FreeBSD ---- Cisco ASA 5540 (IPsec VPN tunnel mode)
Cisco ASA 5540 configuration
1. Configure interface IP addresses
ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address 61.49.29.x <netmask>
ciscoasa(config-if)# exit
ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 10.1.32.5 255.255.255.0
ciscoasa(config-if)# exit
2. Add routes
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 61.49.29.x
ciscoasa(config)# route inside 10.1.10.0 255.255.255.0 10.1.5.1
ciscoasa(config)# route inside 10.1.254.101 255.255.255.255 10.1.32.1
ciscoasa(config)# route inside 172.16.31.0 255.255.255.0 10.1.5.1
3. Configure IKE (ISAKMP)
ciscoasa(config)# crypto isakmp identity auto
ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)# crypto isakmp policy 10
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# encryption 3des
ciscoasa(config-isakmp-policy)# hash sha
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# lifetime 86400
ciscoasa(config-isakmp-policy)# exit
ciscoasa(config)# crypto isakmp nat-traversal 20
4. Configure the pre-shared key for the peer
ciscoasa(config)# crypto isakmp key Umessage-vpn address 60.247.57.x
5. Configure IPsec
ciscoasa(config)# crypto ipsec transform-set xVPN esp-3des esp-sha-hmac
ciscoasa(config)# crypto ipsec security-association lifetime seconds 28800
ciscoasa(config)# crypto ipsec security-association lifetime kilobytes 4608000
ciscoasa(config)# crypto ipsec security-association replay window-size 64
ciscoasa(config)# crypto ipsec fragmentation before-encryption outside
ciscoasa(config)# crypto ipsec fragmentation before-encryption inside
ciscoasa(config)# crypto ipsec df-bit copy-df outside
ciscoasa(config)# crypto ipsec df-bit copy-df inside
6. Configure the crypto access list (interesting traffic)
ciscoasa(config)# object-group network local-lan
ciscoasa(config-network)# network-object host 10.1.5.0
ciscoasa(config-network)# exit
ciscoasa(config)# object-group network remote-lan
ciscoasa(config-network)# network-object host 192.168.190.20
ciscoasa(config-network)# exit
ciscoasa(config)# access-list vpnacl extended permit ip object-group local-lan object-group remote-lan
7. Configure the crypto map and bind it to the outside interface
ciscoasa(config)# crypto map vpnmap 10 match address vpnacl
ciscoasa(config)# crypto map vpnmap 10 set pfs group2
ciscoasa(config)# crypto map vpnmap 10 set connection-type bi-directional
ciscoasa(config)# crypto map vpnmap 10 set peer 60.247.57.x
ciscoasa(config)# crypto map vpnmap 10 set transform-set xVPN
ciscoasa(config)# crypto map vpnmap 10 set inheritance rule
ciscoasa(config)# crypto map vpnmap 10 set phase1-mode main
ciscoasa(config)# crypto map vpnmap interface outside
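As an added review aid (not part of the original post), the small Python linter below cross-checks the crypto map above against the objects it references and flags the duplicate nameif and the legacy algorithms (3DES, DH group 2) chosen in the IKE policy, transform set and PFS setting; the sample input is this page's own commands with the CLI prompts stripped, and the weak-algorithm list is an assumption based on current Cisco guidance.

```python
import re

# Constructed sample input: this page's ASA commands with the CLI prompts stripped.
ASA_CONFIG = """
interface GigabitEthernet0/0
nameif outside
interface GigabitEthernet0/1
nameif outside
crypto isakmp enable outside
crypto isakmp policy 10
encryption 3des
group 2
crypto isakmp key Umessage-vpn address 60.247.57.x
crypto ipsec transform-set xVPN esp-3des esp-sha-hmac
access-list vpnacl extended permit ip object-group local-lan object-group remote-lan
crypto map vpnmap 10 match address vpnacl
crypto map vpnmap 10 set pfs group2
crypto map vpnmap 10 set peer 60.247.57.x
crypto map vpnmap 10 set transform-set xVPN
crypto map vpnmap interface outside
"""
# Legacy algorithms (assumed list): single/triple DES, MD5 and DH groups below 2048 bits.
WEAK = {"des", "3des", "esp-des", "esp-3des", "md5", "esp-md5-hmac", "group1", "group2", "group5"}

def lint_asa_vpn(text):
    """Return findings: duplicate nameif, dangling crypto-map references, weak algorithms."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    findings = []

    def names(pattern):  # first capture group of every line matching pattern
        return {m.group(1) for ln in lines if (m := re.match(pattern, ln))}

    nameifs = [ln.split()[1] for ln in lines if ln.startswith("nameif ")]
    for dup in sorted({n for n in nameifs if nameifs.count(n) > 1}):
        findings.append(f"nameif '{dup}' is assigned to more than one interface")
    # crypto map sub-command -> (names defined elsewhere, what it must reference)
    refs = {
        r"crypto map \S+ \d+ match address (\S+)": (names(r"access-list (\S+)"), "access-list"),
        r"crypto map \S+ \d+ set transform-set (\S+)": (names(r"crypto ipsec transform-set (\S+)"), "transform-set"),
        r"crypto map \S+ \d+ set peer (\S+)": (names(r"crypto isakmp key \S+ address (\S+)"), "isakmp key for peer"),
        r"crypto map \S+ interface (\S+)": (names(r"crypto isakmp enable (\S+)"), "isakmp enable on interface"),
    }
    for ln in lines:
        for pattern, (known, what) in refs.items():
            if (m := re.match(pattern, ln)) and m.group(1) not in known:
                findings.append(f"'{ln}' references missing {what} '{m.group(1)}'")
        # normalise the isakmp-policy form 'group 2' to the pfs form 'group2' before the token check
        if any(tok in WEAK for tok in re.sub(r"^group (\d+)$", r"group\1", ln).split()):
            findings.append(f"weak algorithm in '{ln}'")
    return findings
```

Run against the page's commands, `lint_asa_vpn(ASA_CONFIG)` returns five findings: the repeated `nameif outside` plus four weak-algorithm lines; correcting the second interface to `nameif inside` and moving to AES-256 with DH group 14 leaves none.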