Enterprise VPN Network Design

in #studies, 6 years ago (edited)

This page tag is dedicated to my professional life as a network engineer and learner. I will just put computer network related things in this tag. This is my network journal.

<p dir="auto">I have been designing an enterprise VPN network for the company I work for. The network is pretty straightforward: it has several branches across the country. Each site is a logistics warehouse connected to the head office via VPN. Users at each warehouse need to access the logistics web app running on a server at the head office. The web app is developed in-house, and the web server is not exposed to the public Internet.</p>
<p dir="auto">There is also a monitoring server at the overseas office. The monitoring server needs to reach both the hub and the spokes. It also determines the status of the VPN and of the connectivity between hub and spokes; if there is a connectivity problem, the server sends an alert to the administrator.<br /> <img src="https://images.hive.blog/768x0/https://i.imgur.com/BTwIPDw.png" srcset="https://images.hive.blog/768x0/https://i.imgur.com/BTwIPDw.png 1x, https://images.hive.blog/1536x0/https://i.imgur.com/BTwIPDw.png 2x" /></p>
<p dir="auto">This is quite a simple setup.</p>
<ol>
<li>Branches and the head office are connected to the public Internet.</li>
<li>Branches are connected to the head office via a DMVPN cloud (Phase 2 or 3).</li>
<li>The overseas office and the HO have site-to-site IPsec VPN connectivity.</li>
<li>The monitoring server must be able to reach the branches via the HO router and through the DMVPN cloud.</li>
<li>Zone-Based Firewall (ZBF) is enabled on both the HO and the branches.</li>
<li>On the spokes, a static route to the monitoring server's subnet is required, pointing to the Tunnel0 interface (the hub's EIGRP process only advertises 172.10.0.0 and the tunnel subnet, so the spokes do not learn 192.168.10.0/24 dynamically).</li>
</ol>
<p dir="auto">I am not going to post the full configuration here as it is quite an easy setup, but I will put some key cheat sheets for DMVPN and ZBF below.</p>
<p dir="auto"><strong>DMVPN Hub</strong></p>
<pre><code>! Create an ISAKMP policy for DMVPN tunnel protection
! (no "encryption" or "group" line, so the IOS defaults apply: DES and DH group 1)
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
! Create an ISAKMP key for DMVPN tunnel protection
! (wildcard 0.0.0.0 peer: any host that knows this key can negotiate with the hub)
!
crypto isakmp key aps123 address 0.0.0.0
!
! Create the IPsec transform set
!
crypto ipsec transform-set APS esp-3des esp-md5-hmac
 mode tunnel
!
! Create an IPsec profile for the DMVPN tunnel
! (120 s is the minimum SA lifetime IOS accepts, so the SA rekeys every two minutes)
!
crypto ipsec profile aps
 set security-association lifetime seconds 120
 set transform-set APS
!
interface Ethernet0/0
 ip address 100.100.10.2 255.255.255.0
!
interface Ethernet0/1
 ip address 172.10.1.1 255.255.255.0
!
! Create the mGRE tunnel and apply the IPsec profile to it
! (next-hop-self and split-horizon are disabled so spoke routes are
!  re-advertised to the other spokes with the originating spoke as next hop)
!
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 no ip next-hop-self eigrp 10
 no ip split-horizon eigrp 10
 ip nhrp authentication aps123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 zone-member security DMVPN
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile aps
!
! Specify the routing protocol for end-to-end connectivity
!
router eigrp 10
 network 172.10.0.0
 network 192.168.1.0
</code></pre>
<p dir="auto"><strong>DMVPN Spoke</strong></p>
<pre><code>! Create the IPsec transform set
!
crypto ipsec transform-set APS esp-3des esp-md5-hmac
 mode tunnel
!
! Create the IPsec profile
!
crypto ipsec profile aps
 set security-association lifetime seconds 120
 set transform-set APS
!
! Create the ISAKMP policy and key (same parameters as the hub)
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key aps123 address 0.0.0.0
!
! Create the DMVPN tunnel; the spoke statically maps the hub as its NHS
!
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication aps123
 ip nhrp map multicast dynamic
 ip nhrp map multicast 100.100.10.2
 ip nhrp map 192.168.1.1 100.100.10.2
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 zone-member security DMVPN
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile aps
!
! Specify the routing protocol
! (the tunnel subnet must be included as well, otherwise EIGRP never
!  forms an adjacency with the hub over Tunnel0)
!
router eigrp 10
 network 172.20.0.0
 network 192.168.1.0
!
! This route is important for monitoring traffic
!
ip route 192.168.10.0 255.255.255.0 Tunnel0
</code></pre>
<p dir="auto"><strong>ZBF</strong></p>
<pre><code>! Create object groups for the zones
! (this is a spoke's policy: INSIDE is its local 172.20.0.0/16 LAN, and
!  DMVPN covers the HO LAN, the other spokes and the monitoring subnet)
!
object-group network DMVPN
 172.10.0.0 255.255.0.0
 172.30.0.0 255.255.0.0
 172.40.0.0 255.255.0.0
 192.168.10.0 255.255.255.0
!
object-group network INSIDE
 172.20.0.0 255.255.0.0
!
! (not referenced by any of the ACLs below)
object-group network OUTSIDE
 192.168.10.0 255.255.255.0
!
! Create the zones
!
zone security INSIDE
zone security OUTSIDE
zone security DMVPN
!
! Create the zone pairs
!
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
!
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
!
zone-pair security OUTSIDE-DMVPN source OUTSIDE destination DMVPN
!
zone-pair security DMVPN-OUTSIDE source DMVPN destination OUTSIDE
!
zone-pair security DMVPN-INSIDE source DMVPN destination INSIDE
!
zone-pair security INSIDE-DMVPN source INSIDE destination DMVPN
!
! Apply the zones to the interfaces
!
interface Ethernet0/0
 zone-member security OUTSIDE
!
interface Ethernet0/1
 zone-member security INSIDE
!
interface Tunnel0
 zone-member security DMVPN
!
! Create the ACLs
! (an ACL containing only deny entries matches nothing, so the DMVPN-OUTSIDE
!  and OUTSIDE-DMVPN classes are empty and class-default does the dropping)
!
ip access-list extended DMVPN-INSIDE
 permit ip object-group DMVPN object-group INSIDE
ip access-list extended DMVPN-OUTSIDE
 deny ip object-group DMVPN any
ip access-list extended INSIDE-DMVPN
 permit ip object-group INSIDE object-group DMVPN
ip access-list extended INSIDE-OUTSIDE
 permit ip object-group INSIDE any
ip access-list extended OUTSIDE-DMVPN
 deny ip any object-group DMVPN
ip access-list extended OUTSIDE-INSIDE
 permit ip any object-group INSIDE
!
! Create the class maps
!
class-map type inspect match-all DMVPN-OUTSIDE
 match access-group name DMVPN-OUTSIDE
class-map type inspect match-all OUTSIDE-DMVPN
 match access-group name OUTSIDE-DMVPN
class-map type inspect match-all INSIDE-OUTSIDE
 match access-group name INSIDE-OUTSIDE
! This class matches on protocol only: the OUTSIDE-INSIDE ACL above is never
! referenced, so these protocols are inspected from any source, and telnet,
! ftp and SNMPv1/v2c are cleartext
class-map type inspect match-any OUTSIDE-INSIDE
 match protocol ssh
 match protocol telnet
 match protocol snmp
 match protocol smtp
 match protocol ftp
 match protocol isakmp
 match protocol icmp
class-map type inspect match-all DMVPN-INSIDE
 match access-group name DMVPN-INSIDE
class-map type inspect match-all INSIDE-DMVPN
 match access-group name INSIDE-DMVPN
!
! Create the policy maps
!
policy-map type inspect OUTSIDE-INSIDE
 class type inspect OUTSIDE-INSIDE
  inspect
 class class-default
  drop
policy-map type inspect OUTSIDE-DMVPN
 class type inspect OUTSIDE-DMVPN
 class class-default
  drop
policy-map type inspect DMVPN-OUTSIDE
 class type inspect DMVPN-OUTSIDE
 class class-default
  drop
policy-map type inspect INSIDE-OUTSIDE
 class type inspect INSIDE-OUTSIDE
  inspect
 class class-default
  drop
policy-map type inspect DMVPN-INSIDE
 class type inspect DMVPN-INSIDE
  inspect
 class class-default
  drop
policy-map type inspect INSIDE-DMVPN
 class type inspect INSIDE-DMVPN
  inspect
 class class-default
  drop
!
! Apply the policy maps to the zone pairs
!
zone-pair security INSIDE-OUTSIDE
 service-policy type inspect INSIDE-OUTSIDE
zone-pair security OUTSIDE-INSIDE
 service-policy type inspect OUTSIDE-INSIDE
zone-pair security OUTSIDE-DMVPN
 service-policy type inspect OUTSIDE-DMVPN
zone-pair security DMVPN-OUTSIDE
 service-policy type inspect DMVPN-OUTSIDE
zone-pair security DMVPN-INSIDE
 service-policy type inspect DMVPN-INSIDE
zone-pair security INSIDE-DMVPN
 service-policy type inspect INSIDE-DMVPN
!
</code></pre>
<hr />
<center><h3>Originally posted on <a href="http://dopus2.engrave.site/enterprise-vpn-network-design" target="_blank" rel="nofollow noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">AP's Journal</a>. Steem blog powered by <a href="https://engrave.website" target="_blank" rel="nofollow noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">ENGRAVE</a>.</h3></center>
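<p dir="auto">The ISAKMP policy and transform set in the hub and spoke cheat sheets negotiate DES/MD5 with DH group 1 for IKE (the IOS defaults when no encryption or group is set) and 3DES/MD5 for ESP, with a short pre-shared key accepted from any peer and an SA rekey every two minutes. The block below is an added example of the same crypto section with current parameters; it is not the original post's configuration. The key string is a placeholder, the hub NBMA address 100.100.10.2 is taken from the post, and the choice of transport mode is an assumption that the spokes are not behind a device that strips GRE.</p>

```cisco
! Added example: hardened IKEv1/IPsec settings for the same DMVPN tunnel
! (drop-in replacement for the crypto section of the hub and spoke sheets)
!
! IKE phase 1: AES-256, SHA-256, DH group 14, 8-hour lifetime
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
! Spoke side: a long random key bound to the hub's NBMA address, so the
! key is only usable against the hub (placeholder value)
crypto isakmp key REPLACE-WITH-32-RANDOM-CHARS address 100.100.10.2 255.255.255.255
!
! Hub side: spokes on dynamic addresses force a wildcard entry, which is why
! the hub should move to certificates or IKEv2 per-spoke keyrings rather
! than one shared key for every branch
! crypto isakmp key REPLACE-WITH-32-RANDOM-CHARS address 0.0.0.0 0.0.0.0
!
! Dead-peer detection so a failed spoke's SAs are cleared instead of
! waiting for the lifetime to expire
crypto isakmp keepalive 10 3 periodic
!
! IPsec: AES-256/SHA-256 ESP in transport mode (GRE already supplies the
! outer header; transport mode saves 20 bytes per packet and works with NAT-T)
crypto ipsec transform-set APS esp-aes 256 esp-sha256-hmac
 mode transport
!
! Default SA lifetime (3600 s) instead of 120 s, plus PFS on rekey
crypto ipsec profile aps
 set transform-set APS
 set pfs group14
 set security-association lifetime seconds 3600
!
interface Tunnel0
 tunnel protection ipsec profile aps
```

<p dir="auto">After the change, <code>show crypto isakmp sa</code> and <code>show crypto ipsec sa</code> on both ends should list the negotiated AES/SHA-256 transforms; a spoke that still carries the old policy will fail phase 1 and show up as NHRP state <code>NHRP</code> rather than <code>UP</code> in <code>show dmvpn</code>, which is the same condition the monitoring server is meant to alert on.</p>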
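<p dir="auto">In the ZBF cheat sheet the OUTSIDE-INSIDE class matches on protocol only, so any Internet source that can reach an INSIDE address gets ssh, telnet, snmp, smtp, ftp and icmp inspected through; the OUTSIDE-INSIDE ACL that would limit the flow is defined but never referenced, isakmp to the router itself is self-zone traffic that this pair does not govern, and telnet, ftp and SNMPv1/v2c are cleartext. The block below is an added example, not the original post's configuration, of the same zone pair rewritten so the inspected protocols are bound to an ACL with a logged default drop. It assumes, as the post's OUTSIDE object-group suggests, that the monitoring subnet 192.168.10.0/24 is the only OUTSIDE source that should initiate sessions into INSIDE; the nested class name OUTSIDE-INSIDE-PROTOCOLS is made up here.</p>

```cisco
! Added example: bind the OUTSIDE->INSIDE policy to a known source and to
! encrypted management protocols (replaces the OUTSIDE-INSIDE pieces above)
!
object-group network OUTSIDE
 192.168.10.0 255.255.255.0
!
! Source must be the monitoring subnet, destination the local LAN
ip access-list extended OUTSIDE-INSIDE
 permit ip object-group OUTSIDE object-group INSIDE
!
! Protocols allowed from the monitoring subnet: ssh and icmp for reachability
! checks, snmp only if INSIDE hosts are polled (use SNMPv3 authPriv);
! telnet, ftp and smtp are dropped
class-map type inspect match-any OUTSIDE-INSIDE-PROTOCOLS
 match protocol ssh
 match protocol icmp
 match protocol snmp
!
! match-all: a packet must hit the ACL AND one of the nested protocols
class-map type inspect match-all OUTSIDE-INSIDE
 match access-group name OUTSIDE-INSIDE
 match class-map OUTSIDE-INSIDE-PROTOCOLS
!
policy-map type inspect OUTSIDE-INSIDE
 class type inspect OUTSIDE-INSIDE
  inspect
 class class-default
  drop log
!
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-INSIDE
!
! Verification: only 192.168.10.x sources should appear in the session table,
! and anything else from OUTSIDE shows up as a logged drop
! show policy-map type inspect zone-pair OUTSIDE-INSIDE sessions
```

<p dir="auto">The same nested-class pattern (ACL in a <code>match-all</code> parent, protocol list in a <code>match-any</code> child) is what turns the other protocol-only classes on this page into source-restricted ones; the DMVPN-INSIDE pair is the one to treat next, since it carries the monitoring and web-app traffic from every other site.</p>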