Cisco VPN site to site

Only available on BuenasTareas
  • Pages: 5 (1201 words)
  • Published: December 8, 2011
Configure Cisco ASA Site-to-Site IPsec VPN
VERSION 1
It's not that hard to configure a site-to-site IPsec VPN on an ASA; you just need to know a few basic things.
Possible values of phase 1 attributes:
ISAKMP Attributes:

Attribute             | Possible Values                                                                                              | Default Value
Encryption            | DES 56-bit, 3DES 168-bit, AES 128-bit, AES 192-bit, AES 256-bit                                              | 3DES 168-bit, or DES 56-bit if the 3DES feature is not active
Hashing               | MD5 or SHA                                                                                                   | SHA
Authentication method | Preshared keys, RSA signature, DSA signature                                                                 | Preshared keys
DH group              | Group 1 (768-bit field), Group 2 (1024-bit field), Group 5 (1536-bit field), Group 7 (ECC 163-bit field)     | Group 2 (1024-bit field)
Lifetime              | 120–2,147,483,647 seconds                                                                                    | 86,400 seconds

Possible values of phase 2 attributes:
IPsec Attributes:

Attribute            | Possible Values                                                                                                                   | Default Values
Encryption           | None, DES 56-bit, 3DES 168-bit, AES 128-bit, AES 192-bit, AES 256-bit                                                             | 3DES 168-bit, or DES 56-bit if the 3DES feature is not active
Hashing              | MD5, SHA or None                                                                                                                  | None
Identity information | Network protocol and/or port number                                                                                               | No default parameter
Lifetime             | 120–2,147,483,647 seconds; 10–2,147,483,647 KB                                                                                    | 28,800 seconds; 4,608,000 KB
Mode                 | Tunnel or transport                                                                                                               | Tunnel
PFS group            | None, Group 1 (768-bit DH prime modulus), Group 2 (1024-bit DH prime modulus), Group 5 (1536-bit DH prime modulus), Group 7 (ECC 163-bit field) | None

Values that can be used in a transform set:

Type       | Available Options                                               | Default Option
Encryption | esp-3des, esp-aes, esp-aes-192, esp-aes-256, esp-des, esp-null  | esp-3des, or esp-des if the 3DES feature is not active
Hashing    | esp-md5-hmac, esp-sha-hmac, esp-none                            | esp-none

After you decide on the values to use, it's time to configure the devices in 7 easy steps (make sure both sides use the same values; if the phase 1 policy or the phase 2 transform set differs between the peers, the negotiation fails and the tunnel never comes up). The tables list what the ASA accepts, not what is recommended: prefer AES, SHA and the strongest DH group both peers support over DES, MD5 and DH groups 1 and 2.
1. Configure Interfaces
2. Configure ISAKMP policy
3. Configure transform-set
4. Configure ACL
5. Configure Tunnel group
6. Configure crypto map and attach to interface
7. Enable isakmp on interface
 
To allow VPN traffic to bypass the interface ACL:
   sysopt connection permit-vpn
This setting is on by default and exempts decrypted tunnel traffic from the interface ACLs entirely, so the remote site can reach everything behind the ASA. If the remote site should be restricted, disable it with no sysopt connection permit-vpn and filter the traffic with the interface ACL, or apply a vpn-filter ACL in the tunnel's group-policy.
If you want to manage the remote device over the VPN: by default the Cisco ASA does not allow access to the inside interface when the traffic arrives over the VPN tunnel; to enable it use:
     management-access inside
For bypassing NAT (this nat 0 form is the NAT exemption syntax of ASA 8.2 and earlier; 8.3 and later use object-based NAT), the ACL on each site names its own LAN as the source and the remote LAN as the destination:
SITE_A
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

SITE_B
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
and on both sites
nat (inside) 0 access-list nonat
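ASA 8.3 and later dropped the nat 0 / access-list form of NAT exemption in favour of object-based NAT. The following is an added example, not from the original document, of the equivalent identity (twice) NAT rule for SITE_A; the object names SITE_A_LAN and SITE_B_LAN and the host addresses used in packet-tracer are assumptions chosen here.

```text
! SITE_A, ASA 8.3+ equivalent of "nat (inside) 0 access-list nonat" (added example).
! Object names SITE_A_LAN / SITE_B_LAN and the packet-tracer host addresses are assumed.
object network SITE_A_LAN
 subnet 192.168.10.0 255.255.255.0
object network SITE_B_LAN
 subnet 192.168.20.0 255.255.255.0
!
! Manual (twice) NAT: traffic from SITE_A_LAN to SITE_B_LAN keeps its real
! addresses in both directions, so it still matches encrypt_acl and enters the tunnel.
nat (inside,outside) source static SITE_A_LAN SITE_A_LAN destination static SITE_B_LAN SITE_B_LAN
!
! SITE_B needs the same rule with the two objects swapped:
! nat (inside,outside) source static SITE_B_LAN SITE_B_LAN destination static SITE_A_LAN SITE_A_LAN
!
! Check that the identity rule is the one hit before blaming the tunnel:
! packet-tracer input inside icmp 192.168.10.10 8 0 192.168.20.10
! The NAT phase should report this rule and the VPN phase should show ALLOW.
```

A manual NAT rule like this lands in section 1 of the NAT table, which is evaluated before the automatic object NAT rules in section 2, so it takes precedence over an interface PAT rule configured under object network for the inside LAN. Without it the LAN traffic is translated to the outside address, no longer matches encrypt_acl, and leaves the outside interface unencrypted instead of entering the tunnel.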
 
 
 
 
An example between two Cisco ASA devices:

SITE_A

1. Configure Interfaces

        interface GigabitEthernet0/0
          ip address 195.42.2.51 255.255.255.0
          nameif outside
          no shutdown
        interface GigabitEthernet0/1
          ip address 192.168.10.1 255.255.255.0
          nameif inside
          no shutdown

2. Configure ISAKMP policy

        crypto isakmp policy 1
          authentication pre-share
          encryption aes-256
          hash sha
          group 2
          lifetime 86400

3. Configure transform-set

        crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac

4. Configure ACL (the traffic to be encrypted: local LAN to remote LAN; SITE_B uses the mirror image)

        access-list encrypt_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

5. Configure Tunnel group (an ipsec-l2l tunnel group is named after the peer's outside address)

        tunnel-group 195.42.1.50 type ipsec-l2l
        tunnel-group 195.42.1.50 ipsec-attributes
          pre-shared-key my_secret_key

6. Configure crypto map and attach to interface

        crypto map IPSec_map 10 match address encrypt_acl
        crypto map IPSec_map 10 set peer 195.42.1.50
        crypto map IPSec_map 10 set transform-set myset
        crypto map IPSec_map interface outside

7. Enable isakmp on interface

        crypto isakmp enable outside
SITE_B
1. Configure Interfaces...
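The document's SITE_B section breaks off here. As an added example that is not part of the original page, this is the mirror configuration for SITE_B in the same syntax, followed by the commands used to confirm the tunnel is up. The SITE_B inside address 192.168.20.1/24 on GigabitEthernet0/1, the host addresses used in packet-tracer, and the reuse of my_secret_key from SITE_A are assumptions; every crypto value must equal SITE_A's.

```text
! SITE_B: added example mirroring the SITE_A configuration above (not from the original document).
! Assumptions: outside 195.42.1.50/24 on Gi0/0, inside 192.168.20.1/24 on Gi0/1,
! same pre-shared key as SITE_A, packet-tracer host addresses chosen here.
interface GigabitEthernet0/0
 ip address 195.42.1.50 255.255.255.0
 nameif outside
 no shutdown
interface GigabitEthernet0/1
 ip address 192.168.20.1 255.255.255.0
 nameif inside
 no shutdown
!
! Phase 1: identical to SITE_A
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Phase 2: identical transform set
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
!
! Interesting traffic is the mirror image of SITE_A's encrypt_acl
access-list encrypt_acl extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
!
! NAT exemption, 8.2-and-earlier syntax as on the page
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! The tunnel group is named after SITE_A's outside address
tunnel-group 195.42.2.51 type ipsec-l2l
tunnel-group 195.42.2.51 ipsec-attributes
 pre-shared-key my_secret_key
!
crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer 195.42.2.51
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map interface outside
crypto isakmp enable outside
!
! Verification, after a host on 192.168.20.0/24 has sent traffic to 192.168.10.0/24
! (an ipsec-l2l tunnel is only built once interesting traffic hits the crypto map):
! show crypto isakmp sa   -> IKE Peer 195.42.2.51, Type L2L, State MM_ACTIVE
! show crypto ipsec sa    -> #pkts encaps and #pkts decaps both increasing
! packet-tracer input inside icmp 192.168.20.10 8 0 192.168.10.10
!                         -> NAT and VPN phases both ALLOW; a DROP in the NAT phase
!                            means the exemption rule is missing
```

On ASA 8.4(1) and later, where IKEv2 was added, the same commands carry an ikev1 keyword: crypto ikev1 policy 1, crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac, crypto map IPSec_map 10 set ikev1 transform-set myset, ikev1 pre-shared-key my_secret_key under the tunnel group's ipsec-attributes, and crypto ikev1 enable outside. Replace my_secret_key with a long random string on both sides: it is the only thing authenticating the peer. show running-config prints it masked, while more system:running-config shows it in clear, so treat configuration backups as secrets.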