Chapter 21. VPN Management Using ASDM

Site-to-Site VPN Setup Using Preshared Keys

To set up a site-to-site VPN tunnel, launch the VPN Wizard. The VPN Wizard guides you through an easy-to-follow set of configuration steps that results in a properly configured VPN tunnel.

Figure 21-2 illustrates a VPN topology between two sites, Chicago and London. The inside interface of Cisco ASA in Chicago is directly connected to the 192.168.10.0/24 subnet, while there is another inside network, 192.168.20.0/24, behind Router1. The public interface's IP address is 209.165.200.225/27, and the default route sends all traffic to the next-hop router toward the Internet. The ASDM client with an IP address of 172.18.124.100 is connected to the mgmt interface of the Cisco ASA, which has an IP address of 172.18.124.205.

Figure 21-2. Site-to-Site ASA Setup




Cisco ASA in London is set up in a similar way with two inside networks, 192.168.30.0/24 and 192.168.40.0/24. The public interface's IP address is 209.165.201.1/27.

Use the following configuration steps to set up Cisco ASA in Chicago for a site-to-site tunnel using preshared keys for IKE authentication:

Step 1. Launch the VPN Wizard by choosing Wizards > VPN Wizard, as shown in Figure 21-3.



Figure 21-3. Launching the VPN Wizard Through the Menu Bar




You can also launch the VPN Wizard by navigating to Configuration > Wizards > VPN.

ASDM launches the VPN Wizard with the option to choose a tunnel type. Click the Site-to-Site radio button, as shown in Figure 21-4.



Figure 21-4. Choosing the Site-to-Site Tunnel Type






Because the remote peer of the site-to-site VPN tunnel resides toward the outside interface of Cisco ASA, the Outside interface is chosen from the drop-down menu in the VPN Tunnel Interface field. Click Next to move to the Remote Site Peer window.

Step 2. Specify the peer's identity.

The VPN Wizard prompts you to specify peer information, such as its public IP address and ISAKMP authentication method. In the example, the public IP address of Cisco ASA in London is 209.165.201.1, as specified in the Peer IP Address field in Figure 21-5.



Figure 21-5. Site-to-Site ASA Setup




As mentioned in Chapter 15, "Site-to-Site IPSec VPNs," Cisco ASA supports two authentication methods: preshared keys and RSA signatures (PKI). In this topology, preshared keys are used to authenticate the VPN peer. The administrator has chosen to use cisco123 as the preshared secret key for peer authentication. That value is suitable only for a lab: the preshared key is the sole credential that authenticates the peer, so in production use a long, randomly generated key that is unique to each peer and is configured identically on both ends. Click Next to move to the IKE Policy window.

Step 3. Select the IKE policy.

Cisco ASA allows you to choose the IKE parameters such as the encryption and authentication types and the Diffie-Hellman (DH) group. In Figure 21-6, the administrator has selected 3DES for encryption, SHA for authentication, and DH group 2 for key generation. Click Next to move to the IPSec Encryption and Authentication window.



Figure 21-6. Selecting the IKE Policy






Note

It is recommended to use AES-256 as an encryption algorithm. However, AES is a new standard and is not supported by all VPN devices. Check with the remote VPN device administrator to confirm whether it supports this standard. That caveat dates the chapter: AES is now universally supported, while the 3DES, SHA-1 and 1024-bit DH group 2 choices shown in Figure 21-6 are all deprecated by current guidance. Select 3DES and group 2 only when a legacy peer leaves no alternative, and prefer AES-256 and DH group 14 or higher (with SHA-2 integrity where the peers' IKE implementation offers it) wherever both ends support them.

Step 4. Set up the IPSec transform set.

Configuring the IPSec transform set is accomplished by selecting an encryption and authentication algorithm. In Figure 21-7, the administrator has chosen 3DES for encryption and SHA for hash authentication. Click Next to move to the Local Hosts and Networks window.



Figure 21-7. Selecting the IPSec Transform Set




Step 5. Identify local networks.

Select the hosts/subnets or networks to be used as the local proxy during the IPSec negotiation. Cisco ASA recognizes all the local networks, if their routes are in the routing table. You can click the ... button to see a list of the local networks, as shown in Figure 21-8.



Figure 21-8. Selecting Networks from the List




Optionally, you may manually add an address in the IP Address field with the appropriate subnet mask. After you enter the IP address, click Add to move the address to the Selected Hosts/Networks pane, as illustrated in Figure 21-9. In this example, the administrator has added 192.168.10.0/24 and 192.168.20.0/24 as local networks.



Figure 21-9. Adding Selected Networks as the Local Proxy




Cisco ASA also allows you to specify the interface name or a tunnel group that identifies traffic. These options are rarely used in real-world site-to-site VPN deployments. Click Next to move to the next window.

Step 6. Define remote networks.

The Remote Hosts and Networks window allows you to identify the remote private network. This window looks very similar to the one in Step 5. In Figure 21-10, the administrator has identified two remote private networks: 192.168.30.0/24 and 192.168.40.0/24. The local and remote networks entered in Steps 5 and 6 become the proxy identities for the tunnel, and they must be the mirror image of what is configured on the London peer; if they do not match, phase 1 can complete while phase 2 (IPSec SA) negotiation fails. Click Next.



Figure 21-10. Adding Selected Networks as the Remote Proxy




Step 7. Verify the site-to-site configuration.

The last step in setting up a site-to-site VPN tunnel is to verify that all the parameters are accurate. If they look correct, click Finish to complete the VPN Wizard.



If the Preview Command Before Sending to the Device option is enabled on ASDM, the entire site-to-site configuration is displayed before being sent to the Cisco ASA. If the configuration looks accurate, click Send to push it to Cisco ASA. Example 21-1 shows the site-to-site configuration generated by ASDM. ASDM does not add comments, but they are added here for ease of understanding.

Example 21-1. Complete Site-to-Site Configuration Sent by ASDM

! Access-list to bypass Address Translation
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.40.0 255.255.255.0
! Access-list is linked to NAT 0
nat (inside) 0 access-list inside_nat0_outbound
! IPSec transform-set for data encryption
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Access-list to define interesting traffic for encryption
access-list outside_cryptomap_20 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.10.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
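The copy of Example 21-1 on this page ends at the crypto access list. What follows is an added example, not ASDM output and not part of the book, that writes out the CLI equivalent of all seven wizard steps for the Chicago ASA together with the mirror-image configuration the London ASA needs before the tunnel can come up, and shows the hardened algorithm choices from the Note beside the wizard's selections. It uses the `crypto isakmp` and `nat (inside) 0 access-list` syntax of the ASA 7.2 through 8.2 releases that match the chapter's output (ASA 8.3 replaced `nat 0` with object-based NAT exemption, and 8.4 renamed the IKEv1 commands to `crypto ikev1`). The crypto map name `outside_map`, the ISAKMP policy number 10 and the `crypto isakmp enable outside` line are assumptions about what the wizard emits; the addresses, access-list names and transform-set name come from Figure 21-2 and Example 21-1.

```text
! ===== Chicago ASA (outside 209.165.200.225/27) =====
! Step 3: IKE phase 1 policy.  Policy number 10 is an assumption.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! Hardened phase 1 alternative (both values exist in this release family):
!  encryption aes-256
!  group 5
!
! Step 2: peer identity and preshared key.  cisco123 is the book's lab value;
! in production use a long random key that is unique to this peer.
tunnel-group 209.165.201.1 type ipsec-l2l
tunnel-group 209.165.201.1 ipsec-attributes
 pre-shared-key cisco123
!
! Steps 5 and 6: local (Chicago) and remote (London) proxy identities.  The
! NAT exemption list must cover exactly the flows in the crypto list: a packet
! that is translated first no longer matches the crypto map and leaves the
! outside interface unencrypted toward the default route.
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.40.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list outside_cryptomap_20 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.10.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.20.0 255.255.255.0 192.168.40.0 255.255.255.0
!
! Step 4: IPsec phase 2 transform set, with the hardened alternative below it.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Step 1: bind policy, peer and proxy identities to the outside interface
! chosen in the wizard.  The map name outside_map is an assumption.
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 209.165.201.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

! ===== London ASA (outside 209.165.201.1/27): the mirror image =====
! Identical phase 1 policy, transform set and preshared key; the peer
! address and the source/destination of every access-list entry are swapped.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 209.165.200.225 type ipsec-l2l
tunnel-group 209.165.200.225 ipsec-attributes
 pre-shared-key cisco123
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list outside_cryptomap_20 extended permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.40.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.40.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 209.165.200.225
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
```

To confirm the tunnel, send traffic between any local and remote network and check both ends: `show crypto isakmp sa` should list the peer in state MM_ACTIVE, and `show crypto ipsec sa` should show the #pkts encaps and #pkts decaps counters incrementing for each of the four proxy pairs. Phase 1 up with no phase 2 SA is the classic symptom of proxy identities that do not mirror; packets that show up on the outside interface with the public source address instead of the 192.168.x.x address mean the NAT exemption list is missing an entry that the crypto list has.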


