krottokyo.blogg.se

2 lan 2 wan asa 5505 cisco how to

Cisco ASA 5500 Series appliances deliver IPsec and SSL VPN, firewall, and several other networking services on a single platform. Cisco ASA 5520, a member of the Cisco ASA 5500 Series, is shown in Figure 1 below.

Figure 1 Cisco Adaptive Security Appliance (ASA)

In this article, we will focus on site-to-site IPsec implementation between two Cisco ASA 5520 appliances, as shown in Figure 2. The outside interface of ASA1 is assigned a dynamic IP address by the service provider over DHCP, while the outside interface of ASA2 is configured with a static IP address. Basic IP address configuration and connectivity exist, and we will build the IPsec configuration on top of this. Although this tutorial was tested on an ASA 5520, the configuration commands are exactly the same on the other ASA models.

Figure 2 Cisco ASA-ASA IPsec Implementation

IP Security (IPsec) can use Internet Key Exchange (IKE) for key management and tunnel negotiation. IKE involves a combination of ISAKMP/Phase 1 and IPsec/Phase 2 attributes that are negotiated between peers. If any one of these attributes is misconfigured, the IPsec tunnel fails to establish. Therefore, it is mandatory to make sure that all these parameters are identical on the two appliances we are using as IPsec peers. We will start with a preconfiguration checklist to make our life easier. This checklist serves as a reference for configuration and troubleshooting.

Table 1 Configuration Checklist: ISAKMP/Phase-1 Attributes

ASA1 (dynamic outside address), static crypto map pointing at the static address of ASA2:

access-list RED permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map VPN-MAP 10 set peer 173.199.183.2
crypto map VPN-MAP 10 set ikev1 transform-set ESP-AES128-SHA

ASA2 (static outside address), dynamic crypto map because the address of ASA1 is not known in advance:

access-list BLUE permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto dynamic-map DYN-MAP 20 match address BLUE (OPTIONAL)
crypto dynamic-map DYN-MAP 20 set ikev1 transform-set ESP-AES128-SHA
crypto map VPN-MAP 10 ipsec-isakmp dynamic DYN-MAP
! Define the pre-shared key within the dynamic map tunnel group
tunnel-group DefaultL2LGroup ipsec-attributes

The above commands conclude the IPsec VPN configuration. However, if we have NAT in our network (which is true most of the time), we still have some way to go. We must configure NAT exemption for VPN traffic. That is, traffic that will pass through the VPN tunnel (i.e. traffic between the LAN networks 192.168.1.0/24 and 10.0.0.0/24) must be excluded from the NAT operation.

ASA1(config)# object network internal-lan
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
! Configure Port Address Translation (PAT) using the outside ASA interface. This will perform dynamic NAT on internal LAN hosts so that they can access the Internet.
ASA1(config-network-object)# nat (inside,outside) dynamic interface
ASA1(config-network-object)# subnet 10.0.0.0 255.255.255.0
! Exclude traffic from LAN1 to LAN2 from NAT operation
ASA1(config)# nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote

ASA2(config)# object network internal-lan
ASA2(config-network-object)# subnet 10.0.0.0 255.255.255.0
ASA2(config-network-object)# nat (inside,outside) dynamic interface
ASA2(config-network-object)# subnet 192.168.1.0 255.255.255.0
! Exclude traffic from LAN2 to LAN1 from NAT operation
ASA2(config)# nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote

At this point our IPsec configuration is complete. We can generate some traffic from a host in subnet 192.168.1.0/24 connected to ASA1 to a host in subnet 10.0.0.0/24 connected to ASA2.
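As an added check, not part of the tutorial, the following Python script parses constructed config excerpts modelled on the ASA1/ASA2 snippets and verifies the three things that must line up before the tunnel will pass traffic: mirrored crypto ACLs, identical Phase-2 transform sets, and an identity NAT rule exempting tunnel traffic. The excerpts are constructed, and ASA2's transform-set definition line is assumed, since the tutorial only shows it being referenced.

```python
import re
from ipaddress import ip_network

# Constructed excerpts modelled on the tutorial's ASA1/ASA2 snippets; ASA2's transform-set line is assumed.
ASA1 = """
access-list RED permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map VPN-MAP 10 set peer 173.199.183.2
crypto map VPN-MAP 10 set ikev1 transform-set ESP-AES128-SHA
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
"""
ASA2 = """
access-list BLUE permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYN-MAP 20 match address BLUE
crypto dynamic-map DYN-MAP 20 set ikev1 transform-set ESP-AES128-SHA
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
TS_RE = re.compile(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$", re.M)
REF_RE = re.compile(r"^crypto (?:dynamic-)?map \S+ \d+ set ikev1 transform-set (\S+)$", re.M)
# Identity ("twice") NAT: source and destination objects are translated to themselves.
EXEMPT_RE = re.compile(r"^nat \(\S+\) source static (\S+) \1 destination static (\S+) \2$", re.M)

def crypto_acl(cfg, name):
    """(source, destination) network pairs permitted by the named crypto ACL."""
    return {(ip_network(f"{s}/{sm}"), ip_network(f"{d}/{dm}"))
            for n, s, sm, d, dm in ACL_RE.findall(cfg) if n == name}

def used_transform_sets(cfg):
    """Algorithm tuples of every transform-set a (dynamic) crypto map references; None if undefined."""
    defined = {n: tuple(algs.split()) for n, algs in TS_RE.findall(cfg)}
    return {defined.get(n) for n in REF_RE.findall(cfg)}

def check_peers(cfg_a, acl_a, cfg_b, acl_b):
    """Return a list of mismatches between the two peers; an empty list means they agree."""
    findings = []
    mirrored_b = {(d, s) for s, d in crypto_acl(cfg_b, acl_b)}
    if crypto_acl(cfg_a, acl_a) != mirrored_b:
        findings.append("crypto ACLs are not mirror images of each other")
    if used_transform_sets(cfg_a) != used_transform_sets(cfg_b):
        findings.append("Phase-2 transform sets differ between peers")
    for label, cfg in (("ASA1", cfg_a), ("ASA2", cfg_b)):
        if None in used_transform_sets(cfg):
            findings.append(f"{label}: crypto map references an undefined transform set")
        if not EXEMPT_RE.search(cfg):
            findings.append(f"{label}: no identity NAT rule exempting tunnel traffic")
    return findings
```

Running check_peers(ASA1, "RED", ASA2, "BLUE") on the excerpts above returns an empty list; changing one side's ESP hash or replacing the identity NAT rule produces a named finding for that side.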





