Achieve IPSec VPN on ASA firewall

1. Understand VPNs through VPN theory and IPSec configuration

2. IPSec VPN troubleshooting

show crypto isakmp sa shows the state of the management connection (IKE phase 1 SA), from which you can tell how far the negotiation got.

debug crypto isakmp is the command most commonly used in practice to diagnose and troubleshoot problems with the management connection.

3. Differences between the firewall and the router

  • Whether IKE negotiation is enabled by default
    On the router IKE negotiation is on by default; on the ASA firewall it is off and has to be enabled per interface (crypto isakmp enable outside)

  • The tunnel-group feature is introduced (peer type and pre-shared key are configured per tunnel group)

  • Interface security levels affect IPSec traffic

ASA(config)#same-security-traffic permit intra-interface

The intra-interface parameter allows traffic to enter and leave on the same interface, which the hub device needs when it terminates several L2L sessions and forwards between them

4. Configuration example
Requirement: the whole network is interconnected, and the PCs can also access the Internet (R1)

[Figure: topology diagram]

The simplified topology:

[Figure: simplified topology]

(1) Configure the IP addresses
R2, R3, R4 and ASA-1, ASA-2, ASA-3 each get a default route (pointing at the IP allocated on R1),
for example on R2:

R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1

The other two routers are configured the same way

Firewall configuration, ASA-1:

ciscoasa(config)# int e0/1
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config)# int e0/0
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config)# route outside 0 0 201.0.0.2   //default route

The other two firewalls are configured the same way with their own IP addresses; take care not to mix them up

(2) ASA-1 configuration (lan1_lan2)

Configure the management connection (IKE phase 1)

ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)# crypto isakmp policy 1
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# encryption aes
ciscoasa(config-isakmp-policy)# hash md5
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# lifetime 10000
Set the pre-shared key:

ciscoasa(config)# crypto isakmp key 2008.cn address 202.0.0.1   //key bound to the peer ASA-2

Alternatively, the same thing can be done with a tunnel group:

ciscoasa(config)# tunnel-group 202.0.0.1 type ipsec-l2l
ciscoasa(config)# tunnel-group 202.0.0.1 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key 2008.cn

Configure the data connection (IPSec phase 2)

ciscoasa(config)# access-list lan1_lan2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ciscoasa(config)# crypto ipsec transform-set test-set esp-aes esp-md5-hmac
ciscoasa(config)# crypto map test-map 1 match address lan1_lan2
ciscoasa(config)# crypto map test-map 1 set peer 202.0.0.1   //IP of the peer
ciscoasa(config)# crypto map test-map 1 set transform-set test-set
ciscoasa(config)# crypto map test-map interface outside   //apply to the outside interface

ASA-2 configuration:

ciscoasa(config)# crypto isakmp enable outside 
ciscoasa(config)# crypto isakmp policy 1
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# encryption aes
ciscoasa(config-isakmp-policy)# hash md5
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# lifetime 10000
ciscoasa(config)# crypto isakmp key 2008.cn address 201.0.0.1   //key bound to the peer ASA-1

Configure the data connection

ciscoasa(config)# access-list lan2_lan1 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ciscoasa(config)# crypto ipsec transform-set test-set esp-aes esp-md5-hmac
ciscoasa(config)# crypto map test-map 1 match address lan2_lan1
ciscoasa(config)# crypto map test-map 1 set peer 201.0.0.1
ciscoasa(config)# crypto map test-map 1 set transform-set test-set
ciscoasa(config)# crypto map test-map interface outside   //apply to the outside interface

Now lan1 and lan2 can communicate (the first packets are lost while the tunnel is negotiated):

R2#ping 192.168.2.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.10, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 72/156/296 ms

Next, connect lan1 with lan3

On ASA-1 only a small addition is needed:

ciscoasa(config)# tunnel-group 203.0.0.1 type ipsec-l2l 
ciscoasa(config)# tunnel-group 203.0.0.1 ipsec-attributes 
ciscoasa(config-tunnel-ipsec)# pre-shared-key 2008.cn

Configure the ACL and a second crypto map entry (same map, next sequence number):

ciscoasa(config)#  access-list lan1_lan3 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
ciscoasa(config)# crypto map test-map 2 match address lan1_lan3
ciscoasa(config)# crypto map test-map 2 set peer 203.0.0.1
ciscoasa(config)# crypto map test-map 2 set transform-set test-set

ASA-3 is configured as follows:

ciscoasa(config)# crypto isakmp enable outside   //enable IKE negotiation
ciscoasa(config)# crypto isakmp policy 1
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# encryption aes
ciscoasa(config-isakmp-policy)# hash md5
ciscoasa(config-isakmp-policy)# lifetime 10000
ciscoasa(config)# crypto isakmp key 2008.cn address 201.0.0.1   //key bound to the peer ASA-1 (201.0.0.1), not to the next hop
ciscoasa(config)# access-list lan3_lan1 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
ciscoasa(config)# crypto ipsec transform-set test-set esp-aes esp-md5-hmac
ciscoasa(config)# crypto map test-map 1 match address lan3_lan1
ciscoasa(config)# crypto map test-map 1 set peer 201.0.0.1
ciscoasa(config)# crypto map test-map 1 set transform-set test-set
ciscoasa(config)# crypto map test-map interface outside

Make lan2 and lan3 communicate over the VPN, forwarded through lan1 (ASA-1 acts as the hub)

Add the following on ASA-1:

ciscoasa(config)# same-security-traffic permit intra-interface  //allow traffic to enter and leave on the same interface
ciscoasa(config)# access-list lan1_lan2 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
ciscoasa(config)# access-list lan1_lan3 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

On ASA-2, add an ACL entry:

ciscoasa(config)# access-list lan2_lan1 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

On ASA-3, add an ACL entry:

ciscoasa(config)# access-list lan3_lan1 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
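The hub-and-spoke ACLs above only work when every crypto ACL entry on one side has its exact mirror (source and destination swapped) on the other side; a missing mirror shows up as a phase-2 proxy-identity mismatch. The following checker is an added example, not part of the original post: it parses ASA access-list lines in the form used here and reports unmirrored entries. The config strings are constructed from this page's ACLs.

```python
import re
from ipaddress import IPv4Network

# Matches the ASA crypto-ACL form used on this page:
# access-list NAME permit ip SRC SRCMASK DST DSTMASK
ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_crypto_acls(config_text):
    """Return {acl_name: {(src_net, dst_net), ...}}; non-ACL lines are ignored."""
    acls = {}
    for line in config_text.splitlines():
        m = ACL_RE.search(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, set()).add(
                (IPv4Network(f"{src}/{smask}"), IPv4Network(f"{dst}/{dmask}")))
    return acls

def check_tunnel(local_cfg, local_name, peer_cfg, peer_name):
    """List every entry of one crypto ACL that the other side does not mirror.
    The mirror of (src, dst) on one peer is (dst, src) on the other."""
    local = parse_crypto_acls(local_cfg).get(local_name, set())
    peer = parse_crypto_acls(peer_cfg).get(peer_name, set())
    peer_mirror = {(d, s) for s, d in peer}
    local_mirror = {(d, s) for s, d in local}
    report = [f"{local_name}: {s} -> {d} has no mirror in {peer_name}"
              for s, d in sorted(local - peer_mirror, key=str)]
    report += [f"{peer_name}: {s} -> {d} has no mirror in {local_name}"
               for s, d in sorted(peer - local_mirror, key=str)]
    return report

# Constructed from the ACL lines on this page: ASA-1 is the hub, ASA-2 a spoke.
ASA1_CONFIG = """
access-list lan1_lan2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list lan1_lan3 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list lan1_lan2 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list lan1_lan3 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
"""
ASA2_CONFIG = """
access-list lan2_lan1 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list lan2_lan1 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
"""
# The spoke before its lan2->lan3 line was added: the hub's forwarded entry is unmatched.
ASA2_BEFORE = ASA2_CONFIG.splitlines()[1] + "\n"

if __name__ == "__main__":
    print(check_tunnel(ASA1_CONFIG, "lan1_lan2", ASA2_CONFIG, "lan2_lan1"))
    print(check_tunnel(ASA1_CONFIG, "lan1_lan2", ASA2_BEFORE, "lan2_lan1"))
```

Run it against ASA-1/ASA-3 the same way with lan1_lan3 and lan3_lan1; any reported line is an entry to add on the named side before looking further with debug crypto isakmp.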

If hosts on the internal networks also need to access the Internet, PAT must be configured on the ASA with nat-control enabled, and the VPN traffic must be exempted from NAT (nat 0) so that it still matches the crypto ACLs. On ASA-1:

ciscoasa(config)#nat-control
ciscoasa(config)#nat (inside) 1 0 0
ciscoasa(config)#global (outside) 1 interface
ciscoasa(config)#access-list asd permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ciscoasa(config)#access-list asd permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
ciscoasa(config)#nat (inside) 0 access-list asd

On ASA-2:

ciscoasa(config)#nat (inside) 1  0  0
ciscoasa(config)#global (outside) 1 interface
ciscoasa(config)#nat (inside) 0 access-list lan2_lan1

On ASA-3:

ciscoasa(config)#nat (inside) 1  0  0
ciscoasa(config)#global (outside) 1 interface
ciscoasa(config)#nat (inside) 0 access-list lan3_lan1

The whole network is now interconnected.


Source: blog.51cto.com/14400213/2448913