Author Archives: ACR 2014

About ACR 2014

Network Enthusiast

WIP: Building a Viptela Lab on EVE-NG

Work in progress…

Some key points of the Viptela SD-WAN architecture:
Cisco Viptela has the following components:
1. vOrchestrator
2. vBond
3. vController
4. vEdge
They connect to each other as overlays over underlay transports such as LTE, MPLS, 4G, etc. They use the OMP protocol and TLOCs to identify each other's locations and to peer.

Benefits
1. Cost reduction
2. Zero-touch provisioning
3. Cloud readiness
4. Control over segregated networks
5. Secure VPN-based service readiness: different private clouds and SaaS offerings can be added or integrated easily

1st run:
CPUs: 4
Mem: 24 GB

[Figure: first run]

Then set to: CPUs: 12, Mem: 24 GB

[Figure: Viptela output]

Issue on vEdge and Vmgmt…

My HP ProLiant DL380 G6 (2U)

[Figure: HP server]

Due to the lack of resources on my lab station (AMD Ryzen 3 with 16 GB), I have decided to build a new lab station for Data Center, SD-WAN, virtualization, NetDev and cloud reps. The package includes 5 extra SAS drives and door-to-door delivery. With this server I get 6 cores/12 threads per CPU, 24 threads in total. It has 18 RAM slots (max) but I’m only using 6 slots at 8 GB per slot (48 GB in total), and it supports RAID 0, 1, 5 and 10.

Specs: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c01714721


Powering up the HP ProLiant DL380 G6. After POST you need to configure/set up the RAID (redundant array of independent disks).

I. RAID Configuration

> Press F8 to enter the Option ROM Configuration for Arrays (ORCA). If after pressing F8 you get redirected to the BIOS options, just exit and press F8 again.

An issue popped up regarding “Invalid drive movement”; this was probably due to a leftover old RAID configuration, so I cleared the existing RAID config and created a new one for the installed drives. Select RAID 5.

Once the RAID configuration was completed, I moved on to the OS/ESXi installation.

II. ESXI Installation

a. Download ESXi 6.7 from the VMware website (you need to register to download).

b. Create a bootable USB drive using Rufus 2.7.
https://rufus.ie/

c. Connect the USB drive to a USB port on the server, then press F11 to manually specify the boot option. Select 3.

d. Read the installation guide for reference.
https://docs.vmware.com/en/VMware-vSphere/6.7/vsphere-esxi-67-installation-setup-guide.pdf

Once completed, you can access your ESXi server using the web management interface. From my old lab station I exported all my virtual machines and imported them into the new ESXi server.

[Figure: ESXi host]

Pending: Next, I need to convert my physical machine running Ubuntu to OVF. This can be done using VMware vCenter Converter Standalone.

[Figure: vCenter Converter]

On my old lab station I created a new root-level account and made sure it can run sudo commands without a password prompt.

visudo or sudo visudo
sudoer ALL=(ALL) NOPASSWD:ALL
%sys ALL=(ALL) NOPASSWD: ALL
sudoer ALL=(ALL) NOPASSWD: /bin/kill
https://linuxize.com/post/how-to-create-a-sudo-user-on-ubuntu/

How to Run ‘sudo’ Command Without Entering a Password in Linux
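As an added example (not from the original post), here is a small Python audit of the user-specification lines just shown: it parses sudoers rules and reports which principals get NOPASSWD, and in particular which get NOPASSWD for ALL commands, the broadest grant possible. The sample sudoers text is constructed; "sudoer" is the placeholder account name from the post. Aliases and #include directives are out of scope.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the sudoers lines in the post
# ("sudoer" is the placeholder account name used there).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
sudoer ALL=(ALL) NOPASSWD:ALL
%sys ALL=(ALL) NOPASSWD: ALL
sudoer ALL=(ALL) NOPASSWD: /bin/kill
"""

# user  hosts=(runas)  [TAG:]...  command[, command...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


@dataclass
class SudoRule:
    who: str          # user name, or %group
    hosts: str
    runas: str
    nopasswd: bool
    commands: list


def parse_sudoers(text):
    """Parse user-specification lines; comments, blanks and Defaults are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # aliases, includes etc. are not handled by this parser
        tags = [t.strip().upper() for t in m.group("tags").split(":") if t.strip()]
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        rules.append(SudoRule(m.group("who"), m.group("hosts"), m.group("runas"),
                              "NOPASSWD" in tags, cmds))
    return rules


def passwordless_rules(rules):
    """Every rule that skips the password prompt, with its command list."""
    return [(r.who, r.commands) for r in rules if r.nopasswd]


def unrestricted_principals(rules):
    """Principals that may run ANY command (as any user, root included) without a password."""
    return [r.who for r in rules if r.nopasswd and "ALL" in r.commands]


if __name__ == "__main__":
    parsed = parse_sudoers(SAMPLE_SUDOERS)
    for who, cmds in passwordless_rules(parsed):
        print(f"NOPASSWD  {who:<8} -> {', '.join(cmds)}")
    print("unrestricted:", unrestricted_principals(parsed))
```

Running it on a real host means feeding it the output of `sudo cat /etc/sudoers` (and the files under /etc/sudoers.d); the narrow `/bin/kill` rule is reported as passwordless but not as unrestricted, which is the distinction worth tracking.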

My New Lab Station:

[Figure: new lab station]

Network Address Translation (NAT) & Scenario

Configuration Notes:
Defining NAT Inside and Outside Interfaces
The first step in deploying NAT is to define the NAT inside and outside interfaces. You may find it easiest to define your internal network as inside and the external network as outside. However, which side counts as internal and which as external is itself a matter of choice. This figure shows an example of this.

NAT Overloading
Also called Port Address Translation (PAT), this is a form of dynamic NAT where a single inside global IP address provides Internet access to all inside hosts. As a general rule, NAT overload is used in scenarios where the number of inside local addresses is greater than the number of inside global addresses.

Clearing Static NAT Entry
The clear command only deletes dynamic entries. If you don’t need a static entry anymore, delete it from the config.
It is not possible to clear a static NAT entry; that is why the error message “Translation not dynamic” is seen. If the static NAT entry is not serving its intended purpose, simply edit or remove it in the configuration.


NAT Order of Operation:

  1. When a packet arrives on an interface configured as ‘ip nat inside’:
    • The packet is first checked against the NAT access list (the interesting traffic).
    • The packet’s destination address is then checked.
    • If the destination is reachable via an interface configured as ‘ip nat outside’, the source address is masked/NATed before the packet is sent out of the egress interface.
  2. When the return packet arrives on an interface configured as ‘ip nat outside’:
    • The packet is first compared against the NAT translation table for a matching entry.
    • If a matching entry is found, the destination IP and port are replaced according to the entry before the packet is routed toward the inside interface.

NAT Terminology:

Inside Local – The IP address of the inside network as viewed locally (e.g. your LAN or private network)
Inside Global – The IP address of the inside network as viewed by the outside world (e.g. your public IP on the WAN interface)
Outside Local – The IP address of the outside network as viewed by you (from the inside network)
Outside Global – The IP address of the outside network as viewed by the outside world

IP NAT OUTSIDE SOURCE STATIC SCENARIO:

  1. Translating the outside public IP to reach the LAN network.

[Figure: NAT scenario 1 topology]

Note: On the outside interface, translation is performed before routing; on the inside interface, routing is performed first and then translation.

[Figure: NAT scenario 1 configuration]

Configure a loopback on R3 and R2, and make sure the routes are correct on all routers.

R2#sh run int loop 30
interface Loopback30
ip address 171.68.1.1 255.255.255.255

R3#sh run int loop 30
interface Loopback30
ip address 172.16.89.32 255.255.255.255

R1#sh run | sec ip route
ip route 0.0.0.0 0.0.0.0 122.1.1.2
ip route 171.68.1.1 255.255.255.255 192.168.1.1

R1(config)#ip nat outside source static 172.16.89.32 171.68.16.5
-> This translates the outside global source (172.16.89.32) to the outside local address (171.68.16.5).

R5#sh run | sec ip route
ip route 171.68.1.1 255.255.255.255 122.1.1.1
ip route 172.16.89.32 255.255.255.255 221.0.0.1

Results:

R3#ping 171.68.1.1 source loop 30

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 171.68.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.89.32
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/40/64 ms

R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
— — — 171.68.16.5 172.16.89.32
icmp 171.68.1.1:0 171.68.1.1:0 171.68.16.5:0 172.16.89.32:0

R1#sh ip nat statistics
Total active translations: 2 (1 static, 1 dynamic; 1 extended)
Peak translations: 2, occurred 00:00:26 ago
Outside interfaces:
GigabitEthernet1/0
Inside interfaces:
GigabitEthernet2/0
Hits: 10 Misses: 0
CEF Translated packets: 9, CEF Punted packets: 1
Expired translations: 0
Dynamic mappings:
Appl doors: 0
Normal doors: 0
Queued Packets: 0

2. Overlapping Network

[Figure: overlapping-network topology]

[Figure: overlapping-network configuration]

R1#sh run | sec ip route
ip route 0.0.0.0 0.0.0.0 122.1.1.2
ip route 9.9.9.0 255.255.255.0 122.1.1.2
ip route 123.12.12.0 255.255.255.0 192.168.1.1
ip route 171.68.1.1 255.255.255.255 192.168.1.1
R1#sh run | sec ip nat
ip nat outside
ip nat inside
ip nat inside source static 123.12.12.3 8.8.8.1
ip nat inside source static 192.168.1.1 8.8.8.2
ip nat outside source static 123.12.12.1 9.9.9.1
ip nat outside source static 172.16.89.32 9.9.9.2

R2#sh run | sec ip route
ip route 0.0.0.0 0.0.0.0 192.168.1.254
R2#sh run int loop 40 | beg int
interface Loopback40
ip address 123.12.12.3 255.255.255.255

R3#sh run | sec ip route
ip route 0.0.0.0 0.0.0.0 221.0.0.2
R3#sh run int loop 40 | beg int
interface Loopback40
ip address 123.12.12.1 255.255.255.255

R5#sh run | sec ip route
ip route 8.8.8.0 255.255.255.0 122.1.1.1
ip route 123.12.12.0 255.255.255.0 221.0.0.1
ip route 171.68.1.1 255.255.255.255 122.1.1.1
ip route 172.16.89.32 255.255.255.255 221.0.0.1

R3#ping 8.8.8.1 source loopback 40

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.1, timeout is 2 seconds:
Packet sent with a source address of 123.12.12.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/65/76 ms

R2#ping 9.9.9.1 source loopback 40

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.1, timeout is 2 seconds:
Packet sent with a source address of 123.12.12.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/60/68 ms

Note: When troubleshooting, make sure the routing is correct and that every router on the path has routes for both the global and local addresses, in both directions.

R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
— — — 9.9.9.1 123.12.12.1
— — — 9.9.9.2 172.16.89.32
— 8.8.8.1 123.12.12.3 — —
— 8.8.8.2 192.168.1.1 — —
R1#sh ip nat stat
Total active translations: 4 (4 static, 0 dynamic; 0 extended)
Peak translations: 53, occurred 00:19:08 ago
Outside interfaces:
GigabitEthernet1/0
Inside interfaces:
GigabitEthernet2/0
Hits: 299 Misses: 0
CEF Translated packets: 233, CEF Punted packets: 30
Expired translations: 36
Dynamic mappings:
Appl doors: 0
Normal doors: 0
Queued Packets: 0
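To make the order of operations concrete, the following Python model (an added example, not part of the original post) applies the IOS rules to R1 in the overlapping-network scenario: the four static entries from 'sh run | sec ip nat', the static routes from 'sh run | sec ip route', and Gi1/0 / Gi2/0 as the outside / inside interfaces named in 'sh ip nat statistics'. It traces R3's ping to 8.8.8.1 in both directions, and includes a constructed variant of R1 with no routes toward the 9.9.9.0/24 outside-local addresses to show why the routing note above matters: the inside-to-outside lookup happens on the untranslated destination.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class NatRouter:
    """Static inside-source and outside-source NAT with the IOS ordering:
    inside->outside = route first, then translate;
    outside->inside = translate first, then route."""

    def __init__(self):
        self.inside_static = {}    # inside local   -> inside global
        self.outside_static = {}   # outside global -> outside local
        self.routes = []           # (ip_network, egress interface)

    # configuration helpers, named after the IOS commands they model
    def ip_nat_inside_source_static(self, inside_local, inside_global):
        self.inside_static[inside_local] = inside_global

    def ip_nat_outside_source_static(self, outside_global, outside_local):
        self.outside_static[outside_global] = outside_local

    def ip_route(self, prefix, egress):
        self.routes.append((ipaddress.ip_network(prefix), egress))

    def _route(self, dst):
        """Longest-prefix match; None means no route, i.e. the packet is dropped."""
        addr = ipaddress.ip_address(dst)
        matches = [(net, egress) for net, egress in self.routes if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def from_inside(self, pkt):
        """Packet received on the 'ip nat inside' interface. The route lookup is
        done on the untranslated destination (the outside local address), so R1
        needs a route for 9.9.9.0/24 even though it never appears beyond R1."""
        egress = self._route(pkt.dst)
        if egress is None:
            return None, None
        to_outside_global = {local: glob for glob, local in self.outside_static.items()}
        translated = Packet(self.inside_static.get(pkt.src, pkt.src),
                            to_outside_global.get(pkt.dst, pkt.dst))
        return translated, egress

    def from_outside(self, pkt):
        """Packet received on the 'ip nat outside' interface: translation first,
        then the route lookup on the translated (inside local) destination."""
        to_inside_local = {glob: local for local, glob in self.inside_static.items()}
        translated = Packet(self.outside_static.get(pkt.src, pkt.src),
                            to_inside_local.get(pkt.dst, pkt.dst))
        return translated, self._route(translated.dst)


def build_r1(with_outside_local_routes=True):
    """R1 from the overlapping-network scenario (Gi1/0 outside, Gi2/0 inside).
    with_outside_local_routes=False is a constructed variant that omits the
    routes toward the outside local addresses to show the failure mode."""
    r1 = NatRouter()
    r1.ip_nat_inside_source_static("123.12.12.3", "8.8.8.1")
    r1.ip_nat_inside_source_static("192.168.1.1", "8.8.8.2")
    r1.ip_nat_outside_source_static("123.12.12.1", "9.9.9.1")
    r1.ip_nat_outside_source_static("172.16.89.32", "9.9.9.2")
    r1.ip_route("123.12.12.0/24", "Gi2/0")
    r1.ip_route("171.68.1.1/32", "Gi2/0")
    if with_outside_local_routes:
        r1.ip_route("0.0.0.0/0", "Gi1/0")
        r1.ip_route("9.9.9.0/24", "Gi1/0")
    return r1


def trace_r3_ping(r1):
    """R3 (loopback 123.12.12.1) pings 8.8.8.1, R2's inside global address.
    Returns (request after NAT, its egress, reply after NAT, its egress)."""
    request, req_egress = r1.from_outside(Packet("123.12.12.1", "8.8.8.1"))
    reply, rep_egress = r1.from_inside(Packet(request.dst, request.src))
    return request, req_egress, reply, rep_egress


if __name__ == "__main__":
    for label, router in (("with routes", build_r1()),
                          ("without outside-local routes", build_r1(False))):
        print(label, trace_r3_ping(router))
```

The request leaves R1 toward R2 as 9.9.9.1 -> 123.12.12.3, which is exactly what lets two routers that both use 123.12.12.0/24 talk to each other, and R2's default route sends the reply to 9.9.9.1 back through R1.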

What is CEF Punt?

https://learningnetwork.cisco.com/thread/123503

Troubleshoot/Verify NAT Configuration

1. The command “show ip nat translations” displays the details of NAT assignments; it lets you verify that the correct translations exist in the translation table. It’s recommended that you clear any stale dynamic NAT translation entries that might still be on the router.

2. To view additional details about each translation, use the following command:

R1#show ip nat translations verbose

This command displays additional information, including the creation time and usage of each translation.

To clear NAT translations use the command: clear ip nat translation.

Note: “show ip nat translations verbose” command doesn’t work in packet tracer.

3. Verify the operation of NAT by checking details about every packet that is translated by the router. To view this information, use:

R1#debug ip nat or

R1#debug ip nat detailed

The latter command, debug ip nat detailed, provides a description of each packet that has been considered for translation. It also displays information on errors such as a failure to assign a global IP address.

4. The show ip nat statistics command displays:

a) Details of all the active translation entries
b) NAT configuration parameters
c) Number of IP addresses in the pool
d) Total number of assigned IP addresses.
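As an added example (not from the original post), the following Python parses the two outputs used above, 'show ip nat translations' and 'show ip nat statistics', so the verification steps can be scripted: it checks that an expected static entry exists and cross-checks the table against the counters. The sample text is copied from R1's output in the outside-source-static scenario, with '---' standing for the dashes IOS prints in an empty column.

```python
import re
from dataclasses import dataclass
from typing import Optional

# R1's output from the 'ip nat outside source static' scenario above
# ('---' stands for the dashes IOS prints for an empty column).
SAMPLE_TRANSLATIONS = """\
Pro Inside global Inside local Outside local Outside global
--- --- --- 171.68.16.5 172.16.89.32
icmp 171.68.1.1:0 171.68.1.1:0 171.68.16.5:0 172.16.89.32:0
"""

SAMPLE_STATISTICS = """\
Total active translations: 2 (1 static, 1 dynamic; 1 extended)
Peak translations: 2, occurred 00:00:26 ago
Outside interfaces:
GigabitEthernet1/0
Inside interfaces:
GigabitEthernet2/0
Hits: 10 Misses: 0
CEF Translated packets: 9, CEF Punted packets: 1
Expired translations: 0
"""

EMPTY = {"---", "--", "—"}


@dataclass
class Translation:
    proto: Optional[str]
    inside_global: Optional[str]
    inside_local: Optional[str]
    outside_local: Optional[str]
    outside_global: Optional[str]

    @property
    def is_static(self):
        return self.proto is None      # static entries carry no protocol/port

    @property
    def is_extended(self):
        return self.proto is not None  # extended (dynamic) entries do


def _col(value):
    return None if value in EMPTY else value


def parse_translations(text):
    entries = []
    for line in text.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) != 5:
            continue
        entries.append(Translation(*[_col(c) for c in cols]))
    return entries


def parse_statistics(text):
    stats = {}
    m = re.search(r"Total active translations: (\d+) \((\d+) static, (\d+) dynamic; (\d+) extended\)", text)
    if m:
        stats.update(total=int(m[1]), static=int(m[2]), dynamic=int(m[3]), extended=int(m[4]))
    m = re.search(r"Hits: (\d+) Misses: (\d+)", text)
    if m:
        stats.update(hits=int(m[1]), misses=int(m[2]))
    m = re.search(r"CEF Translated packets: (\d+), CEF Punted packets: (\d+)", text)
    if m:
        stats.update(cef_translated=int(m[1]), cef_punted=int(m[2]))
    for kind in ("Outside", "Inside"):
        m = re.search(kind + r" interfaces:\n(\S+)", text)
        if m:
            stats[kind.lower() + "_interfaces"] = [m[1]]
    return stats


def missing_static(entries, expected):
    """expected: (outside_global, outside_local) pairs that must exist as static
    entries. Returns the pairs that are absent from the table."""
    present = {(e.outside_global, e.outside_local) for e in entries if e.is_static}
    return [pair for pair in expected if pair not in present]


def table_matches_counters(entries, stats):
    """Cross-check the translation table against 'show ip nat statistics'."""
    n_static = sum(e.is_static for e in entries)
    n_ext = sum(e.is_extended for e in entries)
    return (n_static == stats.get("static") and n_ext == stats.get("extended")
            and len(entries) == stats.get("total"))


def punt_ratio(stats):
    """Share of translated packets that CEF punted to process switching."""
    total = stats["cef_translated"] + stats["cef_punted"]
    return stats["cef_punted"] / total if total else 0.0


if __name__ == "__main__":
    entries = parse_translations(SAMPLE_TRANSLATIONS)
    stats = parse_statistics(SAMPLE_STATISTICS)
    print("missing:", missing_static(entries, [("172.16.89.32", "171.68.16.5")]))
    print("consistent:", table_matches_counters(entries, stats), "punt ratio:", punt_ratio(stats))
```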

http://academy.delmar.edu/Courses/download/CiscoIOS/NAT_ip_nat_outside_source_static.pdf
https://cciepursuit.wordpress.com/2007/10/07/hits-and-misses-in-ip-nat-statistics/
http://brbccie.blogspot.com/2013/06/everything-nat.html

3 ways to NAT on a Cisco Router


https://learningnetwork.cisco.com/thread/96145

3850 switch – IOS XE upgrade Detailed

By default, the switches ship in Install mode.

Bundle mode: Bundle mode is where we boot the switch/stack using the .bin file. This is the traditional method of booting the switch, where the switch extracts the .bin file into its RAM and runs from there.

Install mode: Install mode is where we pre-extract the .bin file into flash and boot the switch/stack using the packages.conf file created during the extraction.

Note:
Install mode is the recommended mode for running the switch. Not all features may be available in Bundle mode.

Upgrading a stand-alone switch:
For example: boot flash:cat3k_caa-universalk9.SSA.03.08.83.EMD.150-8.83.EMD.bin

The boot variable should not point to the .bin file; if it does, the switch will boot in Bundle mode. The boot variable should point to the “packages.conf” file in order for the switch to boot in Install mode.

Before doing the upgrade, we need to check the mode in which the switch is currently booted:
show version | begin Switch Port

Switch Ports Model        SW Version  SW Image               Mode
------ ----- -----        ----------  ----------             ----
*    1 32    WS-C3850-24T 03.03.01SE  cat3k_caa-universalk9  INSTALL   <-- Install mode

https://community.cisco.com/t5/networking-documents/3850-switch-ios-xe-upgrade-detailed-standalone/ta-p/3138609
https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/c/en/us/td/docs/switches/lan/Denali_16-1/ConfigExamples_Technotes/Config_Examples/Misc/qos/m_install_vs_bundle.html.xml

Cisco 3850: convert from bundle to install mode:
Current mode: BUNDLE MODE

1. dir flash: – The currently running IOS version (.bin) should be visible.
2. Expand the file to the flash file system.
#software expand running to flash:
This takes the running .bin file and expands its contents into the flash file system so we
can then convert from bundle to install mode.

3. Verify once expanded: all .pkg files should be present, including the very important packages.conf file.
#dir flash:

4. Change the boot variable to point to the packages.conf file.
#boot system switch all flash:packages.conf
This covers a single switch as well as multiple switches in a stack.

5. Verify the boot variable
#show boot
Verify the boot variable and the build.

6. wr mem
7. reload
8. show version | begin Switch Port
9. Clean up the old .bin file
#software clean
#wr mem
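As an added example (not from the original post), a Python pre-flight check for the procedure above. It reads the 'show version | begin Switch Port' table, a boot-variable string and a 'dir flash:' listing, and reports whether the switch will come up in Install mode after the reload. The sample outputs are constructed: the .bin name is the one from the post, the .pkg file names are placeholders, and the boot-variable format ('flash:packages.conf') is assumed.

```python
import re

# Constructed sample of 'show version | begin Switch Port' in the format shown above.
SAMPLE_SHOW_VERSION = """\
Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 32    WS-C3850-24T       03.03.01SE        cat3k_caa-universalk9 INSTALL
"""

# Constructed sample of 'dir flash:' after 'software expand running to flash:'.
# Only the .bin name comes from the post; the .pkg names are placeholders.
SAMPLE_DIR_FLASH = """\
Directory of flash:/
 7341  -rw-  305426432  Jan 1 2019 10:00:00 +00:00  cat3k_caa-universalk9.SSA.03.08.83.EMD.150-8.83.EMD.bin
 7342  -rw-       1234  Jan 1 2019 10:05:00 +00:00  packages.conf
 7343  -rw-   75000000  Jan 1 2019 10:05:00 +00:00  cat3k_caa-base.SSA.03.08.83.EMD.pkg
 7344  -rw-   12000000  Jan 1 2019 10:05:00 +00:00  cat3k_caa-infra.SSA.03.08.83.EMD.pkg
"""

# "*" marks the active switch; columns: switch, ports, model, version, image, mode
ROW_RE = re.compile(r"^\*?\s*(\d+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(INSTALL|BUNDLE)\s*$")


def current_modes(show_version):
    """Map switch number -> mode reported by 'show version | begin Switch Port'."""
    modes = {}
    for line in show_version.splitlines():
        m = ROW_RE.match(line)
        if m:
            modes[int(m[1])] = m[2]
    return modes


def predicted_mode(boot_variable):
    """Mode the switch will boot into for a given boot variable (assumed format
    'flash:packages.conf' or 'flash:<image>.bin', optional trailing ';')."""
    target = boot_variable.strip().rstrip(";").split(":")[-1].rsplit("/", 1)[-1]
    if target == "packages.conf":
        return "INSTALL"
    if target.endswith(".bin"):
        return "BUNDLE"
    return "UNKNOWN"


def flash_files(dir_flash):
    """File names from a 'dir flash:' listing (entry rows start with an index)."""
    return [line.split()[-1] for line in dir_flash.splitlines()
            if line.strip()[:1].isdigit() and "-rw-" in line]


def ready_for_install_mode(dir_flash):
    """Step 3 of the procedure: packages.conf plus at least one .pkg must exist."""
    files = flash_files(dir_flash)
    return "packages.conf" in files and any(f.endswith(".pkg") for f in files)


def preflight(show_version, boot_variable, dir_flash):
    """Return a list of problems; empty means the reload should land in Install mode."""
    problems = []
    if not ready_for_install_mode(dir_flash):
        problems.append("packages.conf or .pkg files missing: run 'software expand running to flash:' first")
    if predicted_mode(boot_variable) != "INSTALL":
        problems.append(f"boot variable '{boot_variable}' will boot Bundle mode; point it at flash:packages.conf")
    for switch, mode in current_modes(show_version).items():
        if mode != "INSTALL":
            problems.append(f"switch {switch} currently runs in {mode} mode")
    return problems


if __name__ == "__main__":
    for boot in ("flash:cat3k_caa-universalk9.SSA.03.08.83.EMD.150-8.83.EMD.bin", "flash:packages.conf"):
        print(boot, "->", predicted_mode(boot), preflight(SAMPLE_SHOW_VERSION, boot, SAMPLE_DIR_FLASH))
```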

Replace a Failed Cisco 3850 Switch in a Stack
I.
1. Connect to the new switch.
2. Verify the license level and IOS version.
a. In order to avoid a license mismatch:
#license right-to-use activate ipbase all acceptEULA
3. Restart.

II.
On your stack, you need to make sure the new switch comes up with the same software version.
Master(config)# software auto-upgrade auto
So when we connect the new switch it will auto-upgrade to the same version as
the stack.

III.
Connect the stacking cable and power on the new switch.

Cisco Catalyst 3850 IOS Upgrade on All Stack Members – Version Mismatch

1. Connect the switches to the stack.
2. Verify the license level.
3. On the master:
#request platform software package install auto-upgrade
Auto upgrade has been initiated for the following incompatible switch
4. Reload the new member.

Cisco 3850 IOS switch stack 3.x.x to 16.x.x upgrade, install mode
1. We need to make sure we have space available on flash:
#software clean
2. Copy the .bin file to the active switch's flash.
3. Once the file is copied over, regenerate the RSA crypto key used for SSH; the 16.x.x release notes say to generate a new crypto key if you are upgrading from 3.x.x to 16.x.x.
#crypto key generate rsa modulus 1024
4. Begin the software upgrade
#software install file flash:filename switch verbose new force

new – creates a new packages.conf to be used by the boot-up process.
force – forces the process when going from one major code train to another; otherwise the package compatibility check will fail.

Troubleshooting:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/troubleshooting/switch_stacks.html
https://community.cisco.com/t5/switching/new-3850-stack-upgrade-problem-3-x-gt-16-x/td-p/3208779
https://community.cisco.com/t5/networking-documents/using-the-auto-upgrade-feature-on-the-cisco-catalyst-3850/ta-p/3140319

Easy VPN (EZVPN) with Dynamic Virtual Tunnel Interface (DVTI)

R14 –CLOUD– R15

R14#sh ip int brief | ex ass
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 1.1.1.10 YES manual up up
FastEthernet0/1 172.16.32.1 YES manual up up
Virtual-Access2 172.16.0.4 YES TFTP up up
Virtual-Template11 172.16.0.4 YES TFTP down down
Loopback0 172.16.0.4 YES manual up up

========= CONFIGURATION

R14#sh run
Building configuration…

Current configuration : 2505 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R14
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login AUTHEN local
aaa authorization network AUTHOR local
!
!
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
username site secret 5 $1$fsT/$wFlStpOW8qr1EKH2v3q9j/
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp keepalive 10 3
crypto isakmp xauth timeout 5

!
crypto isakmp client configuration group EZVPN_GROUP
key cisco
dns 172.16.32.40
domain LABMINUTES.COM
acl EZVPN_ST_ACL
save-password
pfs
crypto isakmp profile EZVPN_ISAKMP_PROFILE
self-identity address
match identity group EZVPN_GROUP
client authentication list AUTHEN
isakmp authorization list AUTHOR
client configuration address respond
keepalive 10 retry 3
virtual-template 11
!
!
crypto ipsec transform-set ESP_AES256_SHA esp-aes 256 esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile EZVPN_IPSEC_PROFILE
set security-association lifetime kilobytes 1024000
set security-association lifetime seconds 28800
set transform-set ESP_AES256_SHA
set pfs group2
set isakmp-profile EZVPN_ISAKMP_PROFILE
!
!
!
!
!
interface Loopback0
ip address 172.16.0.4 255.255.255.255
!
interface FastEthernet0/0
ip address 1.1.1.10 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.32.1 255.255.255.0
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Virtual-Template10
no ip address
!
interface Virtual-Template11 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile EZVPN_IPSEC_PROFILE
!
ip route 2.2.2.0 255.255.255.0 1.1.1.1
!
!
no ip http server
no ip http secure-server
!
ip access-list extended EZVPN_ST_ACL
permit ip 172.16.32.0 0.0.0.255 any
!
no cdp log mismatch duplex
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
!
!
end

========= ROUTE

R14#sh ip route
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, FastEthernet0/0
2.0.0.0/24 is subnetted, 1 subnets
S 2.2.2.0 [1/0] via 1.1.1.1
[1/0] via 0.0.0.0, Virtual-Access2
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
S 172.16.128.0/24 [1/0] via 0.0.0.0, Virtual-Access2
C 172.16.32.0/24 is directly connected, FastEthernet0/1
C 172.16.0.4/32 is directly connected, Loopback0

Note: routes are automatically installed on each router pointing to the Virtual-Access interface that was dynamically created.

===================================================
R15#sh ip int brief | ex ass
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 172.16.128.1 YES manual up up
FastEthernet0/1 2.2.2.10 YES manual up up
Virtual-Access2 2.2.2.10 YES TFTP up up
Virtual-Template10 172.16.0.2 YES TFTP down down
Loopback0 172.16.0.2 YES manual up up

R15#sh run
Building configuration…

Current configuration : 1981 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R15
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp keepalive 10 3
crypto isakmp xauth timeout 5

!
!
!
!
!
crypto ipsec client ezvpn EZVPN
connect auto
group EZVPN_GROUP key cisco
mode network-extension
peer 1.1.1.10 default
idletime 3600
virtual-interface 10
username site password cisco
xauth userid mode local
!
!
!
!
!
interface Loopback0
ip address 172.16.0.2 255.255.255.255
!
interface FastEthernet0/0
ip address 172.16.128.1 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn EZVPN inside
!
interface FastEthernet0/1
ip address 2.2.2.10 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn EZVPN
crypto ipsec client ezvpn EZVPN inside
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Virtual-Template10 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
!
ip route 1.1.1.0 255.255.255.0 2.2.2.1
!
!
no ip http server
no ip http secure-server
ip dns view
domain name-server 172.16.32.40
ip dns view-list ezvpn-internal-viewlist
view 10
restrict name-group 1
view 20
ip dns name-list 1 permit P^B
ip dns server view-group ezvpn-internal-viewlist
!
no cdp log mismatch duplex
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets
S 1.1.1.0 [1/0] via 2.2.2.1
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, FastEthernet0/1
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.128.0/24 is directly connected, FastEthernet0/0
S 172.16.32.0/24 [1/0] via 0.0.0.0, Virtual-Access2
C 172.16.0.2/32 is directly connected, Loopback0
R15#

======================== TEST PING (LAN TO LAN)
R14#ping 172.16.128.1 source 172.16.32.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.128.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.32.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/44/56 ms

R15#ping 172.16.32.1 source 172.16.128.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.32.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.128.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/79/188 ms
R15#

EZ VPN

Configuring EasyVPN Between Cisco Routers

Site2Site IPSec VPN Tunnel with Cisco EasyVPN

Configuring EZVPN

Server (7 steps)
1. AAA
2. Pool for the client
3. Phase 1 – ISAKMP
4. Phase 2 – IPsec transform set
5. Crypto dynamic map – for clients that will be learned dynamically; the transform set will be dynamically downloaded to the client.
6. Crypto map (referencing the dynamic map)
7. Apply to the interface

Client
1. Group name
2. Key
– Will be used to talk to the server.

http://www.ciscopress.com/articles/article.asp?p=421514&seqNum=3

The Cisco Easy VPN feature, also known as EzVPN, eases IPSec configuration by allowing an almost no-touch configuration of the IPSec client.

EzVPN uses the Unity client protocol, which allows most IPSec VPN parameters to be defined at an IPSec gateway, which is also the EzVPN server. When an EzVPN client initiates an IPSec tunnel connection, the EzVPN server pushes the IPSec policies and other attributes required to form the IPSec tunnel to the EzVPN client and creates the corresponding IPSec tunnel connection. The tunnel on the EzVPN client can be initiated automatically or manually, or it could be traffic triggered, depending on the configuration or type of EzVPN client used. Minimal configuration is required at the EzVPN client. EzVPN provides the following general functions in order to simplify the configuration process:

Negotiating tunnel parameters— This is done with encryption algorithms, SA lifetimes, and so on.
User authentication— This entails validating user credentials by way of XAUTH.
Automatic configuration— Performed by pushing attributes such as IP address, DNS, WINS, and so on, using MODECFG.
The term EzVPN client is used for both Cisco Unity VPN clients, called EzVPN software clients, and the Unity client protocol running on smaller Cisco routers like the 800, 1700, and 2600 series, commonly referred to as EzVPN hardware clients.

Configuration:

aaa new-model
aaa authorization network AUTH local
!
ip local pool ezp 20.20.20.1 20.20.20.20
!
crypto isakmp client configuration group ezc
key cciesec
pool ezp
!
crypto isakmp policy 10
encr 3des
authentication pre-share
hash sha
group 2
!
crypto ipsec transform-set t-set esp-3des esp-md5-hmac
!
crypto dynamic-map dmap 10
set transform-set t-set
reverse-route
!
crypto map cmap isakmp authorization list AUTH
crypto map cmap client configuration address respond
crypto map cmap 10 ipsec-isakmp dynamic dmap
!
int f0/0
crypto map cmap

! CLIENT
crypto ipsec client ezvpn ez
group ezc key cciesec
peer 123.0.0.1
connect auto
mode client
int loop 0
crypto ipsec client ezvpn ez inside

int g1/0
crypto ipsec client ezvpn ez outside
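As an added example (not from the original post or the ciscopress article), the following Python script audits an IOS crypto configuration such as the R14 and server configurations above and reports settings that current guidance treats as weak: DH groups 1, 2 and 5, DES/3DES, MD5, a clear-text group pre-shared key, save-password and no service password-encryption. The sample is assembled from the crypto lines of those configurations; the section tracking relies on IOS indenting sub-commands with a single space.

```python
from dataclasses import dataclass

# Constructed sample assembled from the crypto lines of the configurations above.
SAMPLE_CONFIG = """\
no service password-encryption
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 hash sha
 group 2
crypto isakmp client configuration group EZVPN_GROUP
 key cisco
 save-password
 pfs
crypto ipsec transform-set ESP_AES256_SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set t-set esp-3des esp-md5-hmac
crypto ipsec profile EZVPN_IPSEC_PROFILE
 set pfs group2
"""

WEAK_DH = {"1", "2", "5"}                      # 768/1024/1536-bit MODP groups
WEAK_ENCR = {"des", "3des"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}


@dataclass
class Finding:
    line: int
    severity: str
    message: str


def audit_config(text):
    """Walk the config once, remembering the enclosing top-level command
    (IOS prints sub-commands indented by one space)."""
    findings, section = [], ""
    for n, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        if not raw.startswith(" "):
            section = stripped
        words = stripped.split()

        if stripped == "no service password-encryption":
            findings.append(Finding(n, "medium", "passwords stored unobfuscated; enable 'service password-encryption'"))
        elif section.startswith("crypto isakmp policy"):
            if words[0] == "group" and words[1] in WEAK_DH:
                findings.append(Finding(n, "high", f"IKE DH group {words[1]} is too small; use group 14 or higher"))
            elif words[0] == "encr" and words[1] in WEAK_ENCR:
                findings.append(Finding(n, "high", f"IKE encryption {words[1]} is deprecated; use aes"))
            elif words[0] == "hash" and words[1] == "md5":
                findings.append(Finding(n, "medium", "IKE hash md5 is deprecated; use sha256"))
        elif section.startswith("crypto isakmp client configuration group"):
            if words[0] == "key":
                findings.append(Finding(n, "high", "group pre-shared key is stored in clear text in the running config"))
            elif stripped == "save-password":
                findings.append(Finding(n, "medium", "save-password lets clients cache the Xauth password"))
        elif section.startswith("crypto ipsec transform-set"):
            weak = sorted(WEAK_ESP & set(words))
            if weak:
                findings.append(Finding(n, "high", f"transform-set uses {', '.join(weak)}"))
        elif words[:2] == ["set", "pfs"] and len(words) > 2 and words[2].replace("group", "") in WEAK_DH:
            findings.append(Finding(n, "medium", f"PFS {words[2]} is too small; use group14 or higher"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line:>3} [{f.severity}] {f.message}")
```

The same routine can be pointed at a full 'show running-config' capture; lines it does not recognise are simply ignored, so a clean result means none of the listed patterns were present, not that the configuration is sound in every other respect.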

NAT Basics

Static NAT:
ip nat inside source static 10.0.0.2 112.1.1.5

R4#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
— 112.1.1.5 10.0.0.2 — —

R4#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 112.1.1.5:5 10.0.0.2:5 112.1.1.2:5 112.1.1.2:5
icmp 112.1.1.5:6 10.0.0.2:6 112.1.1.2:6 112.1.1.2:6
icmp 112.1.1.5:7 10.0.0.2:7 112.1.1.2:7 112.1.1.2:7

Dynamic NAT (PAT/overload):
access-list 10 permit any
ip nat inside source list 10 interface g2/0 overload

R4#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 112.1.1.1:8 10.0.0.2:8 112.1.1.2:8 112.1.1.2:8
icmp 112.1.1.1:9 172.1.1.1:9 112.1.1.2:9 112.1.1.2:9
icmp 112.1.1.1:10 172.1.1.1:10 112.1.1.2:10 112.1.1.2:10

https://learningnetwork.cisco.com/thread/41202