ASA VPNs


***********************************************************************************
Configuring a LAN-TO-LAN IPSec VPN between the ASA & R5
***********************************************************************************

R5

! 1. Phase I

crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption 3des
 group 2
crypto isakmp key cisco123 address 192.1.20.10

! 2. Phase II

crypto ipsec transform-set TSET1 esp-3des esp-md5-hmac

! 3. ACL (IOS uses wildcard masks)

access-list 101 permit ip 10.5.5.0 0.0.0.255 10.1.1.0 0.0.0.255

! 4. Crypto Map

crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.20.10
 set transform-set TSET1
 match address 101

! 5. Apply it to the outgoing interface

interface Ethernet0/0
 crypto map CMAP

ASA1

! 0. Enable the service on the interface

crypto ikev1 enable outside

! 1. Phase I

crypto ikev1 policy 10
 authentication pre-share
 hash md5
 encryption 3des
 group 2
!
! The peer is identified by its address; the tunnel-group carries the key
tunnel-group 192.1.25.5 type ipsec-l2l
tunnel-group 192.1.25.5 ipsec-attributes
 ikev1 pre-shared-key cisco123

! 2. Phase II

crypto ipsec ikev1 transform-set TSET1 esp-3des esp-md5-hmac

! 3. ACL (ASA uses subnet masks; this is the mirror image of R5's ACL)

access-list 101 permit ip 10.1.1.0 255.255.255.0 10.5.5.0 255.255.255.0

! 4. Crypto Map

crypto map CMAP 10 set peer 192.1.25.5
crypto map CMAP 10 set ikev1 transform-set TSET1
crypto map CMAP 10 match address 101

! 5. Apply it to the outgoing interface

crypto map CMAP interface outside
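A LAN-to-LAN tunnel only comes up when both sides agree on the Phase 1 policy, the transform set and a mirrored crypto ACL, and a mismatch on one of them is the usual reason a tunnel stays down. As an added example (not part of the original notes), the Python below parses constructed copies of the R5 and ASA1 fragments above (with the `auth` abbreviation written out) and reports any mismatch; it handles both IOS wildcard masks and ASA subnet masks, and the same checker applies to the R4/R6 and R3/R7 pairs that follow.

```python
import re, ipaddress

# Constructed from the R5 and ASA1 fragments on this page ("auth" written out).
R5_CFG = """crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption 3des
 group 2
crypto isakmp key cisco123 address 192.1.20.10
crypto ipsec transform-set TSET1 esp-3des esp-md5-hmac
access-list 101 permit ip 10.5.5.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.20.10
 set transform-set TSET1
 match address 101"""

ASA_CFG = """crypto ikev1 policy 10
 authentication pre-share
 hash md5
 encryption 3des
 group 2
tunnel-group 192.1.25.5 type ipsec-l2l
crypto ipsec ikev1 transform-set TSET1 esp-3des esp-md5-hmac
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.5.5.0 255.255.255.0
crypto map CMAP 10 set peer 192.1.25.5
crypto map CMAP 10 set ikev1 transform-set TSET1
crypto map CMAP 10 match address 101"""

def phase1(cfg):
    """Phase 1 attributes: authentication, hash, encryption, DH group."""
    return dict(re.findall(r"^\s+(authentication|hash|encryption|group) (\S+)", cfg, re.M))
def phase2(cfg):
    """ESP cipher and ESP integrity algorithm of the transform set."""
    return re.search(r"transform-set \S+ (esp-\S+) (esp-\S+)", cfg).groups()
def crypto_acl(cfg):
    """(src, dst) networks; ipaddress accepts IOS wildcard and ASA subnet masks."""
    src, sm, dst, dm = re.search(r"access-list \S+ permit ip (\S+) (\S+) (\S+) (\S+)", cfg).groups()
    return ipaddress.ip_network(f"{src}/{sm}"), ipaddress.ip_network(f"{dst}/{dm}")
def peer_refs(cfg):
    """Peer addresses named by the isakmp key, the tunnel-group and set peer."""
    return set(re.findall(r"(?:set peer|key \S+ address|tunnel-group) (\d+(?:\.\d+){3})", cfg))
def check_pair(a, b):
    """Return the mismatches that would stop the tunnel from forming."""
    checks = [
        ("phase1 policy mismatch", phase1(a) != phase1(b)),
        ("transform-set mismatch", phase2(a) != phase2(b)),
        ("peer address references disagree on one side", any(len(peer_refs(c)) != 1 for c in (a, b))),
        ("crypto ACLs are not mirror images", crypto_acl(a) != crypto_acl(b)[::-1]),
    ]
    return [msg for msg, bad in checks if bad]
```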

***********************************************************************************
Configuring a LAN-TO-LAN IPSec VPN between R4 & R6 through the ASA
***********************************************************************************

R4

! 1. Phase I

crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption 3des
 group 2
crypto isakmp key cisco123 address 192.1.60.6

! 2. Phase II

crypto ipsec transform-set TSET1 esp-3des esp-md5-hmac

! 3. ACL

access-list 101 permit ip 10.4.4.0 0.0.0.255 10.6.6.0 0.0.0.255

! 4. Crypto Map

crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.60.6
 set transform-set TSET1
 match address 101

! 5. Apply it to the outgoing interface

interface Ethernet0/0
 crypto map CMAP

R6

! 1. Phase I

crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption 3des
 group 2
crypto isakmp key cisco123 address 192.1.24.4

! 2. Phase II

crypto ipsec transform-set TSET1 esp-3des esp-md5-hmac

! 3. ACL

access-list 101 permit ip 10.6.6.0 0.0.0.255 10.4.4.0 0.0.0.255

! 4. Crypto Map

crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.24.4
 set transform-set TSET1
 match address 101

! 5. Apply it to the outgoing interface

interface Ethernet0/0
 crypto map CMAP

ASA

! The ASA is not a VPN endpoint here; it only has to let the IKE negotiation
! (UDP 500) and the ESP packets between the two peers in on the outside interface
access-list OUTSIDE permit udp host 192.1.24.4 host 192.1.60.6 eq 500
access-list OUTSIDE permit esp host 192.1.24.4 host 192.1.60.6
!
access-group OUTSIDE in interface outside

***********************************************************************************
Configuring a LAN-TO-LAN IPSec VPN between R3 & R7 through the ASA with NAT-T
***********************************************************************************

R3

! 1. Phase I

crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption 3des
 group 2
crypto isakmp key cisco123 address 192.1.20.7

! 2. Phase II

crypto ipsec transform-set TSET1 esp-3des esp-md5-hmac

! 3. ACL

access-list 101 permit ip 10.3.3.0 0.0.0.255 10.7.7.0 0.0.0.255

! 4. Crypto Map

crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.20.7
 set transform-set TSET1
 match address 101

! 5. Apply it to the outgoing interface

interface Ethernet0/0
 crypto map CMAP

R7

! 1. Phase I

crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption 3des
 group 2
crypto isakmp key cisco123 address 192.1.23.3

! 2. Phase II

crypto ipsec transform-set TSET1 esp-3des esp-md5-hmac

! 3. ACL

access-list 101 permit ip 10.7.7.0 0.0.0.255 10.3.3.0 0.0.0.255

! 4. Crypto Map

crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.23.3
 set transform-set TSET1
 match address 101

! 5. Apply it to the outgoing interface

interface Ethernet0/0
 crypto map CMAP

ASA

! R7 sits behind the ASA: its real address 192.168.70.7 is translated to
! 192.1.20.7, which is the peer address R3 uses
object network R7
 host 192.168.70.7
 nat (DMZ7,outside) static 192.1.20.7
!
! On ASA 8.3 and later the ACL references the real (untranslated) address.
! With NAT-T the ESP packets are carried inside UDP 4500, so UDP 500 and
! UDP 4500 are all that has to be permitted; no ESP entry is needed
access-list OUTSIDE permit udp host 192.1.23.3 host 192.168.70.7 eq 500
access-list OUTSIDE permit udp host 192.1.23.3 host 192.168.70.7 eq 4500

***********************************************************************************
Configuring the ASA for ASDM
***********************************************************************************

- Allows you to manage the ASA from a graphical tool.
- Gives you a good view of the performance of the ASA.
- Also lets you run wizards for the different types of VPNs.

! 1. Enable the service (HTTPS, restricted to the inside management subnet)

http server enable
http 10.10.10.0 255.255.255.0 inside

! 2. Create a database of admin users

username admin password cisco123 privilege 15

! 3. Specify the local database as the authentication method for HTTP

aaa authentication http console LOCAL

***********************
Web VPN
***********************

- Allows you to connect using a browser as the client.
- This is also called a Clientless VPN.
- It uses SSL as the encryption protocol.
- By default it only allows the following 3 protocols:
  - Web (HTTP, HTTPS)
  - FTP
  - CIFS

***********************************************************************************
Configuring the Web VPN on the ASA
***********************************************************************************

! 1. Enable the service on the interface the remote users connect to

webvpn
 enable outside

! 2. Create a group for the remote users and specify its characteristics

group-policy SALES internal
group-policy SALES attributes
 vpn-tunnel-protocol ssl-clientless
 banner value "Authorized Users Only........"

! 3. Create a user and link it to the group

username khawar password cisco123
username khawar attributes
 vpn-group-policy SALES

! 4. Configure port-forwarding for non-native WebVPN applications
!    (list name, local port on the client, internal server, server port)

webvpn
 port-forward SALES-APPS 30001 10.11.11.1 23
 port-forward SALES-APPS 30002 10.11.11.5 1521
!
group-policy SALES attributes
 webvpn
  port-forward value SALES-APPS
***********************************************************************************
Configuring the Remote Access VPN using the AnyConnect Client
***********************************************************************************

Lab on Video
