Cisco ASA VPN
From HackerNet
Revision as of 16:27, 8 March 2016 by Helikopter (talk | contribs)
Main article: Cisco ASA
Site-to-site
Two prerequisites for any VPN tunnel on the ASA: the clock must be correct (use NTP; certificate-based authentication and log correlation depend on it) and the NAT rules must be in the right order, that is, the NAT exemption for the tunnel traffic has to be evaluated before any dynamic or PAT rule that would otherwise translate it.
Check the procedure for the version you are running; the ASA can print it itself:
vpnsetup site-to-site steps
vpnsetup ipsec-remote-access steps
IKEv2 does not really keep the phase 1/phase 2 naming (it has IKE_SA_INIT/IKE_AUTH exchanges and CHILD_SAs instead), but the building blocks below are the same. The configuration below is IKEv1.
Phase 1
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 lifetime 28800
 group 2
On ASA 8.4 and later the command is crypto ikev1 policy 10 (the ikev1 keywords used further down are 8.4+ syntax). DH group 2 is 1024-bit and considered weak today; prefer a stronger group, or IKEv2, when both sides support it.
PSK
The tunnel-group is named after the peer's public address, and that same address is the crypto map peer.
tunnel-group <other-side> type ipsec-l2l
tunnel-group <other-side> ipsec-attributes
 ikev1 pre-shared-key *****
crypto map VPNMAP 10 set peer <other-side>
Phase 2
crypto ipsec ikev1 transform-set SITE2-FAS2 esp-aes-256 esp-sha-hmac
crypto map VPNMAP 10 set ikev1 transform-set SITE2-FAS2
access-list CRYPTO-to-SITE2 extended permit ip 172.16.20.0 255.255.255.0 172.16.40.0 255.255.255.0
crypto map VPNMAP 10 match address CRYPTO-to-SITE2
crypto map VPNMAP 10 set security-association lifetime seconds 3600
crypto map VPNMAP 10 set pfs group5
The crypto ACL defines the interesting traffic (local network to remote network). The other side must have the exact mirror image of it, and transform-set and PFS group must match, otherwise phase 2 fails. On 8.4+ the transform-set is bound with set ikev1 transform-set; older releases use set transform-set.
NAT Exempt
object network LAN1
 subnet 172.16.20.0 255.255.255.0
object network LAN2
 subnet 172.16.40.0 255.255.255.0
nat (inside,outside) 1 source static LAN1 LAN1 destination static LAN2 LAN2
The identity translation (LAN1 to LAN1, LAN2 to LAN2) leaves the addresses untouched so the packets match the crypto ACL. It must be evaluated before any dynamic PAT rule for the inside network, hence the low sequence number.
Other
Allow traffic in from the other side.
access-list OUTSIDE-IN extended permit ip object LAN2 object LAN1
This only matters if sysopt connection permit-vpn has been turned off; by default the ASA lets decrypted VPN traffic bypass the interface ACL. The ACL also has to be bound to the interface with access-group to take effect.
Only needs to be done when the first VPN tunnel is set up.
crypto map VPNMAP interface OUTSIDE
crypto ikev1 enable OUTSIDE
Troubleshoot
show crypto isakmp sa detail
show vpn-sessiondb detail l2l
The first command shows phase 1 (MM_ACTIVE for an established IKEv1 SA). For phase 2, show crypto ipsec sa lists each SA with its encapsulated/decapsulated packet counters, which is where a one-way tunnel shows up.
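Most site-to-site failures are the two peers disagreeing on one of the parameters above. The script below is an added example for this page (not ASA or HackerNet code): it parses the crypto lines of two constructed ASA 8.4+ config excerpts, one per peer, and lists the mismatches that would stop phase 1 or phase 2 from negotiating. The peer addresses 203.0.113.1/.2, the ACL and transform-set names and the PSK are made up for the example; the networks are the ones used on this page.

```python
"""Check that two ASA peers' IKEv1/IPsec site-to-site settings agree.

Added example for this page (not ASA or HackerNet code): parses the crypto lines
of two constructed ASA 8.4+ excerpts and lists what would stop phase 1 or phase 2
from negotiating. Peer addresses 203.0.113.1/.2, names and the PSK are made up.
"""
P1_ATTRS = ("authentication", "encryption", "hash", "group")


def parse(cfg):
    """Collect IKEv1 policies, transform-sets, crypto ACLs, crypto map entries, PSKs."""
    out = {"policies": [], "tsets": {}, "acls": {}, "cmap": {}, "psks": {}}
    policy = tgroup = None
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if line[0] != " ":  # a top-level command ends any sub-mode
            policy = tgroup = None
        if policy is not None and t[0] in P1_ATTRS:  # lifetime is not a match criterion
            policy[t[0]] = t[1]
        elif tgroup is not None and t[:2] == ["ikev1", "pre-shared-key"]:
            out["psks"][tgroup] = t[2]
        elif t[:3] == ["crypto", "ikev1", "policy"]:
            policy = {}
            out["policies"].append(policy)
        elif t[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            out["tsets"][t[4]] = frozenset(t[5:])
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            out["acls"].setdefault(t[1], set()).add(((t[5], t[6]), (t[7], t[8])))
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3].isdigit():
            entry, rest = out["cmap"].setdefault((t[2], int(t[3])), {}), t[4:]
            if rest[:2] == ["match", "address"]:
                entry["acl"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                entry["peer"] = rest[2]
            elif rest[:3] == ["set", "ikev1", "transform-set"]:
                entry["tset"] = rest[3]
            elif rest[:2] == ["set", "pfs"]:
                entry["pfs"] = rest[2]
        elif t[0] == "tunnel-group" and t[2:3] == ["ipsec-attributes"]:
            tgroup = t[1]
    return out


def compare(cfg_a, addr_a, cfg_b, addr_b):
    """Return mismatch descriptions; an empty list means the two sides agree."""
    a, b, problems = parse(cfg_a), parse(cfg_b), []
    # Phase 1: at least one proposal in common (the shorter lifetime wins, so it is ignored).
    props_a = {tuple(p.get(k) for k in P1_ATTRS) for p in a["policies"]}
    props_b = {tuple(p.get(k) for k in P1_ATTRS) for p in b["policies"]}
    if not props_a & props_b:
        problems.append("phase 1: no IKEv1 policy in common")
    # The PSK sits in the tunnel-group named after the remote peer's address.
    if a["psks"].get(addr_b) is None or a["psks"].get(addr_b) != b["psks"].get(addr_a):
        problems.append("phase 1: pre-shared keys differ or tunnel-group is missing")
    # Phase 2: each side's crypto map entry that points at the other peer.
    ea = next((e for e in a["cmap"].values() if e.get("peer") == addr_b), None)
    eb = next((e for e in b["cmap"].values() if e.get("peer") == addr_a), None)
    if ea is None or eb is None:
        return problems + ["phase 2: no crypto map entry whose 'set peer' is the other side"]
    ts_a, ts_b = a["tsets"].get(ea.get("tset")), b["tsets"].get(eb.get("tset"))
    if ts_a != ts_b:
        problems.append(f"phase 2: transform-sets differ: {sorted(ts_a or [])} vs {sorted(ts_b or [])}")
    if ea.get("pfs") != eb.get("pfs"):
        problems.append(f"phase 2: pfs differs: {ea.get('pfs')} vs {eb.get('pfs')}")
    # The crypto ACLs must be mirror images: A's (src, dst) == B's (dst, src).
    acl_a = a["acls"].get(ea.get("acl"), set())
    acl_b = {(dst, src) for src, dst in b["acls"].get(eb.get("acl"), set())}
    if acl_a != acl_b:
        problems.append("phase 2: crypto ACLs are not mirror images")
    return problems


# Constructed excerpt for site A (LAN 172.16.20.0/24, peer B at 203.0.113.2).
SITE_A = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto ipsec ikev1 transform-set SITE2-FAS2 esp-aes-256 esp-sha-hmac
access-list CRYPTO-to-SITE2 extended permit ip 172.16.20.0 255.255.255.0 172.16.40.0 255.255.255.0
crypto map VPNMAP 10 match address CRYPTO-to-SITE2
crypto map VPNMAP 10 set peer 203.0.113.2
crypto map VPNMAP 10 set ikev1 transform-set SITE2-FAS2
crypto map VPNMAP 10 set pfs group5
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key Example-PSK-change-me
"""
# Site B (LAN 172.16.40.0/24, peer A at 203.0.113.1) is the mirror image: same
# proposals and PSK, networks swapped in the crypto ACL, peer address swapped.
SITE_B = (SITE_A.replace("172.16.20.0", "SWAP").replace("172.16.40.0", "172.16.20.0")
          .replace("SWAP", "172.16.40.0").replace("203.0.113.2", "203.0.113.1"))
# A typical misconfiguration: the PFS group changed on one side only.
SITE_B_BAD_PFS = SITE_B.replace("set pfs group5", "set pfs group2")
```

Run compare(SITE_A, "203.0.113.1", SITE_B, "203.0.113.2") for the clean pair and it returns an empty list; with SITE_B_BAD_PFS it returns the single pfs mismatch. Feed it the relevant lines of show running-config from both boxes and it gives you the phase 1/phase 2 diff before you start reading debug crypto output.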
Remote Access
AnyConnect
AnyConnect SSL split tunnel
Objects and pool
ip local pool AnyConnect-Pool 172.20.0.51-172.20.0.100 mask 255.255.255.0
object network VPN_POOL
 subnet 172.20.0.0 255.255.255.0
ACL
access-list AnyConnect-SplitTunnel standard permit 10.0.0.0 255.255.255.0
access-list OUTSIDE-V1 remark ----- Allow AnyConnect to LAN
access-list OUTSIDE-V1 extended permit ip object VPN_POOL object LAN
The standard ACL lists the LAN (10.0.0.0/24) that should be reached through the tunnel. object LAN is assumed to be a network object for that LAN; it is not defined on this page.
Enable AnyConnect
webvpn
 enable OUTSIDE
 anyconnect image disk0:/anyconnect-win-3.1.10010-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
tunnel-group-list enable is what makes the group alias show up in the client's drop-down.
Group policy
group-policy GroupPolicy_Hackernet internal
group-policy GroupPolicy_Hackernet attributes
 wins-server none
 dns-server value 10.0.0.10
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AnyConnect-SplitTunnel
 default-domain value hackernet.se
With tunnelspecified only the networks in AnyConnect-SplitTunnel go through the tunnel; everything else leaves the client directly, unprotected and uninspected by the ASA, so keep that list tight (or use tunnelall where that is unacceptable).
Tunnel group
tunnel-group Hackernet type remote-access
tunnel-group Hackernet general-attributes
 address-pool AnyConnect-Pool
 default-group-policy GroupPolicy_Hackernet
tunnel-group Hackernet webvpn-attributes
 group-alias Hackernet enable
No NAT
nat (INSIDE,OUTSIDE) 5 source static any any destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
Identity NAT so traffic between the LAN and the VPN pool is not translated. no-proxy-arp stops the ASA from answering ARP for the pool addresses on the inside, and route-lookup makes it pick the egress interface from the routing table rather than from the NAT rule.
Create local users
username juan password cisco
username juan attributes
 service-type remote-access
 vpn-group-policy GroupPolicy_Hackernet
service-type remote-access lets the account be used for VPN only, not for management login. The password cisco is a placeholder; on a real box use a strong password or, better, an external AAA server (LDAP/RADIUS) with the local database only as fallback.