Cisco vpn site to site
VERSION 1
It's not that hard to configure a site-to-site IPsec VPN on an ASA; you just need to know a few basic things.
Possible values of phase 1 attributes :
ISAKMP Attributes:
Attribute | Possible Values | Default Value |
Encryption | DES 56-bit, 3DES 168-bit, AES 128-bit, AES 192-bit, AES 256-bit | 3DES 168-bit, or DES 56-bit if the 3DES feature is not active |
Hashing | MD5 or SHA | SHA |
Authentication method | Preshared keys, RSA signature, DSA signature | Preshared keys |
DH group | Group 1 768-bit field, Group 2 1024-bit field, Group 5 1536-bit field, Group 7 ECC 163-bit field | Group 2 1024-bit field |
Lifetime | 120–2,147,483,647 seconds | 86,400 seconds |
Possible values of phase 2 attributes:
IPSec Attributes:
Attribute | Possible Values | Default Values |
Encryption | None, DES 56-bit, 3DES 168-bit, AES 128-bit, AES 192-bit, AES 256-bit | 3DES 168-bit, or DES 56-bit if the 3DES feature is not active |
Hashing | MD5, SHA or None | None |
Identity information | Network protocol and/or port number | No default parameter |
Lifetime | 120–2,147,483,647 seconds, 10–2,147,483,647 KB | 28,800 seconds, 4,608,000 KB |
Mode | Tunnel or transport | Tunnel |
PFS group | None, Group 1 768-bit DH prime modulus, Group 2 1024-bit DH prime modulus, Group 5 1536-bit DH prime modulus, Group 7 ECC 163-bit field | None |
Values that can be used in a transform set:
Type | Available Options | Default Option |
Encryption | esp-3des, esp-aes, esp-aes-192, esp-aes-256, esp-des, esp-null | esp-3des, or esp-des if the 3DES feature is not active |
Hashing | esp-md5-hmac, esp-sha-hmac, esp-none | esp-none |
After you decide on what values to use, it's time to configure the devices in 7 easy steps (make sure that both sides use the same values):
1. Configure Interfaces
2. Configure ISAKMP policy
3. Configure transform-set
4. Configure ACL
5. Configure Tunnel group
6. Configure crypto map and attach to interface
7. Enable isakmp on interface
To allow VPN traffic to bypass the interface ACLs:
sysopt connection permit-vpn
By default the Cisco ASA does not allow access to the inside interface for traffic arriving over the VPN tunnel. If you want to manage the remote device over the VPN, enable it with:
management-access inside
To bypass NAT for the VPN traffic:
SITE_A
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
SITE_B
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
and on both sites:
nat (inside) 0 access-list nonat
An example between two Cisco ASA devices:
SITE_A
1. Configure Interfaces
interface GigabitEthernet0/0
 ip address 195.42.2.51 255.255.255.0
 nameif outside
 no shutdown
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 nameif inside
 no shutdown
2. Configure ISAKMP policy
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
3. Configure transform-set
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
4. Configure ACL
access-list encrypt_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
5. Configure Tunnel group
tunnel-group 195.42.1.50 type ipsec-l2l
tunnel-group 195.42.1.50 ipsec-attributes
 pre-shared-key my_secret_key
6. Configure crypto map and attach to interface
crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer 195.42.1.50
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map interface outside
7. Enable isakmp on interface
crypto isakmp enable outside
SITE_B
1. Configure Interfaces...
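The rule above that both sides must use the same values is easy to check mechanically before a tunnel ever fails to come up. The following is an added example, not code from the original document: it parses the tunnel-relevant lines of two ASA snippets and reports any phase 1 policy, transform-set, peer-address or crypto ACL mismatch. The Site A values are the page's; the Site B snippet is constructed as its mirror, and the `site()` template helper and its interface layout are assumptions.

```python
def parse(cfg):
    """Pull the tunnel-relevant settings out of an ASA config snippet."""
    d = {"policy": {}, "acl": {}, "peer": None, "outside": None, "ts": None, "crypto_acl": None, "ip": None}
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[:2] == ["ip", "address"]:
            d["ip"] = t[2]                   # kept until nameif tells us the interface role
        elif t == ["nameif", "outside"]:
            d["outside"] = d["ip"]
        elif t[0] in ("authentication", "encryption", "hash", "group", "lifetime"):
            d["policy"][t[0]] = t[1]         # ISAKMP (phase 1) policy attributes
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            d["ts"] = frozenset(t[4:])       # order of the esp-* options does not matter
        elif t[0] == "access-list" and t[3:5] == ["permit", "ip"]:
            d["acl"].setdefault(t[1], set()).add(tuple(t[5:9]))   # (src, mask, dst, mask)
        elif t[:2] == ["crypto", "map"] and t[4:6] in (["set", "peer"], ["match", "address"]):
            d["peer" if t[5] == "peer" else "crypto_acl"] = t[6]
    return d

def mismatches(a, b):
    """Reasons the tunnel between a and b will not come up (empty list = consistent)."""
    issues = []
    if a["policy"] != b["policy"]:
        issues.append("phase 1 policy differs: %s vs %s" % (a["policy"], b["policy"]))
    if a["ts"] != b["ts"]:
        issues.append("transform-set differs: %s vs %s" % (sorted(a["ts"]), sorted(b["ts"])))
    if a["peer"] != b["outside"] or b["peer"] != a["outside"]:
        issues.append("set peer does not match the other side's outside address")
    mirror = {(d, dm, s, sm) for s, sm, d, dm in b["acl"].get(b["crypto_acl"], set())}
    if a["acl"].get(a["crypto_acl"], set()) != mirror:
        issues.append("crypto ACL is not the mirror image of the remote crypto ACL")
    return issues

def site(outside, peer, local, remote, hash_alg="sha"):
    """Constructed ASA snippet in the page's style (the template is an assumption, not page text)."""
    return f"""interface GigabitEthernet0/0
 ip address {outside} 255.255.255.0
 nameif outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash {hash_alg}
 group 2
 lifetime 86400
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
access-list encrypt_acl extended permit ip {local} 255.255.255.0 {remote} 255.255.255.0
crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer {peer}"""

SITE_A = site("195.42.2.51", "195.42.1.50", "192.168.10.0", "192.168.20.0")  # values from the page
SITE_B = site("195.42.1.50", "195.42.2.51", "192.168.20.0", "192.168.10.0")  # constructed mirror
```

Run `mismatches(parse(SITE_A), parse(SITE_B))` on the two snippets; an empty list means both sides agree, and any entry names the step (phase 1, transform set, peer or ACL) that needs fixing.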