In preparation for our CCNP exam, we want to make sure we cover the various concepts that we could see on the Cisco CCNP exam. So to assist you, below we discuss Context-based Access Control: Introduction and Configuration.
Introduction

This document describes a fully meshed configuration with three routers that use private addresses. The example illustrates these features:
- Encapsulating Security Payload (ESP) with Data Encryption Standard (DES) only
- Pre-shared keys
- Private networks behind each router: 192.168.1.0, 192.168.2.0, and 192.168.3.0
- isakmp policy and crypto map configuration
- Tunnel traffic defined with the access-list and route-map commands.

In addition to Port Address Translation (PAT), route maps can be applied to a one-to-one static Network Address Translation (NAT) on Cisco IOS® Software Release 12.2(4)T2 and later. For more information, refer to NAT - Ability to Use Route Maps with Static Translations Feature Overview.
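The feature list above worked into a complete configuration for one of the three routers. This is an added example and not the configurations from the original document (which are not reproduced on this page). Everything not stated in the feature list is assumed: the outside interface Ethernet0/0 with public address 203.0.113.1 (peers at 203.0.113.2 and 203.0.113.3, default gateway 203.0.113.254), the inside interface Ethernet0/1, the pre-shared key cisco123, and the ACL numbers and map names. Router2 and Router3 mirror this with their own private network and the other two routers as peers. ESP-DES is kept to match the document; the commented block shows what a current deployment would use instead.

```cisco
! Router1: private network 192.168.1.0/24, full mesh to Router2 and Router3
! (added example; addresses, names and the key are assumptions)
hostname Router1
!
! Phase 1 (ISAKMP) policy: DES and pre-shared keys, as the document specifies.
! DES is a 56-bit cipher and is brute-forceable; it is shown only to match the text.
crypto isakmp policy 10
 encryption des
 hash sha
 authentication pre-share
 group 1
! One pre-shared key per peer (same key on both ends of each pair).
crypto isakmp key cisco123 address 203.0.113.2
crypto isakmp key cisco123 address 203.0.113.3
!
! Phase 2 transform set: ESP with DES only, no integrity transform (per the document).
crypto ipsec transform-set myset esp-des
!
! Hardened equivalent on current IOS (not what the document shows):
!  crypto isakmp policy 10
!   encryption aes 256
!   hash sha256
!   group 14
!  crypto ipsec transform-set myset esp-aes 256 esp-sha256-hmac
!
! One crypto map entry per peer; the crypto ACL decides which flows are encrypted.
crypto map mymap 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set myset
 match address 110
crypto map mymap 20 ipsec-isakmp
 set peer 203.0.113.3
 set transform-set myset
 match address 120
!
interface Ethernet0/0
 description outside (assumed public address)
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 crypto map mymap
!
interface Ethernet0/1
 description inside
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! PAT everything leaving Ethernet0/0, except what the route-map excludes.
ip nat inside source route-map nonat interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 203.0.113.254
!
! Crypto ACLs: traffic to each remote private network goes into that peer's tunnel.
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! NAT ACL: deny the tunnel flows so they keep their private source address;
! everything else from the LAN is translated.
access-list 130 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 130 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 130
```

The route-map is the security-relevant part. On IOS, inside-to-outside NAT runs before the crypto map is consulted, so if the 192.168.1.0 to 192.168.2.0 flow were translated to 203.0.113.1 it would no longer match access-list 110 and would leave the router in clear text rather than failing. The deny entries in access-list 130 prevent that, and the same deny/permit pairs must exist on Router2 and Router3 for their own networks. Once the mirrored configuration is on all three routers and some interesting traffic has been sent, show crypto isakmp sa should list both peers in state QM_IDLE.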
Note: Encryption technology is subject to export controls. It is your responsibility to know the law regarding export of encryption technology. See the Bureau of Export Administration home page for more information. If you have any questions regarding export control, please send an email to export@cisco.com.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:
- Cisco IOS Software Release 12.3(7)T.
- Cisco routers configured with IPSec.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to Cisco Technical Tips Conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).

Network Diagram

This document uses this network setup:

Configurations

This document uses these configurations:

Verify

This section provides information you can use to confirm your configuration is working properly.
Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.
- show crypto engine connections active: Shows encrypted and decrypted packets between IPSec peers.
- show crypto isakmp sa: Shows all current IKE security associations (SAs) at a peer.
- show crypto ipsec sa: Shows the settings used by current IPSec SAs.
Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Troubleshooting Commands

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.
Note: Before issuing debug commands, please see Important Information on Debug Commands.
Note: The following debugs must be running on both IPSec routers (peers). Clearing SAs must be done on both peers.
- debug crypto isakmp: Displays errors during Phase 1.
- debug crypto ipsec: Displays errors during Phase 2.
- debug crypto engine: Displays information from the crypto engine.
- clear crypto connection connection-id [slot | rsm | vip]: Terminates an encrypted session currently in progress. Encrypted sessions normally terminate when the session times out. Use the show crypto cisco connections command to learn the connection-id value.
- clear crypto isakmp: Clears the Phase 1 SAs.
- clear crypto sa: Clears the Phase 2 SAs.
I hope you found this article useful and that it helps you prepare for your Cisco CCNP certification. Achieving your CCNP certification is much more than memorizing Cisco exam material. It is having the real-world knowledge to configure your Cisco equipment and to methodically troubleshoot Cisco issues. So I encourage you to continue your studies for the CCNP exam.