Basic steps for Easy VPN configuration:
1- First configure the ASA interface
* Interface name
* Security level
* IP address
* Enable crypto isakmp on the ASA
2- Configure the IP pool
* Pool name
* Range of IP addresses to be used in the pool
3- Configure user accounts
* Username
* Password
4- Define the ISAKMP policy
* Authentication
* Hash
* Encryption
* Group
5- Establish the IPsec transform set
* esp-des
* esp-md5-hmac
* esp-aes
* esp-sha-hmac
6- Configure the tunnel group
* Group name
* Group policies
7- Apply the crypto map to the outside interface
* Binding the map to the interface is what makes the ASA evaluate traffic on that interface against the IPsec policy and protect the remote-access sessions
Configuration of the ASA
ASA(config)# interface GigabitEthernet 0/1
ASA(config-if)# no shutdown
ASA(config-if)# nameif outside
(naming the interface "outside" gives it security level 0 by default)
ASA(config-if)# ip address 20.1.1.50 255.0.0.0
ASA(config-if)# exit
ASA(config)# crypto isakmp enable outside
(enable crypto isakmp on the outside interface)
ASA(config)# ip local pool poolname 30.1.1.1-30.1.1.50
(define the IP pool named poolname; it is assigned to the tunnel group below)
ASA(config)# route outside 0 0 20.0.0.0
(default route via the outside interface; the last argument must be the reachable next-hop gateway on the outside subnet)
ASA(config)# username Mark password Cisco
(define a username and password for the VPN user)
Now define the IKE policy on the ASA
ASA(config)# crypto isakmp policy 10
(10 is the isakmp policy priority number)
ASA(config-isakmp)# encryption des
(set DES as the encryption algorithm)
ASA(config-isakmp)# hash md5
(set MD5 as the hashing algorithm)
ASA(config-isakmp)# authentication pre-share
(use pre-shared key authentication)
ASA(config-isakmp)# group 2
(use Diffie-Hellman group 2)
ASA(config-isakmp)# exit
(exit from crypto isakmp mode)
ASA(config)# crypto ipsec transform-set ts2 esp-des esp-md5-hmac
(here the encryption is DES and the integrity hash is MD5-HMAC)
ASA(config)# crypto dynamic-map dmap 10 set transform-set ts2
(apply the transform set to the dynamic map)
ASA(config)# crypto map imap 10 ipsec-isakmp dynamic dmap
(reference the dynamic map dmap from the crypto map imap)
ASA(config)# tunnel-group marketing type ipsec-ra
(create a remote-access tunnel group for the marketing department)
ASA(config)# tunnel-group marketing general-attributes
ASA(config-general)# address-pool poolname
(assign the IP pool defined above to this group)
ASA(config-general)# exit
ASA(config)# tunnel-group marketing ipsec-attributes
ASA(config-ipsec)# pre-shared-key Cisco
(the pre-shared key the VPN client must present for this group)
ASA(config-ipsec)# exit
ASA(config)# crypto map imap interface outside
(apply the crypto map to the outside interface)
Now, to verify the secure tunnel, initiate a connection from the user's end with the Cisco VPN client; on the ASA, show crypto isakmp sa and show crypto ipsec sa confirm that the phase 1 and phase 2 security associations came up.
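Before dialing in, it is worth checking that the pieces above actually chain together (the pool named in the tunnel group exists, the transform set is referenced by the dynamic map, the dynamic map by the crypto map, and the crypto map is applied to an interface on which ISAKMP is enabled) and flagging the weak algorithms this walkthrough uses: DES, MD5 and Diffie-Hellman group 2 are no longer considered adequate. The script below is an added example, not part of the original post and not a Cisco tool. It parses running-config-style text in the command syntax shown above, using this post's configuration as a constructed sample, plus a hardened variant (AES-256, SHA HMAC, DH group 14) that is assumed here rather than taken from the post.

```python
"""Audit an ASA Easy VPN (IPsec remote-access) configuration for dangling
references and weak algorithms before testing it with the VPN client."""
import re

# Constructed sample: the configuration from this post in running-config form
# (sub-commands indented by one space, as 'show running-config' prints them).
PAGE_CONFIG = """\
crypto isakmp enable outside
ip local pool poolname 30.1.1.1-30.1.1.50
username Mark password Cisco
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set ts2 esp-des esp-md5-hmac
crypto dynamic-map dmap 10 set transform-set ts2
crypto map imap 10 ipsec-isakmp dynamic dmap
tunnel-group marketing type ipsec-ra
tunnel-group marketing general-attributes
 address-pool poolname
tunnel-group marketing ipsec-attributes
 pre-shared-key Cisco
crypto map imap interface outside
"""

# Assumed hardened variant (not from the post): AES-256, SHA HMAC, DH group 14.
HARDENED_CONFIG = (PAGE_CONFIG.replace(" encryption des", " encryption aes-256")
                   .replace(" hash md5", " hash sha")
                   .replace(" group 2", " group 14")
                   .replace("esp-des esp-md5-hmac", "esp-aes-256 esp-sha-hmac"))

WEAK_ALGORITHMS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
WEAK_DH_GROUPS = {"1", "2", "5"}


def parse_config(config):
    """Collect the named objects and the references between them."""
    s = {"pools": set(), "pool_refs": set(), "transform_sets": {}, "dyn_to_ts": {},
         "map_to_dyn": {}, "map_to_iface": {}, "isakmp_ifaces": set(), "policies": {}}
    policy = None  # priority of the isakmp policy block currently open, if any
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw[0].isspace():  # sub-command of the most recent top-level command
            if policy is not None:
                key, _, value = line.partition(" ")
                s["policies"][policy][key] = value
            elif line.startswith("address-pool "):  # inside tunnel-group general-attributes
                s["pool_refs"].add(line.split()[1])
            continue
        policy = None
        if m := re.match(r"ip local pool (\S+)", line):
            s["pools"].add(m[1])
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            s["transform_sets"][m[1]] = m[2].split()
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ set transform-set (\S+)", line):
            s["dyn_to_ts"][m[1]] = m[2]
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", line):
            s["map_to_dyn"][m[1]] = m[2]
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            s["map_to_iface"][m[1]] = m[2]
        elif m := re.match(r"crypto isakmp enable (\S+)", line):
            s["isakmp_ifaces"].add(m[1])
        elif m := re.match(r"crypto isakmp policy (\d+)", line):
            policy = m[1]
            s["policies"][policy] = {}
    return s


def audit_easy_vpn(config):
    """Return human-readable findings; an empty list means every reference
    resolves, the map is bound to an ISAKMP-enabled interface, and no weak
    algorithm is configured."""
    s, f = parse_config(config), []
    for ref in sorted(s["pool_refs"] - s["pools"]):
        f.append(f"tunnel-group references undefined address pool '{ref}'")
    for dmap, ts in s["dyn_to_ts"].items():
        if ts not in s["transform_sets"]:
            f.append(f"dynamic-map '{dmap}' references undefined transform-set '{ts}'")
    for cmap, dmap in s["map_to_dyn"].items():
        if dmap not in s["dyn_to_ts"]:
            f.append(f"crypto map '{cmap}' references undefined dynamic-map '{dmap}'")
        if cmap not in s["map_to_iface"]:
            f.append(f"crypto map '{cmap}' is never applied to an interface")
    for cmap, iface in s["map_to_iface"].items():
        if iface not in s["isakmp_ifaces"]:
            f.append(f"crypto map '{cmap}' is on '{iface}' but ISAKMP is not enabled there")
    for num, attrs in s["policies"].items():
        for key in ("encryption", "hash"):
            if attrs.get(key) in WEAK_ALGORITHMS:
                f.append(f"isakmp policy {num}: weak {key} '{attrs[key]}'")
        if attrs.get("group") in WEAK_DH_GROUPS:
            f.append(f"isakmp policy {num}: weak Diffie-Hellman group {attrs['group']}")
    for name, algs in s["transform_sets"].items():
        f.extend(f"transform-set '{name}': weak algorithm '{alg}'" for alg in algs if alg in WEAK_ALGORITHMS)
    return f


if __name__ == "__main__":
    for label, cfg in (("page config", PAGE_CONFIG), ("hardened config", HARDENED_CONFIG)):
        print(label, "->", audit_easy_vpn(cfg) or "no findings")
```

Run against the post's configuration it reports five findings, all about algorithm strength (the DES/MD5/group 2 policy and the esp-des/esp-md5-hmac transform set), while the reference chain from pool to tunnel group to crypto map to interface checks out; the hardened variant produces no findings. The parser understands only the command forms used in this post (the older crypto isakmp syntax), so extend the patterns before pointing it at a configuration that uses other commands.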
1 comment:
nice work, it's useful for those who work with VPN and proxy