANAGEMENT IP
access-list 98 permit 10.245.87.153 ----> MPLS DATA IP

5. Add the radius-server commands for the three servers plus the key, "exactly as it appears".

radius-server host 192.168.173.4 auth-port 1645 acct-port 1646
radius-server host 192.168.173.5 auth-port 1645 acct-port 1646
radius-server key 7 1113123C4454483623

NOTE: IF AN ERROR APPEARS, RUN THE 3 PREVIOUS COMMANDS AGAIN


**********************************************************************************************************
IF THE PREVIOUS COMMANDS DO NOT WORK
**********************************************************************************************************

radius-server key 7 1113123C4454483623
!
ALCAL_COTA_COT_K4C12(config-radius-server)#address ipv4 192.168.173.4 auth-port 1645 acct-port 1646
radius server ETB
address ipv4 192.168.173.4 auth-port 1645 acct-port 1646
!
radius server ETB2
address ipv4 192.168.173.5 auth-port 1645 acct-port 1646
!

6. Apply access-list 98 to the vty lines.

line vty 0 4
access-class 98 in
login local
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
==============================================================================
SSH
==============================================================================
ip ssh version 2
ip domain name etb.com.co
McDonals_Chipichape(config)#crypto key generate RSA ---------------------> when it asks for the modulus size, enter 2048
!
ip domain name etb.com.co
!
username cpes privilege 15 password cpes
username etb privilege 15 password oo7mund0
!
ip ssh authentication-retries 2
ip ssh port 2222 rotary 1
ip ssh version 2
!
line vty 0 4
login local
transport input telnet ssh --------------------> We test SSH logins first and then remove telnet, like this:
!
line vty 0 4
login local
transport input ssh
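An added check, not from the page or the operator's own tooling, that audits a saved IOS config for the steps above: SSHv2 forced, AAA and a RADIUS server present, an access-class on every vty stanza, and telnet removed from transport input. The config text is a constructed excerpt of the page's own commands, and the names `audit` and `vty_blocks` are chosen here.

```python
import re

# Constructed sample mirroring the page's RADIUS/SSH steps: the "before" vty
# stanza still allows telnet; AFTER is the hardened stanza the page ends with.
BEFORE = """\
aaa new-model
aaa authentication login default group radius local
radius-server host 192.168.173.4 auth-port 1645 acct-port 1646
ip ssh version 2
access-list 98 permit 192.168.100.3
line vty 0 4
 access-class 98 in
 login local
 transport input telnet ssh
"""
AFTER = BEFORE.replace("transport input telnet ssh", "transport input ssh")

def vty_blocks(cfg):
    """Yield (header, [sub-commands]) for every 'line vty' stanza."""
    lines = cfg.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("line vty"):
            body = []
            for sub in lines[i + 1:]:
                if not sub.startswith(" "):
                    break
                body.append(sub.strip())
            yield line, body

def audit(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    top = {l.strip() for l in cfg.splitlines() if not l.startswith(" ")}
    if "ip ssh version 2" not in top:
        findings.append("ssh: version 2 not forced (SSHv1 still negotiable)")
    if "aaa new-model" not in top:
        findings.append("aaa: 'aaa new-model' missing, RADIUS login never applies")
    if not any(l.startswith(("radius-server host", "radius server ")) for l in top):
        findings.append("aaa: no RADIUS server defined")
    acls = {m.group(1) for m in map(re.compile(r"access-list (\d+) permit").match, top) if m}
    for header, body in vty_blocks(cfg):
        ac = [b for b in body if b.startswith("access-class")]
        if not ac:
            findings.append(f"{header}: no access-class, management open to any source")
        elif ac[0].split()[1] not in acls:
            findings.append(f"{header}: access-class points at an ACL with no permit lines")
        ti = [b for b in body if b.startswith("transport input")]
        if not ti or "telnet" in ti[0] or ti[0].endswith(" all"):
            findings.append(f"{header}: telnet (cleartext) still accepted")
    return findings
```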
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
==============================================================================
GU GRAPHING
==============================================================================
snmp-server community cispresid RW 97
snmp-server enable traps entity
snmp-server enable traps syslog
snmp-server host 10.243.16.78 ciscafam --------------------------> THE COMMUNITY IS CHANGED
snmp-server host 10.243.16.73 ciscafam --------------------------> THE COMMUNITY IS CHANGED
snmp-server host 10.243.16.75 ciscafam --------------------------> THE COMMUNITY IS CHANGED
snmp-server host 10.243.16.76 ciscafam --------------------------> THE COMMUNITY IS CHANGED
snmp-server host 10.243.16.81 ciscafam --------------------------> THE COMMUNITY IS CHANGED
!
access-list 97 permit 10.243.16.78
access-list 97 permit 10.243.16.73
access-list 97 permit 10.243.16.75
access-list 97 permit 10.243.16.76
access-list 97 permit 10.243.16.81
!
ip route 10.243.16.73 255.255.255.255 10.245.87.157 name GU --------------------------> REPLACE WITH THE MPLS MANAGEMENT WAN
ip route 10.243.16.75 255.255.255.255 10.245.87.157 name GU --------------------------> REPLACE WITH THE MPLS MANAGEMENT WAN
ip route 10.243.16.76 255.255.255.255 10.245.87.157 name GU --------------------------> REPLACE WITH THE MPLS MANAGEMENT WAN
ip route 10.243.16.78 255.255.255.255 10.245.87.157 name GU --------------------------> REPLACE WITH THE MPLS MANAGEMENT WAN
ip route 10.243.16.81 255.255.255.255 10.245.87.157 name GU --------------------------> REPLACE WITH THE MPLS MANAGEMENT WAN
!
snmp-server enable traps syslog

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
==============================================================================
AP WIFI CISCO CAFAM
==============================================================================
CAFAM_PAS_K22DC2_PASTO#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
CAFAM_PAS_K22DC2_PAS(config)#inter Wlan-GigabitEthernet8
CAFAM_PAS_K22DC2_PAS(config-if)#inter wlan-ap0
The wlan-ap 0 interface is used for managing the embedded AP.
Please use the "service-module wlan-ap 0 session" command to console into the
embedded AP

CAFAM_PAS_K22DC2_PAS(config-if)#^Z
CAFAM_PAS_K22DC2_PASTO#service-module wlan-ap 0 session
IP address needs to be configured on interface wlan-ap0
CAFAM_PAS_K22DC2_PASTO#
CAFAM_PAS_K22DC2_PASTO#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
CAFAM_PAS_K22DC2_PAS(config)#
CAFAM_PAS_K22DC2_PAS(config)#interface wlan-ap0
The wlan-ap 0 interface is used for managing the embedded AP.
Please use the "service-module wlan-ap 0 session" command to console into the
embedded AP

CAFAM_PAS_K22DC2_PAS(config-if)#ip add
CAFAM_PAS_K22DC2_PAS(config-if)#ip address 10.10.10.2 255.255.255.252
CAFAM_PAS_K22DC2_PAS(config-if)#^Z
CAFAM_PAS_K22DC2_PASTO#service-module wlan-ap 0 session
Trying 10.10.10.2, 2002 ... Open

ap>ena
===================================================================================
CAFAM_MED_K66C49_I#
CAFAM_MED_K66C49_I#TELnet 10.241.245.18 2002 ---------------> ROUTER WAN
Trying 10.241.245.18, 2002 ... Open
===================================================================================
ap>ENA
ap>ENAble
Password: Cisco
ap#

dot11 ssid MERCADEO
vlan 1
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii M2RC1D24.Wmic
!
crypto pki trustpoint TP-self-signed-153192716
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-153192716
revocation-check none
rsakeypair TP-self-signed-153192716
!
crypto pki certificate chain TP-self-signed-153192716
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 1 mode ciphers tkip
!
broadcast-key vlan 1 change 30
!
ssid MERCADEO
!
antenna gain 100
mbssid
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 1 mode ciphers tkip
!
broadcast-key vlan 1 change 30
!
ssid MERCADEO
!
antenna gain 100
dfs band 3 block
mbssid
channel dfs
station-role root
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
==============================================================================
STEPS FOR CAFAM
==============================================================================
1. WE CONFIGURE THE SERVICE AND MANAGEMENT WAN

interface FastEthernet0
no ip address
load-interval 30
duplex full
speed 100
!
interface FastEthernet0.100
description GESTION_MPLS
encapsulation dot1Q 100
ip address 10.245.87.158 255.255.255.252
!
interface FastEthernet0.101
description CONEXION_WAN
bandwidth 2048
encapsulation dot1Q 101
ip address 10.247.235.146 255.255.255.252
crypto map ETB --------------------------------------------------------------> IMPORTANT, THIS BRINGS UP THE VPN
service-policy output LIMIT -------------------------------> BW LIMITER
!

2. WE CONFIGURE THE PUBLIC IP AND THE GU

interface Loopback0
description IP_PUBLICA_NAT
ip address 190.27.170.97 255.255.255.248
!
interface Loopback20
description GRAFICACION GU
ip address 10.172.8.155 255.255.255.255
!

3. DHCP CONFIGURATION

ip dhcp excluded-address 172.25.48.2 172.25.48.19
!
ip dhcp pool LAN
network 172.25.48.0 255.255.255.0
default-router 172.25.48.1
dns-server 172.19.1.111 172.19.1.112 200.75.51.132
netbios-name-server 172.19.1.111
!

4. BW POLICY CONFIGURATION

class-map match-all TRAFFIC
match any
!
policy-map LIMIT
class TRAFFIC
shape average 2048000
!

5. CUSTOMER LAN CONFIGURATION

interface Vlan1
description LAN_CLIENTE
ip address 172.25.48.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!

6. VPN CONFIGURATION

crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key 45yWplc8x address 190.24.129.139 -------------------------> THE VPN KEY (45yWplc8x) IS CHANGED; THE PROJECT ENGINEER SUPPLIES IT
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac
mode tunnel
!
crypto map ETB local-address Loopback0
crypto map ETB 10 ipsec-isakmp
set peer 190.24.129.139
set security-association idle-time 3600
set transform-set AES128-SHA
match address VPN

7. NAT CONFIGURATION; THE LAN (172.25.48.0) IS REPLACED WITH THE NEW ONE

access-list 10 permit 192.168.0.0 0.0.0.255

ip access-list extended NAT
deny ip 172.25.48.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 172.25.48.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 172.25.48.0 0.0.0.255 192.168.0.0 0.0.255.255
permit tcp 172.25.48.0 0.0.0.255 host 200.26.150.71 eq 443
permit tcp 172.25.48.0 0.0.0.255 host 200.26.150.73 eq 443
permit tcp 172.25.48.0 0.0.0.255 host 190.27.225.98 eq 443
permit tcp 172.25.48.0 0.0.0.255 host 190.27.225.97 eq 443
permit ip 172.25.48.0 0.0.0.255 host 190.145.88.54
permit ip 172.25.48.0 0.0.0.255 host 190.145.88.55
permit tcp 172.25.48.0 0.0.0.255 host 190.85.195.225 eq 443
permit tcp 172.25.48.0 0.0.0.255 host 190.85.195.225 eq 8080
permit tcp 172.25.48.0 0.0.0.255 host 190.85.195.235 eq 443
permit tcp 172.25.48.0 0.0.0.255 host 190.85.195.235 eq 8080
permit tcp 172.25.48.0 0.0.0.255 host 200.122.195.156 eq 8080
permit tcp 172.25.48.0 0.0.0.255 host 190.27.225.101 eq 6064
permit ip 172.25.48.0 0.0.0.255 host 200.75.51.132
permit ip 172.25.48.0 0.0.0.255 host 190.24.129.144
permit ip 172.25.48.0 0.0.0.255 host 200.21.200.10
permit ip 172.25.48.0 0.0.0.255 host 200.21.200.80
permit ip 172.25.48.0 0.0.0.255 host 200.13.249.101
permit ip 172.25.48.0 0.0.0.255 host 200.13.224.254
permit ip 172.25.48.0 0.0.0.255 host 168.62.205.105
permit tcp 172.25.48.0 0.0.0.255 host 190.85.195.226 eq 443
permit tcp 172.25.48.0 0.0.0.255 host 190.85.195.226 eq 8080
permit tcp 172.25.48.0 0.0.0.255 host 190.85.195.226 eq 8081
permit tcp 172.25.48.0 0.0.0.255 host 190.85.195.226 eq 45800
permit tcp 172.25.48.0 0.0.0.255 host 184.106.161.206 eq 83
permit tcp 172.25.48.0 0.0.0.255 host 200.122.195.157 eq 18080
permit ip 172.25.48.0 0.0.0.255 host 137.116.74.192
ip access-list extended VPN
permit ip 172.25.48.0 0.0.0.255 any
permit ip 172.25.48.0 0.0.0.255 172.16.0.0 0.15.255.255
permit ip 172.25.48.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 172.25.48.0 0.0.0.255 10.0.0.0 0.255.255.255

8. SNMP COMMUNITY FOR CAFAM GRAPHING

snmp-server community CAFAM.etb RO
snmp-server community CAFAM.ETB RO
snmp-server host 172.26.100.101 CAFAM.ETB
snmp-server host 172.26.100.103 CAFAM.ETB
snmp-server host 172.26.100.22 CAFAMREDES
snmp-server host 172.19.1.95 CAFAM.ETB

9. WE BIND THE NAT TO THE PUBLIC IP

route-map NAT1-RM permit 10
match ip address NAT

ip nat translation timeout 2
ip nat translation routemap-entry-timeout 2
ip nat translation icmp-timeout 2
ip nat inside source route-map NAT1-RM interface Loopback0 overload
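The NAT and VPN access lists in steps 7 and 9 decide together where each LAN flow ends up: IOS applies inside-to-outside NAT before the crypto map, so a flow permitted by the NAT route-map leaves in the clear from Loopback0, and only flows the NAT ACL denies (or never permits) still carry the 172.25.48.0 source and can match the VPN ACL, whose first line `permit ip 172.25.48.0 0.0.0.255 any` then sends them through the tunnel (the three narrower permit lines after it never get evaluated). The evaluator below is an added example, not the page's or the operator's own code; it uses a constructed subset of the page's ACLs, and `acl_action` and `egress` are names chosen here.

```python
import ipaddress

# Constructed subset of the page's NAT and VPN ACLs for LAN 172.25.48.0/24.
NAT_ACL = """\
deny ip 172.25.48.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 172.25.48.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 172.25.48.0 0.0.0.255 192.168.0.0 0.0.255.255
permit tcp 172.25.48.0 0.0.0.255 host 200.26.150.71 eq 443
permit ip 172.25.48.0 0.0.0.255 host 200.75.51.132
"""
VPN_ACL = "permit ip 172.25.48.0 0.0.0.255 any\n"
PUBLIC_IP = "190.27.170.97"  # Loopback0, the NAT overload address on the page

def _addr(tokens):
    """Consume one address spec ('any', 'host X', or 'net wildcard')."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def _match(spec, ip):
    """Wildcard-mask compare: bits set in the wildcard are don't-care."""
    net, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    return (int(ipaddress.IPv4Address(ip)) | wild) == (net | wild)

def acl_action(acl_text, proto, src, dst, dport):
    """First-match evaluation of an extended ACL, implicit deny at the end."""
    for line in acl_text.splitlines():
        action, p, *rest = line.split()
        s, rest = _addr(rest)
        d, rest = _addr(rest)
        if p not in ("ip", proto):
            continue
        if rest[:1] == ["eq"] and int(rest[1]) != dport:
            continue
        if _match(s, src) and _match(d, dst):
            return action
    return "deny"

def egress(proto, src, dst, dport=0):
    """Classify a LAN flow: inside->outside NAT runs before the crypto map,
    so a NAT hit leaves in the clear and only non-NATed traffic can be encrypted."""
    if acl_action(NAT_ACL, proto, src, dst, dport) == "permit":
        return f"NAT to {PUBLIC_IP}, sent in the clear"
    if acl_action(VPN_ACL, proto, src, dst, dport) == "permit":
        return "encrypted via crypto map ETB"
    return "neither NATed nor encrypted"
```

Note the third case in the test: HTTP (port 80) to a host that is only whitelisted for 443 is not NATed, so it goes through the tunnel to the hub rather than out the local Internet link.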
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
=====================================================================================================
CAFAM TEMPLATE, ENG. FREDY PORTILLA
=====================================================================================================
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

&%&%&%&%&%&%&%&%&% VPN &%&%&%&%&%&%&%&%&%

crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key J8h4na2v address 190.24.129.139
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto map ETB local-address Loopback0
crypto map ETB 10 ipsec-isakmp
set peer 190.24.129.139
set security-association idle-time 3600
set transform-set AES128-SHA
match address VPN

interface Loopback0
description NAT
ip address 190.27.168.105 255.255.255.248
!
interface Loopback1
description GESTION_AP
ip address 2.2.2.2 255.255.255.255

interface Vlan1
description LAN_CLIENTE
ip address 172.25.138.1 255.255.255.0
ip nat inside
ip virtual-reassembly in

route-map NAT1-RM permit 10
match ip address NAT

ip nat translation timeout 2
ip nat translation routemap-entry-timeout 2
ip nat translation icmp-timeout 2
ip nat inside source route-map NAT1-RM interface Loopback0 overload

access-list 10 permit 192.168.0.0 0.0.0.255

ip access-list extended NAT
deny ip 172.25.138.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 172.25.138.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 172.25.138.0 0.0.0.255 192.168.0.0 0.0.255.255
permit tcp 172.25.138.0 0.0.0.255 host 200.26.150.71 eq 443
permit tcp 172.25.138.0 0.0.0.255 host 200.26.150.73 eq 443
permit tcp 172.25.138.0 0.0.0.255 host 190.27.225.98 eq 443
permit tcp 172.25.138.0 0.0.0.255 host 190.27.225.97 eq 443
permit ip 172.25.138.0 0.0.0.255 host 190.145.88.54
permit ip 172.25.138.0 0.0.0.255 host 190.145.88.55
permit tcp 172.25.138.0 0.0.0.255 host 190.85.195.225 eq 443
permit tcp 172.25.138.0 0.0.0.255 host 190.85.195.225 eq 8080
permit tcp 172.25.138.0 0.0.0.255 host 190.85.195.235 eq 443
permit tcp 172.25.138.0 0.0.0.255 host 190.85.195.235 eq 8080
permit tcp 172.25.138.0 0.0.0.255 host 200.122.195.156 eq 8080
permit tcp 172.25.138.0 0.0.0.255 host 190.27.225.101 eq 6064
permit ip 172.25.138.0 0.0.0.255 host 200.75.51.132
permit ip 172.25.138.0 0.0.0.255 host 190.24.129.144
permit ip 172.25.138.0 0.0.0.255 host 200.21.200.10
permit ip 172.25.138.0 0.0.0.255 host 200.21.200.80
permit ip 172.25.138.0 0.0.0.255 host 200.13.249.101
permit ip 172.25.138.0 0.0.0.255 host 200.13.224.254
permit ip 172.25.138.0 0.0.0.255 host 168.62.205.105
permit tcp 172.25.138.0 0.0.0.255 host 190.85.195.226 eq 443
permit tcp 172.25.138.0 0.0.0.255 host 190.85.195.226 eq 8080
permit tcp 172.25.138.0 0.0.0.255 host 190.85.195.226 eq 8081
permit tcp 172.25.138.0 0.0.0.255 host 190.85.195.226 eq 45800
permit tcp 172.25.138.0 0.0.0.255 host 184.106.161.206 eq 83
permit tcp 172.25.138.0 0.0.0.255 host 200.122.195.157 eq 18080
permit ip 172.25.138.0 0.0.0.255 host 137.116.74.192
ip access-list extended VPN
permit ip 172.25.138.0 0.0.0.255 any
permit ip 172.25.138.0 0.0.0.255 172.16.0.0 0.15.255.255
permit ip 172.25.138.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 172.25.138.0 0.0.0.255 10.0.0.0 0.255.255.255

snmp-server community CAFAM.etb RO
snmp-server community CAFAM.ETB RO
snmp-server host 172.26.100.101 CAFAM.ETB
snmp-server host 172.26.100.103 CAFAM.ETB
snmp-server host 172.26.100.22 CAFAMREDES
snmp-server host 172.19.1.95 CAFAM.ETB
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
