Understanding virtual private networks through VPN theory and IPsec configuration
2. IPsec virtual private network troubleshooting
(show crypto isakmp) shows the state of the management connection (the IKE phase 1 SA), so you can tell whether phase 1 completed.
(debug crypto isakmp) is the command most commonly used in practice to diagnose and troubleshoot management-connection problems, because it prints each IKE negotiation step as it happens.
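A small parser for the output of show crypto isakmp sa, added here as an example (it is not part of the original post and not Cisco code). The sample output is constructed in the layout ASA 8.x prints for IKEv1 (one "IKE Peer" stanza per SA, which is the layout this article's troubleshooting step relies on); the MM_WAIT_MSGn states are the firewall's own names for a main-mode exchange that stopped before message n, and the hint text derived from them is mine.

```python
"""List IKE peers from 'show crypto isakmp sa' whose phase 1 SA did not complete.

Added example, not from the original post. SAMPLE is constructed text in the
format ASA 8.x prints for IKEv1 SAs; the peers 202.0.0.1 and 203.0.0.1 are the
ASA-2 / ASA-3 outside addresses used in the article.
"""
import re

SAMPLE = """\
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 202.0.0.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

2   IKE Peer: 203.0.0.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3
"""

# One stanza per SA: peer address, tunnel type, role, rekey flag and state.
STANZA_RE = re.compile(
    r"IKE Peer:\s*(?P<peer>\S+)\s+Type\s*:\s*(?P<type>\S+)\s+Role\s*:\s*(?P<role>\S+)"
    r"\s+Rekey\s*:\s*(?P<rekey>\S+)\s+State\s*:\s*(?P<state>\S+)")

# Phase 1 is complete only in these states (main mode / aggressive mode).
ESTABLISHED = {"MM_ACTIVE", "AM_ACTIVE"}


def parse_isakmp_sa(text):
    """Return one dict (peer, type, role, rekey, state) per IKE SA stanza."""
    return [m.groupdict() for m in STANZA_RE.finditer(text)]


def stalled_peers(text):
    """Peers whose phase 1 is not established, with the main-mode message the SA is stuck on."""
    result = []
    for sa in parse_isakmp_sa(text):
        if sa["state"] in ESTABLISHED:
            continue
        m = re.fullmatch(r"MM_WAIT_MSG(\d)", sa["state"])
        detail = f"waiting for main-mode message {m.group(1)}" if m else sa["state"]
        result.append((sa["peer"], sa["role"], detail))
    return result


if __name__ == "__main__":
    for peer, role, detail in stalled_peers(SAMPLE):
        print(f"{peer} ({role}): {detail}")
```

Feed it the captured output of show crypto isakmp sa from each firewall; a peer that is missing entirely has not even started phase 1 (no interesting traffic has hit the crypto ACL, or IKE is not enabled on the interface), while a peer stuck in an MM_WAIT state is the one to run debug crypto isakmp against.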
3. Differences between a firewall and a router
- IKE negotiation: on a router IKE negotiation is turned on by default; on the ASA firewall it is turned off by default and must be enabled on the interface.
- Tunnel groups: the ASA introduces the tunnel-group feature for peer settings such as the pre-shared key.
- Interface security levels affect IPsec traffic:
ASA(config)#same-security-traffic permit intra-interface
The intra-interface parameter allows traffic to enter and leave through the same interface, which the central (hub) device needs when it carries more than one L2L session and forwards traffic between them.
4. Configuration example:
Requirements: the whole network can communicate, and the PCs can access the Internet (R1 plays the Internet).
Simplified topology (see the figure):
(1) Configure IP addresses
R2, R3, R4 and ASA-1, ASA-2, ASA-3 each take a default route (the IP addresses are assigned on R1).
Taking R2 as an example:
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
The other two routers are configured the same way.
Firewall ASA-1 configuration:
ciscoasa(config)# int e0/1
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config)# int e0/0
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config)# route outside 0 0 201.0.0.2 // default route
The other two firewalls are configured the same way with their own IP addresses; take care not to mix them up.
(2) ASA-1 configuration (lan1_lan2 tunnel)
Configure the management connection (IKE phase 1):
ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)# crypto isakmp policy 1
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# encryption aes
ciscoasa(config-isakmp-policy)# hash md5
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# lifetime 10000
Set the pre-shared key:
ciscoasa(config-isakmp-policy)# crypto isakmp key 2008.cn address 202.0.0.1
Alternatively, the key can be set through a tunnel group:
tunnel-group 202.0.0.1 type ipsec-l2l
tunnel-group 202.0.0.1 ipsec-attributes
pre-shared-key 2008.cn
Configure the data connection (IPsec phase 2):
ciscoasa(config)# access-list lan1_lan2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ciscoasa(config)# crypto ipsec transform-set test-set esp-aes esp-md5-hmac
ciscoasa(config)# crypto map test-map 1 match address lan1_lan2
ciscoasa(config)# crypto map test-map 1 set peer 202.0.0.1 // the peer's IP address
ciscoasa(config)# crypto map test-map 1 set transform-set test-set
ciscoasa(config)# crypto map test-map interface outside // apply the map to the outside interface
ASA-2 is configured as follows:
ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)# crypto isakmp policy 1
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# encryption aes
ciscoasa(config-isakmp-policy)# hash md5
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# lifetime 10000
ciscoasa(config-isakmp-policy)# crypto isakmp key 2008.cn address 201.0.0.1
Configure the data connection:
ciscoasa(config)# access-list lan2_lan1 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ciscoasa(config)# crypto ipsec transform-set test-set esp-aes esp-md5-hmac
ciscoasa(config)# crypto map test-map 1 match address lan2_lan1
ciscoasa(config)# crypto map test-map 1 set peer 201.0.0.1
ciscoasa(config)# crypto map test-map 1 set transform-set test-set
ciscoasa(config)# crypto map test-map interface outside // apply the map to the outside interface
After this, lan1 and lan2 can communicate (the first echoes are lost while the tunnel is being negotiated):
R2#ping 192.168.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.10, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 72/156/296 ms
Next, bring up the lan1-lan3 tunnel.
On ASA-1 only a small addition to the existing configuration is needed:
ciscoasa(config)# tunnel-group 203.0.0.1 type ipsec-l2l
ciscoasa(config)# tunnel-group 203.0.0.1 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key 2008.cn
Configure the crypto ACL and a second crypto map entry (same map, new sequence number):
ciscoasa(config)# access-list lan1_lan3 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
ciscoasa(config)# crypto map test-map 2 match address lan1_lan3
ciscoasa(config)# crypto map test-map 2 set peer 203.0.0.1
ciscoasa(config)# crypto map test-map 2 set transform-set test-set
ASA-3 is configured as follows:
ciscoasa(config)# crypto isakmp enable outside // enable IKE negotiation
ciscoasa(config)# crypto isakmp policy 1
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# encryption aes
ciscoasa(config-isakmp-policy)# hash md5
ciscoasa(config-isakmp-policy)# lifetime 10000
ciscoasa(config-isakmp-policy)# crypto isakmp key 2008.cn address 201.0.0.1 // the peer is ASA-1's outside address
ciscoasa(config)# access-list lan3_lan1 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
ciscoasa(config)# crypto ipsec transform-set test-set esp-aes esp-md5-hmac
ciscoasa(config)# crypto map test-map 1 match address lan3_lan1
ciscoasa(config)# crypto map test-map 1 set peer 201.0.0.1
ciscoasa(config)# crypto map test-map 1 set transform-set test-set
ciscoasa(config)# crypto map test-map interface outside
Enable lan2-lan3 virtual private network communication forwarded through lan1 (ASA-1 acts as the hub, so spoke-to-spoke traffic enters and leaves on its outside interface)
Add the following on ASA-1:
ciscoasa(config)# same-security-traffic permit intra-interface // allow traffic to enter and leave on the same interface
ciscoasa(config)# access-list lan1_lan2 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
ciscoasa(config)# access-list lan1_lan3 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
On ASA-2, add to the crypto ACL:
ciscoasa(config)# access-list lan2_lan1 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
On ASA-3, add to the crypto ACL:
ciscoasa(config)# access-list lan3_lan1 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
If the company networks also need to access the Internet, PAT must be configured on each ASA, nat-control enabled, and the virtual private network traffic exempted from NAT so it is encrypted instead of translated. On ASA-1:
ciscoasa(config)#nat-control
ciscoasa(config)#nat (inside) 1 0 0
ciscoasa(config)#global (outside) 1 interface
ciscoasa(config)#access-list asd permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ciscoasa(config)#access-list asd permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
ciscoasa(config)#nat (inside) 0 access-list asd
On ASA2 configuration:
ciscoasa(config)#nat (inside) 1 0 0
ciscoasa(config)#global (outside) 1 interface
ciscoasa(config)#nat (inside) 0 access-list lan2_lan1
On ASA3 configuration:
ciscoasa(config)#nat (inside) 1 0 0
ciscoasa(config)#global (outside) 1 interface
ciscoasa(config)#nat (inside) 0 access-list lan3_lan1
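The two things that most often break the hub-and-spoke setup above are a crypto ACL that is not the mirror image of its peer's, and VPN traffic that the nat 0 exemption does not cover (it is then PATed before it reaches the crypto map). The following checker, added here as an example (not part of the original post, not Cisco code), parses the pre-8.3 ASA syntax used in this article and verifies both properties for the lan1/lan2/lan3 configuration. The configuration strings are constructed sample input transcribed from the article; ASA3_INCOMPLETE deliberately omits the lan3-to-lan2 line so that the mirror check has something to report.

```python
"""Consistency checks for the multi-site L2L IPsec configuration in the article.

Added example, not part of the original post. It understands only the
commands the article uses: access-list ... permit ip, crypto map ... match
address / set peer, and nat (inside) 0 access-list. Two checks:
  1. each peer's crypto ACL is the mirror image (src/dst swapped) of the ACL
     its peer applies to the same tunnel;
  2. every crypto ACL entry sourced from the inside network is matched by the
     nat 0 (NAT-exemption) ACL, so PAT does not rewrite it before encryption.
"""
import re
from ipaddress import IPv4Network

PROMPT_RE = re.compile(r"^\S*\(config[^)]*\)#\s*")
ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"crypto map (\S+) (\d+) match address (\S+)$")
PEER_RE = re.compile(r"crypto map (\S+) (\d+) set peer (\S+)$")
NAT0_RE = re.compile(r"nat \(inside\) 0 access-list (\S+)$")

# Constructed sample input, transcribed from the article's ASA-1 / ASA-2 / ASA-3 sections.
ASA1 = """
access-list lan1_lan2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list lan1_lan2 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list lan1_lan3 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list lan1_lan3 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto map test-map 1 match address lan1_lan2
crypto map test-map 1 set peer 202.0.0.1
crypto map test-map 2 match address lan1_lan3
crypto map test-map 2 set peer 203.0.0.1
access-list asd permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list asd permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list asd
"""
ASA2 = """
ciscoasa(config)# access-list lan2_lan1 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ciscoasa(config)# access-list lan2_lan1 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
ciscoasa(config)# crypto map test-map 1 match address lan2_lan1
ciscoasa(config)# crypto map test-map 1 set peer 201.0.0.1 // peer = ASA-1
nat (inside) 0 access-list lan2_lan1
"""
# Deliberately missing the lan3 -> lan2 entry that the article adds for spoke-to-spoke traffic.
ASA3_INCOMPLETE = """
access-list lan3_lan1 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map test-map 1 match address lan3_lan1
crypto map test-map 1 set peer 201.0.0.1
nat (inside) 0 access-list lan3_lan1
"""


def parse_asa(text):
    """Return {'acls': {name: [(src, dst)]}, 'maps': {seq: (acl, peer)}, 'nat0': acl_name}."""
    acls, match, peers, nat0 = {}, {}, {}, None
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.split("//")[0].strip())  # drop prompt and // comments
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (IPv4Network(f"{s}/{sm}"), IPv4Network(f"{d}/{dm}")))
        elif m := MATCH_RE.match(line):
            match[m.group(2)] = m.group(3)
        elif m := PEER_RE.match(line):
            peers[m.group(2)] = m.group(3)
        elif m := NAT0_RE.match(line):
            nat0 = m.group(1)
    maps = {seq: (acl, peers.get(seq)) for seq, acl in match.items()}
    return {"acls": acls, "maps": maps, "nat0": nat0}


def mirror_mismatches(cfg_a, acl_a, cfg_b, acl_b):
    """Entries of acl_a with no swapped counterpart in acl_b, and vice versa (as strings)."""
    a = set(cfg_a["acls"].get(acl_a, []))
    b = set(cfg_b["acls"].get(acl_b, []))

    def fmt(pairs):
        return sorted((str(s), str(d)) for s, d in pairs)

    return (fmt(e for e in a if (e[1], e[0]) not in b),
            fmt(e for e in b if (e[1], e[0]) not in a))


def unexempted(cfg, inside):
    """Crypto ACL entries sourced from `inside` that the nat 0 ACL does not cover."""
    inside = IPv4Network(inside)
    exempt = cfg["acls"].get(cfg["nat0"], [])
    out = []
    for seq, (acl, peer) in cfg["maps"].items():
        for s, d in cfg["acls"].get(acl, []):
            if not s.subnet_of(inside):
                continue  # transit traffic arrives on outside; nat (inside) never sees it
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt):
                out.append((seq, peer, (str(s), str(d))))
    return out


if __name__ == "__main__":
    c1, c2, c3 = parse_asa(ASA1), parse_asa(ASA2), parse_asa(ASA3_INCOMPLETE)
    print("lan1<->lan2 mirror mismatches:", mirror_mismatches(c1, "lan1_lan2", c2, "lan2_lan1"))
    print("lan1<->lan3 mirror mismatches:", mirror_mismatches(c1, "lan1_lan3", c3, "lan3_lan1"))
    for cfg, net in ((c1, "192.168.1.0/24"), (c2, "192.168.2.0/24"), (c3, "192.168.3.0/24")):
        print(net, "not NAT-exempt:", unexempted(cfg, net))
```

The hub check skips entries whose source is not the hub's inside network on purpose: spoke-to-spoke traffic transiting ASA-1 enters and leaves on outside, so nat (inside) does not apply to it, and the article's asd ACL is correct in listing only the 192.168.1.0/24 sources. On the spokes, where the crypto ACL doubles as the nat 0 ACL, the checker confirms that every protected pair is also exempt.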
The whole network now interworks.