CISCO ASA REMOTE ACCESS: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
 
(8 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 1: Zeile 1:
 +
=Cisco Asa ISAKMP Phase1=
 +
*[[Cisco Asa ISAKMP Phase1]]
 +
=Configuring an Address Pool=
 +
*ciscoasa(config)# ip local pool vpn-roadwarrior-pool 172.28.28.10-172.28.28.30 mask 255.255.255.0
 +
=User anlegen=
 +
*ciscoasa(config)# username thomas password oimel
 +
*ciscoasa(config)# username david password suxer
 +
*ciscoasa(config)# username janning password schmeich
 +
=Transformset=
 +
*ciscoasa(config)# crypto ipsec ikev1 transform-set AES256-MD5 esp-aes-256 esp-md5-hmac
 +
=Typ der Tunnelgruppe festlegen=
 +
*ciscoasa(config)# tunnel-group vpn-roadwarrior type remote-access
 +
=Attribute der Tunnelgruppe festlegen=
 +
*ciscoasa(config)# tunnel-group vpn-roadwarrior general-attributes
 +
==Addresspool zuweisen==
 +
*ciscoasa(config-tunnel-general)# address-pool vpn-roadwarrior-pool
 +
=PSK festlegen=
 +
*ciscoasa(config)# tunnel-group vpn-roadwarrior ipsec-attributes
 +
*ciscoasa(config-tunnel-ipsec)# ikev1 pre-shared-key sau-geheim
  
 +
=Zusammenfassen dyn-vpn-roadwarrior Transformset AES256-MD5 =
 +
;bezogen auf Policy 10 aus [[Cisco Asa ISAKMP Phase1]]
 +
*ciscoasa(config)# crypto dynamic-map dyn-vpn-roadwarrior 10 set ikev1 transform-set AES256-MD5
  
hostname(config)# interface ethernet0
+
=Enables Reverse Route Injection=
 
+
*ciscoasa(config)# crypto dynamic-map dyn-vpn-roadwarrior 10 set reverse-route
hostname(config-if)# ip address 10.10.4.200 255.255.0.0
+
=Creates a crypto map entry that uses a dynamic crypto=
 
+
*ciscoasa(config)# crypto map my-vpn-roadwarrior-map 10 ipsec-isakmp dynamic dyn-vpn-roadwarrior
hostname(config-if)# nameif outside
+
=Anwenden der crypto map auf das outside interface=
 
+
*ciscoasa(config)# crypto map my-vpn-roadwarrior-map interface if-outside
hostname(config-if)# no shutdown
 
 
 
hostname(config)# crypto ikev1 policy 1
 
 
 
hostname(config-ikev1-policy)# authentication pre-share
 
 
 
hostname(config-ikev1-policy)# encryption 3des
 
 
 
hostname(config-ikev1-policy)# hash sha
 
 
 
hostname(config-ikev1-policy)# group 2
 
 
 
hostname(config-ikev1-policy)# lifetime 43200
 
 
 
hostname(config)# crypto ikev1 enable outside
 
 
 
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
 
 
 
hostname(config)# username testuser password 12345678
 
 
 
hostname(config)# crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
 
 
 
hostname(config)# tunnel-group testgroup type remote-access
 
 
 
hostname(config)# tunnel-group testgroup general-attributes
 
 
 
hostname(config-general)# address-pool testpool
 
 
 
hostname(config)# tunnel-group testgroup ipsec-attributes
 
 
 
hostname(config-ipsec)# ikev1 pre-shared-key 44kkaol59636jnfx
 
 
 
hostname(config)# crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet
 
 
 
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route
 
 
 
hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
 
 
 
hostname(config)# crypto map mymap interface outside
 
 
 
hostname(config)# write memory
 
 
 
 
 
 
 
 
 
  
 +
=Vpn pool aus nat nehmen=
 +
==Festlegen der Ausnahme==
 +
*object network no-nat-roadwarrior
 +
*subnet 172.28.28.0 255.255.255.0
 +
==Ausnahme anwenden==
 +
*nat (if-inside,if-outside) source static obj-lan obj-lan destination static no-nat-roadwarrior no-nat-roadwarrior
 +
=Copy and Paste=
 +
<pre>
 +
configure terminal
 +
ip local pool vpn-roadwarrior-pool 172.28.28.10-172.28.28.30 mask 255.255.255.0
 +
username thomas password oimel
 +
username david password suxer
 +
username janning password schmeich
 +
crypto ipsec ikev1 transform-set AES256-MD5 esp-aes-256 esp-md5-hmac
 +
tunnel-group vpn-roadwarrior type remote-access
 +
tunnel-group vpn-roadwarrior general-attributes
 +
address-pool vpn-roadwarrior-pool
 +
exit
 +
tunnel-group vpn-roadwarrior ipsec-attributes
 +
ikev1 pre-shared-key sau-geheim
 +
exit
 +
crypto dynamic-map dyn-vpn-roadwarrior 10 set ikev1 transform-set AES256-MD5
 +
crypto dynamic-map dyn-vpn-roadwarrior 10 set reverse-route
 +
crypto map my-vpn-roadwarrior-map 10 ipsec-isakmp dynamic dyn-vpn-roadwarrior
 +
crypto map my-vpn-roadwarrior-map interface if-outside
 +
object network no-nat-roadwarrior
 +
subnet 172.28.28.0 255.255.255.0
 +
nat (if-inside,if-outside) source static obj-lan obj-lan destination static no-nat-roadwarrior no-nat-roadwarrior
 +
exit
 +
</pre>
  
 +
=Quellen=
 
*http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_remote_access.html
 
*http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_remote_access.html
 +
*http://www.databasemart.com/HowTo/Cisco_VPN_Remote_Access_Setup_ASA5500.aspx

Aktuelle Version vom 16. Februar 2016, 11:23 Uhr

Cisco Asa ISAKMP Phase1

Configuring an Address Pool

  • ciscoasa(config)# ip local pool vpn-roadwarrior-pool 172.28.28.10-172.28.28.30 mask 255.255.255.0

User anlegen

  • ciscoasa(config)# username thomas password oimel
  • ciscoasa(config)# username david password suxer
  • ciscoasa(config)# username janning password schmeich

Transformset

  • ciscoasa(config)# crypto ipsec ikev1 transform-set AES256-MD5 esp-aes-256 esp-md5-hmac

Typ der Tunnelgruppe festlegen

  • ciscoasa(config)# tunnel-group vpn-roadwarrior type remote-access

Attribute der Tunnelgruppe festlegen

  • ciscoasa(config)# tunnel-group vpn-roadwarrior general-attributes

Addresspool zuweisen

  • ciscoasa(config-tunnel-general)# address-pool vpn-roadwarrior-pool

PSK festlegen

  • ciscoasa(config)# tunnel-group vpn-roadwarrior ipsec-attributes
  • ciscoasa(config-tunnel-ipsec)# ikev1 pre-shared-key sau-geheim

Zusammenfassen dyn-vpn-roadwarrior Transformset AES256-MD5

bezogen auf Policy 10 aus Cisco Asa ISAKMP Phase1
  • ciscoasa(config)# crypto dynamic-map dyn-vpn-roadwarrior 10 set ikev1 transform-set AES256-MD5

Enables Reverse Route Injection

  • ciscoasa(config)# crypto dynamic-map dyn-vpn-roadwarrior 10 set reverse-route

Creates a crypto map entry that uses a dynamic crypto

  • ciscoasa(config)# crypto map my-vpn-roadwarrior-map 10 ipsec-isakmp dynamic dyn-vpn-roadwarrior

Anwenden der crypto map auf das outside interface

  • ciscoasa(config)# crypto map my-vpn-roadwarrior-map interface if-outside

Vpn pool aus nat nehmen

Festlegen der Ausnahme

  • object network no-nat-roadwarrior
  • subnet 172.28.28.0 255.255.255.0

Ausnahme anwenden

  • nat (if-inside,if-outside) source static obj-lan obj-lan destination static no-nat-roadwarrior no-nat-roadwarrior

Copy and Paste

configure terminal
ip local pool vpn-roadwarrior-pool 172.28.28.10-172.28.28.30 mask 255.255.255.0
username thomas password oimel
username david password suxer 
username janning password schmeich
crypto ipsec ikev1 transform-set AES256-MD5 esp-aes-256 esp-md5-hmac
tunnel-group vpn-roadwarrior type remote-access
tunnel-group vpn-roadwarrior general-attributes 
address-pool vpn-roadwarrior-pool
exit
tunnel-group vpn-roadwarrior ipsec-attributes 
ikev1 pre-shared-key sau-geheim
exit
crypto dynamic-map dyn-vpn-roadwarrior 10 set ikev1 transform-set AES256-MD5
crypto dynamic-map dyn-vpn-roadwarrior 10 set reverse-route
crypto map my-vpn-roadwarrior-map 10 ipsec-isakmp dynamic dyn-vpn-roadwarrior
crypto map my-vpn-roadwarrior-map interface if-outside
object network no-nat-roadwarrior
 subnet 172.28.28.0 255.255.255.0
 nat (if-inside,if-outside) source static obj-lan obj-lan destination static no-nat-roadwarrior no-nat-roadwarrior
exit

Quellen

Abgerufen von „http://wiki.ixheim.de/index.php?title=CISCO_ASA_REMOTE_ACCESS&oldid=8430