Cisco VPN Lab Series:
Cisco VPN LAB 1 : Simple Easy VPN Example between Routers and Comparison with DMVPN
Cisco VPN LAB 2 : IPSec VPN Example Between Two ASA 8.4.2
Cisco VPN LAB 3 : EZ VPN Between ASA 8.4.2, IOS Router and EZVPN Client Software
1. Topology:
2. Configurations:
!=== start from a clean default configuration on ASA ===
configure factory-default 10.1.1.1 255.255.255.0
2.1 EZ VPN Server configuration
asa242-1(config)# sh run
ASA Version 8.4(2)
!
hostname asa242-1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif Internet
security-level 0
ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet1
nameif Internal
security-level 100
ip address 10.1.1.1 255.255.255.0
!
ftp mode passive
!Setup a split tunnel access-list in order to define traffic that will be routed over from the client side. This access-list will be pushed out to the client upon establishment of the VPN tunnel.
access-list EZVPN_SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
pager lines 24
mtu Internet 1500
mtu Internal 1500
! for VPN Software Clients to get an ip address
ip local pool remoteuserspool 10.10.230.5-10.10.230.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route Internet 22.22.22.0 255.255.255.0 1.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
!setup your Phase 2 parameters and apply it to the interface.
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
!by default xp vpn client will use following ipsec parameters
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map OUTDIDE_CRYPTO 65500 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map OUTDIDE_CRYPTO 65535 set ikev1 transform-set ESP-DES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic OUTDIDE_CRYPTO
crypto map OUTSIDE_MAP interface Internet
!setup the PHASE 1 encryption parameters.
crypto ikev1 enable Internet
crypto ikev1 policy 9
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
!by default xp vpn client will use following ikev1 isakmp parameters
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!Next you will need to define a group policy for the client. All of these settings will be pushed out to the client upon connecting to the VPN. Note the nem enable option on the last line, which turns on Network Extension Mode. You will also need the password-storage enable option to allow the client username to be stored on the device; otherwise you will be prompted for the username and password each time you establish the tunnel.
group-policy EZVPN1 internal
group-policy EZVPN1 attributes
dns-server value 10.3.128.7 10.1.0.92
vpn-tunnel-protocol ikev1 ikev2
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EZVPN_SPLIT_TUNNEL
default-domain value domain.local
secure-unit-authentication disable
user-authentication disable
nem enable
!Create a username that you will use on the client to connect to the server. As with the software VPN client, these are the user credentials supplied for additional (XAUTH) authentication.
username cisco password 3USUcOPFUiMCO4Jk encrypted
username EZVPN_USER password k.2ZLTNcTBoL6bHt encrypted
!
!Apply the group policy settings in a tunnel-group. This is where you enter the preshared key for your phase 1 authentication.
tunnel-group EZVPN1 type remote-access
tunnel-group EZVPN1 general-attributes
default-group-policy EZVPN1
tunnel-group EZVPN1 ipsec-attributes
ikev1 pre-shared-key *****
!
! tunnel group remoteusers will be used for remote xp vpn clients configuration
tunnel-group remoteusers type remote-access
tunnel-group remoteusers general-attributes
address-pool remoteuserspool
tunnel-group remoteusers ipsec-attributes
ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:f02ff90081d91a0971999b5ce038c737
: end
asa242-1(config)#
2.2 EZ VPN Client IOS Router:
R10#sh run
Building configuration...
Current configuration : 1609 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R10
!
boot-start-marker
boot-end-marker
!
security passwords min-length 1
!
no aaa new-model
clock timezone CET 1
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip source-route
!
ip cef
no ipv6 traffic interface-statistics
no ipv6 cef
!
multilink bundle-name authenticated
!
username cisco password 0 cisco
!
redundancy
!
crypto isakmp key cisco123 hostname asa242-1
!--- Set the parameters to connect to the
!--- appropriate Easy VPN group on the Easy VPN server.
crypto ipsec client ezvpn ez
 connect auto
 group EZVPN1 key cisco123
 mode network-extension
 peer 1.1.1.1
 username cisco password cisco
 xauth userid mode local
!--- Use the crypto ipsec client ezvpn <name> command on the
!--- interface that connects to the Easy VPN server
!--- in order to complete the Easy VPN.
interface Ethernet0/0
 ip address 1.1.1.3 255.255.255.0
 crypto ipsec client ezvpn ez
!
!--- Define the inside interfaces that will access
!--- and can be accessed via Easy VPN.
interface Ethernet0/1
 description inside
 ip address 10.10.10.10 255.255.255.0
 crypto ipsec client ezvpn ez inside
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
!
exception data-corruption buffer truncate
end
2.3 XP VPN Client Configuration:
2.4 Test
2.4.1 Ping tests between the hub and the spokes work fine.
2.4.2 Ping tests between spokes fail. The solution is in Note 3.3.
3. Notes:
3.1. The vpnclient command (Easy VPN client) only works on the ASA 5505 model; since the ASA VM emulates a 5520 or generic F1, that feature isn't available.
3.2. ESXi vSwitch Configuration. Promiscuous mode was used on my ESXi ASA VM's network card so it could communicate with the other VMs.
3.3. Enable Communication between Remote Sites.
By default with this configuration, traffic between spokes is dropped by the firewall, although traffic between the hub and the spokes works well. On the ASA, enter the following command:
same-security-traffic permit intra-interface
This command allows traffic to enter and leave the same interface (Internet), so spoke-to-spoke traffic works.