Cisco | VPN - DMZ
Router R-ISP
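! R-ISP: lab "provider" router. Gi0/1 is the NAT-outside uplink toward 192.168.214.2;
! Gi0/2 and Gi0/0 face the two customer edge routers (NAT inside) and peer eBGP with AS 24205.
hostname R-ISP
!
interface GigabitEthernet0/1
ip address 192.168.214.10 255.255.255.0
ip nat outside
no shut
exit
!
interface GigabitEthernet0/2
description ALLOT3_P2L4L3_IFORTEX-200M
ip address 36.93.253.229 255.255.255.252
ip nat inside
no shut
exit
!
interface GigabitEthernet0/0
description ALLOT2_P4L4L3_TELCOM-200M
ip address 103.158.58.137 255.255.255.252
ip nat inside
! Fixed: was "nos shut" (typo, rejected by the parser); repeated "no shut" lines collapsed to one.
no shut
exit
!
router bgp 17995
bgp log-neighbor-changes
! The static default below is what "redistribute static" + "default-information originate" hand to both customers.
redistribute static
neighbor 36.93.253.230 remote-as 24205
neighbor 36.93.253.230 description EBGP_to_IFORTE
neighbor 36.93.253.230 version 4
neighbor 36.93.253.230 next-hop-self
neighbor 103.158.58.138 remote-as 24205
neighbor 103.158.58.138 description EBGP_to_TELKOM
neighbor 103.158.58.138 version 4
neighbor 103.158.58.138 next-hop-self
! NOTE(review): neither eBGP session has "neighbor ... password" or an inbound prefix-list;
! fine for a lab, but a provider edge should limit what AS 24205 may announce.
default-information originate
exit
!
ip route 0.0.0.0 0.0.0.0 192.168.214.2 name default
! NOTE(review): 202.191.3.0/24 is not announced by either customer router on this page
! (they use 202.191.13.0/24); looks like a stale address plan — confirm before keeping.
ip route 202.191.3.0 255.255.255.0 103.158.58.138
!
! Everything entering the inside links is NATed; "permit any" is lab scope only.
access-list 1 permit any
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload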
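! R-ISP: lab "provider" router. Gi0/1 is the NAT-outside uplink toward 192.168.214.2;
! Gi0/2 and Gi0/0 face the two customer edge routers (NAT inside) and peer eBGP with AS 24205.
hostname R-ISP
!
interface GigabitEthernet0/1
ip address 192.168.214.10 255.255.255.0
ip nat outside
no shut
exit
!
interface GigabitEthernet0/2
description ALLOT3_P2L4L3_IFORTEX-200M
ip address 36.93.253.229 255.255.255.252
ip nat inside
no shut
exit
!
interface GigabitEthernet0/0
description ALLOT2_P4L4L3_TELCOM-200M
ip address 103.158.58.137 255.255.255.252
ip nat inside
! Fixed: was "nos shut" (typo, rejected by the parser); repeated "no shut" lines collapsed to one.
no shut
exit
!
router bgp 17995
bgp log-neighbor-changes
! The static default below is what "redistribute static" + "default-information originate" hand to both customers.
redistribute static
neighbor 36.93.253.230 remote-as 24205
neighbor 36.93.253.230 description EBGP_to_IFORTE
neighbor 36.93.253.230 version 4
neighbor 36.93.253.230 next-hop-self
neighbor 103.158.58.138 remote-as 24205
neighbor 103.158.58.138 description EBGP_to_TELKOM
neighbor 103.158.58.138 version 4
neighbor 103.158.58.138 next-hop-self
! NOTE(review): neither eBGP session has "neighbor ... password" or an inbound prefix-list;
! fine for a lab, but a provider edge should limit what AS 24205 may announce.
default-information originate
exit
!
ip route 0.0.0.0 0.0.0.0 192.168.214.2 name default
! NOTE(review): 202.191.3.0/24 is not announced by either customer router on this page
! (they use 202.191.13.0/24); looks like a stale address plan — confirm before keeping.
ip route 202.191.3.0 255.255.255.0 103.158.58.138
!
! Everything entering the inside links is NATed; "permit any" is lab scope only.
access-list 1 permit any
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload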
-------
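! R-INET-01: primary customer edge. HSRP active toward the tier-1 firewall (Gi0/0),
! eBGP to R-ISP on Gi0/2, iBGP to R-INET-02 on Gi0/1.
hostname R-INET-01
!
interface Loopback0
ip address 10.1.1.1 255.255.255.255
exit
!
interface GigabitEthernet0/1
! NOTE(review): this /30 peers with R-INET-02 (202.191.13.254); the "->FW-T1-01" part of the
! description belongs to the Gi0/0 segment — confirm the label.
description "Link-to-SW-INET-01 ->FW-T1-01"
ip address 202.191.13.253 255.255.255.252
no shut
exit
!
interface GigabitEthernet0/2
! NOTE(review): R-ISP labels this 103.158.58.136/30 link TELCOM/TELKOM, not iFORTE — confirm which side is right.
description iFORTE
ip address 103.158.58.138 255.255.255.252
no shut
exit
!
interface GigabitEthernet0/0
description FIREWALL-TIER-1
ip address 202.191.13.67 255.255.255.248
standby 1 ip 202.191.13.65
standby 1 preempt
standby 1 priority 110
standby 1 version 2
! Priority falls to 90 (below R-INET-02's default 100) while track 100 is down.
standby 1 track 100 decrement 20
! NOTE(review): HSRP is unauthenticated on the firewall segment; consider "standby 1 authentication md5 key-string <secret>" on both routers.
no shut
exit
!
! track 100 is an AND of objects 10 and 20, but only object 20 is defined on this page.
! FIXME(review): define track 10 or remove "object 10"; an undefined member is expected to hold
! the list down and keep the HSRP decrement applied (confirm on the target IOS release).
track 100 list boolean and
object 10
object 20
!
track 20 ip sla 12 reachability
!
ip sla 12
! Fixed: source and destination were swapped — .138 is this router's own Gi0/2 address,
! .137 is the upstream peer whose reachability the probe is meant to track.
icmp-echo 103.158.58.137 source-ip 103.158.58.138
threshold 400
timeout 2000
frequency 5
!
! Fixed typo "forover".
ip sla scheduler 12 life forever start-time now
!
router bgp 24205
bgp log-neighbor-changes
! NOTE(review): 202.191.13.0 with 255.255.254.0 is not on a /23 boundary (that block is 202.191.12.0/23);
! expect the parser to reject the misaligned pair — confirm the intended summary.
aggregate-address 202.191.13.0 255.255.254.0
network 202.191.13.0
neighbor 103.158.58.137 remote-as 17995
neighbor 103.158.58.137 description eBGP_to_IFORTE
neighbor 103.158.58.137 version 4
! NOTE(review): 202.191.3.254 matches no interface on this page and is never activated;
! it looks like a leftover of an earlier address plan — remove once confirmed.
neighbor 202.191.3.254 remote-as 24205
neighbor 202.191.3.254 description iBGP-To-R-INET-02
neighbor 202.191.13.254 remote-as 24205
neighbor 202.191.13.254 description iBGP-To-R-INET-02
neighbor 202.191.13.254 version 4
!
address-family ipv4
network 10.1.1.1 mask 255.255.255.255
network 202.191.13.0
neighbor 103.158.58.137 activate
neighbor 103.158.58.137 soft-reconfiguration inbound
! NOTE(review): the eBGP session has no outbound prefix-list/route-map, no "neighbor ... password"
! and no maximum-prefix; at minimum restrict announcements to 202.191.13.0/24 and the loopback.
no neighbor 202.191.3.254 activate
neighbor 202.191.13.254 activate
! Added for parity with R-INET-02: eBGP-learned routes then carry a next hop R-INET-02 can resolve.
neighbor 202.191.13.254 next-hop-self
exit-address-family
exit
!
! Static for the advertised /24 points at the firewall (202.191.13.69) so "network 202.191.13.0" has a route to match.
ip route 202.191.13.0 255.255.255.0 202.191.13.69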
!
!
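! R-INET-01 (repeat of the listing above): primary customer edge. HSRP active toward the tier-1
! firewall (Gi0/0), eBGP to R-ISP on Gi0/2, iBGP to R-INET-02 on Gi0/1.
interface Loopback0
ip address 10.1.1.1 255.255.255.255
exit
!
interface GigabitEthernet0/1
! NOTE(review): this /30 peers with R-INET-02 (202.191.13.254); the "->FW-T1-01" part of the
! description belongs to the Gi0/0 segment — confirm the label.
description "Link-to-SW-INET-01 ->FW-T1-01"
ip address 202.191.13.253 255.255.255.252
no shut
exit
!
interface GigabitEthernet0/2
! NOTE(review): R-ISP labels this 103.158.58.136/30 link TELCOM/TELKOM, not iFORTE — confirm which side is right.
description iFORTE
ip address 103.158.58.138 255.255.255.252
no shut
exit
!
interface GigabitEthernet0/0
description FIREWALL-TIER-1
ip address 202.191.13.67 255.255.255.248
standby 1 ip 202.191.13.65
standby 1 preempt
standby 1 priority 110
standby 1 version 2
! Priority falls to 90 (below R-INET-02's default 100) while track 100 is down.
standby 1 track 100 decrement 20
! NOTE(review): HSRP is unauthenticated on the firewall segment; consider "standby 1 authentication md5 key-string <secret>" on both routers.
no shut
exit
!
! track 100 is an AND of objects 10 and 20, but only object 20 is defined on this page.
! FIXME(review): define track 10 or remove "object 10"; an undefined member is expected to hold
! the list down and keep the HSRP decrement applied (confirm on the target IOS release).
track 100 list boolean and
object 10
object 20
!
track 20 ip sla 12 reachability
!
ip sla 12
! Fixed: source and destination were swapped — .138 is this router's own Gi0/2 address,
! .137 is the upstream peer whose reachability the probe is meant to track.
icmp-echo 103.158.58.137 source-ip 103.158.58.138
threshold 400
timeout 2000
frequency 5
!
! Fixed typo "forover".
ip sla scheduler 12 life forever start-time now
!
router bgp 24205
bgp log-neighbor-changes
! NOTE(review): 202.191.13.0 with 255.255.254.0 is not on a /23 boundary (that block is 202.191.12.0/23);
! expect the parser to reject the misaligned pair — confirm the intended summary.
aggregate-address 202.191.13.0 255.255.254.0
network 202.191.13.0
neighbor 103.158.58.137 remote-as 17995
neighbor 103.158.58.137 description eBGP_to_IFORTE
neighbor 103.158.58.137 version 4
! NOTE(review): 202.191.3.254 matches no interface on this page and is never activated;
! it looks like a leftover of an earlier address plan — remove once confirmed.
neighbor 202.191.3.254 remote-as 24205
neighbor 202.191.3.254 description iBGP-To-R-INET-02
neighbor 202.191.13.254 remote-as 24205
neighbor 202.191.13.254 description iBGP-To-R-INET-02
neighbor 202.191.13.254 version 4
!
address-family ipv4
network 10.1.1.1 mask 255.255.255.255
network 202.191.13.0
neighbor 103.158.58.137 activate
neighbor 103.158.58.137 soft-reconfiguration inbound
! NOTE(review): the eBGP session has no outbound prefix-list/route-map, no "neighbor ... password"
! and no maximum-prefix; at minimum restrict announcements to 202.191.13.0/24 and the loopback.
no neighbor 202.191.3.254 activate
neighbor 202.191.13.254 activate
! Added for parity with R-INET-02: eBGP-learned routes then carry a next hop R-INET-02 can resolve.
neighbor 202.191.13.254 next-hop-self
exit-address-family
exit
!
! Static for the advertised /24 points at the firewall (202.191.13.69) so "network 202.191.13.0" has a route to match.
ip route 202.191.13.0 255.255.255.0 202.191.13.69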
!
-----
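! R-INET-02: secondary customer edge. HSRP standby toward the tier-1 firewall (Gi0/0),
! eBGP to R-ISP on Gi0/2, iBGP to R-INET-01 on Gi0/1.
hostname R-INET-02
!
interface Loopback0
ip address 10.1.1.2 255.255.255.255
!
interface GigabitEthernet0/1
! Fixed the unterminated quote.
description "Link-to-R_INET-01"
ip address 202.191.13.254 255.255.255.252
no shut
!
interface GigabitEthernet0/2
! NOTE(review): R-ISP labels this 36.93.253.228/30 link IFORTE, not TLKM/TELKOM — confirm which side is right.
description ALLOT3_P2L4L3_TLKM-200M
ip address 36.93.253.230 255.255.255.252
no shut
!
interface GigabitEthernet0/0
! Fixed "descriptionL"/"LNIK" typos; the original line was rejected by the parser.
description "LINK-TO-SW-INET-02 --> FW-T1-02"
ip address 202.191.13.68 255.255.255.248
standby 1 ip 202.191.13.65
standby 1 preempt
standby 1 version 2
! Default priority 100; R-INET-01 (110, tracked) is the intended active router.
! NOTE(review): HSRP is unauthenticated; pair any "standby 1 authentication" change with R-INET-01.
no shut
exit
!
router bgp 24205
bgp log-neighbor-changes
neighbor 36.93.253.229 remote-as 17995
neighbor 36.93.253.229 description EBGP_TO_TELKOM
neighbor 36.93.253.229 version 4
neighbor 202.191.13.253 remote-as 24205
neighbor 202.191.13.253 description IBGP-To-R-INET-01
neighbor 202.191.13.253 version 4
!
address-family ipv4
network 10.1.1.2 mask 255.255.255.255
network 202.191.13.0
neighbor 36.93.253.229 activate
neighbor 36.93.253.229 remove-private-as
neighbor 36.93.253.229 soft-reconfiguration inbound
! NOTE(review): as on R-INET-01 — no outbound prefix filter, no session password and no maximum-prefix on the eBGP session.
neighbor 202.191.13.253 activate
neighbor 202.191.13.253 next-hop-self
exit-address-family
exit
!
! Static for the advertised /24 points at the firewall (202.191.13.69) so "network 202.191.13.0" has a route to match.
ip route 202.191.13.0 255.255.255.0 202.191.13.69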
!
!
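! R-INET-02 (repeat of the listing above): secondary customer edge. HSRP standby toward the
! tier-1 firewall (Gi0/0), eBGP to R-ISP on Gi0/2, iBGP to R-INET-01 on Gi0/1.
interface Loopback0
ip address 10.1.1.2 255.255.255.255
!
interface GigabitEthernet0/1
! Fixed the unterminated quote.
description "Link-to-R_INET-01"
ip address 202.191.13.254 255.255.255.252
no shut
!
interface GigabitEthernet0/2
! NOTE(review): R-ISP labels this 36.93.253.228/30 link IFORTE, not TLKM/TELKOM — confirm which side is right.
description ALLOT3_P2L4L3_TLKM-200M
ip address 36.93.253.230 255.255.255.252
no shut
!
interface GigabitEthernet0/0
! Fixed "descriptionL"/"LNIK" typos; the original line was rejected by the parser.
description "LINK-TO-SW-INET-02 --> FW-T1-02"
ip address 202.191.13.68 255.255.255.248
standby 1 ip 202.191.13.65
standby 1 preempt
standby 1 version 2
! Default priority 100; R-INET-01 (110, tracked) is the intended active router.
! NOTE(review): HSRP is unauthenticated; pair any "standby 1 authentication" change with R-INET-01.
no shut
exit
!
router bgp 24205
bgp log-neighbor-changes
neighbor 36.93.253.229 remote-as 17995
neighbor 36.93.253.229 description EBGP_TO_TELKOM
neighbor 36.93.253.229 version 4
neighbor 202.191.13.253 remote-as 24205
neighbor 202.191.13.253 description IBGP-To-R-INET-01
neighbor 202.191.13.253 version 4
!
address-family ipv4
network 10.1.1.2 mask 255.255.255.255
network 202.191.13.0
neighbor 36.93.253.229 activate
neighbor 36.93.253.229 remove-private-as
neighbor 36.93.253.229 soft-reconfiguration inbound
! NOTE(review): as on R-INET-01 — no outbound prefix filter, no session password and no maximum-prefix on the eBGP session.
neighbor 202.191.13.253 activate
neighbor 202.191.13.253 next-hop-self
exit-address-family
exit
!
! Static for the advertised /24 points at the firewall (202.191.13.69) so "network 202.191.13.0" has a route to match.
ip route 202.191.13.0 255.255.255.0 202.191.13.69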
!
--
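! SW-INET-01: access ports in VLAN 11 and 12, one dot1q trunk to SW-INET-02 on Ethernet0/2.
hostname SW-INET-01
! NOTE(review): VLANs are unnamed; give 11 and 12 names so the segments are identifiable in "show vlan".
vlan 11
vlan 12
!
interface Ethernet0/0
no shut
switchport access vlan 11
switchport mode access
!
interface Ethernet0/1
no shut
switchport access vlan 11
switchport mode access
!
interface Ethernet0/3
no shut
switchport access vlan 12
switchport mode access
!
interface Ethernet1/0
no shut
switchport access vlan 12
switchport mode access
!
interface Ethernet0/2
no shut
! "descr" expanded to the full keyword.
description "Link-SW-INET-02"
switchport trunk encapsulation dot1q
switchport mode trunk
! NOTE(review): the trunk carries every VLAN and still negotiates DTP; prefer
! "switchport trunk allowed vlan 11,12" and "switchport nonegotiate".
!
exit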
--
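! SW-INET-01 (repeat of the listing above): access ports in VLAN 11 and 12, one dot1q trunk to SW-INET-02.
! NOTE(review): VLANs are unnamed; give 11 and 12 names so the segments are identifiable in "show vlan".
vlan 11
vlan 12
!
interface Ethernet0/0
no shut
switchport access vlan 11
switchport mode access
!
interface Ethernet0/1
no shut
switchport access vlan 11
switchport mode access
!
interface Ethernet0/3
no shut
switchport access vlan 12
switchport mode access
!
interface Ethernet1/0
no shut
switchport access vlan 12
switchport mode access
!
interface Ethernet0/2
no shut
! "descr" expanded to the full keyword.
description "Link-SW-INET-02"
switchport trunk encapsulation dot1q
switchport mode trunk
! NOTE(review): the trunk carries every VLAN and still negotiates DTP; prefer
! "switchport trunk allowed vlan 11,12" and "switchport nonegotiate".
!
exit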
--
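! SW-INET-02: mirror of SW-INET-01 — access ports in VLAN 11 and 12, trunk on Ethernet0/2.
hostname SW-INET-02
! NOTE(review): VLANs are unnamed; give 11 and 12 the same names used on SW-INET-01.
vlan 11
vlan 12
!
interface Ethernet0/0
no shut
switchport access vlan 11
switchport mode access
!
interface Ethernet0/1
no shut
switchport access vlan 11
switchport mode access
!
interface Ethernet0/3
no shut
switchport access vlan 12
switchport mode access
!
interface Ethernet1/0
no shut
switchport access vlan 12
switchport mode access
!
interface Ethernet0/2
no shut
! FIXME(review): the snippet is cut off here on the page (the "--" separator was fused onto "no shut").
! Ethernet0/2 is presumably the trunk back to SW-INET-01 and should mirror its counterpart
! (description, dot1q encapsulation, mode trunk, pruned allowed-VLAN list) — restore before applying.
--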
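! SW-INET-02 (repeat of the listing above): access ports in VLAN 11 and 12, trunk on Ethernet0/2.
! NOTE(review): VLANs are unnamed; give 11 and 12 the same names used on SW-INET-01.
vlan 11
vlan 12
!
interface Ethernet0/0
no shut
switchport access vlan 11
switchport mode access
!
interface Ethernet0/1
no shut
switchport access vlan 11
switchport mode access
!
interface Ethernet0/3
no shut
switchport access vlan 12
switchport mode access
!
interface Ethernet1/0
no shut
switchport access vlan 12
switchport mode access
!
interface Ethernet0/2
no shut
! FIXME(review): the snippet is cut off here on the page (the "--" separator was fused onto "no shut").
! Ethernet0/2 is presumably the trunk back to SW-INET-01 and should mirror its counterpart
! (description, dot1q encapsulation, mode trunk, pruned allowed-VLAN list) — restore before applying.
--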
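! SW-DMZ-01: DMZ access/trunk switch between the tier-1/tier-2 firewalls, the VPN appliance and SW-INET-02.
! VLANs: 310 VPN outside, 340 web, 350 DB, 380 VPN inside, 450/460 DMZ-uat (per the Ethernet0/2 description).
hostname SW-DMZ-01
!
vlan 450
vlan 460
!
vlan 310
! Fixed: the vlan "name" argument is a single token, so "VPN Outside" (with a space) is not accepted;
! underscore form matches VPN_Inside below.
name VPN_Outside
!
vlan 340
name SERVER_WEB
exit
!
vlan 350
! Fixed: the "name" keyword was missing, so "SERVER_DB" was rejected as a command.
name SERVER_DB
exit
!
vlan 380
name VPN_Inside
!
interface Ethernet0/0
no shut
description "ACCESS TO FW-PA-T1 310 EXT_DIRECT-PUBLIC"
switchport
switchport access vlan 310
! Added for parity with the other access ports; without it the port mode is left to DTP negotiation.
switchport mode access
spanning-tree guard root
exit
!
interface Ethernet0/3
no shut
! Fixed the unterminated quote.
description "Access_To_VPN_PA-VPN1-Outside"
switchport
switchport access vlan 310
switchport mode access
spanning-tree guard root
exit
!
interface Ethernet1/2
no shut
! Fixed mismatched quotes.
description "TRUNK-TO-SW-INET-02"
switchport trunk encapsulation dot1q
switchport mode trunk
! NOTE(review): the only trunk with no "switchport trunk allowed vlan" — every DMZ VLAN (including
! 310 firewall-outside and 380 VPN-inside) is carried toward SW-INET-02 by default; prune it.
exit
!
interface Ethernet0/1
! Added "no shut" for parity with the other ports; the description shows a live firewall trunk.
no shut
description "TRUNK TO FW-PA-T1 340,350 WEB,DB"
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 340,350
switchport mode trunk
spanning-tree guard root
exit
!
interface Ethernet1/0
no shut
description To_VPN_PA-VPN1-Inside
switchport
switchport access vlan 380
switchport mode access
spanning-tree guard root
exit
!
interface Ethernet0/2
! Added "no shut" for parity with the other ports.
no shut
description FW-T2_Primary_port3_(DMZ-vpn,DMZ-uat)
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 380,450,460
switchport mode trunk
spanning-tree guard root
exit
!
! FIXME(review): the stanza below has no "interface" line on the page, so as pasted these commands
! land in global config and fail. Restore the port before applying:
! interface <MISSING-ON-PAGE: trunk port to SW-INET-01>
description "Link-SW-INET-01"
switchport trunk encapsulation dot1q
switchport mode trunk
!
exit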
--
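! SW-DMZ-01 (repeat of the listing above): DMZ access/trunk switch between the firewalls, the VPN appliance
! and SW-INET-02. VLANs: 310 VPN outside, 340 web, 350 DB, 380 VPN inside, 450/460 DMZ-uat.
!
vlan 450
vlan 460
!
vlan 310
! Fixed: the vlan "name" argument is a single token, so "VPN Outside" (with a space) is not accepted;
! underscore form matches VPN_Inside below.
name VPN_Outside
!
vlan 340
name SERVER_WEB
exit
!
vlan 350
! Fixed: the "name" keyword was missing, so "SERVER_DB" was rejected as a command.
name SERVER_DB
exit
!
vlan 380
name VPN_Inside
!
interface Ethernet0/0
no shut
description "ACCESS TO FW-PA-T1 310 EXT_DIRECT-PUBLIC"
switchport
switchport access vlan 310
! Added for parity with the other access ports; without it the port mode is left to DTP negotiation.
switchport mode access
spanning-tree guard root
exit
!
interface Ethernet0/3
no shut
! Fixed the unterminated quote.
description "Access_To_VPN_PA-VPN1-Outside"
switchport
switchport access vlan 310
switchport mode access
spanning-tree guard root
exit
!
interface Ethernet1/2
no shut
! Fixed mismatched quotes.
description "TRUNK-TO-SW-INET-02"
switchport trunk encapsulation dot1q
switchport mode trunk
! NOTE(review): the only trunk with no "switchport trunk allowed vlan" — every DMZ VLAN (including
! 310 firewall-outside and 380 VPN-inside) is carried toward SW-INET-02 by default; prune it.
exit
!
interface Ethernet0/1
! Added "no shut" for parity with the other ports; the description shows a live firewall trunk.
no shut
description "TRUNK TO FW-PA-T1 340,350 WEB,DB"
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 340,350
switchport mode trunk
spanning-tree guard root
exit
!
interface Ethernet1/0
no shut
description To_VPN_PA-VPN1-Inside
switchport
switchport access vlan 380
switchport mode access
spanning-tree guard root
exit
!
interface Ethernet0/2
! Added "no shut" for parity with the other ports.
no shut
description FW-T2_Primary_port3_(DMZ-vpn,DMZ-uat)
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 380,450,460
switchport mode trunk
spanning-tree guard root
exit
!
! FIXME(review): the stanza below has no "interface" line on the page, so as pasted these commands
! land in global config and fail. Restore the port before applying:
! interface <MISSING-ON-PAGE: trunk port to SW-INET-01>
description "Link-SW-INET-01"
switchport trunk encapsulation dot1q
switchport mode trunk
!
exit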
--
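! SW-DMZ-02: second DMZ switch, same VLAN plan as SW-DMZ-01 (310 VPN outside, 340 web, 350 DB, 380 VPN inside).
hostname SW-DMZ-02
!
vlan 310
! Fixed: the vlan "name" argument is a single token, so "VPN Outside" (with a space) is not accepted;
! underscore form matches VPN_Inside below.
name VPN_Outside
!
vlan 340
name SERVER_WEB
exit
!
vlan 350
! Fixed: the "name" keyword was missing, so "SERVER_DB" was rejected as a command.
name SERVER_DB
exit
!
vlan 380
name VPN_Inside
!
!
interface Ethernet0/0
no shut
description "ACCESS TO FW-PA-T1 310 EXT_DIRECT-PUBLIC"
switchport
switchport access vlan 310
! Added for parity with the other access ports; without it the port mode is left to DTP negotiation.
switchport mode access
spanning-tree guard root
exit
!
interface Ethernet0/3
no shut
! Fixed the unterminated quote.
description "Access_To_VPN_PA-VPN1-Outside"
switchport
switchport access vlan 310
switchport mode access
spanning-tree guard root
exit
!
interface Ethernet1/2
no shut
! Fixed mismatched quotes.
description "TRUNK-TO-SW-INET-02"
switchport trunk encapsulation dot1q
switchport mode trunk
! NOTE(review): no "switchport trunk allowed vlan" on this trunk — all DMZ VLANs are carried toward SW-INET-02; prune it.
exit
!
interface Ethernet0/1
! Added "no shut" for parity with the other ports; the description shows a live firewall trunk.
no shut
description "TRUNK TO FW-PA-T1 340,350 WEB"
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 340,350
switchport mode trunk
spanning-tree guard root
exit
!
interface Ethernet1/0
no shut
description To_VPN_PA-VPN1-Inside
switchport
switchport access vlan 380
switchport mode access
! NOTE(review): LACP is requested on this single port, but the counterpart Ethernet1/0 on SW-DMZ-01
! has no channel-group and no other member is shown — the bundle only forms if the VPN appliance
! runs LACP toward this port; confirm, or drop the channel-group.
channel-group 5 mode active
spanning-tree guard root
exit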
!
!
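! SW-DMZ-02 (repeat of the listing above): same VLAN plan as SW-DMZ-01 (310 VPN outside, 340 web, 350 DB, 380 VPN inside).
vlan 310
! Fixed: the vlan "name" argument is a single token, so "VPN Outside" (with a space) is not accepted;
! underscore form matches VPN_Inside below.
name VPN_Outside
!
vlan 340
name SERVER_WEB
exit
!
vlan 350
! Fixed: the "name" keyword was missing, so "SERVER_DB" was rejected as a command.
name SERVER_DB
exit
!
vlan 380
name VPN_Inside
!
!
interface Ethernet0/0
no shut
description "ACCESS TO FW-PA-T1 310 EXT_DIRECT-PUBLIC"
switchport
switchport access vlan 310
! Added for parity with the other access ports; without it the port mode is left to DTP negotiation.
switchport mode access
spanning-tree guard root
exit
!
interface Ethernet0/3
no shut
! Fixed the unterminated quote.
description "Access_To_VPN_PA-VPN1-Outside"
switchport
switchport access vlan 310
switchport mode access
spanning-tree guard root
exit
!
interface Ethernet1/2
no shut
! Fixed mismatched quotes.
description "TRUNK-TO-SW-INET-02"
switchport trunk encapsulation dot1q
switchport mode trunk
! NOTE(review): no "switchport trunk allowed vlan" on this trunk — all DMZ VLANs are carried toward SW-INET-02; prune it.
exit
!
interface Ethernet0/1
! Added "no shut" for parity with the other ports; the description shows a live firewall trunk.
no shut
description "TRUNK TO FW-PA-T1 340,350 WEB"
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 340,350
switchport mode trunk
spanning-tree guard root
exit
!
interface Ethernet1/0
no shut
description To_VPN_PA-VPN1-Inside
switchport
switchport access vlan 380
switchport mode access
! NOTE(review): LACP is requested on this single port, but the counterpart Ethernet1/0 on SW-DMZ-01
! has no channel-group and no other member is shown — the bundle only forms if the VPN appliance
! runs LACP toward this port; confirm, or drop the channel-group.
channel-group 5 mode active
spanning-tree guard root
exit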
!