Sunday, 19 July 2009
ASA-ASA VPN: One Static & One Dynamic address
HP side config for the VPN (HP has the static outside address, 10.0.0.1, and accepts the dynamically addressed ST peer through a dynamic crypto map)
!--- Make an access list for the interesting (VPN) traffic, which will be exempt from NAT
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 Southl 255.255.255.0
!--- First attempt, kept commented out for reference:
!--- global (outside) 1 interface
!--- nat (inside) 0 access-list inside_nat0_outbound
!--- Second attempt, which is the one in use:
nat (inside) 0 access-list inside_nat0_outbound
!--- All other traffic is NAT'ed
nat (inside) 1 0.0.0.0 0.0.0.0
!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.
!--- 3DES encryption with the MD5 HMAC is used.
crypto ipsec transform-set router-set esp-3des esp-md5-hmac
!--- Defines a dynamic crypto map with
!--- the specified encryption settings.
crypto dynamic-map cisco 1 set transform-set router-set
!--- Enable Reverse Route Injection (RRI), which allows the Security Appliance
!--- to learn routing information for connected clients.
crypto dynamic-map cisco 1 set reverse-route
!--- Binds the dynamic map to the IPsec/ISAKMP process.
crypto map dyn-map 10 ipsec-isakmp dynamic cisco
!--- Specifies the interface to be used with
!--- the settings defined in this configuration.
crypto map dyn-map interface outside
!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses isakmp policy 10.
!--- Policy 65535 is included in the config by default.
!--- The configuration commands here define the Phase
!--- 1 policy parameters that are used.
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!--- The security appliance provides a default tunnel group for LAN-to-LAN
!--- access (DefaultL2LGroup); because the remote peer's address is dynamic it lands
!--- in this group, so configure its pre-shared key (cisco123 in this example)
!--- to authenticate the remote ASA.
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
!--- Create an ACL applied as a vpn-filter, so only traffic between the two LANs can pass through the tunnel
access-list acl1 extended permit ip 192.168.100.0 255.255.255.0 Southl 255.255.255.0
access-list acl1 extended permit ip Southl 255.255.255.0 192.168.100.0 255.255.255.0
group-policy DfltGrpPolicy attributes
vpn-filter value acl1
vpn-tunnel-protocol IPSec l2tp-ipsec
========================
ST side config (ST has the dynamic outside address, so it must initiate the tunnel to HP's static 10.0.0.1)
This can be done via the ASDM wizard as well.
!--- Create the ACLs: crypto (interesting traffic), NAT exemption, and the vpn-filter
access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 haynes 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 haynes 255.255.255.0
access-list hp_vpn extended permit ip 192.168.200.0 255.255.255.0 haynes 255.255.255.0
access-list hp_vpn extended permit ip haynes 255.255.255.0 192.168.200.0 255.255.255.0
!--- No NAT on VPN traffic; everything else is PAT'ed to the outside interface address
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
!--- Set the route to the remote LAN via the HP peer
route outside haynes 255.255.255.0 10.0.0.1 1
!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.
!--- 3DES encryption with the MD5 HMAC is used, the same as on the HP side.
!--- Transform set referenced by the crypto map below (the ASDM wizard creates it under this name)
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 10.0.0.1
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses isakmp policy 10.
!--- Policy 65535 is included in the config by default.
!--- The configuration commands here define the Phase
!--- 1 policy parameters that are used.
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
!--- Group policy that applies the vpn-filter ACL
group-policy HP internal
group-policy HP attributes
vpn-filter value hp_vpn
vpn-tunnel-protocol IPSec
!--- Tunnel group for the connection, keyed on the HP peer's static address
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 general-attributes
default-group-policy HP
tunnel-group 10.0.0.1 ipsec-attributes
pre-shared-key *
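The three things that most often break a tunnel like this, or leak cleartext, are crypto ACLs that are not mirror images of each other (Phase 2 proxy-ID mismatch), crypto traffic that is not exempted from NAT, and a vpn-filter that only permits one direction. The following added example (not from the original post) parses the `access-list ... extended permit ip` lines from both sides above and checks all three. The networks behind the `name` entries Southl and haynes are assumptions, as is the broken variant used to show a detected mismatch.

```python
"""Added example (not from the original post): sanity checks for the
ASA-to-ASA L2L VPN configs above. It parses 'access-list ... extended permit ip'
lines and verifies the three things that most often break such a tunnel or
leak cleartext: proxy IDs must mirror each other, crypto traffic must be
exempt from NAT (nat 0), and the vpn-filter must allow both directions."""
import ipaddress
import re

# ASSUMPTION: the networks behind the ASA 'name' entries used on the page.
NAMES = {"Southl": "192.168.200.0", "haynes": "192.168.100.0"}

ACL_RE = re.compile(
    r"access-list\s+(?P<acl>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$"
)


def _net(host, mask):
    """Turn 'host mask' (host may be a 'name') into an ip_network."""
    return ipaddress.ip_network(f"{NAMES.get(host, host)}/{mask}", strict=False)


def parse_acls(config_text):
    """Return {acl_name: [(src_net, dst_net), ...]} from ASA config text.
    Comment lines ('!') and anything that is not a 'permit ip' ACE are ignored."""
    acls = {}
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m["acl"], []).append(
                (_net(m["src"], m["smask"]), _net(m["dst"], m["dmask"])))
    return acls


def mirrors(local, remote):
    """Phase 2 proxy IDs agree only when remote == local with src/dst swapped."""
    return {(d, s) for s, d in local} == set(remote)


def nat_exempt_covers(crypto, nat0):
    """Each crypto ACE must fall inside some nat0 ACE; otherwise PAT rewrites
    the source before encryption and the packet never matches the tunnel."""
    return all(any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0)
               for s, d in crypto)


def filter_allows_both_ways(crypto, vpn_filter):
    """The page lists both directions in its vpn-filter ACLs, so require a
    forward and a reverse ACE for every crypto pair."""
    allowed = set(vpn_filter)
    return all((s, d) in allowed and (d, s) in allowed for s, d in crypto)


def check_l2l(static_side, dynamic_side):
    """Run the checks for the page's topology: the static (HP) side uses a
    dynamic crypto map with no crypto ACL, so its nat0 ACL stands in for one."""
    hp, st = parse_acls(static_side), parse_acls(dynamic_side)
    crypto = st["outside_1_cryptomap"]
    return {
        "proxy_ids_mirror": mirrors(crypto, hp["inside_nat0_outbound"]),
        "st_nat_exempt": nat_exempt_covers(crypto, st["inside_nat0_outbound"]),
        "st_filter_ok": filter_allows_both_ways(crypto, st["hp_vpn"]),
        "hp_filter_ok": filter_allows_both_ways(
            [(d, s) for s, d in crypto], hp["acl1"]),
    }


# Constructed sample input: the ACL lines from the two configs on the page.
HP_CONFIG = """
!--- static side
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 Southl 255.255.255.0
access-list acl1 extended permit ip 192.168.100.0 255.255.255.0 Southl 255.255.255.0
access-list acl1 extended permit ip Southl 255.255.255.0 192.168.100.0 255.255.255.0
"""
ST_CONFIG = """
!--- dynamic side
access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 haynes 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 haynes 255.255.255.0
access-list hp_vpn extended permit ip 192.168.200.0 255.255.255.0 haynes 255.255.255.0
access-list hp_vpn extended permit ip haynes 255.255.255.0 192.168.200.0 255.255.255.0
"""
# Constructed broken variant: a typo in the dynamic side's crypto ACL subnet.
ST_CONFIG_BAD = ST_CONFIG.replace(
    "outside_1_cryptomap extended permit ip 192.168.200.0",
    "outside_1_cryptomap extended permit ip 192.168.201.0")

if __name__ == "__main__":
    for label, cfg in (("good", ST_CONFIG), ("bad", ST_CONFIG_BAD)):
        print(label, check_l2l(HP_CONFIG, cfg))
```

Run it as-is to see every check pass for the page's ACLs and every check fail for the typo'd variant. Because the HP side relies on a dynamic crypto map, its NAT-exemption ACL is the only place its view of the interesting traffic is written down, which is why the mirror check compares ST's crypto ACL against it.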