Saturday, October 16, 2021

Site-to-Site IPsec (IKEv1) Configuration: ASA to Cisco IOS Router

The two peers below build an IKEv1/IPsec LAN-to-LAN tunnel. The ASA protects 10.1.100.0/24 behind its outside address 172.16.200.1; the IOS router protects 172.16.101.0/24 behind its outside address 172.16.202.1. The outside interfaces sit on different subnets, so each peer reaches the other through its default gateway (172.16.200.2 and 172.16.202.2). The IKE policy, pre-shared key, crypto ACL and transform set on one side must mirror the other side: a Phase 1 policy that differs stops IKE, and a crypto ACL that is not the exact reverse of the peer's stops Phase 2 even though IKE completes.

ASA Configuration
=================

Configure the ASA Interfaces
============================

!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.200.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.100.10 255.255.255.0
 no shutdown
!

Configure the IKEv1 Policy and Enable IKEv1 on the Outside Interface
====================================================================
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
crypto ikev1 enable outside

In this policy "encryption aes" is AES-128-CBC, "hash sha" is SHA-1 and "group 2" is 1024-bit MODP Diffie-Hellman. They are used here because they match what the router side negotiates, not because they are strong: on software that supports it, use group 14 or higher, and prefer IKEv2 with SHA-256 when both ends support it. The policy does nothing until IKEv1 is enabled on the interface facing the peer; without "crypto ikev1 enable outside" the ASA does not answer IKE on UDP/500.

Configure the Tunnel Group (LAN-to-LAN Connection Profile)
==========================================================
!
tunnel-group 172.16.202.1 type ipsec-l2l
tunnel-group 172.16.202.1 ipsec-attributes
 ikev1 pre-shared-key cisco123
!

For an IKEv1 LAN-to-LAN tunnel authenticated with a pre-shared key, the tunnel-group name must be the peer's outside IP address, because that is how the ASA looks up the key when the peer connects. "cisco123" is a placeholder: use a long random key that is unique to this peer, and configure the same value on the router.

Configure the ACL for the VPN Traffic of Interest
=================================================
!
object-group network local-network
 network-object 10.1.100.0 255.255.255.0
object-group network remote-network
 network-object 172.16.101.0 255.255.255.0
!
access-list asa-router-vpn extended permit ip object-group local-network object-group remote-network

This crypto ACL defines the Phase 2 proxy IDs: local 10.1.100.0/24, remote 172.16.101.0/24. The router's crypto ACL must be the exact reverse of it; if the networks or masks differ on either side, Phase 1 completes but the IPsec SA is never built.

Configure a NAT Exemption
=========================

nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup

This identity (twice) NAT rule keeps traffic between the two networks from being translated by any other NAT rule, so the packets still match the crypto ACL when they reach the crypto map. "no-proxy-arp" stops the ASA from answering ARP for the remote network on the inside segment, and "route-lookup" makes it choose the egress interface from the routing table instead of from the NAT rule's interface pair.

Configure the IKEv1 Transform Set
=================================

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac

The transform set is the Phase 2 proposal: ESP with AES-128-CBC encryption and HMAC-SHA-1 integrity. It must match a transform set offered by the router.

Configure a Crypto Map and Apply it to an Interface
===================================================

crypto map outside_map 10 match address asa-router-vpn
crypto map outside_map 10 set peer 172.16.202.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside

Sequence 10 ties the crypto ACL, the peer and the transform set together. An interface can carry only one crypto map, so further peers are added as further sequence numbers in the same map.

Configure the Default Route
===========================

route outside 0.0.0.0 0.0.0.0 172.16.200.2

Note the ASA syntax: "route <interface> <network> <mask> <gateway>", not the IOS "ip route" form.

=====================================================================

Cisco IOS Router Configuration
==============================

Configure the Interfaces
========================

interface GigabitEthernet0/0
 ip address 172.16.202.1 255.255.255.0
 no shutdown
 ip nat outside
!
interface GigabitEthernet2/0
 ip address 172.16.101.10 255.255.255.0
 no shutdown
 ip nat inside
!
 
Configure the ISAKMP (IKEv1) Policy
===================================
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!

Hash and lifetime are not set, so IOS uses its defaults (SHA-1 and 86400 seconds), which is what makes this policy match the ASA policy above. Encryption, hash, authentication method and DH group must match exactly for Phase 1 to succeed; the lifetime alone may differ, in which case the shorter value is used.

Configure a Crypto ISAKMP Key
=============================
!
crypto isakmp key cisco123 address 172.16.200.1
!

The key is bound to the ASA's outside address and must be identical to the pre-shared key in the ASA tunnel-group.
Configure an ACL for VPN Traffic of Interest
============================================

access-list 110 remark Interesting traffic access-list
access-list 110 permit ip 172.16.101.0 0.0.0.255 10.1.100.0 0.0.0.255

IOS ACLs use wildcard masks, so 0.0.0.255 here is the same /24 the ASA writes as 255.255.255.0. This ACL is the reverse of the ASA's asa-router-vpn ACL (local 172.16.101.0/24, remote 10.1.100.0/24), which is what Phase 2 requires.

Configure a NAT Exemption
=========================

access-list 111 remark NAT exemption access-list
access-list 111 deny   ip 172.16.101.0 0.0.0.255 10.1.100.0 0.0.0.255
access-list 111 permit ip 172.16.101.0 0.0.0.255 any

route-map nonat permit 10
 match ip address 111

ip nat inside source route-map nonat interface GigabitEthernet0/0 overload

The deny entry has to come first. VPN-bound traffic fails the route-map match and leaves the router untranslated, so it still matches access-list 110 and is encrypted; everything else from 172.16.101.0/24 is PAT'ed to the outside interface address.

Configure a Transform Set
=========================

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel

"mode tunnel" is the default and is shown only for clarity. The set matches the ASA's ESP-AES-SHA transform set (AES-128-CBC with HMAC-SHA-1).
 
Configure a Crypto Map and Apply it to an Interface
===================================================

crypto map outside_map 10 ipsec-isakmp
 set peer 172.16.200.1
 set transform-set ESP-AES-SHA
 match address 110
!
interface GigabitEthernet0/0
 crypto map outside_map

Configure the Default Route
===========================

ip route 0.0.0.0 0.0.0.0 172.16.202.2
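The mismatches that break a tunnel like this one are almost always in the Phase 1 policy, the crypto ACLs or the pre-shared key, and the settings that weaken it are the ones both sides above use. As an added example that is not part of the original post, the following Python script embeds the two configurations above as constructed sample input and audits them: it fills in the classic IOS ISAKMP defaults for attributes the router leaves unset, compares the Phase 1 policies, checks that the ASA crypto ACL and the IOS ACL are exact mirrors (converting wildcard masks), checks that the pre-shared keys agree, and flags SHA-1, DH groups below 14 and a short vendor-name PSK. The regular expressions assume the single-object-group ACL and single-line crypto ACL layout used on this page and would need extending for multi-entry configs; the function and constant names are this example's own.

```python
import ipaddress
import re

# Constructed sample input: the two configurations from this post, trimmed to the
# lines the audit reads. In practice paste `show running-config` from each device.
ASA_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 172.16.202.1 ipsec-attributes
 ikev1 pre-shared-key cisco123
object-group network local-network
 network-object 10.1.100.0 255.255.255.0
object-group network remote-network
 network-object 172.16.101.0 255.255.255.0
access-list asa-router-vpn extended permit ip object-group local-network object-group remote-network
crypto map outside_map 10 match address asa-router-vpn
"""
IOS_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 172.16.200.1
access-list 110 permit ip 172.16.101.0 0.0.0.255 10.1.100.0 0.0.0.255
crypto map outside_map 10 ipsec-isakmp
 match address 110
"""
# Classic IOS defaults for ISAKMP policy attributes that are left unset; the router
# config above omits hash and lifetime, so the defaults decide whether Phase 1 matches.
IOS_POLICY_DEFAULTS = {"authentication": "rsa-sig", "encryption": "des",
                       "hash": "sha", "group": "1", "lifetime": "86400"}

def phase1_policy(config, header):
    """Parse the first policy block that starts with `header` into a dict."""
    body = re.search(rf"^{header} \d+\n((?:[ \t].*\n)*)", config, re.M).group(1)
    policy = dict(IOS_POLICY_DEFAULTS) if header == "crypto isakmp policy" else {}
    for key, value in re.findall(r"^[ \t]+(\S+)[ \t]+(\S+)", body, re.M):
        policy["encryption" if key == "encr" else key] = value  # IOS abbreviates
    return policy

def weak_settings(policy):
    """Settings that still negotiate but that a current deployment should replace."""
    warnings = []
    if policy.get("encryption") in ("des", "3des"):
        warnings.append("cipher " + policy["encryption"])
    if policy.get("hash") in ("md5", "sha"):  # 'sha' is SHA-1 on both platforms
        warnings.append("hash " + policy["hash"])
    if int(policy.get("group", "1")) < 14:  # anything below 2048-bit MODP
        warnings.append("group " + policy.get("group", "1"))
    return warnings

def asa_proxy_ids(config):
    """(local, remote) networks selected by the ASA crypto map's crypto ACL."""
    acl = re.search(r"^crypto map \S+ \d+ match address (\S+)", config, re.M).group(1)
    names = re.search(rf"^access-list {acl} extended permit ip object-group (\S+) "
                      rf"object-group (\S+)", config, re.M).groups()
    nets = []
    for name in names:
        addr, mask = re.search(rf"^object-group network {name}\n network-object (\S+) (\S+)",
                               config, re.M).groups()
        nets.append(ipaddress.ip_network(f"{addr}/{mask}"))
    return tuple(nets)

def ios_proxy_ids(config):
    """(local, remote) networks from the numbered ACL the IOS crypto map matches."""
    acl = re.search(r"^ match address (\d+)", config, re.M).group(1)
    src, sw, dst, dw = re.search(rf"^access-list {acl} permit ip (\S+) (\S+) (\S+) (\S+)",
                                 config, re.M).groups()
    # ipaddress accepts an IOS wildcard (host) mask in place of a prefix length.
    return ipaddress.ip_network(f"{src}/{sw}"), ipaddress.ip_network(f"{dst}/{dw}")

def proxy_ids_mirror(asa_ids, ios_ids):
    """Phase 2 only completes if each side's (local, remote) is the other's reversed."""
    return asa_ids == (ios_ids[1], ios_ids[0])

def psk_is_weak(psk):
    """Short or vendor-name keys fall to a dictionary attack on a captured IKE exchange."""
    return len(psk) < 20 or "cisco" in psk.lower()

def audit(asa_config=ASA_CONFIG, ios_config=IOS_CONFIG):
    """Run every check and return the findings as a dict."""
    asa_p1 = phase1_policy(asa_config, "crypto ikev1 policy")
    ios_p1 = phase1_policy(ios_config, "crypto isakmp policy")
    asa_psk = re.search(r"^ ikev1 pre-shared-key (\S+)", asa_config, re.M).group(1)
    ios_psk = re.search(r"^crypto isakmp key (\S+) address", ios_config, re.M).group(1)
    return {
        # attribute names whose values differ once the IOS defaults are filled in
        "phase1_mismatches": sorted(k for k in set(asa_p1) | set(ios_p1)
                                    if asa_p1.get(k) != ios_p1.get(k)),
        "weak_phase1": sorted(set(weak_settings(asa_p1) + weak_settings(ios_p1))),
        "proxy_ids_mirror": proxy_ids_mirror(asa_proxy_ids(asa_config),
                                             ios_proxy_ids(ios_config)),
        "psk_match": asa_psk == ios_psk,
        "psk_weak": psk_is_weak(asa_psk),
    }

if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

Run against the configurations on this page it reports no Phase 1 mismatch, mirrored proxy IDs and matching keys, but flags DH group 2, SHA-1 and the weak pre-shared key. On the devices themselves, "show crypto ikev1 sa" on the ASA and "show crypto isakmp sa" and "show crypto ipsec sa" on the router show whether Phase 1 and Phase 2 actually came up once traffic matching the crypto ACLs has been sent.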
 
