Version Information:
Cisco Adaptive Security Appliance Software Version 9.9(2)
Firepower Extensible Operating System Version 2.3(1.84)
Device Manager Version 7.9(2)
Older releases use different syntax; the commands below are for the version listed above.
2.1 Default route
ASA1(config)# route outside 0.0.0.0 0.0.0.0 100.0.0.2 1   # the next hop is normally the address supplied by the ISP
2.2 ISAKMP policy (IKE phase 1 negotiation)
ASA1(config)# crypto ikev1 enable outside   # enable IKEv1 (the key management protocol) on the outside interface
ASA1(config)# crypto ikev1 policy 1   # policy sequence number; lower numbers are offered to the peer first
ASA1(config-ikev1-policy)# encryption aes   # encryption algorithm, must be the same on both sides
ASA1(config-ikev1-policy)# hash sha   # integrity algorithm, must be the same on both sides; it authenticates each IKE message and protects it from tampering
ASA1(config-ikev1-policy)# authentication pre-share   # authenticate the peers with a pre-shared key
ASA1(config-ikev1-policy)# group 2   # Diffie-Hellman group, must be the same on both sides; group 2 (1024-bit) is weak by today's standards, so prefer group 14 or higher where the peer supports it
ASA1(config)# tunnel-group 200.0.0.1 type ipsec-l2l   # LAN-to-LAN tunnel; for an IKEv1 L2L tunnel with a pre-shared key the tunnel-group is named with the peer's IP address, because the ASA looks the group up by peer address
ASA1(config)# tunnel-group 200.0.0.1 ipsec-attributes   # enter the IPsec attributes of that tunnel-group
ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key 123456   # the key agreed with the peer, identical on both sides; 123456 is a lab value only, use a long random key in production
2.3 Crypto ACL (start of phase 2: defines the traffic to be protected)
ASA1(config)# access-list 100 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0   # source = local LAN (192.168.1.0/24, see 2.7), destination = the peer's LAN (10.1.1.0/24)
The crypto ACL is always written from the local side to the peer (local -> peer); the peer's crypto ACL must be its exact mirror image, and the ACL is referenced by the crypto map in 2.5.
2.4 IPsec policy (transform set)
ASA1(config)# crypto ipsec ikev1 transform-set new-set esp-aes esp-sha-hmac   # ESP with AES encryption and SHA-1 HMAC integrity; the peer must offer an identical transform set
2.5 Crypto map
ASA1(config)# crypto map new-map 1 match address 100   # match the crypto ACL from 2.3
ASA1(config)# crypto map new-map 1 set peer 200.0.0.1   # the peer's outside address
ASA1(config)# crypto map new-map 1 set ikev1 transform-set new-set   # the transform set from 2.4
2.6 Apply the crypto map to the interface
ASA1(config)# crypto map new-map interface outside   # note: no sequence number on this command, it binds the whole map
2.7 NAT and NAT exemption
ASA1(config)# object network inside
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0   # the local LAN
ASA1(config-network-object)# nat (inside,outside) dynamic interface   # PAT (overload) to the outside interface address for ordinary Internet traffic
ASA1(config)# object network remote
ASA1(config-network-object)# subnet 10.1.1.0 255.255.255.0   # the peer's LAN
ASA1(config)# nat (inside,outside) source static inside inside destination static remote remote   # NAT exemption (identity twice NAT): traffic between inside and remote keeps its real addresses in both directions. This manual NAT rule is in section 1 of the NAT table and is evaluated before the object NAT above, so VPN traffic is never PATted; without it the PAT rule would rewrite the source address and the traffic would never match the crypto ACL.
2.8 Notes
1. If two ASA interfaces have the same security level, configure same-security-traffic permit inter-interface; otherwise interfaces at the same level cannot reach each other and VPN traffic will not pass.
2. Give the inside interface a higher security level than outside (the Cisco defaults are 100 and 0): by default the ASA allows traffic from a higher security level to a lower one, so inside hosts can initiate traffic towards the remote site.
3. Repeat the configuration on the peer ASA with the addresses reversed: its crypto ACL is the mirror image of this one, and its tunnel-group name and set peer point at this ASA's outside address. The crypto map, transform set and ACL names and sequence numbers may differ between the two sides, but the encryption, hash, DH group, authentication method and pre-shared key must match exactly.
4. Once both sides are configured, send traffic that matches the crypto ACL to bring the tunnel up, then verify phase 1 with show crypto ikev1 sa and phase 2 with show crypto ipsec sa.
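The rules in 2.3 and in notes 1 to 3 above (the crypto ACL must mirror the peer's, the phase 1 and phase 2 parameters must match, set peer and the tunnel-group name must be the peer's outside address) can be checked mechanically before the tunnel is brought up. The following Python script is an added example and not code from the original page: it parses two constructed ASA configs (ASA1 as configured above and a mirror-image peer ASA2 with different object names; the outside addresses 100.0.0.1 and 200.0.0.1 are assumptions), reports any mismatch, demonstrates the check catching a crypto ACL written in the wrong direction, and flags the lab-grade settings (DH group 2 and the short pre-shared key) that should be changed before production.

```python
# Added example, not from the page: consistency check for both ends of an ASA IKEv1 L2L tunnel.
# The configs are constructed; the outside addresses 100.0.0.1 / 200.0.0.1 are assumptions.
import re

ASA1_CFG = """
interface GigabitEthernet0/0
 nameif outside
 ip address 100.0.0.1 255.255.255.0
crypto ikev1 policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 2
tunnel-group 200.0.0.1 type ipsec-l2l
tunnel-group 200.0.0.1 ipsec-attributes
 ikev1 pre-shared-key 123456
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec ikev1 transform-set new-set esp-aes esp-sha-hmac
crypto map new-map 1 match address 100
crypto map new-map 1 set peer 200.0.0.1
crypto map new-map 1 set ikev1 transform-set new-set
"""
# The peer (note 3): names and sequence numbers differ, addresses are swapped, algorithms match.
ASA2_CFG = """
interface GigabitEthernet0/0
 nameif outside
 ip address 200.0.0.1 255.255.255.0
crypto ikev1 policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
tunnel-group 100.0.0.1 type ipsec-l2l
tunnel-group 100.0.0.1 ipsec-attributes
 ikev1 pre-shared-key 123456
access-list VPN extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec ikev1 transform-set peer-set esp-aes esp-sha-hmac
crypto map peer-map 10 match address VPN
crypto map peer-map 10 set peer 100.0.0.1
crypto map peer-map 10 set ikev1 transform-set peer-set
"""
# The mistake the mirroring rule catches: ASA1's crypto ACL written peer -> local.
ASA1_REVERSED_ACL = ASA1_CFG.replace("192.168.1.0 255.255.255.0 10.1.1.0", "10.1.1.0 255.255.255.0 192.168.1.0")


def parse_asa(cfg):
    """Extract the fields of an IKEv1 L2L config that must agree across the two peers."""
    p = {"outside_ip": None, "policy": {}, "psk": None, "tunnel_peer": None,
         "acl": {}, "transform": {}, "map": {}}
    in_outside = False
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := re.match(r"nameif (\S+)", line):
            in_outside = m.group(1) == "outside"
        elif (m := re.match(r"ip address (\S+)", line)) and in_outside:
            p["outside_ip"] = m.group(1)
        elif m := re.match(r"(encryption|hash|authentication|group) (\S+)", line):
            p["policy"].setdefault(m.group(1), m.group(2))  # keep the first (lowest-numbered) policy
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            p["tunnel_peer"] = m.group(1)
        elif m := re.match(r"ikev1 pre-shared-key (\S+)", line):
            p["psk"] = m.group(1)
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            p["acl"].setdefault(m.group(1), set()).add(m.groups()[1:])  # (src, smask, dst, dmask)
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)", line):
            p["transform"][m.group(1)] = frozenset(m.group(2).split())
        elif m := re.match(r"crypto map \S+ \d+ (match address|set peer|set ikev1 transform-set) (\S+)", line):
            p["map"][m.group(1)] = m.group(2)  # one L2L crypto map entry per side is assumed
    return p


def check_pair(a, b):
    """Return the mismatches between two peers; an empty list means the tunnel can negotiate."""
    problems = [f"IKE policy {k} differs" for k in ("encryption", "hash", "authentication", "group")
                if a["policy"].get(k) != b["policy"].get(k)]
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    for name, side, other in (("A", a, b), ("B", b, a)):
        peer = side["map"].get("set peer")
        if peer != other["outside_ip"] or peer != side["tunnel_peer"]:
            problems.append(f"{name}: set peer {peer} must equal the peer's outside address and the tunnel-group name")
        if side["transform"].get(side["map"].get("set ikev1 transform-set")) not in other["transform"].values():
            problems.append(f"{name}: transform set has no identical transform set on the peer")
    # Proxy IDs: the peer's crypto ACL must be the exact mirror image of ours.
    ours = a["acl"].get(a["map"].get("match address"), set())
    theirs = b["acl"].get(b["map"].get("match address"), set())
    if {(d, dm, s, sm) for (s, sm, d, dm) in ours} != theirs:
        problems.append("crypto ACL on B is not the mirror image of the crypto ACL on A")
    return problems


def weaknesses(p):
    """Lab settings from the tutorial that should be replaced before production use."""
    w = []
    if p["policy"].get("group") in ("1", "2", "5"):
        w.append(f"DH group {p['policy']['group']} is under 2048 bits; use group 14 or higher")
    if p["psk"] is not None and len(p["psk"]) < 16:
        w.append("pre-shared key is shorter than 16 characters; use a long random key")
    return w


if __name__ == "__main__":
    asa1, asa2 = parse_asa(ASA1_CFG), parse_asa(ASA2_CFG)
    print("ASA1 <-> ASA2:", check_pair(asa1, asa2) or "consistent")
    print("reversed ACL: ", check_pair(parse_asa(ASA1_REVERSED_ACL), asa2))
    print("hardening:    ", weaknesses(asa1))
```

Run it with Python 3.8 or newer; in practice replace the two embedded strings with the output of show running-config from each ASA. The check deliberately compares transform sets and ACL entries by content rather than by name, which is exactly what note 3 allows to differ between the two sides.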