ASA-ASA VPN: One Static & One Dynamic address
Cisco-Firewall blog, ashwinisidhu, 2009-07-19

[Diagram: HP-ST_VPN2.JPG, topology of the HP to ST site-to-site VPN]

The HP ASA is the side with the static outside address (10.0.0.1). Because it cannot know the ST peer's address in advance, it terminates the tunnel with a dynamic crypto map and the DefaultL2LGroup tunnel group. The ST ASA is the side with the dynamic address and uses an ordinary static crypto map that points at 10.0.0.1.

HP side config for the VPN

!--- Make an access list for the interesting traffic, which will be exempt from NAT
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 Southl 255.255.255.0

!--- try the second one
!--- global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound

!--- All other traffic is to be NAT'ed
nat (inside) 1 0.0.0.0 0.0.0.0

!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.
!--- Triple DES (3DES) encryption with the MD5 hash algorithm is used.
crypto ipsec transform-set router-set esp-3des esp-md5-hmac

!--- Define a dynamic crypto map with the specified encryption settings.
crypto dynamic-map cisco 1 set transform-set router-set

!--- Enable Reverse Route Injection (RRI), which allows the security appliance
!--- to learn routing information for connected clients.
crypto dynamic-map cisco 1 set reverse-route

!--- Bind the dynamic map to the IPsec/ISAKMP process.
crypto map dyn-map 10 ipsec-isakmp dynamic cisco

!--- Specify the interface to be used with the settings defined in this configuration.
crypto map dyn-map interface outside

!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses isakmp policy 10.
!--- Policy 65535 is included in the config by default.
!--- The commands here define the Phase 1 policy parameters that are used.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

!--- The security appliance provides a default tunnel group for LAN-to-LAN access
!--- (DefaultL2LGroup). Configure its pre-shared key (cisco123) to authenticate
!--- the remote peer.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *

!--- Create an ACL for more security; it is applied below as a vpn-filter
access-list acl1 extended permit ip 192.168.100.0 255.255.255.0 Southl 255.255.255.0
access-list acl1 extended permit ip Southl 255.255.255.0 192.168.100.0 255.255.255.0

group-policy DfltGrpPolicy attributes
 vpn-filter value acl1
 vpn-tunnel-protocol IPSec l2tp-ipsec

========================
ST side config

This can be done via the ASDM wizard as well.

!--- Create the useful ACLs
access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 haynes 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 haynes 255.255.255.0
access-list hp_vpn extended permit ip 192.168.200.0 255.255.255.0 haynes 255.255.255.0
access-list hp_vpn extended permit ip haynes 255.255.255.0 192.168.200.0 255.255.255.0

!--- No NAT on VPN traffic
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

!--- Set the route
route outside haynes 255.255.255.0 10.0.0.1 1

!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.
!--- Triple DES (3DES) encryption with the MD5 hash algorithm is used,
!--- the same as done for the HP side.
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 10.0.0.1
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside

!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses isakmp policy 10.
!--- Policy 65535 is included in the config by default.
!--- The commands here define the Phase 1 policy parameters that are used.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

!--- Group policy, and apply the ACL
group-policy HP internal
group-policy HP attributes
 vpn-filter value hp_vpn
 vpn-tunnel-protocol IPSec

!--- Tunnel group for the connection
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 general-attributes
 default-group-policy HP
tunnel-group 10.0.0.1 ipsec-attributes
 pre-shared-key *
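As an added example (not from the original post), a small Python audit of the two configurations above: it parses the ISAKMP policies and transform sets of each side, checks that the static-address side and the dynamic-address side agree on at least one Phase 1 policy (a mismatch here is the usual reason a tunnel never comes up), and lists the 3DES, MD5 and DH group 2 choices that this 2009 configuration relies on and that are deprecated today. The config excerpts are constructed from the post; the ST transform-set definition line and all function names are my own assumptions, since the post only references the name ESP-3DES-MD5.

```python
import re
# Constructed excerpts of the two ASA configs in the post (HP = static address
# side, ST = dynamic address side); the ST transform-set definition is assumed.
HP_SIDE = """\
crypto ipsec transform-set router-set esp-3des esp-md5-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
"""
ST_SIDE = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
"""
PHASE1_KEYS = ("authentication", "encryption", "hash", "group")
WEAK_IKE = {"des", "3des", "md5"}                   # deprecated IKE cipher/hash values
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}  # deprecated ESP transforms
def isakmp_policies(cfg):
    """Map each 'crypto isakmp policy <n>' block to its indented parameters."""
    policies, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            cur = policies.setdefault(int(m.group(1)), {})
        elif cur is not None and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            cur[key] = val
        else:  # any other top-level line ends the policy block
            cur = None
    return policies

def phase1_compatible(a, b):
    """True if the peers share at least one ISAKMP policy on the Phase 1 keys."""
    sigs = lambda c: {tuple(p.get(k) for k in PHASE1_KEYS) for p in isakmp_policies(c).values()}
    return bool(sigs(a) & sigs(b))

def weak_algorithms(cfg):
    """Sorted list of deprecated choices in use: DES/3DES, MD5, DH groups 1/2/5."""
    weak = set()
    for p in isakmp_policies(cfg).values():
        weak.update({p.get("encryption"), p.get("hash")} & WEAK_IKE)
        if p.get("group") in ("1", "2", "5"): weak.add("group " + p["group"])
    for m in re.finditer(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M):
        weak.update(set(m.group(1).split()) & WEAK_ESP)
    return sorted(weak)
```

Run against a `show running-config` capture from each peer instead of the embedded excerpts to get the same two answers for a live pair.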