You can check the tunnel with the following commands: Check the VPN tunnelĪfter we create the mirror configuration on the branch office’s Cisco 881, next step is to check whether the VPN tunnel works by sending a ping from a workstation in the main office to a workstation at the branch office. If this won’t be done, the tunnel will be established, but packets will not be transmitted. Nat ( any,any) source static any any destination static NET_PRIVATE_IP NET_PRIVATE_IP no-proxy-arp description NO-NATĪccess-list NO-NAT extended permit ip any 10.0.0.0 255.0.0.0Īccess-list NO-NAT extended permit ip any 192.168.0.0 255.255.0.0Īccess-list NO-NAT extended permit ip any 172.16.0.0 255.240.0.0 If the Cisco ASA is used for user access to the Internet ( Dynamic NAT is configured to translate internal addresses to the outside), you need to prevent unneccessary translation of packets which should be routed to the private ip networks through the tunnel. Avoiding unneccessary translation (NO-NAT) Ikev1 pre-shared-key XXXXX Step 5. Routingĭirectly define the route to the branch LAN network through the outside interface and the gateway, provided by the ISP ( 1.1.1.1) : I recommend making it complex, no less than 50 symbols, using digits, letters and special characters.Īll the same but for IOS version greater than 9.0Ĭrypto map SECMAP 1 set ikev1 transform-set ESP-3DES-SHA It needs to be identical on both the Cisco ASA in the main office and the Cisco 881 at the branch office. Instead of XXXXX enter the key you wish to use for the VPN with the remote peer. Create the encryption policyĬreate the encryption policy, also known as a “ crypto map“, in which we will reference all the rules and encryption parameters that were created in steps 2 and 3:Ĭrypto map SECMAP 1 match address ACL_CRYPTO_DOĬrypto map SECMAP 1 set transform-set ESP-3DES-SHAĪpply the created policy to the outside interface:Ĭreate the encryption key that is exchanged between peers: Define the “interesting traffic” that should be encrypted and sent into the tunnelĬreate an access list named ACL_CRYPTO_DO, in which we define the traffic that needs to be encrypted into the VPN tunnel, this is called “interesting traffic” in Cisco. These parameters are identical to the ones used on the Cisco 881 router at the remote site:Ĭrypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmacĬrypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac Here we configure the encryption parameters for the VPN tunnel between the main office and the branch location and turn on the VPN on the outside interface. The inside interface for the internal LAN:
The IP addresses and other parameters are assigned directly to the physical interfaces Ethernet0 and Ethenet1 instead of the virtual VLAN interface. Since we are working on Cisco ASA 5510 model (as opposed to 5505), this configuration is slightly different than the one mentioned in the initial article.
Interface configuration checkįirst, let’s check that our firewall has correctly configured outside and inside interfaces.
If your ASA IOS version is older than 8.3 (you can check the current version with the “ sh ver” command), then turn off nat-control option for the ease of configuration: Internet access article: it is accessible for remote administration and the office LAN can reach the Internet. The firewall is already configured with the basic settings outlined in Cisco ASA. The process of configuring the Cisco 881 router has been described in the “second universal method” section for configuring VPN tunnels in the article Configuring VPN between two Cisco routers, so here we will focus only on configuring the Cisco ASA firewall. External static IP address is 2.2.2.2 /30.External static IP address is 1.1.1.2 /30.The task will again consist of connecting a main and a branch office through VPN, but this time the main office works on a Cisco ASA 5510 firewall instead of a Cisco 2800 router.Ĭisco ASA 5510 firewall in the main office This material follows up on the topic covered in the Configuring VPN between two Cisco routers, but is being dedicated an entirely separate article, since it deals explicitly with configuring Cisco ASA devices.
0 kommentar(er)
