Sunday 19 July 2009

ASA-ASA VPN: One Static & One Dynamic address

HP side config for the VPN

!--- Make an access list for the interesting traffic, which will be exempt from NAT
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 Southl 255.255.255.0

!--- try the second one (left commented out; note these are two separate commands)
!--- global (outside) 1 interface
!--- nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 0 access-list inside_nat0_outbound

!--- All other traffic to be NAT'ed
nat (inside) 1 0.0.0.0 0.0.0.0


!--- PHASE 2 CONFIGURATION ---!

!--- The encryption types for Phase 2 are defined here.
!--- Triple DES (3DES) encryption with the MD5 HMAC is used.

crypto ipsec transform-set router-set esp-3des esp-md5-hmac

!--- Defines a dynamic crypto map with
!--- the specified encryption settings.


crypto dynamic-map cisco 1 set transform-set router-set

!--- Enable Reverse Route Injection (RRI), which allows the Security Appliance
!--- to learn routing information for connected clients.

crypto dynamic-map cisco 1 set reverse-route

!--- Binds the dynamic map to the IPsec/ISAKMP process.

crypto map dyn-map 10 ipsec-isakmp dynamic cisco

!--- Specifies the interface to be used with the settings defined in this configuration.

crypto map dyn-map interface outside

!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses isakmp policy 10.
!--- Policy 65535 is included in the config by default.
!--- The configuration commands here define the Phase
!--- 1 policy parameters that are used.

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400


!--- The security appliance provides a default tunnel group
!--- for LAN-to-LAN access (DefaultL2LGroup); configure the pre-shared key
!--- (cisco123, shown masked as * below) under it to authenticate the remote peer.

tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *


!--- Create an ACL to restrict what may cross the tunnel (applied below as a vpn-filter)

access-list acl1 extended permit ip 192.168.100.0 255.255.255.0 Southl 255.255.255.0

access-list acl1 extended permit ip Southl 255.255.255.0 192.168.100.0 255.255.255.0


group-policy DfltGrpPolicy attributes
vpn-filter value acl1
vpn-tunnel-protocol IPSec l2tp-ipsec




========================
ST side config

This can be done via the ASDM wizard as well.

!--- Create the ACLs used below (crypto ACL, NAT exemption and vpn-filter)

access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 haynes 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 haynes 255.255.255.0

access-list hp_vpn extended permit ip 192.168.200.0 255.255.255.0 haynes 255.255.255.0

access-list hp_vpn extended permit ip haynes 255.255.255.0 192.168.200.0 255.255.255.0

!--- No NAT on VPN traffic; all other inside traffic is PATed to the outside interface

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

!--- Set the route to the remote (haynes) network via the peer 10.0.0.1

route outside haynes 255.255.255.0 10.0.0.1 1

!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.
!--- Triple DES (3DES) encryption with the MD5 HMAC is used,
!--- the same as done on the HP side. The ESP-3DES-MD5 transform set
!--- referenced below must exist (the ASDM wizard creates it under this name):

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 10.0.0.1
crypto map outside_map 1 set transform-set ESP-3DES-MD5

crypto map outside_map 1 set security-association lifetime seconds 28800

crypto map outside_map 1 set security-association lifetime kilobytes 4608000

crypto map outside_map interface outside

!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses isakmp policy 10.
!--- Policy 65535 is included in the config by default.
!--- The configuration commands here define the Phase
!--- 1 policy parameters that are used.


crypto isakmp enable outside

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

!--- Group policy: apply the ACL as a vpn-filter

group-policy HP internal
group-policy HP attributes
vpn-filter value hp_vpn
vpn-tunnel-protocol IPSec

!--- Tunnel group for the connection (named after the HP peer address)

tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 general-attributes
default-group-policy HP
tunnel-group 10.0.0.1 ipsec-attributes
pre-shared-key *
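The following Python script is an added example, not part of the original post or either ASA's configuration. It embeds trimmed copies of the two configs above as constructed samples and audits them the way you would before putting such a tunnel into service: it flags the 3DES, MD5 and DH group 2 choices in both Phase 1 and Phase 2, and it checks that the ST crypto ACL is the mirror image of the HP nat0 ACL (the only statement of interesting traffic on the dynamic HP side) and that the ST nat0 ACL covers the ST crypto ACL, since traffic that is PATed never matches the tunnel. The two `name` lines that map Southl and haynes to the opposite site's LAN are an assumption; the post never shows how those objects are defined.

```python
"""Audit the two ASA site-to-site VPN configs for weak IKE/IPsec settings
and for mismatched interesting-traffic ACLs. Added example, not the post's own config."""
import re

ISAKMP_KEYS = {"authentication", "encryption", "hash", "group", "lifetime"}
WEAK_ENC = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH = {"1", "2", "5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}

# Constructed samples trimmed from the page's two configs. The `name` lines are
# an ASSUMPTION: the post never defines Southl or haynes; each is taken to be
# the other site's LAN.
HP_CONFIG = """
name 192.168.200.0 Southl
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 Southl 255.255.255.0
crypto ipsec transform-set router-set esp-3des esp-md5-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
"""

ST_CONFIG = """
name 192.168.100.0 haynes
access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 haynes 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 haynes 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
"""


def config_lines(config):
    """Yield non-empty, non-comment lines with surrounding whitespace removed."""
    for raw in config.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):
            yield line


def parse_names(config):
    """Map ASA `name` objects (name <ip> <label>) to their addresses."""
    names = {}
    for line in config_lines(config):
        m = re.match(r"name (\S+) (\S+)$", line)
        if m:
            names[m.group(2)] = m.group(1)
    return names


def parse_isakmp(config):
    """Return {priority: {keyword: value}} for each `crypto isakmp policy N` block."""
    policies, current = {}, None
    for line in config_lines(config):
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        kv = line.split()
        if current is not None and len(kv) == 2 and kv[0] in ISAKMP_KEYS:
            current[kv[0]] = kv[1]
        else:
            current = None  # any other top-level command ends the policy block
    return policies


def parse_transform_sets(config):
    """Return {name: [transforms]} from `crypto ipsec transform-set` lines."""
    sets = {}
    for line in config_lines(config):
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            sets[m.group(1)] = m.group(2).split()
    return sets


def parse_acl(config, acl_name):
    """Return (src, dst) network pairs of an `extended permit ip` ACL, names resolved."""
    names = parse_names(config)
    pat = re.compile(rf"access-list {re.escape(acl_name)} extended permit ip (\S+) (\S+) (\S+) (\S+)$")
    pairs = []
    for line in config_lines(config):
        m = pat.match(line)
        if m:
            src, smask, dst, dmask = m.groups()
            pairs.append((f"{names.get(src, src)}/{smask}", f"{names.get(dst, dst)}/{dmask}"))
    return pairs


def weak_settings(config):
    """List findings for weak Phase 1 (ISAKMP) and Phase 2 (IPsec) choices."""
    findings = []
    for prio, p in parse_isakmp(config).items():
        if p.get("encryption") in WEAK_ENC:
            findings.append(f"isakmp policy {prio}: weak encryption {p['encryption']}")
        if p.get("hash") in WEAK_HASH:
            findings.append(f"isakmp policy {prio}: weak hash {p['hash']}")
        if p.get("group") in WEAK_DH:
            findings.append(f"isakmp policy {prio}: weak DH group {p['group']}")
    for name, transforms in parse_transform_sets(config).items():
        weak = [t for t in transforms if t in WEAK_TRANSFORMS]
        if weak:
            findings.append(f"transform-set {name}: weak transforms {' '.join(weak)}")
    return findings


def mirrored(local_pairs, remote_pairs):
    """True when every (src, dst) on one side appears as (dst, src) on the other."""
    return set(local_pairs) == {(dst, src) for src, dst in remote_pairs}


if __name__ == "__main__":
    for side, cfg in (("HP", HP_CONFIG), ("ST", ST_CONFIG)):
        for finding in weak_settings(cfg):
            print(f"[{side}] {finding}")
    st_crypto = parse_acl(ST_CONFIG, "outside_1_cryptomap")
    print("ST crypto ACL mirrors HP nat0 ACL:", mirrored(st_crypto, parse_acl(HP_CONFIG, "inside_nat0_outbound")))
    print("ST nat0 ACL covers ST crypto ACL:", set(st_crypto) <= set(parse_acl(ST_CONFIG, "inside_nat0_outbound")))
```

Run against a real `show running-config` by pasting it in place of the samples; on a live box the `name` lines are in the output, so the assumption above disappears. A mismatch in `mirrored` is the classic cause of a tunnel that comes up but passes traffic in only one direction, and a nat0 ACL that does not cover the crypto ACL is the classic cause of a tunnel that never comes up at all.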
