ASA5510 and ASA5505 (outside address obtained via PPPoE) EzVPN Configuration

Source: Internet
Author: User


I. Purpose

This test demonstrates three points:

1. How to configure the ASA5505 as an EzVPN hardware client (note that the ASA5510 and higher models can only be configured as an EzVPN server).
2. How to configure the PPPoE client on the ASA.
3. How to configure EzVPN network extension mode (NEM) on the ASA5510, a configuration point that is easy to overlook.

II. Requirements

1. The ASA5505 connects to the Internet through PPPoE, and the internal network behind it can access the Internet.
2. The ASA5505 is the EzVPN hardware client and the ASA5510 is the EzVPN server.
3. The internal network protected by the ASA5510 can access the Internet.
4. Traffic between ASA5505.Inside and ASA5510.Inside passes through the EzVPN tunnel.

III. Configuration

1. ASA5505.Inside

ASA5505.Inside# sh run
Building configuration...

Current configuration : 648 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ASA5505.Inside
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.10
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 password cisco
 login
!
end

2. ASA5505

ASA5505(config)# sh run
: Saved
:
ASA Version 8.0(5)
!
hostname ASA5505
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan30
 nameif outside
 security-level 0
 pppoe client vpdn group pppoe
 ip address pppoe setroute
!
interface Vlan40
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 30
!
interface Ethernet0/1
 switchport access vlan 40
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
access-list out extended permit icmp any any
access-list bypass extended permit ip 192.168.1.0 255.255.255.0 [destination garbled in source]
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
access-group out in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe request dialout pppoe
vpdn group pppoe localname pppoeuser1
vpdn group pppoe ppp authentication pap
vpdn username pppoeuser1 password *****
vpnclient server 64.102.51.10
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup yeslab password *****
vpnclient username testuser1 password *****
vpnclient enable
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:947bd7e354635e160ddb59a18b6d59e3
: end

3. PPPOE.Server

PPPOE.Server# sh run
Building configuration...

Current configuration : 1064 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PPPOE.Server
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
vpdn enable
!
username pppoeuser1 password 0 cisco
archive
 log config
  hidekeys
!
bba-group pppoe global
 virtual-template 1
!
interface FastEthernet0
 no ip address
 speed auto
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 ip address 202.100.1.1 255.255.255.0
!
interface FastEthernet0.30
 encapsulation dot1Q 30
 pppoe enable group global
!
interface Virtual-Template1
 ip unnumbered FastEthernet0.10
 peer default ip address pool ippool
 ppp authentication pap
!
ip local pool ippool 202.100.1.100 202.100.1.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.100.1.254
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 password cisco
 login
!
end

4. Internet

Internet# sh run
Building configuration...

Current configuration : 788 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Internet
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 25
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface FastEthernet0
 no ip address
 speed auto
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 ip address 202.100.1.254 255.255.255.0
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 ip address 64.102.51.254 255.255.255.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 password cisco
 login
!
end

5. ASA5510

The group-policy name is not recoverable from the source and is shown below as GROUP_POLICY_NAME.

ASA5510(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ASA5510
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 64.102.51.10 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.1.10 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list out extended permit icmp any any
access-list split extended permit ip 172.16.1.0 255.255.255.0 any
access-list bypass extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool ezpool 123.1.1.100-123.1.1.200
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list bypass
nat (inside) 1 0.0.0.0 0.0.0.0
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 64.102.51.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto dynamic-map dymap 100 set transform-set cisco
crypto dynamic-map dymap 100 set reverse-route
crypto map cisco 10 ipsec-isakmp dynamic dymap
crypto map cisco interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy GROUP_POLICY_NAME internal
group-policy GROUP_POLICY_NAME attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 nem enable
username testuser1 password i1lji/ encrypted
username testuser1 attributes
 vpn-group-policy GROUP_POLICY_NAME
tunnel-group yeslab type remote-access
tunnel-group yeslab general-attributes
 address-pool ezpool
tunnel-group yeslab ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:Failed
: end

6. ASA5510.Inside

ASA5510.Inside# sh run
Building configuration...

Current configuration : 727 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ASA5510.Inside
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 15
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface Ethernet0
 no ip address
 shutdown
 half-duplex
!
interface FastEthernet0
 ip address 172.16.1.1 255.255.255.0
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.1.10
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 password cisco
 login
!
end

IV. Test

1. The ASA5505 obtains an IP address from PPPOE.Server.


2. ASA5505.Inside can access the Internet.

3. Status of the ASA5505 as the EzVPN hardware client.

4. The ISAKMP SA and IPsec SA on the ASA5505.

5. ASA5510.Inside can access the Internet.

6. The ISAKMP SA and IPsec SA on the ASA5510.

7. ASA5505.Inside and ASA5510.Inside can communicate with each other.

V. Note

1. On the ASA5505, the system automatically adds a bypass ACL matching the EzVPN interesting traffic.
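As an added example that is not part of the original article, the following Python audit reads an abridged copy of the ASA5510 server configuration from section III and confirms the three settings that make network extension mode work end to end (nem enable, the NAT-exemption ACL referenced by nat 0, and reverse-route injection), and it also flags the DES, 3DES, MD5 and DH group 2 choices in the lab's transform set and ISAKMP policy as weak. The group-policy name GROUP_POLICY_NAME is a placeholder because the source does not preserve it; everything else in the sample is taken from the page.

```python
import re

# Abridged copy of the page's ASA5510 config: only the lines the checks read.
# GROUP_POLICY_NAME is a placeholder; the real name is not in the source.
ASA5510_CONFIG = """
access-list split extended permit ip 172.16.1.0 255.255.255.0 any
access-list bypass extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list bypass
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto dynamic-map dymap 100 set reverse-route
crypto isakmp policy 10
 encryption 3des
 hash md5
 group 2
group-policy GROUP_POLICY_NAME attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 nem enable
"""

# Algorithm choices that are now considered weak (ISAKMP sub-commands / ESP names).
WEAK_ISAKMP = {"encryption des", "encryption 3des", "hash md5", "group 1", "group 2"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}


def audit_ezvpn_server(config: str) -> dict:
    """Find the NEM prerequisites (nem enable, NAT exemption, RRI) and weak crypto."""
    r = {"nem_enabled": False, "nat_exempt_acl": None,
         "nat_exempt_acl_defined": False, "reverse_route": False, "weak_crypto": []}
    acls = set()
    for raw in config.splitlines():
        s = raw.strip()
        if s == "nem enable":                                   # NEM allowed in group-policy
            r["nem_enabled"] = True
        elif m := re.match(r"access-list (\S+) ", s):           # collect defined ACL names
            acls.add(m.group(1))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", s):
            r["nat_exempt_acl"] = m.group(1)                    # NAT exemption for tunnel traffic
        elif re.match(r"crypto dynamic-map \S+ \d+ set reverse-route$", s):
            r["reverse_route"] = True                           # RRI: route back to client LAN
        elif s.startswith("crypto ipsec transform-set"):
            r["weak_crypto"] += [t for t in s.split() if t in WEAK_ESP]
        elif s in WEAK_ISAKMP:
            r["weak_crypto"].append(s)
    r["nat_exempt_acl_defined"] = r["nat_exempt_acl"] in acls    # nat 0 must name a real ACL
    return r


def nem_ready(r: dict) -> bool:
    """True only when all three NEM prerequisites are present in the audit result."""
    return r["nem_enabled"] and r["nat_exempt_acl_defined"] and r["reverse_route"]
```

Removing the nem enable line from the sample makes nem_ready() return False, which is exactly the easy-to-miss failure the article warns about.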

