Firewall-based Easy VPN configuration process

Source: Internet
Author: User


Objective: configure Easy VPN on the gateway ASA firewall so that a client on the public Internet can reach internal LAN resources through an encrypted tunnel.
The following figure shows the experiment topology. R1 is a router inside the LAN. C1 is a Windows 7 virtual machine connected to the VMnet1 NIC and acts as the PC in the lab network. The configuration steps are as follows.

Configuration on R1. Only the interface IP address and a default route are needed.
R1 (config) # int fa0/0
R1 (config-if) # ip add 192.168.20.2 255.255.255.0
R1 (config-if) # no shut
R1 (config-if) # ex
R1 (config) # ip route 0.0.0.0 0.0.0.0 192.168.20.1
Configuration on the ISP router. Only the interface IP addresses are needed, as shown below.
ISP (config) # int fa0/0
ISP (config-if) # ip add 10.0.0.2 255.255.255.0
ISP (config-if) # no shut
ISP (config) # int fa0/1
ISP (config-if) # ip add 255.0.0.2 255.255.255.0
ISP (config-if) # no shut
Configuration on R3. R3 acts as the router that provides the DHCP service and NAT address translation toward the public network. The following parameters need to be configured.
R3 (config) # int fa0/0
R3 (config-if) # ip add 255.0.0.1 255.255.255.0
R3 (config-if) # no shut // configure the interface IP address and activate it
R3 (config) # int fa0/1
R3 (config-if) # ip add 192.168.10.1 255.255.255.0
R3 (config-if) # no shut // configure the interface IP address and activate it
R3 (config) # ip route 0.0.0.0 0.0.0.0 255.0.0.2 // configure the default route toward the public network
R3 (config) # ip dhcp pool zhang // configure DHCP Parameters
R3 (dhcp-config) # network 192.168.10.0 255.255.255.0 // assign a network segment
R3 (dhcp-config) # default-router 192.168.10.1 // DHCP default Gateway
R3 (dhcp-config) # dns 8.8.8.8 // default DNS address configured by DHCP
R3 (dhcp-config) # lease 8 // lease time of the DHCP service
R3 (dhcp-config) # ex // The following standard access control list selects the traffic to be translated by NAT
R3 (config) # access-list 1 permit 192.168.10.0 0.0.0.255
R3 (config) # ip nat inside source list 1 interface fa0/0 overload // PAT (port multiplexing): translate to the address of the public-network egress interface
R3 (config) # int fa0/0
R3 (config-if) # ip nat outside // this interface is the NAT outside (egress) direction
R3 (config) # int fa0/1
R3 (config-if) # ip nat inside // this interface is the NAT inside (entry) direction
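The two slips most likely in the R3 block are a wildcard mask typed with three octets and a NAT rule that references the wrong ACL. The following Python script is an added example, not part of the original walkthrough and not a Cisco tool: it parses a constructed copy of R3's NAT and DHCP lines, converts IOS wildcard (inverse) masks to prefixes, and reports whether the ACL referenced by the PAT rule parses and covers the DHCP pool. The config text, the extra access-list 2 and the function names are this example's own.

```python
import ipaddress
import re

# Constructed excerpt in the shape of R3's running-config. The lines mirror
# the walkthrough; access-list 2 is added here with the malformed
# three-octet wildcard that is easy to type by mistake.
R3_CONFIG = """\
ip dhcp pool zhang
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 2 permit 192.168.10.0 0.0.255
ip nat inside source list 1 interface fa0/0 overload
"""

ACL_RE = re.compile(r"^access-list (\d+) permit (\S+) (\S+)$")
POOL_NET_RE = re.compile(r"^\s*network (\S+) (\S+)$")
NAT_RE = re.compile(r"^ip nat inside source list (\d+) ")


def wildcard_to_network(addr, wildcard):
    """IOS standard ACLs take a wildcard (inverse) mask: 0 bits must match.
    Raises ValueError for a malformed or non-contiguous wildcard."""
    wc = int(ipaddress.IPv4Address(wildcard))          # "0.0.255" fails here
    netmask = ipaddress.IPv4Address((~wc) & 0xFFFFFFFF)  # invert to a subnet mask
    # ipaddress rejects a mask whose ones are not contiguous (e.g. 255.0.255.0)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)


def audit_pat(config_text):
    """Return human-readable findings for the PAT rule: the referenced ACL
    must parse, and it must cover the DHCP pool it is supposed to translate."""
    acls, pool_net, nat_list, findings = {}, None, None, []
    for line in config_text.splitlines():
        m = ACL_RE.match(line)
        if m:
            num, addr, wc = m.groups()
            try:
                acls[num] = wildcard_to_network(addr, wc)
            except ValueError as exc:
                findings.append(f"access-list {num}: bad wildcard {wc!r} ({exc})")
            continue
        m = POOL_NET_RE.match(line)
        if m:
            pool_net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            continue
        m = NAT_RE.match(line)
        if m:
            nat_list = m.group(1)
    if nat_list is None:
        findings.append("no 'ip nat inside source list' rule found")
    elif nat_list not in acls:
        findings.append(f"NAT rule references access-list {nat_list}, which is missing or unparsable")
    elif pool_net is not None and not pool_net.subnet_of(acls[nat_list]):
        findings.append(f"access-list {nat_list} ({acls[nat_list]}) does not cover DHCP pool {pool_net}")
    return findings


if __name__ == "__main__":
    for finding in audit_pat(R3_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the constructed text, the script reports only access-list 2 as malformed; switch the NAT rule to list 2 and it also reports that the PAT rule points at an unusable ACL, which is exactly the situation where the inside hosts silently lose Internet access.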
The following is the configuration of the ASA firewall.
ASA (config) # int e0/0
ASA (config-if) # ip add 192.168.20.1 255.255.255.0
ASA (config-if) # no shut // configure the interface IP address and activate it
ASA (config-if) # nameif inside // name the interface inside (internal area)
ASA (config) # int e0/1
ASA (config-if) # ip add 10.0.0.1 255.255.255.0
ASA (config-if) # no shut
ASA (config-if) # nameif outside // This interface is in the external outside area
ASA (config) # route outside 0 0 10.0.0.2 // configure a default route
After the above configuration is complete, start the VM; remember to set its connection NIC to VMnet1. Then open a command prompt and ping the IP address of the peer interface to check basic connectivity. This is the prerequisite for the rest of the experiment: test now, and if the test fails, troubleshoot at this stage. Otherwise faults only surface after all the configuration is complete, and it is much harder to isolate the problem then.

Next, configure the VPN encrypted tunnel.
ASA (config) # crypto isakmp enable outside // enable ISAKMP/IKE (Internet Security Association and Key Management Protocol / Internet Key Exchange) on the outside interface
ASA (config) # crypto isakmp policy 1 // define ISAKMP policy 1 for the management connection (IKE phase 1)
ASA (config-isakmp-policy) # encryption 3des // encryption algorithm
ASA (config-isakmp-policy) # hash sha // hash algorithm (SHA-1) for the management connection
ASA (config-isakmp-policy) # authentication pre-share // authenticate peers with a pre-shared key
ASA (config-isakmp-policy) # group 2 // specify the DH key group
ASA (config-isakmp-policy) # lifetime 120 // lifetime of the IKE SA in seconds
ASA (config) # username zhangsan password 123123 // create the username and password the client uses to log in to the internal LAN
ASA (config) # ip local pool benet-pool 192.168.20.50-192.168.20.80 // define the IP address range assigned to clients
ASA (config) # access-list split-acl permit ip 192.168.20.0 255.255.255.0 any // define the internal network that is reached through the tunnel
ASA (config) # group-policy test-group internal // the policy is defined locally on the ASA
ASA (config) # group-policy test-group attributes // define group policy attributes
ASA (config-group-policy) # split-tunnel-policy tunnelspecified // only traffic matching the ACL is sent through the tunnel (split tunneling)
ASA (config-group-policy) # split-tunnel-network-list value split-acl // reference the split-tunnel ACL
ASA (config-group-policy) # dns-server value 9.9.9 // DNS server address pushed to the client
ASA (config-group-policy) # split-dns value benet.com // domain that is resolved through the tunnel
ASA (config-group-policy) # exit
ASA (config) # tunnel-group benet-group type ipsec-ra // define the tunnel group and set its type to remote access
ASA (config) # tunnel-group benet-group general-attributes // specify general attributes
ASA (config-tunnel-general) # address-pool benet-pool // reference the address pool
ASA (config-tunnel-general) # default-group-policy test-group
ASA (config-tunnel-general) # exit // the above binds the group policy to the tunnel group
ASA (config) # tunnel-group benet-group ipsec-attributes
ASA (config-tunnel-ipsec) # pre-shared-key aaa123 // set the pre-shared key
ASA (config-tunnel-ipsec) # exit
ASA (config) # crypto ipsec transform-set benet-set esp-3des esp-sha-hmac // define the transform set (IPsec phase 2 encryption and integrity)
ASA (config) # crypto dynamic-map dymap 1 set transform-set benet-set // define the dynamic crypto map and reference the transform set
ASA (config) # crypto map stamap 1 ipsec-isakmp dynamic dymap // define the static crypto map and reference the dynamic map above
ASA (config) # crypto map stamap int outside // finally apply the crypto map to the outside interface. Double-check the configuration above before applying it.
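Since the address range and the split-tunnel ACL are where this configuration most often goes wrong, here is an added Python audit, not code from the page or from Cisco, that parses a hand-typed copy of the ASA lines above and checks three things: that the ISAKMP policy avoids algorithms this example treats as deprecated (the thresholds below are the example's own assumptions, not statements from the page), that the client pool does not include the inside interface address and lies in the inside subnet, and that the split-tunnel ACL covers the inside subnet so clients can actually reach R1. The config text and the function names are constructed for the example.

```python
import ipaddress
import re

# Constructed transcript of the ASA lines that matter for this audit; the
# values mirror the walkthrough but were typed here, not captured from a device.
ASA_CONFIG = """\
interface Ethernet0/0
 nameif inside
 ip address 192.168.20.1 255.255.255.0
interface Ethernet0/1
 nameif outside
 ip address 10.0.0.1 255.255.255.0
crypto isakmp policy 1
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 120
ip local pool benet-pool 192.168.20.50-192.168.20.80
access-list split-acl permit ip 192.168.20.0 255.255.255.0 any
"""

NAMEIF_RE = re.compile(r"^\s*nameif (\S+)$")
IFADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) (?:standard |extended )?permit (?:ip )?(\S+) (\S+)")
ISAKMP_RE = re.compile(r"^\s*(encryption|hash|authentication|group|lifetime) (\S+)$")

# Strength thresholds assumed by this example (not from the page).
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
MIN_DH_GROUP = 14


def parse_asa(text):
    """Collect interfaces, address pools, ACL networks and ISAKMP policy settings."""
    cfg = {"ifaces": {}, "pools": {}, "acls": {}, "isakmp": {}}
    current_if = None
    for line in text.splitlines():
        m = NAMEIF_RE.match(line)
        if m:
            current_if = m.group(1)
            continue
        m = IFADDR_RE.match(line)
        if m and current_if:
            cfg["ifaces"][current_if] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = POOL_RE.match(line)
        if m:
            cfg["pools"][m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                        ipaddress.IPv4Address(m.group(3)))
            continue
        m = ACL_RE.match(line)
        if m:
            net = ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}", strict=False)
            cfg["acls"].setdefault(m.group(1), []).append(net)
            continue
        m = ISAKMP_RE.match(line)
        if m:
            cfg["isakmp"][m.group(1)] = m.group(2)
    return cfg


def audit_easy_vpn(cfg, inside="inside", pool="benet-pool", split_acl="split-acl"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    ike = cfg["isakmp"]
    if ike.get("encryption") in WEAK_ENCRYPTION:
        findings.append(f"isakmp: encryption {ike['encryption']} is deprecated")
    if ike.get("hash") in WEAK_HASH:
        findings.append(f"isakmp: hash {ike['hash']} is deprecated")
    if ike.get("group") and int(ike["group"]) < MIN_DH_GROUP:
        findings.append(f"isakmp: DH group {ike['group']} is below group {MIN_DH_GROUP}")
    start, end = cfg["pools"][pool]
    if start > end:
        findings.append("pool: start address is above end address")
    inside_if = cfg["ifaces"].get(inside)
    if inside_if is not None:
        if start <= inside_if.ip <= end:
            findings.append("pool: range includes the inside interface address")
        if start not in inside_if.network or end not in inside_if.network:
            # a pool outside the LAN subnet works only if internal routers have a route to it via the ASA
            findings.append(f"pool: not within inside subnet {inside_if.network}; check internal routing")
        split_nets = cfg["acls"].get(split_acl, [])
        if not any(inside_if.network.subnet_of(n) for n in split_nets):
            findings.append(f"split tunnel: {split_acl} does not cover inside subnet {inside_if.network}")
    return findings


if __name__ == "__main__":
    for finding in audit_easy_vpn(parse_asa(ASA_CONFIG)) or ["no findings"]:
        print(finding)
```

On the constructed copy of the lab configuration the address checks pass and only the two algorithm findings remain (3DES and DH group 2), which is what you would expect from an old lab walkthrough; the same script flags a pool that swallows the inside interface address or a split ACL that names the wrong subnet, the two mistakes that leave the client connected but unable to reach the LAN.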
After the configuration is complete, install the VPN Client software, enter the parameters defined above, and click Save, as shown in the figure.

Click the saved connection entry, and then click Connect. In the prompt box, enter the username and password defined above (zhangsan in this example).

After the connection succeeds, open the CMD command line and run ipconfig to view the IP address assigned by the firewall's Easy VPN. Then use ping to verify whether the PC on the Internet and the internal LAN are interconnected (as long as they can communicate, it does not matter that no gateway address is shown for the VPN adapter).

Looking back, this experiment involves many commands whose principles are not obvious, so it takes time to understand and memorize them. In addition, the network address ranges and the ACL traffic definitions are common sources of error; pay special attention to them.