Enterprise VPN Network Design

in studies •  6 years ago  (edited)

This page tag is dedicated to my professional life as a network engineer and learner. I will just put computer network related things in this tag. This is my network journal.

I have been designing an enterprise VPN network for the company I have been working for. Network is pretty straight forward. The network has several branches across the country.
Each site is a logistic warehouse, connected to head-office via VPN. Users on each warehouse need to access the logisitc web-app running on the server at head-office. Web-app is locally developed. Web server is not exposed to public Internet.

There is also a monitoring server at the oversea office. Monitoring server needs to reach both hub and spokes. Not just that, monitoring server will determine the status of VPN and connectivity between hub and spoke. If there is connectivity problem, server will send alerts to administrator.

This is quite a simple setup.

  1. Branches and head-office are connected to public Internet.
  2. Branches are connected to head-office via DMVPN cloud. (Phase 2 or 3)
  3. Oversea office and HO has the site-to-site IPsec VPN connectivity.
  4. Monitoring server should be able to reach branches via HO router and through the DMVPN cloud.
  5. Zone-based Firewall is enabled on both HO and branches.
  6. Static route to monitoring server's IP is required next-hop pointing to Tunnel 0 interface.

I am not going to post the full configuration here as it is quite an easy setup but will put some key cheatsheets for DMVPN and ZBF.

DMVPN Hub

! Create an isakmp policy for DMVPN tunnel protection
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
! Create an isakmp key for DMVPN tunnel protection
! 
crypto isakmp key aps123 address 0.0.0.0  
!
! Create IPSec transform-set
!
crypto ipsec transform-set APS esp-3des esp-md5-hmac 
 mode tunnel
!
! Create an IPSec profile for DMVPN tunnel
!
crypto ipsec profile aps
 set security-association lifetime seconds 120
 set transform-set APS 
!
interface Ethernet0/0
 ip address 100.100.10.2 255.255.255.0
!
interface Ethernet0/1
 ip address 172.10.1.1 255.255.255.0
!
! Create GRE tunnel and apply IPSec profile to that tunnel
!
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 no ip next-hop-self eigrp 10
 no ip split-horizon eigrp 10
 ip nhrp authentication aps123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 zone-member security DMVPN
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile aps
!
! Specify routing protocol for end-to-end connectivity
!
router eigrp 10
 network 172.10.0.0
 network 192.168.1.0

DMVPN Spoke

! create ipsec transform-set 
!
crypto ipsec transform-set APS esp-3des esp-md5-hmac 
 mode tunnel
!
! create ipsec profile
!
crypto ipsec profile aps
 set security-association lifetime seconds 120
 set transform-set APS 
!
! create isakmp policy
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key aps123 address 0.0.0.0       
!
! create DMVPN Tunnel
!
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication aps123
 ip nhrp map multicast dynamic
 ip nhrp map multicast 100.100.10.2
 ip nhrp map 192.168.1.1 100.100.10.2
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 zone-member security DMVPN
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile aps
!
! specify routing protocol
!
router eigrp 10
 network 172.20.0.0
!
! This route is important for monitoring traffic
ip route 192.168.10.0 255.255.255.0 Tunnel0
!
!

ZBF

! create object groups for zones
!
object-group network DMVPN 
 172.10.0.0 255.255.0.0
 172.30.0.0 255.255.0.0
 172.40.0.0 255.255.0.0
 192.168.10.0 255.255.255.0
!
object-group network INSIDE 
 172.20.0.0 255.255.0.0
!
object-group network OUTSIDE 
 192.168.10.0 255.255.255.0
!
! create zone
zone-security INSIDE
zone-security OUTSIDE
zone-security DMVPNzo
!
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
!
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
!
zone-pair security OUTSIDE-DMVPN source OUTSIDE destination DMVPN
!
zone-pair security DMVPN-OUTSIDE source DMVPN destination OUTSIDE
!
zone-pair security DMVPN-INSIDE source DMVPN destination INSIDE
!
zone-pair security INSIDE-DMVPN source INSIDE destination DMVPN
!
! apply zones to interface
!
interface Ethernet0/0
 zone-member security OUTSIDE
!
interface Ethernet0/1
 zone-member security INSIDE
!
interface Tunnel0
 zone-member security DMVPN
!
! create ACL
!
ip access-list extended DMVPN-INSIDE
 permit ip object-group DMVPN object-group INSIDE
ip access-list extended DMVPN-OUTSIDE
 deny   ip object-group DMVPN any
ip access-list extended INSIDE-DMVPN
 permit ip object-group INSIDE object-group DMVPN
ip access-list extended INSIDE-OUTSIDE
 permit ip object-group INSIDE any
ip access-list extended OUTSIDE-DMVPN
 deny   ip any object-group DMVPN
ip access-list extended OUTSIDE-INSIDE
 permit ip any object-group INSIDE
!
! create class-map
!
class-map type inspect match-all DMVPN-OUTSIDE
 match access-group name DMVPN-OUTSIDE
class-map type inspect match-all OUTSIDE-DMVPN
 match access-group name OUTSIDE-DMVPN
class-map type inspect match-all INSIDE-OUTSIDE
 match access-group name INSIDE-OUTSIDE
class-map type inspect match-any OUTSIDE-INSIDE
 match protocol ssh
 match protocol telnet
 match protocol snmp
 match protocol smtp
 match protocol ftp
 match protocol isakmp
 match protocol icmp
class-map type inspect match-all DMVPN-INSIDE
 match access-group name DMVPN-INSIDE
class-map type inspect match-all INSIDE-DMVPN
 match access-group name INSIDE-DMVPN
!
! create policy map
!
policy-map type inspect OUTSIDE-INSIDE
 class type inspect OUTSIDE-INSIDE
  inspect 
 class class-default
  drop
policy-map type inspect OUTSIDE-DMVPN
 class type inspect OUTSIDE-DMVPN
 class class-default
  drop
policy-map type inspect DMVPN-OUTSIDE
 class type inspect DMVPN-OUTSIDE
 class class-default
  drop
policy-map type inspect INSIDE-OUTSIDE
 class type inspect INSIDE-OUTSIDE
  inspect 
 class class-default
  drop
policy-map type inspect DMVPN-INSIDE
 class type inspect DMVPN-INSIDE
  inspect 
 class class-default
  drop
policy-map type inspect INSIDE-DMVPN
 class type inspect INSIDE-DMVPN
  inspect 
 class class-default
  drop
!
! apply policy map into zone-pair
!
zone-pair security INSIDE-OUTSIDE 
 service-policy type inspect INSIDE-OUTSIDE
zone-pair security OUTSIDE-INSIDE 
 service-policy type inspect OUTSIDE-INSIDE
zone-pair security OUTSIDE-DMVPN 
 service-policy type inspect OUTSIDE-DMVPN
zone-pair security DMVPN-OUTSIDE 
 service-policy type inspect DMVPN-OUTSIDE
zone-pair security DMVPN-INSIDE 
 service-policy type inspect DMVPN-INSIDE
zone-pair security INSIDE-DMVPN 
 service-policy type inspect INSIDE-DMVPN
!

Oryginally posted on AP's Journal. Steem blog powered by ENGRAVE.

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

Congratulations @andyap! You have completed the following achievement on the Steem blockchain and have been rewarded with new badge(s) :

You made more than 50 upvotes. Your next target is to reach 100 upvotes.

Click here to view your Board of Honor
If you no longer want to receive notifications, reply to this comment with the word STOP

Do not miss the last post from @steemitboard:

Meet the Steemians Contest - The results, the winners and the prizes
Meet the Steemians Contest - Special attendees revealed
Meet the Steemians Contest - Intermediate results

Support SteemitBoard's project! Vote for its witness and get one more award!

@andyap, thank you for supporting @steemitboard as a witness.

Here is a small present to show our gratitude
Click on the badge to view your Board of Honor.

Once again, thanks for your support!

Do not miss the last post from @steemitboard:

Meet the Steemians Contest - The results, the winners and the prizes
Meet the Steemians Contest - Special attendees revealed
Meet the Steemians Contest - Intermediate results