As mentioned in a previous POST IPSEC VPN's are used to ensure that data that is being transmitted over the public network between devices that are geographically apart from each other is keept private and secure.
On the following topology, the client that is on the 192.168.10.0/24 network wants to access the webserver that is on the 192.168.20.0/24 over the network 10.0.0.0/8 which represents the public network.
The configuration of a VPN can be done in the following steps:
- Configure an ACL to identify the traffic that is being sent over the VPN
- Configure IKEV1 or 2 phase 1
- Configure IKEV1 or 2 phase 2
- Configure tunnel group
- Configure tunnel group
- Configure a Crypto map and assign it the outside interface
ASA1: ACL configuration.
ASA1(config)#access-list L2L extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
ASA1: IKEV1 phase 1 configuration.
ASA1(config)#crypto ikev1 policy 10 ASA1(config-ikev1-policy)#authentication pre-share ASA1(config-ikev1-policy)#encryption aes ASA1(config-ikev1-policy)#hash sha ASA1(config-ikev1-policy)#group 2 ASA1(config-ikev1-policy)#lifetime 8600 ASA1(config-ikev1-policy)#exit ASA1(config)#crypto ikev1 enable outside
ASA1: IKEV1 phase 2 configuration.
ASA1(config)#crypto ipsec ikev1 transform-set DATAENC esp-aes esp-sha-hmac
ASA1: tunnel group configuration.
ASA1(config)#tunnel-group 10.2.2.254 type ipsec-l2l ASA1(config)#tunnel-group 10.2.2.254 ipsec-attributes ASA1(config-tunnel-ipsec)#ikev1 pre-shared-key ciscokey
ASA1: Crypto Map configuration.
ASA1(config)#crypto map THISMAP 10 match address L2L ASA1(config)#crypto map THISMAP 10 set peer 10.2.2.254 ASA1(config)#crypto map THISMAP 10 set ikev1 transform-set DATAENC ASA1(config)#crypto map THISMAP interface outside
ASA2: ACL configuration.
ASA2(config)#access-list L2L extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
ASA2: IKEV1 phase 1 configuration.
ASA2(config)#crypto ikev1 policy 10 ASA2(config-ikev1-policy)#authentication pre-share ASA2(config-ikev1-policy)#encryption aes ASA2(config-ikev1-policy)#hash sha ASA2(config-ikev1-policy)#group 2 ASA2(config-ikev1-policy)#lifetime 8600 ASA2(config-ikev1-policy)#exit ASA2(config)#crypto ikev1 enable outside
ASA2: IKEV1 phase 2 configuration.
ASA2(config)#crypto ipsec ikev1 transform-set DATAENC esp-aes esp-sha-hmac
ASA2: tunnel group configuration.
ASA2(config)#tunnel-group 10.1.1.254 type ipsec-l2l ASA2(config)#tunnel-group 10.1.1.254 ipsec-attributes ASA2(config-tunnel-ipsec)#ikev1 pre-shared-key ciscokey
ASA2: Crypto Map configuration.
ASA2(config)#crypto map THISMAP 10 match address L2L ASA2(config)#crypto map THISMAP 10 set peer 10.1.1.254 ASA2(config)#crypto map THISMAP 10 set ikev1 transform-set DATAENC ASA2(config)#crypto map THISMAP interface outside
grt
ReplyDelete