WEBVTT

00:00.710 --> 00:01.190
Right.

00:01.370 --> 00:03.440
We've already seen this before.

00:04.510 --> 00:07.540
The same concept will be repeated again.

00:07.900 --> 00:12.870
Nothing will change except for the device which was the router before.

00:12.880 --> 00:13.690
Now it's a.

00:15.920 --> 00:16.610
That's it.

00:17.610 --> 00:17.880
Right.

00:18.390 --> 00:20.340
Let's talk about it again.

00:20.370 --> 00:21.240
Company.

00:23.970 --> 00:24.360
Right here.

00:28.120 --> 00:29.550
Connect it to the Internet.

00:30.780 --> 00:32.790
You can consider this part to be the HQ.

00:38.690 --> 00:39.080
Right.

00:39.080 --> 00:41.120
So this can be considered as.

00:43.850 --> 00:47.930
And you want to connect up to the HQ using a router as a client.

00:48.950 --> 00:53.450
And this is what the VPN client on a host machine.

00:54.140 --> 00:55.490
Public IP is here.

00:55.490 --> 00:56.090
Here.

00:57.840 --> 00:58.890
Let's have a look back.

01:06.830 --> 01:07.040
Okay.

01:07.490 --> 01:14.240
So you want people on the inside network to communicate through the tunnel across to these servers.

01:15.110 --> 01:22.070
And this guy who's sitting on a host PC connected to the Internet should also be able to access these

01:22.070 --> 01:24.770
devices right here across the Internet.

01:25.980 --> 01:26.970
They're connected across.

01:26.970 --> 01:27.480
Right.

01:27.720 --> 01:28.560
So.

01:29.770 --> 01:31.600
This is going to be my server.

01:31.660 --> 01:33.730
This is going to be a router as a client.

01:34.920 --> 01:40.920
And this side is going to be the easy VPN client, the software to connect.

01:42.150 --> 01:44.630
Now, I have configured the devices.

01:44.640 --> 01:45.030
This guy.

01:45.060 --> 01:45.690
This guy.

01:47.840 --> 01:48.680
And this.

01:48.710 --> 01:49.130
Not.

01:49.130 --> 01:50.090
Not this one yet.

01:50.120 --> 01:50.990
We'll do this later.

01:51.530 --> 01:52.790
Let's do this one first.

01:53.750 --> 01:55.640
Okay, so I have configured this.

01:55.640 --> 01:58.250
The only thing that is left is the ASA or the PIX.

01:58.700 --> 02:00.410
Let's start on it.

02:06.150 --> 02:10.140
Now interface Ethernet two is the one pointing upwards inside.

02:10.620 --> 02:11.970
I'll call it inside.

02:12.450 --> 02:13.800
Security is 100.

02:13.870 --> 02:14.970
IP address is ten.

02:14.970 --> 02:15.300
11.

02:15.300 --> 02:15.600
11.

02:15.840 --> 02:16.200
Ten.

02:18.510 --> 02:19.100
And no shut.

02:19.980 --> 02:22.190
The other one is Ethernet three if.

02:23.160 --> 02:24.570
Outside security.

02:24.600 --> 02:25.050
Zero.

02:25.380 --> 02:27.750
IP Address 151 .3. ten.

02:27.990 --> 02:30.360
This is the address that others are going to come up to.

02:33.360 --> 02:33.890
Okay.

02:33.900 --> 02:35.670
Also require a route.

02:36.650 --> 02:38.120
To the internet.

02:38.150 --> 02:40.010
151 .3.3.

02:41.640 --> 02:41.890
Correct.

02:42.090 --> 02:44.490
Right now should be able to ping R4 for sure.

02:47.100 --> 02:47.580
I can ping.

02:49.950 --> 02:51.130
Okay, Done.

02:51.490 --> 02:52.020
Save.

02:52.380 --> 02:56.230
Now, the good thing is that R4 and the ASA have connectivity.

02:56.250 --> 02:57.990
Now I just need to configure R4.

02:58.020 --> 02:58.350
Sorry.

02:59.100 --> 02:59.790
For what?

02:59.820 --> 03:01.510
For VPN capabilities.

03:01.590 --> 03:07.830
Now let's go back a little and talk about what VPN was before and how did it work.

03:12.850 --> 03:17.410
First of all, what we did with the VPN was all the policies were defined here.

03:18.130 --> 03:21.310
If you remember, all the policies were defined here.

03:21.550 --> 03:23.200
The transform set was defined here.

03:23.320 --> 03:25.150
Your access list was here.

03:25.150 --> 03:28.540
Split tunnel ACL that use your configuration group.

03:30.340 --> 03:32.650
The key to that group was also.

03:34.140 --> 03:34.470
Right.

03:34.470 --> 03:37.110
And then everything was pushed down to the client.

03:37.140 --> 03:38.040
The client had nothing.

03:38.040 --> 03:40.500
So all the information which you had was there on the.

03:41.750 --> 03:42.770
We just push it down.

03:45.110 --> 03:45.610
Okay.

03:45.620 --> 03:47.420
Again, if you want to go through.

03:49.500 --> 03:50.520
Let's make it easier.

03:50.520 --> 03:51.390
You'll use what?

03:54.030 --> 03:54.930
This is which one?

03:55.380 --> 03:57.450
IPsec Remote access.

03:57.450 --> 03:59.100
And then you go for the steps.

03:59.130 --> 04:00.960
Now, you could use this.

04:01.470 --> 04:04.350
It will give you everything else, but not recommended.

04:04.350 --> 04:06.490
Right now we try to do it without it.

04:06.490 --> 04:10.560
It'll show you everything, all the steps and whatever you need to know to configure it.

04:10.560 --> 04:16.950
On the other side, we'll configure it based on what we knew from before, and you'll see how easy it

04:16.950 --> 04:20.190
is to do it here as compared to the one on the IOS.

04:21.120 --> 04:25.320
Step one obviously the same crypto policy.

04:26.450 --> 04:29.090
Then encryption.

04:29.270 --> 04:31.640
Reader's authentication.

04:33.400 --> 04:35.190
Hash MD5.

04:35.200 --> 04:37.980
Remember MD5 is VPN, right?

04:38.830 --> 04:40.360
Since I'm using the VPN client.

04:41.380 --> 04:41.820
Correct.

04:45.250 --> 04:46.090
We did this.

04:47.380 --> 04:51.040
Requires, but requires an activation to.

04:59.860 --> 05:00.400
There you go.

05:01.030 --> 05:02.220
Show version.

05:03.250 --> 05:05.650
Now it does support let's do the same thing.

05:05.650 --> 05:16.420
Crypto ISAKMP policy ten, encryption 3DES, authentication pre-shared, hash MD5, and group.

05:18.050 --> 05:18.290
Today.

05:19.800 --> 05:21.030
Do I need to specify the key?

05:25.070 --> 05:26.090
I do not need a key.

05:26.930 --> 05:28.160
I do not need a key.

05:28.190 --> 05:29.690
But what do I have instead?

05:29.810 --> 05:30.560
A group name.

05:31.550 --> 05:33.380
Do you remember this from yesterday?

05:33.860 --> 05:34.640
Tunnel group here.

05:34.640 --> 05:38.210
I used to specify the IP address to specify the peer.

05:38.240 --> 05:39.170
Now I'll specify.

05:39.170 --> 05:39.680
What?

05:43.630 --> 05:47.740
What type, L2L or remote access, this is.

05:49.640 --> 05:52.820
Then again, tunnel group sales.

05:52.850 --> 05:55.070
Now you get more attributes to it.

05:55.190 --> 05:59.540
You have VPN attributes, you have general attributes, you have IPsec attributes.

05:59.630 --> 06:05.690
What you're going to be working on is general is for what I told you yesterday.

06:05.930 --> 06:06.770
Two things.

06:07.430 --> 06:11.580
General is for the pool, for the split tunnel and all the other things.

06:11.600 --> 06:15.980
If you want to do the key, it is done in IPsec Attributes.

06:19.250 --> 06:20.390
Go to IPsec attribute.

06:20.390 --> 06:21.730
So you have all those options here.

06:21.740 --> 06:23.600
What do what do I want right now?

06:23.840 --> 06:28.190
I want to use the pre-shared key. Pre-shared key will be Cisco.

06:31.330 --> 06:31.960
Group and key.

06:31.990 --> 06:32.470
Right.

06:32.890 --> 06:34.100
Group sales key.

06:37.090 --> 06:38.650
Okay again.

06:40.230 --> 06:41.910
Tunnel group IPsec attributes.

06:42.990 --> 06:44.950
And then I specified the key.

06:47.350 --> 06:47.620
Okay.

06:51.030 --> 06:52.320
Once you do this.

06:55.570 --> 06:59.050
You also have to do your IPsec transform set.

06:59.200 --> 07:03.100
tset esp-3des esp-md5.

07:03.610 --> 07:06.940
Configure the transform set which is supposed to be used.

07:08.090 --> 07:08.480
Right.

07:08.510 --> 07:10.220
You also require a username.

07:11.720 --> 07:15.260
Now if you remember we use username where last time.

07:18.820 --> 07:20.800
We use the username to bind the group policy.

07:20.800 --> 07:21.250
Right.

07:21.370 --> 07:23.500
You brought in the group policy into what?

07:23.680 --> 07:24.850
Into that username.

07:25.120 --> 07:30.070
So we specified a username password and then to that username and password we applied.

07:30.070 --> 07:30.400
What?

07:34.660 --> 07:36.040
How did we do that last time?

07:36.700 --> 07:37.630
If you remember.

07:40.230 --> 07:42.090
Authentication was used already.

07:45.420 --> 07:45.850
Is the tunnel.

07:48.470 --> 07:49.520
For the authorization.

07:49.520 --> 07:50.000
Yes.

07:50.000 --> 07:50.810
Yes.

07:50.810 --> 07:53.270
So you have your username and password, Cisco.

07:53.300 --> 07:54.740
This will be used only for what?

07:56.000 --> 07:57.230
This will be used for xauth.

07:57.980 --> 08:01.520
Extended authentication only for x SR.

08:01.640 --> 08:09.620
Right now, the most important part to me is IP local pool, because for the VPN, the important

08:09.620 --> 08:13.880
part is that I should push down a pool to the user. Split tunnel I will use later.

08:14.180 --> 08:16.820
Right now I need to make sure that I push down a pool.

08:16.820 --> 08:17.690
I'll call this pool.

08:17.690 --> 08:18.260
Anything.

08:19.670 --> 08:24.140
192.168.10.1, let's say, and 192.

08:25.900 --> 08:28.540
168.10.10.

08:29.230 --> 08:31.000
This is the pool that I'm supposed to push down.

08:31.090 --> 08:32.890
Where do I push down the pool?

08:33.340 --> 08:34.180
Tunnel group.

08:34.720 --> 08:35.620
What is it called?

08:35.770 --> 08:36.910
Sales.

08:37.420 --> 08:40.630
General attributes in the general attributes.

08:40.840 --> 08:43.900
The option is address, value.

08:44.830 --> 08:45.730
Address pools.

08:46.000 --> 08:48.100
Then the name of the pool is.

08:51.520 --> 08:51.930
Correct.

08:51.970 --> 08:53.920
You have other options here too.

08:54.040 --> 08:55.540
This one is important.

08:55.540 --> 08:59.680
So you're pushing down that pool to the users, right?

08:59.680 --> 09:01.510
You could do some other stuff here also.

09:02.940 --> 09:04.290
You can have some other stuff here.

09:04.290 --> 09:07.950
But most important is the pool that is supposed to be pushed down.

09:11.080 --> 09:11.330
Right.

09:11.530 --> 09:12.580
I would also require.

09:12.580 --> 09:13.060
What?

09:21.280 --> 09:22.630
It is provided.

09:25.660 --> 09:28.150
I would also require a group policy.

09:29.200 --> 09:31.210
Now, what do we do in this group policy?

09:31.210 --> 09:31.630
This is.

09:31.630 --> 09:32.740
Do you remember this?

09:33.460 --> 09:34.780
Do you remember the group policy?

09:36.250 --> 09:37.620
You have to define it separately.

09:37.630 --> 09:38.590
Group policy.

09:40.120 --> 09:41.050
Call it anything.

09:42.040 --> 09:43.800
This is an internal policy.

09:43.810 --> 09:44.950
And then.

09:45.980 --> 09:47.990
Attributes of the policy.

09:48.230 --> 09:50.850
Here you have certain other values available to you.

09:50.870 --> 09:56.030
This is where you do what? Your split tunnel and your split tunnel network.

09:59.180 --> 10:00.980
Just like, where did we do this before?

10:00.980 --> 10:05.270
If you remember WebVPN, we had the same thing.

10:05.270 --> 10:07.820
Yes, there was username, but username is not used here.

10:07.820 --> 10:10.160
Username was used in WebVPN.

10:10.190 --> 10:11.450
We had everything.

10:11.450 --> 10:13.430
The group policy was bound to the username.

10:16.550 --> 10:19.760
So in the username we set default group policy is whatever.

10:20.060 --> 10:21.350
Now we won't do that.

10:21.350 --> 10:24.110
Now, what we did was we created a tunnel group.

10:26.820 --> 10:31.290
Basically saying sales and he was.

10:33.110 --> 10:33.590
Cisco.

10:34.440 --> 10:35.640
To the sales.

10:36.540 --> 10:37.410
I also attached.

10:37.420 --> 10:37.800
What?

10:40.120 --> 10:40.900
Group policy.

10:43.650 --> 10:45.820
Now in that group policy, I'll have split.

10:47.760 --> 10:54.030
I will have network specified or network all tunnel all or tunnel everything.

10:54.420 --> 10:59.750
And I would also now the pool can either be given here or it can be given inside the group also.

11:00.750 --> 11:02.970
Last time when we did it, we did it through the group policy.

11:02.970 --> 11:03.450
Right?

11:03.600 --> 11:07.060
We specified the pool in the group policy and then it was called.

11:07.080 --> 11:08.280
So let's do that.

11:10.990 --> 11:12.160
I'll go here in the group policy.

11:12.160 --> 11:13.960
I'll specify the address pools.

11:13.990 --> 11:16.790
Value is pool. Split

11:16.790 --> 11:20.930
tunnel can be done here, but I will not do that right now because I have not created the split ACL.

11:22.150 --> 11:24.070
So run tunnel group.

11:25.630 --> 11:26.590
I have this right here.

11:26.590 --> 11:32.620
So what I'll do is I'll go inside my tunnel group sales, general attributes: no need for address

11:32.620 --> 11:37.650
pool here, because I'm already using it in the group policy, and you can call the default group policy.

11:37.660 --> 11:38.560
What was it called?

11:41.350 --> 11:42.100
What did I name it?

11:44.010 --> 11:44.820
Also since.

11:48.270 --> 11:48.870
Also sales.

11:49.590 --> 11:50.100
Okay.

11:50.130 --> 11:51.090
Again, notepad.

11:52.610 --> 11:53.570
So I said tunnel.

11:54.570 --> 11:56.790
Group sales key.

11:57.360 --> 11:57.660
Sorry.

11:58.770 --> 12:00.780
Key, and tunnel group sales.

12:00.780 --> 12:02.280
Then I specify type.

12:02.310 --> 12:03.630
This is IPsec.

12:05.100 --> 12:07.290
Remote access.

12:08.520 --> 12:11.040
Then tunnel group.

12:14.280 --> 12:15.290
Sales.

12:15.300 --> 12:17.800
And then you specify IPsec.

12:18.840 --> 12:25.740
Attributes, in which you specify the pre-shared key is Cisco.

12:26.830 --> 12:28.010
Then you go and go again.

12:28.020 --> 12:29.970
Tunnel Group.

12:31.300 --> 12:34.360
Sales general attributes.

12:39.290 --> 12:39.560
Here.

12:39.560 --> 12:40.520
I specified what?

12:42.850 --> 12:48.010
Default group policy is called also sales.

12:48.640 --> 12:50.680
So I went to the policy group.

12:52.360 --> 12:52.930
Policy.

12:53.760 --> 12:54.680
Sales.

12:55.710 --> 12:57.120
This is an internal policy.

12:58.540 --> 12:58.990
Group.

12:59.940 --> 13:02.820
Policy sales attributes.

13:03.620 --> 13:05.210
What are the attributes of sales?

13:05.750 --> 13:06.950
The important one is.

13:07.870 --> 13:08.280
Address.

13:08.290 --> 13:11.140
Pool value is pool.

13:11.650 --> 13:15.460
You can also do split ACL and NEM, and all the other stuff is done here.

13:17.810 --> 13:19.910
Correct. My tunnel group is created.

13:19.910 --> 13:21.580
My tunnel group policy is created.

13:21.590 --> 13:24.240
My IPsec Transform set is created.

13:24.260 --> 13:27.470
What else do you require on the server side?

13:28.370 --> 13:28.880
A map.

13:29.240 --> 13:31.310
A crypto map to bind all of this together.

13:31.460 --> 13:35.750
The problem with crypto map is, this case is going to be dynamic.

13:38.130 --> 13:39.990
I would require a dynamic crypto map.

13:39.990 --> 13:47.010
So when you create a map, you say crypto dynamic-map, just like before, dyn, specify the number ten,

13:47.940 --> 13:52.230
and then you don't press the enter key as before; here, just like the access list yesterday, you just

13:52.230 --> 13:53.910
specify it in the same line.

13:53.910 --> 13:54.870
So match.

13:56.040 --> 13:56.390
Address.

13:56.390 --> 13:57.100
We don't need match.

13:57.110 --> 13:57.400
Address.

13:57.410 --> 13:58.400
We need set.

13:59.040 --> 14:00.030
Transform set.

14:01.370 --> 14:02.750
Set, no match address here.

14:04.520 --> 14:07.190
Okay, so you have this then?

14:07.190 --> 14:08.990
Crypto map.

14:09.020 --> 14:09.770
imap.

14:11.760 --> 14:16.370
Then ipsec-isakmp, and then you specify the dynamic map that was defined.

14:18.560 --> 14:20.480
Binding the crypto map together.

14:20.480 --> 14:21.410
That one to this one.

14:22.220 --> 14:23.690
What else do you need to do?

14:23.810 --> 14:25.340
Apply it on the outside interface.

14:25.340 --> 14:28.100
Crypto map imap interface.

14:28.280 --> 14:33.920
Outside. Crypto isakmp enable. Anything else?

14:35.160 --> 14:36.510
Crypto imap.

14:39.510 --> 14:40.080
Crypto map.

14:42.590 --> 14:43.030
Client.

14:46.910 --> 14:48.440
Authentication. This will be used for.

14:50.600 --> 14:51.790
This will be used, for example.

14:55.110 --> 14:55.860
No, that's not here.

14:59.390 --> 14:59.720
I not.

14:59.730 --> 15:01.860
You don't need that reverse route.

15:01.880 --> 15:03.410
Yes, but we'll do that later.

15:05.000 --> 15:06.170
Reverse route we'll do later.

15:06.170 --> 15:08.080
So it's enabled on the outside interface.

15:08.090 --> 15:08.990
What did I use?

15:12.150 --> 15:12.720
I said.

15:14.090 --> 15:14.570
Capital.

15:15.540 --> 15:15.960
Map.

15:18.680 --> 15:20.720
Crypto dynamic.

15:23.100 --> 15:25.720
Map dyn ten.

15:26.130 --> 15:33.600
Then I said set transform-set tset, to bind it to the physical one.

15:33.600 --> 15:34.890
I said crypto map.

15:34.920 --> 15:36.600
imap ten.

15:39.230 --> 15:43.790
IPsec Isakmp dynamic is the.

15:45.170 --> 15:47.450
The crypto map imap.

15:48.320 --> 15:49.130
Interface.

15:50.540 --> 15:51.100
I'll take.

15:53.420 --> 15:55.250
Crypto map map.

15:55.520 --> 15:56.930
This is case sensitive.

15:59.100 --> 15:59.550
The price.

16:01.900 --> 16:02.410
Enabled.

16:07.220 --> 16:07.450
Right.

16:07.490 --> 16:08.540
No need for set pair.

16:08.930 --> 16:10.250
No need for match address.

16:10.280 --> 16:13.100
The only thing that you need is the transform set which you already bound.

16:13.130 --> 16:15.860
Then you apply that crypto map on the outside interface.

16:16.220 --> 16:20.210
You enable ISAKMP on the outside because, by default, the service is disabled.

16:21.800 --> 16:22.100
Right.

16:22.400 --> 16:22.870
Done.

16:23.420 --> 16:25.910
Let's try and see if this is working.

16:26.180 --> 16:27.050
Show run.

16:28.150 --> 16:30.220
Crypto. First, let's check the configs.

16:30.820 --> 16:31.990
Dynamic map is correct.

16:32.020 --> 16:33.670
Apply to the outside interface.

16:33.700 --> 16:34.690
All is good.

16:35.480 --> 16:37.490
Transform set is also here.

16:37.490 --> 16:38.630
Show Run Tunnel Group.

16:40.100 --> 16:43.040
Tunnel group is sales, policy is sales. Show run.

16:44.440 --> 16:47.320
Policy sales is here and the address value is.

16:49.500 --> 16:54.540
Let's go to R4. How do you connect from R4? Crypto ipsec client ezvpn.

16:55.980 --> 17:00.000
Here is 151 .3. ten.

17:01.200 --> 17:01.920
Correct or not?

17:02.310 --> 17:03.300
Group is.

17:04.270 --> 17:05.020
He is.

17:07.460 --> 17:08.030
Connect.

17:08.830 --> 17:09.340
Auto.

17:10.880 --> 17:12.200
Mode, let's say, client.

17:13.990 --> 17:15.040
Create a loop back.

17:15.190 --> 17:16.600
Do you guys remember or you forgot?

17:18.890 --> 17:26.600
Remember this: interface FastEthernet 0/0, crypto ipsec client ezvpn outside; interface loopback

17:26.600 --> 17:32.390
zero will be crypto ipsec client ezvpn inside.

17:32.390 --> 17:34.760
You do this, it will try to create that connection up.

17:37.330 --> 17:38.170
It says what?

17:39.850 --> 17:42.010
Pending requests.

17:43.720 --> 17:44.030
Pending.

17:44.320 --> 17:46.300
That's because by default.

17:47.050 --> 17:50.200
By default, xauth is enabled.

17:51.020 --> 17:51.440
On this.

17:52.280 --> 17:54.830
By default, you have to disable it.

17:56.030 --> 17:57.140
So you go to the ASA.

17:58.310 --> 18:00.200
I think it should be in group policy.

18:01.850 --> 18:03.290
Sales attributes.

18:04.900 --> 18:06.390
There is NEM here?

18:06.400 --> 18:07.120
Yes.

18:11.990 --> 18:12.950
User authentication?

18:12.950 --> 18:13.370
Yes.

18:16.390 --> 18:18.190
Let's do this user authentication disabled.

18:18.190 --> 18:19.510
There was a there was a command.

18:19.510 --> 18:23.080
So let's try clear crypto ipsec client ezvpn.

18:27.600 --> 18:28.920
We will try to connect up again.

18:29.080 --> 18:32.170
That's not it; it has to be somewhere else.

18:38.780 --> 18:39.910
User authentication.

18:39.920 --> 18:40.390
No need.

18:40.400 --> 18:41.070
Split tunnel.

18:41.090 --> 18:42.800
Not required right now?

18:43.730 --> 18:44.270
Nope.

18:46.200 --> 18:49.230
VPN filter, sessions, tunnel protocol.

18:49.260 --> 18:55.890
Let's try in the tunnel group sales General attributes.

18:58.630 --> 19:00.760
Authorization, authentication, server group.

19:06.230 --> 19:07.280
Then because it was somewhere.

19:08.850 --> 19:11.970
It's a command in the IPsec properties.

19:19.590 --> 19:21.620
Key client authorization required.

19:27.220 --> 19:28.050
Isakmp.

19:28.090 --> 19:28.690
Yes.

19:45.120 --> 19:45.400
So.

19:46.200 --> 19:47.660
Crypto IPsec.

19:48.650 --> 19:52.640
My tunnel group sales IPsec.

19:52.670 --> 19:53.600
Attributes.

19:54.270 --> 19:55.940
It's where isakmp.

19:56.520 --> 19:57.330
Not here.

19:57.330 --> 19:57.810
It's.

19:59.130 --> 19:59.960
The first option.

20:00.500 --> 20:00.950
I agree.

20:00.950 --> 20:03.620
IKEv1 user authentication, I'll say none.

20:04.670 --> 20:06.680
So I'll remove it by default.

20:06.680 --> 20:07.280
It's what?

20:10.350 --> 20:10.760
The music.

20:13.050 --> 20:18.520
Now go to R4. Clear crypto ipsec client ezvpn.

20:23.510 --> 20:24.410
So it's.

20:25.460 --> 20:31.370
Like the same concept: if you check here, show crypto ipsec client ezvpn, you'll have the same things

20:31.370 --> 20:31.790
again.

20:31.790 --> 20:33.140
Same things as before.

20:34.160 --> 20:34.610
Right?

20:34.640 --> 20:41.060
Show ip route will show you what? Nothing here, but show ip interface brief will show you.

20:41.060 --> 20:46.970
An IP address has been pushed down to loopback 10000, just like before. Show crypto ipsec will show you

20:46.970 --> 20:50.780
anything which is sourced from 192.168.10.1 will go through the tunnel.

20:50.990 --> 20:55.970
The remote endpoint is 30.10, local endpoint is 34.4.

20:56.060 --> 21:03.140
Also, along the same lines, if you go here and you do your show route, you have what? By

21:03.140 --> 21:05.540
default, route is set to the other side.

21:05.540 --> 21:09.410
So now I can, 192.168.1.1, I can ping the guy.

21:11.020 --> 21:11.280
Right.

21:11.500 --> 21:14.440
The question is, can the guy, R4?

21:14.470 --> 21:16.600
Can he go to 10.11.11.1?

21:17.290 --> 21:17.860
Right.

21:18.370 --> 21:19.420
Like this cannot.

21:19.420 --> 21:25.540
But if he uses the source of loopback 10000, then he should be allowed to go here, as well as if he wants

21:25.540 --> 21:27.610
to go to 10.11.11.2.

21:29.590 --> 21:30.450
And other things.

21:30.460 --> 21:30.880
Everything.

21:30.880 --> 21:32.560
The concept is exactly the same.

21:33.430 --> 21:34.750
There is no difference at all.

21:35.980 --> 21:36.510
Right.

21:36.520 --> 21:40.480
The tunnel which is created: show crypto isakmp sa detail.

21:41.350 --> 21:41.730
Right.

21:41.740 --> 21:44.890
If you want to check from this side, it just shows you differently.

21:45.130 --> 21:46.630
But it is the same.

21:47.440 --> 21:50.400
It just tells you it's called AM. AM, why?

21:52.280 --> 21:57.650
Why AM? If you remember, EzVPN uses what? Aggressive mode, not main mode.

21:57.650 --> 21:58.730
It uses aggressive mode.

21:59.150 --> 22:02.720
Everything is negotiated with three packets instead of six.

22:04.470 --> 22:04.740
Right.

22:04.740 --> 22:06.000
So AM active.

22:06.390 --> 22:06.900
Right.

22:06.930 --> 22:09.900
There is no rekeying procedure here because I'm not.

22:09.930 --> 22:15.450
It's not GET VPN, and the peer which I'm creating the tunnel with is 34.4.

22:16.790 --> 22:19.810
Okay, so Crypto IPsec is same.

22:20.420 --> 22:21.890
How many packets have gone through?

22:23.150 --> 22:25.220
Right and inbound and outbound.

22:25.610 --> 22:27.800
You're using crypto map, which one? The dyn.

22:28.940 --> 22:32.360
The actual map that you're using is the dynamic map show.

22:32.360 --> 22:33.230
Crypto map.

22:39.600 --> 22:40.740
I don't think you can see it.

22:43.760 --> 22:44.000
Here.

22:44.000 --> 22:46.010
You can't on the router, you can't.

22:46.010 --> 22:47.520
So if you go to router show.

22:51.050 --> 22:51.370
Map.

22:51.440 --> 22:52.150
I'll show you the time.

22:52.160 --> 22:55.130
But here it's fine because everything is coming down from the top.

22:55.130 --> 22:55.610
Right?

22:56.000 --> 22:59.180
So this is what you have received from the Transform set.

22:59.210 --> 23:01.700
On the other side, you're using group two.

23:01.940 --> 23:08.120
You're not using PFS right now, and you have your current peer is 30.30. Access list.

23:09.310 --> 23:13.540
Look at the access list that has been pushed from you to.

23:15.190 --> 23:15.520
Tunnel.

23:15.730 --> 23:16.510
Everything.

23:17.820 --> 23:23.610
We call this tunnel everything. I want to do what? I don't want to do tunnel everything; I want to do

23:23.640 --> 23:24.510
tunnel specified.

23:24.960 --> 23:27.420
Basically, I want to have a split tunnel in here.

23:27.900 --> 23:28.830
Let's do this.

23:28.830 --> 23:29.970
Let's remove this.

23:30.930 --> 23:31.860
Let's start our.

23:36.760 --> 23:41.050
And let's run up and see if it works the same way.

24:00.680 --> 24:03.610
I need to make sure that it is bound to net zero.

24:04.420 --> 24:05.410
I also need to configure.

24:16.890 --> 24:17.850
VM zero has what?

24:17.880 --> 24:18.500
150.

24:18.530 --> 24:19.540
No, not this one.

24:19.550 --> 24:20.660
I need to change this.

24:26.790 --> 24:27.230
Two.

24:28.380 --> 24:29.760
151.

24:29.790 --> 24:35.490
This is 35.101 and the XP machine is going to be 35 point, let's say 25.

24:40.500 --> 24:41.370
Again, zero is correct.

24:51.740 --> 24:55.310
In the meantime, I'll go to the Just create the split tunnel.

24:55.610 --> 24:56.390
I'll keep it there.

24:56.900 --> 24:57.620
Access list.

24:57.620 --> 25:00.800
I'll call it split permit IP.

25:02.050 --> 25:04.150
From which network?

25:04.180 --> 25:04.930
Ten, 11.

25:04.930 --> 25:07.840
11.1 or 0.

25:07.930 --> 25:08.630
Let's say one only.

25:12.520 --> 25:13.240
Going anywhere.

25:16.260 --> 25:16.890
I'll just create.

25:16.890 --> 25:19.200
This is the split tunnel that I'll be using later.

25:19.200 --> 25:20.730
But right now I don't need it.

25:21.750 --> 25:24.630
Right now I just need to make sure that my VPN is working properly.

25:24.630 --> 25:27.150
So let's go here.

25:30.200 --> 25:32.180
First of all, let's change the IP address.

25:34.380 --> 25:34.800
Right here.

25:58.500 --> 26:03.210
Is 35.25 and the next hop is 35.3.

26:06.610 --> 26:07.300
Correct or not?

26:08.920 --> 26:09.400
Close.

26:10.420 --> 26:10.930
Close.

26:11.770 --> 26:13.660
Check if you have connectivity.

26:14.970 --> 26:16.620
By bringing these.

26:21.490 --> 26:26.110
151.30.10 is the ASA. I am getting a reply from the ASA.

26:26.350 --> 26:28.450
All I need to do to connect up is what?

26:29.500 --> 26:30.510
Open my client.

26:39.850 --> 26:41.050
Create a new connection.

26:42.890 --> 26:44.270
What is the name of the server?

26:45.530 --> 26:46.580
This is ASA.

26:47.990 --> 26:50.570
The address is 151 .33. ten.

26:51.050 --> 26:52.310
Group name is.

26:53.310 --> 26:54.120
He is.

26:55.320 --> 26:55.770
Cisco.

26:58.240 --> 26:58.720
Connect up.

26:59.690 --> 27:01.000
Securing connections.

27:01.010 --> 27:01.700
You're done.

27:03.240 --> 27:04.200
Connection has been formed.

27:04.200 --> 27:04.500
Right?

27:06.110 --> 27:07.250
Now if you go here.

27:10.070 --> 27:14.210
And you check the statistics, you will see that this is a tunnel.

27:14.240 --> 27:18.410
Everything right now and tunnel details are right here.

27:18.410 --> 27:18.940
Same.

27:18.950 --> 27:20.120
How many packets are encrypted?

27:20.120 --> 27:22.340
How many decrypted? Can you go to?

27:22.340 --> 27:25.400
The question is, can you go to the servers right now?

27:28.020 --> 27:29.460
10.11.11.1.

27:29.460 --> 27:30.270
Yes, I can.

27:30.540 --> 27:32.670
I can also go to 10.11.11.2.

27:32.670 --> 27:39.180
But I have lost connectivity to the internet, so I cannot go to 151.35.3, which is directly

27:39.180 --> 27:45.660
connected to me, because this traffic is also going where? To the VPN server. Tunnel everything.

27:46.430 --> 27:48.070
Everything is going to the server.

27:48.080 --> 27:49.280
How do I fix this?

27:49.400 --> 27:52.910
I'll go to the server.

27:52.910 --> 27:55.910
I'll go again to group policy.

27:55.940 --> 27:58.700
It's called sales attributes.

28:00.280 --> 28:02.350
I'll say split.

28:03.210 --> 28:06.570
Tunnel network list is called.

28:08.000 --> 28:09.050
I'll call it split.

28:09.830 --> 28:11.090
I'll also say split tunnel.

28:12.960 --> 28:14.550
We have tunnel policy.

28:16.420 --> 28:18.460
Tunnel policy, by default,

28:18.460 --> 28:19.090
it's tunnel all.

28:19.090 --> 28:20.080
I'll change it to tunnel.

28:21.160 --> 28:21.700
Specified.

28:23.500 --> 28:23.800
Correct.

28:25.870 --> 28:26.560
Exit.

28:28.650 --> 28:30.270
Disconnect and connect up again.

28:35.330 --> 28:36.570
Disconnect and connect again.

28:37.230 --> 28:37.890
You're up.

28:41.940 --> 28:43.320
What are the routes that have come down?

28:43.320 --> 28:45.360
Only one: 10.11.11.1.

28:45.360 --> 28:47.820
You can only go to 10.11.11.1.

28:47.820 --> 28:53.940
So if you go here now and you try to go to 10.11.11.2, you should not be allowed, because you're

28:53.940 --> 28:56.720
going where? To the Internet, to look for this address.

28:56.730 --> 28:58.680
If you go to one, this should go through the tunnel.

28:58.980 --> 29:02.220
If you go to your Internet, your connectivity should not be stopped.

29:02.220 --> 29:02.370
So.

29:03.610 --> 29:05.230
Got it. You can still go to the.

29:08.810 --> 29:09.260
Okay.

29:09.970 --> 29:10.780
Any questions?

29:14.070 --> 29:14.400
Nothing.

29:14.400 --> 29:15.080
Same thing.

29:15.090 --> 29:16.200
Same thing as yesterday.

29:16.200 --> 29:16.680
Yesterday.

29:16.680 --> 29:22.710
The day before yesterday, in VPN, we applied the split tunnel the exact same way: copied the split tunnel,

29:22.950 --> 29:25.290
put it in the group policy there.

29:25.290 --> 29:28.230
The group policy there was called in the username; here,

29:28.230 --> 29:30.090
The group policy is called in the Tunnel Group.

29:30.600 --> 29:30.940
Why?

29:31.050 --> 29:35.730
Tunnel group, because you have the group key and the name: group is sales, key is.

29:37.770 --> 29:38.730
Call the policy there.

29:39.490 --> 29:39.790
Correct.

29:40.300 --> 29:43.480
This is the client mode, right?

29:43.690 --> 29:45.790
Right now R4 was in mode client.

29:45.790 --> 29:46.750
What is the other mode?

29:50.060 --> 29:52.400
Mode network extension.

29:52.790 --> 29:56.030
The moment you do this, you will see that it will not work.

29:58.340 --> 29:59.840
It's down, is it?

29:59.870 --> 30:00.670
It will not work.

30:00.680 --> 30:01.220
Why?

30:01.250 --> 30:06.290
Because by default NEM is disabled on a firewall.

30:06.290 --> 30:10.070
You have to enable it by yourself by going on the firewall.

30:10.070 --> 30:11.870
Network extension mode is disabled.

30:12.080 --> 30:14.330
You have to enable it in the group policy.

30:16.850 --> 30:18.290
Sales attributes.

30:18.320 --> 30:23.810
It's called NEM, network extension mode, enabled. By default,

30:23.810 --> 30:24.500
It's not allowed.

30:25.430 --> 30:31.370
The moment you enable it, you'll see that network extension was enabled and the networks have gone

30:31.370 --> 30:31.520
up.

30:31.520 --> 30:32.270
Which networks?

30:32.270 --> 30:34.550
10.4.4.0, if you check.

30:34.850 --> 30:41.210
If you check your AC show route, you have the route to 192.168.10.2, which is the other side.

30:41.210 --> 30:43.190
You don't have the route to 10.4.4.

30:43.190 --> 30:44.270
Why don't you have the route?

30:46.650 --> 30:51.600
The networks have come up, if you check remote subnets, have gone up 10.4.4.0.

30:52.110 --> 30:54.380
But the route is not on a say.

30:54.420 --> 30:55.020
Why not?

31:02.340 --> 31:03.750
Dynamic ten set.

31:05.180 --> 31:05.600
It was.

31:09.090 --> 31:09.330
Remember?

31:09.390 --> 31:09.920
Reverse route.

31:10.860 --> 31:12.120
Then clear it now.

31:12.120 --> 31:12.570
Clear.

31:12.570 --> 31:14.030
Crypto IPsec client is.

31:18.240 --> 31:18.840
Down.

31:18.870 --> 31:19.890
Back up again.

31:25.900 --> 31:26.160
Okay.

31:28.740 --> 31:29.420
For this guy.

31:29.430 --> 31:31.050
Also when I give you my address.

31:31.050 --> 31:31.570
Right.

31:31.590 --> 31:33.630
I'm giving the server my address.

31:34.590 --> 31:35.310
Network extension.

31:35.310 --> 31:36.270
He doesn't have the IP.

31:36.660 --> 31:38.130
I'm giving you my address.

31:38.610 --> 31:39.890
You need to find out the route.

31:39.900 --> 31:41.770
You need to insert a route towards that address.

31:41.790 --> 31:43.140
That's reverse route injection.

31:43.380 --> 31:44.640
You have reverse route.

31:44.670 --> 31:47.310
Now you can go to 10.4.4.4.

31:48.990 --> 31:52.830
Obviously you'll have to use an address because this site will not know you.

31:56.800 --> 31:57.490
So.

32:00.090 --> 32:04.650
So crypto type exec and with anything that is sourced.

32:04.650 --> 32:06.210
Okay any obviously.

32:06.210 --> 32:11.010
So you will not be able to ping who would be who will be the only guy will be able to ping our.

32:11.080 --> 32:13.110
110 .4.4.4.

32:14.300 --> 32:15.670
Any network extension.

32:17.080 --> 32:18.340
And with split tunnel.

32:19.180 --> 32:23.680
So this guy is allowed access to 10.4 from both ends.

32:25.030 --> 32:27.490
Now, earlier, you didn't have access from the server to the client.

32:27.490 --> 32:29.890
Only the client could access the server's resources.

32:29.920 --> 32:37.030
Now, the server can also access the client's resources used for small sites to connect up to the headquarters.

32:37.600 --> 32:43.300
Small sites with 50, 60, 70 users to connect them up, they can go up and the servers can also come

32:43.300 --> 32:44.560
down and communicate with them.

32:46.020 --> 32:46.980
Just like you land to land.

32:48.410 --> 32:48.770
Correct.

32:48.770 --> 32:51.800
So let's enable XAUTH.

32:53.770 --> 32:56.800
Crypt tunnel group sales.

32:58.090 --> 32:59.560
IPsec attributes.

33:00.460 --> 33:00.850
Right.

33:01.120 --> 33:02.890
I camp right here.

33:04.460 --> 33:06.460
Icon authentication should be.

33:37.950 --> 33:39.930
Username Cisco Password.

33:40.170 --> 33:41.910
Cisco Securing it.

33:42.710 --> 33:43.700
And connecting up.

33:43.850 --> 33:46.250
So now you have that extra authentication.

33:47.390 --> 33:49.610
You will require the username and password to connect.

33:51.530 --> 33:51.740
Okay.

33:51.860 --> 33:52.970
Similarly on here.

33:55.150 --> 34:00.970
Not always do this on the global user Exact username Cisco Password.

34:00.970 --> 34:02.610
Cisco connect up.

34:05.550 --> 34:07.140
You still have the remote subnets right here.

34:07.140 --> 34:09.090
So you go here, show shout out.

34:13.050 --> 34:17.040
The other guy is the client and I'm the one is remote access.

34:17.250 --> 34:19.380
Sorry, one is network extension, the other is mode.

34:21.320 --> 34:21.590
But.

34:24.040 --> 34:25.300
Everybody okay with this?

34:26.830 --> 34:30.970
This is easy VPN with dynamic maps only.
