Configuring the VPN DNS topology

Last Updated: Apr 10, 2018

Procedure

  1. Define the private VLAN1 and VLAN2 interfaces (IP address and mask), and define one of them as the PMI and ICC-VLAN.
  2. Define the public FastEthernet10/3 interface (IP address and mask).
  3. Define the default gateway (the IP of the next router).
  4. Define the DNS name-server-list and the IP address of the DNS server.
    Note:

    Alternatively, you can use DHCP Client or PPPoE to dynamically learn the DNS server’s IP address. Use the ip dhcp client request command when using DHCP client, or use the ppp ipcp dns request command when using PPPoE.

  5. Define the ISAKMP policy, using the crypto isakmp policy command.
  6. Define the remote peer with FQDN, using the crypto isakmp peer address command, including:
    • the pre-shared key

    • the ISAKMP policy

  7. Define the IPSEC transform-set, using the crypto ipsec transform-set command.
  8. Define the crypto map, using the crypto map command.
  9. Define the crypto list as follows:
    1. Set the local address to the public interface name (for example, FastEthernet 10/3.0).
    2. For each private interface, define an ip-rule using the following format:
      • source-ip <private subnet> <private subnet wildcard mask>. For example, 10.10.10.0 0.0.0.255

      • destination-ip any

      • protect crypto map 1

  10. Define the ingress access control list (ACL) to protect the device from incoming traffic on the public interface, as follows:
    1. Permit DNS traffic, to allow clear (unencrypted) DNS traffic.
    2. Permit IKE traffic (UDP port 500), for VPN control traffic (IKE).
    3. Permit ESP traffic (IP protocol ESP), for VPN data traffic (IPsec).
    4. Permit ICMP traffic, to support path MTU discovery (PMTU) and therefore better fragmentation handling.
    5. For each private subnet, add a permit rule with the destination being the private subnet and the source being any.

      This traffic is allowed only if it arrives inside the VPN tunnel, because the crypto list requires it to be protected.

    6. Define all other traffic (default rule) as deny, in order to protect the device from non-secure traffic.
  11. Define the egress access control list (optional) to prevent the device from sending traffic that is not allowed out of the public interface:
    1. Permit DNS traffic, to allow clear (unencrypted) DNS traffic.
    2. Permit IKE traffic (UDP port 500), for VPN control traffic (IKE).
    3. Permit ESP traffic (IP protocol ESP), for VPN data traffic (IPsec).
    4. Permit ICMP traffic, to support path MTU discovery (PMTU) and therefore better fragmentation handling.
    5. For each private subnet, add a permit rule with the source being the private subnet and the destination being any.
    6. Define all other traffic (default rule) as deny, in order to protect the device from sending non-secure traffic.
  12. Activate the crypto list, the ingress access control list, and the egress access control list, on the public interface.
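The following is an added example, not part of the original procedure and not the gateway's own CLI: a small Python model of the ingress ACL (step 10) combined with the crypto list check (step 9), using constructed private subnets 10.10.10.0/24 and 10.10.20.0/24. It shows the interplay the procedure relies on: the ACL permits packets addressed to a private subnet from any source, but such a packet is still dropped unless it arrived through the IPsec tunnel.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample topology (assumption, not from the page): two private subnets
# behind the gateway, written as <network> <wildcard mask> like the ip-rule syntax.
PRIVATE_SUBNETS = [("10.10.10.0", "0.0.0.255"), ("10.10.20.0", "0.0.0.255")]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "udp", "tcp", "esp" or "icmp"
    dport: int = 0
    via_vpn: bool = False  # True if this (inner) packet was decapsulated from ESP


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard-mask match: a 1 bit in the mask means 'do not care' for that bit."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


def ingress_acl(pkt: Packet) -> str:
    """Steps 10.1 to 10.6 in order; first matching rule wins, last rule is deny."""
    if pkt.proto in ("udp", "tcp") and pkt.dport == 53:
        return "permit"  # 10.1 clear DNS
    if pkt.proto == "udp" and pkt.dport == 500:
        return "permit"  # 10.2 IKE control traffic
    if pkt.proto == "esp":
        return "permit"  # 10.3 encrypted VPN data
    if pkt.proto == "icmp":
        return "permit"  # 10.4 PMTU discovery
    for net, wc in PRIVATE_SUBNETS:
        if wildcard_match(pkt.dst, net, wc):
            return "permit"  # 10.5 any source -> private subnet
    return "deny"  # 10.6 default rule


def crypto_list_inbound(pkt: Packet) -> str:
    """Step 9 modelled inbound: traffic for a protected subnet must come via the tunnel."""
    for net, wc in PRIVATE_SUBNETS:
        if wildcard_match(pkt.dst, net, wc) and not pkt.via_vpn:
            return "drop"  # cleartext packet claiming a tunnel-protected destination
    return "pass"


def inbound_decision(pkt: Packet) -> str:
    """Overall verdict for a packet entering on the public interface."""
    if ingress_acl(pkt) == "deny":
        return "deny"
    return "deny" if crypto_list_inbound(pkt) == "drop" else "permit"
```

The model treats `Packet` as the cleartext (inner) packet and records tunnel provenance in `via_vpn`; on the real gateway the ESP packet is first permitted by rule 10.3 and decapsulated before the crypto list is consulted.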