Difference between revisions of "Cisco ASA VPN"
From HackerNet
Helikopter (talk | contribs) (Created page with "Huvudartikel: Cisco ASA =Site-to-site= Förutsättningar för att sätta upp VPN-tunnlar är att klocka måste gå rätt och att NAT-regler måste ligga i rätt...") |
Helikopter (talk | contribs) |
||
| Line 50: | Line 50: | ||
=Remote Access= | =Remote Access= | ||
==AnyConnect== | ==AnyConnect== | ||
| − | AnyConnect SSL split tunnel | + | AnyConnect SSL split tunnel <br/> |
| − | object network | + | Objekt och pool |
| − | + | ip local pool AnyConnect-Pool 172.20.0.51-172.20.0.100 mask 255.255.255.0 | |
| + | object network VPN_POOL | ||
| + | subnet 172.20.0.0 255.255.255.0 | ||
| + | ACL | ||
| + | access-list AnyConnect-SplitTunnel standard permit 10.0.0.0 255.255.255.0 # LAN | ||
| + | access-list OUTSIDE-V1 remark ----- Allow AnyConnect to LAN | ||
| + | access-list OUTSIDE-V1 extended permit ip object VPN_POOL object LAN | ||
| + | Enable anyconnect | ||
webvpn | webvpn | ||
| − | + | enable OUTSIDE | |
| − | + | anyconnect image disk0:/anyconnect-win-3.1.10010-k9.pkg 1 | |
| − | + | anyconnect enable | |
| − | group-policy | + | tunnel-group-list enable |
| − | group-policy | + | cache |
| + | disable | ||
| + | error-recovery disable | ||
| + | Group policy | ||
| + | group-policy GroupPolicy_Hackernet internal | ||
| + | group-policy GroupPolicy_Hackernet attributes | ||
| + | wins-server none | ||
| + | dns-server value 10.0.0.10 | ||
| + | vpn-tunnel-protocol ssl-client | ||
split-tunnel-policy tunnelspecified | split-tunnel-policy tunnelspecified | ||
| − | split-tunnel-network-list value | + | split-tunnel-network-list value AnyConnect-SplitTunnel |
| − | |||
| − | |||
| − | |||
| − | |||
default-domain value hackernet.se | default-domain value hackernet.se | ||
| − | + | Tunnel group | |
| − | tunnel-group | + | tunnel-group Hackernet type remote-access |
| − | tunnel-group | + | tunnel-group Hackernet general-attributes |
| − | default-group-policy | + | address-pool AnyConnect-Pool |
| − | + | default-group-policy GroupPolicy_Hackernet | |
| − | tunnel-group | + | tunnel-group Hackernet webvpn-attributes |
| − | group-alias | + | group-alias Hackernet enable |
| − | nat ( | + | no nat |
| − | username juan password cisco | + | nat (INSIDE,OUTSIDE) 5 source static any any destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup |
| + | Skapa lokala users | ||
| + | username juan password cisco | ||
username juan attributes | username juan attributes | ||
service-type remote-access | service-type remote-access | ||
| − | vpn-group-policy | + | vpn-group-policy GroupPolicy_Hackernet |
| − | |||
[[Category:Cisco]] | [[Category:Cisco]] | ||
Revision as of 18:38, 1 February 2016
Huvudartikel: Cisco ASA
Contents
Site-to-site
Förutsättningar för att sätta upp VPN-tunnlar är att klocka måste gå rätt och att NAT-regler måste ligga i rätt ordning.
Kolla hur man gör på aktuell version
vpnsetup site-to-site steps vpnsetup ipsec-remote-access steps
IKEv2 behåller inte riktigt nomenklaturen med faser men ändå.
Fas 1
crypto isakmp policy 10 authentication pre-share encryption aes-256 hash sha lifetime 28800 group 2
PSK
tunnel-group <other-side> type ipsec-l2l tunnel-group <other-side> ipsec-attributes ikev1 pre-shared-key ***** crypto map VPNMAP 10 set peer <other-side>
Fas 2
crypto ipsec ikev1 transform-set SITE2-FAS2 esp-aes-256 esp-sha-hmac crypto map VPNMAP 10 set transform-set SITE2-FAS2 access-list CRYPTO-to-SITE2 extended permit ip 172.16.20.0 255.255.255.0 172.16.40.0 255.255.255.0 crypto map VPNMAP 10 match address CRYPTO-to-SITE2 crypto map VPNMAP 10 set security-association lifetime seconds 3600
NAT Exempt
object network LAN1 subnet 172.16.20.0 255.255.255.0 object network LAN2 subnet 172.16.40.0 255.255.255.0 nat (inside,outside) 1 source static LAN1 LAN1 destination static LAN2 LAN2
Övrigt
Tillåt trafik in från andra sidan.
access-list OUTSIDE-IN extended permit ip object LAN2 object LAN1
Behöver endast göras vid första VPN-tunneluppsättningen.
crypto map VPNMAP interface OUTSIDE crypto isakmp enable OUTSIDE
Troubleshoot
show crypto isakmp sa detail show vpn-sessiondb detail l2l
Remote Access
AnyConnect
AnyConnect SSL split tunnel
Objekt och pool
ip local pool AnyConnect-Pool 172.20.0.51-172.20.0.100 mask 255.255.255.0 object network VPN_POOL subnet 172.20.0.0 255.255.255.0
ACL
access-list AnyConnect-SplitTunnel standard permit 10.0.0.0 255.255.255.0 # LAN access-list OUTSIDE-V1 remark ----- Allow AnyConnect to LAN access-list OUTSIDE-V1 extended permit ip object VPN_POOL object LAN
Enable anyconnect
webvpn enable OUTSIDE anyconnect image disk0:/anyconnect-win-3.1.10010-k9.pkg 1 anyconnect enable tunnel-group-list enable cache disable error-recovery disable
Group policy
group-policy GroupPolicy_Hackernet internal group-policy GroupPolicy_Hackernet attributes wins-server none dns-server value 10.0.0.10 vpn-tunnel-protocol ssl-client split-tunnel-policy tunnelspecified split-tunnel-network-list value AnyConnect-SplitTunnel default-domain value hackernet.se
Tunnel group
tunnel-group Hackernet type remote-access tunnel-group Hackernet general-attributes address-pool AnyConnect-Pool default-group-policy GroupPolicy_Hackernet tunnel-group Hackernet webvpn-attributes group-alias Hackernet enable
no nat
nat (INSIDE,OUTSIDE) 5 source static any any destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
Skapa lokala users
username juan password cisco username juan attributes service-type remote-access vpn-group-policy GroupPolicy_Hackernet
