CISCO ASA L2L VPN PSK: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
 
(2 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 2: Zeile 2:
 
*ciscoasa(config)# access-list acl-asa-toc extended permit ip 172.18.122.0 255.255.255.0 192.168.122.0 255.255.255.0
 
*ciscoasa(config)# access-list acl-asa-toc extended permit ip 172.18.122.0 255.255.255.0 192.168.122.0 255.255.255.0
 
=Phase 1=
 
=Phase 1=
ciscoasa(config)# crypto isakmp policy 10
+
*[[Cisco Asa ISAKMP Phase1]]
==Authentifizierung mit PSK==
 
*ciscoasa(config-ikev1-policy)# authentication pre-share
 
==Verschlüsselung==
 
*ciscoasa(config-ikev1-policy)# encryption aes-256
 
==Hash Algorithmus==
 
*ciscoasa(config-ikev1-policy)# hash md5
 
==Diffie-Hellmann-Gruppe==
 
*ciscoasa(config-ikev1-policy)# group 5
 
==Lifetime==
 
*ciscoasa(config-ikev1-policy)# lifetime 28800
 
 
=Festlegen das die IP als ID funkiert=
 
=Festlegen das die IP als ID funkiert=
 
*ciscoasa(config)# crypto isakmp identity address
 
*ciscoasa(config)# crypto isakmp identity address
Zeile 43: Zeile 33:
 
==Ausnahme anwenden==
 
==Ausnahme anwenden==
 
*nat (if-inside,if-outside) source static obj-lan obj-lan destination static no-nat no-nat
 
*nat (if-inside,if-outside) source static obj-lan obj-lan destination static no-nat no-nat
 +
 +
=Copy and Paste=
 +
<pre>
 +
configure terminal
 +
access-list acl-asa-toc extended permit ip 172.18.122.0 255.255.255.0 192.168.122.0 255.255.255.0
 +
crypto isakmp identity address
 +
crypto isakmp enable if-outside
 +
crypto ipsec transform-set AES256-MD5 esp-aes-256 esp-md5-hmac
 +
crypto map vpn-asa-toc 10 match address acl-asa-toc
 +
crypto map  vpn-asa-toc 10 set pfs group5
 +
crypto map vpn-asa-toc 10 set peer 192.168.252.5
 +
crypto map  vpn-asa-toc 10 set ikev1 transform-set AES256-MD5
 +
crypto map  vpn-asa-toc  interface if-outside
 +
tunnel-group 192.168.252.5 type ipsec-l2l
 +
tunnel-group 192.168.252.5  ipsec-attributes
 +
pre-shared-key streng-geheim
 +
object network no-nat
 +
subnet 192.168.122.0 255.255.255.0
 +
nat (if-inside,if-outside) source static obj-lan obj-lan destination static no-nat no-nat
 +
</pre>
  
 
=Links=
 
=Links=
 
*http://www.petenetlive.com/KB/Article/0000050
 
*http://www.petenetlive.com/KB/Article/0000050
 
*https://www.fir3net.com/Firewalls/Cisco/cisco-asa-83-no-nat-nat-exemption.html
 
*https://www.fir3net.com/Firewalls/Cisco/cisco-asa-83-no-nat-nat-exemption.html

Aktuelle Version vom 16. Februar 2016, 11:09 Uhr

Accessliste anlegen

  • ciscoasa(config)# access-list acl-asa-toc extended permit ip 172.18.122.0 255.255.255.0 192.168.122.0 255.255.255.0

Phase 1

Festlegen das die IP als ID funkiert

  • ciscoasa(config)# crypto isakmp identity address

isakmp auf outside interface freischalten

  • ciscoasa(config)# crypto isakmp enable if-outside

Transformset festlegen

  • ciscoasa(config)# crypto ipsec transform-set AES256-MD5 esp-aes-256 esp-md5-hmac

Zusammenfassen

  • ciscoasa(config)# crypto map vpn-asa-toc 10 match address acl-asa-toc

PFS und Diffie-Hellman-Gruppe 5

  • ciscoasa(config)# crypto map vpn-asa-toc 10 set pfs group5

Peer setzen

  • ciscoasa(config)# crypto map vpn-asa-toc 10 set peer 192.168.252.5

Transformset zuordnen

  • ciscoasa(config)# crypto map vpn-asa-toc 10 set ikev1 transform-set AES256-MD5

Vpn Interface freischalten

  • ciscoasa(config)# crypto map vpn-asa-toc interface if-outside

Netz zu Netz Vpn

  • ciscoasa(config)# tunnel-group 192.168.252.5 type ipsec-l2l

Ipsec Attribute

  • ciscoasa(config)# tunnel-group 192.168.252.5 ipsec-attributes

PSK festlegen

  • ciscoasa(config-tunnel-ipsec)# pre-shared-key streng-geheim

Vpn pool aus nat nehmen

Festlegen der Ausnahme

  • object network no-nat
  • subnet 192.168.122.0 255.255.255.0

Ausnahme anwenden

  • nat (if-inside,if-outside) source static obj-lan obj-lan destination static no-nat no-nat

Copy and Paste

configure terminal
access-list acl-asa-toc extended permit ip 172.18.122.0 255.255.255.0 192.168.122.0 255.255.255.0
crypto isakmp identity address
crypto isakmp enable if-outside
crypto ipsec transform-set AES256-MD5 esp-aes-256 esp-md5-hmac
crypto map vpn-asa-toc 10 match address acl-asa-toc
crypto map  vpn-asa-toc 10 set pfs group5
crypto map vpn-asa-toc 10 set peer 192.168.252.5
crypto map  vpn-asa-toc 10 set ikev1 transform-set AES256-MD5
crypto map  vpn-asa-toc  interface if-outside
tunnel-group 192.168.252.5 type ipsec-l2l 
tunnel-group 192.168.252.5  ipsec-attributes 
pre-shared-key streng-geheim
object network no-nat
subnet 192.168.122.0 255.255.255.0
nat (if-inside,if-outside) source static obj-lan obj-lan destination static no-nat no-nat

Links

Abgerufen von „http://wiki.ixheim.de/index.php?title=CISCO_ASA_L2L_VPN_PSK&oldid=8428