VPN Sample Configuration with Network Extension Mode

Generate the master key. Refer to the following sample key:

XSR(config)#crypto key master generate

New key is 2173 4521 3764 2ff5 163b 4bdf fe92 dbc1 1232 ffe0 f8d9 3649

Apply the following ACLs to the public interface of the XSR before creating the VPN configuration. They are intended only for an XSR that terminates Network Extension Mode (NEM) tunnels initiated by ANG-1100s. As written, ACL 110 (applied inbound) permits only IKE (UDP port 500) and ICMP addressed to the public interface address 26.26.26.10, ACL 111 (applied outbound) permits only IKE and ICMP sourced from that address, and both end with an explicit deny of all other IP traffic, so inbound TCP, including established sessions, is not permitted by these lists. ACL 1 is a standard ACL that denies source addresses in 26.26.26.0/24 and permits every other source; it is not bound to the interface by the commands below. Note also that neither ACL 110 nor ACL 111 permits ESP (IP protocol 50) or NAT-T (UDP port 4500); if the XSR applies the interface ACL to IPsec traffic before decapsulation, those must be added for the tunnels to carry data. Verify the ordering against the ACL reference for your firmware before deploying.

XSR(config)#access-list 1 deny 26.26.26.0 0.0.0.255

XSR(config)#access-list 1 permit any

XSR(config)#access-list 110 permit udp any any eq 500

XSR(config)#access-list 110 permit icmp any host 26.26.26.10

XSR(config)#access-list 110 deny ip any any

XSR(config)#access-list 111 permit udp any any eq 500

XSR(config)#access-list 111 permit icmp host 26.26.26.10 any

XSR(config)#access-list 111 deny ip any any

XSR(config)#interface gigabitethernet 2

XSR(config-if<F2>)#ip access-group 110 in

XSR(config-if<F2>)#ip access-group 111 out
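To check what these lists actually match before binding them to the public interface, here is an added Python evaluator (example code, not part of the Enterasys guide or the XSR firmware). It parses the access-list lines above exactly as shown, with the XSR prompt stripped, applies first-match semantics with the implicit trailing deny, and runs the flows a NEM tunnel needs through ACL 110 and ACL 111. The remote address 198.51.100.7 and the flow list are constructed for the test; 26.26.26.10 is the sample's own public address.

```python
"""Evaluate the sample's Cisco-style access lists against representative packets.

Added example; not part of the Enterasys guide or the XSR firmware. Parses the
access-list lines as they appear in the sample, applies first-match semantics
with the implicit trailing deny, and reports what each flow gets.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The ACL lines copied from the sample, minus the "XSR(config)#" prompt.
SAMPLE_ACL_CONFIG = """
access-list 1 deny 26.26.26.0 0.0.0.255
access-list 1 permit any
access-list 110 permit udp any any eq 500
access-list 110 permit icmp any host 26.26.26.10
access-list 110 deny ip any any
access-list 111 permit udp any any eq 500
access-list 111 permit icmp host 26.26.26.10 any
access-list 111 deny ip any any
"""

# Protocol keywords the parser understands; "ip" matches every protocol.
PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50}


@dataclass
class Packet:
    proto: int            # IP protocol number
    src: str
    dst: str
    sport: int = 0        # 0 for protocols without ports
    dport: int = 0


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: Optional[int]            # None matches any protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]            # None matches any port
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    # A Cisco wildcard mask is the inverted netmask: 0 bits must match.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq N'; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_acls(text):
    """Return {acl_number: [Entry, ...]} preserving configuration order."""
    acls, anywhere = {}, ipaddress.ip_network("0.0.0.0/0")
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if number < 100:
            # Standard ACL (1-99): matches on source address only.
            if len(rest) == 1 and rest[0] != "any":
                rest = ["host", rest[0]]        # a bare address means host
            src, _ = _parse_addr(rest)
            entry = Entry(action, None, src, None, anywhere, None)
        else:
            # Extended ACL: proto src [eq sport] dst [eq dport]
            proto = PROTO_NUMBERS[rest[0]]
            src, rest = _parse_addr(rest[1:])
            sport, rest = _parse_port(rest)
            dst, rest = _parse_addr(rest)
            dport, _ = _parse_port(rest)
            entry = Entry(action, proto, src, sport, dst, dport)
        acls.setdefault(number, []).append(entry)
    return acls


def evaluate(entries, pkt):
    """First matching entry wins; an ACL with no match denies implicitly."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in entries:
        if e.proto is not None and e.proto != pkt.proto:
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


def audit_public_interface(acls):
    """Run the flows a NEM tunnel needs through ACL 110 (in) and ACL 111 (out)."""
    xsr = "26.26.26.10"          # the sample's public interface address
    remote = "198.51.100.7"      # constructed ANG-1100 public address
    flows = {
        "ike_in": (110, Packet(17, remote, xsr, 500, 500)),
        "esp_in": (110, Packet(50, remote, xsr)),
        "natt_in": (110, Packet(17, remote, xsr, 4500, 4500)),
        "icmp_in": (110, Packet(1, remote, xsr)),
        "tcp_in_established": (110, Packet(6, remote, xsr, 443, 51000)),
        "ike_out": (111, Packet(17, xsr, remote, 500, 500)),
        "esp_out": (111, Packet(50, xsr, remote)),
        "tcp_out": (111, Packet(6, xsr, remote, 51000, 443)),
    }
    return {name: evaluate(acls[num], pkt) for name, (num, pkt) in flows.items()}


if __name__ == "__main__":
    for name, verdict in audit_public_interface(parse_acls(SAMPLE_ACL_CONFIG)).items():
        print(f"{name:20s} {verdict}")
```

Run stand-alone it prints one verdict per flow: only IKE and ICMP come back permitted in each direction, while ESP, NAT-T and TCP fall through to the trailing deny ip any any. That is the list to reconcile with how your firmware orders interface ACLs and IPsec processing before the configuration goes live.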

Enable Network Address Translation:

XSR(config-if<F2>)#ip nat source assigned overload

Create the VPN virtual subnet:

XSR(config)#ip local pool virtual_subnet 10.10.10.0 255.255.255.248

Configure AAA authentication by assigning the virtual subnet to the DEFAULT AAA group, associating it with DNS and WINS servers, and adding two AAA users with passwords.

When a remote XSR tunnels into the local XSR, it will receive these DNS and WINS values and be assigned an address dynamically from the IP pool virtual_subnet. Be aware that users not added to a specified group are automatically assigned to the DEFAULT group, and that groups must be created before users can be added to them. Remember to create the same users and passwords on the remote XSRs.

XSR(ip-local-pool)#aaa group DEFAULT

XSR(aaa-group)#ip pool virtual_subnet

Configure DNS and WINS parameters:

XSR(aaa-group)#dns server primary 172.16.10.10

XSR(aaa-group)#dns server secondary 172.16.10.11

XSR(aaa-group)#wins server primary 172.16.10.10

XSR(aaa-group)#wins server secondary 172.16.10.11

XSR Getting Started Guide 3-31

Enterasys Networks XSR-3150 manual