ASA 8.4 VPN test series I: IKEv1 L2L

Source: Internet
Author: User

I have been studying CCNP Security Firewall v1.0 recently, and that study is now complete. Cisco ASA 8.4 has changed a great deal and looks more and more like a Check Point firewall: the global access control list and the new NAT syntax are exactly what the CP firewall does. With Firewall v1.0 finished, the next study target is VPN v1.0, which mainly covers VPNs on the ASA. The VPN changes after ASA 8.4 are also very large, mainly because of the introduction of IKEv2. IOS 15.1T (which does not seem to be downloadable yet) also supports IKEv2, so IKEv2 is clearly an inevitable trend and I will spend a lot of time on it. Before studying the new technology, though, it is necessary to know how to configure a traditional IKEv1 VPN on ASA 8.4, so this post walks through a traditional IKEv1 L2L VPN on ASA 8.4. (Further ASA 8.4 VPN experiments will follow soon.)

Test topology:

[Topology diagram (image not preserved; original at http://www.bkjia.com/uploads/allimg/131227/0S433E61-0.png). From the configurations below: Outside router Lo0 1.1.1.1, Fa0 202.100.1.1 <-> ASA Outside 202.100.1.10 / Inside 10.1.1.10 <-> Inside router Fa0 10.1.1.1, Lo0 2.2.2.2]


Outside router configuration:

hostname Outside
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 25
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 202.100.1.10
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 202.100.1.10
 set transform-set cisco
 match address vpn
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0
 ip address 202.100.1.1 255.255.255.0
 speed auto
 crypto map cisco
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.100.1.10
!
no ip http server
no ip http secure-server
!
ip access-list extended vpn
 permit ip host 1.1.1.1 host 2.2.2.2
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
line vty 5 15
 password cisco
 login
!
end

ASA Configuration:

hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 202.100.1.10 255.255.255.0
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
object network Inside-Router-Loop0
 subnet 2.2.2.0 255.255.255.0
object network Remote-vpn-address
 subnet 1.1.1.0 255.255.255.0
access-list vpn extended permit ip host 2.2.2.2 host 1.1.1.1   (interesting traffic)
pager lines 24
mtu Outside 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (Inside,Outside) source static Inside-Router-Loop0 Inside-Router-Loop0 destination static Remote-vpn-address Remote-vpn-address   (twice identity NAT so that the VPN-interesting traffic bypasses NAT)
!
object network Inside-Router-Loop0   (regular Internet PAT)
 nat (Inside,Outside) dynamic interface

route Outside 0.0.0.0 0.0.0.0 202.100.1.1 1   (solve the routing problem)
route Inside 2.2.2.2 255.255.255.255 10.1.1.1 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set cisco esp-des esp-md5-hmac   (Phase 2 transform set)
crypto map cry-map 10 match address vpn   (crypto map configuration)
crypto map cry-map 10 set peer 202.100.1.1
crypto map cry-map 10 set ikev1 transform-set cisco
crypto map cry-map interface Outside   (apply the crypto map to the outside interface)
crypto ikev1 enable Outside   (enable IKEv1 on the outside interface)

crypto ikev1 policy 1   (IKEv1 Phase 1 policy)
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
tunnel-group 202.100.1.1 type ipsec-l2l   (tunnel-group configuration)
tunnel-group 202.100.1.1 ipsec-attributes
 ikev1 pre-shared-key cisco
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1b%154bb6ceb038c%77aE2b15c67
: end

Inside router configuration:

hostname Inside
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0
 ip address 10.1.1.1 255.255.255.0
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.10
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
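As an added example that is not part of the original post, the following Python script cross-checks the two IKEv1 peers configured above. It parses constructed excerpts of the router and ASA configurations, confirms that the crypto ACLs are exact mirror images (the IKEv1 proxy IDs must agree or Phase 2 fails) and that the Phase 1 and Phase 2 proposals match (the router relies on the IOS ISAKMP defaults, which happen to equal the ASA's explicit des/sha/group 1/86400 settings), and flags the DES, MD5 and DH group 1 choices that a current baseline would reject.

```python
import re
# Constructed excerpts of the two peers' configurations from this article (IOS router and ASA 8.4).
ROUTER_CFG = """
crypto isakmp policy 10
 authentication pre-share
crypto ipsec transform-set cisco esp-des esp-md5-hmac
ip access-list extended vpn
 permit ip host 1.1.1.1 host 2.2.2.2
"""
ASA_CFG = """
access-list vpn extended permit ip host 2.2.2.2 host 1.1.1.1
crypto ipsec ikev1 transform-set cisco esp-des esp-md5-hmac
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
"""
# IOS fills unspecified isakmp policy attributes with these defaults; the ASA block above sets every attribute explicitly.
IOS_ISAKMP_DEFAULTS = {"authentication": "rsa-sig", "encryption": "des", "hash": "sha", "group": "1", "lifetime": "86400"}
def phase1_policy(cfg):
    """Effective attributes of the first isakmp/ikev1 policy block in cfg (defaults fill the gaps)."""
    m = re.search(r"^crypto (?:isakmp|ikev1) policy \d+\n((?:[ \t]+.*\n)*)", cfg, re.M)
    lines = (l.strip().partition(" ") for l in (m.group(1) if m else "").splitlines())
    return dict(IOS_ISAKMP_DEFAULTS, **{k: v for k, _, v in lines if k in IOS_ISAKMP_DEFAULTS})

def transform_set(cfg):
    """Phase 2 proposal of the first transform-set definition, e.g. 'esp-des esp-md5-hmac'."""
    m = re.search(r"transform-set \S+ ((?:esp-\S+ ?)+)", cfg)
    return m.group(1).strip() if m else None

def crypto_acl(cfg):
    """(source, destination) host pairs the crypto ACL permits; these become the IKEv1 proxy IDs."""
    return set(re.findall(r"permit ip host (\S+) host (\S+)", cfg))
def weak_algorithms(cfg):
    """Algorithms a current baseline rejects: DES, MD5 and 768-bit DH group 1 (this lab uses all three)."""
    p, ts = phase1_policy(cfg), (transform_set(cfg) or "").split()
    flags = {"des": p["encryption"] == "des" or "esp-des" in ts,
             "md5": p["hash"] == "md5" or "esp-md5-hmac" in ts,
             "group 1": p["group"] == "1"}
    return {name for name, weak in flags.items() if weak}

def check_pair(router_cfg, asa_cfg):
    """Cross-check the peers: mirrored crypto ACLs, matching Phase 1/Phase 2 proposals, and weak algorithms."""
    mirror = {(dst, src) for src, dst in crypto_acl(router_cfg)}
    return {"acl_mirrored": mirror == crypto_acl(asa_cfg),
            "transform_match": transform_set(router_cfg) == transform_set(asa_cfg),
            "phase1_match": phase1_policy(router_cfg) == phase1_policy(asa_cfg),
            "weak": weak_algorithms(router_cfg) | weak_algorithms(asa_cfg)}
```

Calling check_pair(ROUTER_CFG, ASA_CFG) reports all three checks as matching and lists des, md5 and group 1 as weak; swapping in a non-mirrored ACL on either side flips acl_mirrored to False.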
 

This article is from the "current teacher" blog; please keep this source: http://xrmjjz.blog.51cto.com/3689370/686366
