Aktuelle Version vom 16. Februar 2016, 11:09 Uhr

Accessliste anlegen

ciscoasa(config)# access-list acl-asa-toc extended permit ip 172.18.122.0 255.255.255.0 192.168.122.0 255.255.255.0

Phase 1

Cisco Asa ISAKMP Phase1

Festlegen das die IP als ID funkiert

ciscoasa(config)# crypto isakmp identity address

isakmp auf outside interface freischalten

ciscoasa(config)# crypto isakmp enable if-outside

Transformset festlegen

ciscoasa(config)# crypto ipsec transform-set AES256-MD5 esp-aes-256 esp-md5-hmac

Zusammenfassen

ciscoasa(config)# crypto map vpn-asa-toc 10 match address acl-asa-toc

PFS und Diffie-Hellman-Gruppe 5

ciscoasa(config)# crypto map vpn-asa-toc 10 set pfs group5

Peer setzen

ciscoasa(config)# crypto map vpn-asa-toc 10 set peer 192.168.252.5

Transformset zuordnen

ciscoasa(config)# crypto map vpn-asa-toc 10 set ikev1 transform-set AES256-MD5

Vpn Interface freischalten

ciscoasa(config)# crypto map vpn-asa-toc interface if-outside

Netz zu Netz Vpn

ciscoasa(config)# tunnel-group 192.168.252.5 type ipsec-l2l

Ipsec Attribute

ciscoasa(config)# tunnel-group 192.168.252.5 ipsec-attributes

PSK festlegen

ciscoasa(config-tunnel-ipsec)# pre-shared-key streng-geheim

Vpn pool aus nat nehmen

Festlegen der Ausnahme

object network no-nat
subnet 192.168.122.0 255.255.255.0

Ausnahme anwenden

nat (if-inside,if-outside) source static obj-lan obj-lan destination static no-nat no-nat

Copy and Paste

configure terminal
access-list acl-asa-toc extended permit ip 172.18.122.0 255.255.255.0 192.168.122.0 255.255.255.0
crypto isakmp identity address
crypto isakmp enable if-outside
crypto ipsec transform-set AES256-MD5 esp-aes-256 esp-md5-hmac
crypto map vpn-asa-toc 10 match address acl-asa-toc
crypto map  vpn-asa-toc 10 set pfs group5
crypto map vpn-asa-toc 10 set peer 192.168.252.5
crypto map  vpn-asa-toc 10 set ikev1 transform-set AES256-MD5
crypto map  vpn-asa-toc  interface if-outside
tunnel-group 192.168.252.5 type ipsec-l2l 
tunnel-group 192.168.252.5  ipsec-attributes 
pre-shared-key streng-geheim
object network no-nat
subnet 192.168.122.0 255.255.255.0
nat (if-inside,if-outside) source static obj-lan obj-lan destination static no-nat no-nat

@@ Zeile 2: / Zeile 2: @@
 *ciscoasa(config)# access-list acl-asa-toc extended permit ip 172.18.122.0 255.255.255.0 192.168.122.0 255.255.255.0
 =Phase 1=
-ciscoasa(config)# crypto isakmp policy 10
+*[[Cisco Asa ISAKMP Phase1]]
-==Authentifizierung mit PSK==
+=Festlegen das die IP als ID funkiert=
-*ciscoasa(config-ikev1-policy)# authentication pre-share
+*ciscoasa(config)# crypto isakmp identity address
-==Verschlüsselung==
+=isakmp auf outside interface freischalten=
-*ciscoasa(config-ikev1-policy)# encryption aes-256
+*ciscoasa(config)# crypto isakmp enable if-outside
-==Hash Algorithmus==
+=Transformset festlegen=
-*ciscoasa(config-ikev1-policy)# hash md5
+*ciscoasa(config)# crypto ipsec transform-set AES256-MD5 esp-aes-256 esp-md5-hmac
-==Diffie-Hellmann-Gruppe==
-*ciscoasa(config-ikev1-policy)# group 5
+=Zusammenfassen=
-==Lifetime==
+*ciscoasa(config)# crypto map vpn-asa-toc 10 match address acl-asa-toc
-*ciscoasa(config-ikev1-policy)# lifetime 28800
+==PFS und Diffie-Hellman-Gruppe 5==
+*ciscoasa(config)# crypto map  vpn-asa-toc 10 set pfs group5
+==Peer setzen==
+*ciscoasa(config)# crypto map vpn-asa-toc 10 set peer 192.168.252.5
+==Transformset zuordnen==
+*ciscoasa(config)# crypto map  vpn-asa-toc 10 set ikev1 transform-set AES256-MD5
+==Vpn Interface freischalten==
+*ciscoasa(config)# crypto map  vpn-asa-toc  interface if-outside
+==Netz zu Netz Vpn==
+*ciscoasa(config)# tunnel-group 192.168.252.5 type ipsec-l2l
+==Ipsec Attribute==
+*ciscoasa(config)# tunnel-group 192.168.252.5  ipsec-attributes
+==PSK festlegen==
+*ciscoasa(config-tunnel-ipsec)# pre-shared-key streng-geheim
+=Vpn pool aus nat nehmen=
+==Festlegen der Ausnahme==
+*object network no-nat
+*subnet 192.168.122.0 255.255.255.0
+==Ausnahme anwenden==
+*nat (if-inside,if-outside) source static obj-lan obj-lan destination static no-nat no-nat
+=Copy and Paste=
+<pre>
+configure terminal
+access-list acl-asa-toc extended permit ip 172.18.122.0 255.255.255.0 192.168.122.0 255.255.255.0
+crypto isakmp identity address
+crypto isakmp enable if-outside
+crypto ipsec transform-set AES256-MD5 esp-aes-256 esp-md5-hmac
+crypto map vpn-asa-toc 10 match address acl-asa-toc
+crypto map  vpn-asa-toc 10 set pfs group5
+crypto map vpn-asa-toc 10 set peer 192.168.252.5
+crypto map  vpn-asa-toc 10 set ikev1 transform-set AES256-MD5
+crypto map  vpn-asa-toc  interface if-outside
+tunnel-group 192.168.252.5 type ipsec-l2l
+tunnel-group 192.168.252.5  ipsec-attributes
+pre-shared-key streng-geheim
+object network no-nat
+subnet 192.168.122.0 255.255.255.0
+nat (if-inside,if-outside) source static obj-lan obj-lan destination static no-nat no-nat
+</pre>
+=Links=
+*http://www.petenetlive.com/KB/Article/0000050
+*https://www.fir3net.com/Firewalls/Cisco/cisco-asa-83-no-nat-nat-exemption.html

CISCO ASA L2L VPN PSK: Unterschied zwischen den Versionen

Aktuelle Version vom 16. Februar 2016, 11:09 Uhr

Inhaltsverzeichnis

Accessliste anlegen

Phase 1

Festlegen das die IP als ID funkiert

isakmp auf outside interface freischalten

Transformset festlegen

Zusammenfassen

PFS und Diffie-Hellman-Gruppe 5

Peer setzen

Transformset zuordnen

Vpn Interface freischalten

Netz zu Netz Vpn

Ipsec Attribute

PSK festlegen

Vpn pool aus nat nehmen

Festlegen der Ausnahme

Ausnahme anwenden

Copy and Paste

Links

Navigationsmenü

Suche