2025-04-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
The earlier post "Cisco router to achieve IPSec virtual private network principle and configuration detailed explanation" gave a preliminary understanding of how an IPSec VPN works and how to implement it on a Cisco router. Do not assume that an IPSec VPN can only be built on a Cisco router; it can also be built on a Cisco ASA firewall. The principle is the same, but the configuration process differs slightly. This post mainly covers how to implement an IPSec VPN on a Cisco ASA firewall.
Blog outline:
I. Case extension
II. Case requirements
III. Case implementation
IV. The difference between Cisco firewall and Cisco router
V. Troubleshooting of IPSec VPN
I. Case extension
II. Case requirements
1. PC1 accesses PC3 through the IPSec VPN
2. PC1 can telnet to PC2
III. Case implementation
1) Basic settings of the ASA firewall
ASA(config)# int e0/0
ASA(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.   // the inside zone of a Cisco ASA has a default security level of 100
ASA(config-if)# ip add 192.168.1.1 255.255.255.0
ASA(config-if)# no sh
ASA(config-if)# int e0/1
ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.    // the outside zone has a default security level of 0
ASA(config-if)# ip add 100.1.1.1 255.255.255.0
ASA(config-if)# no sh
ASA(config)# route outside 0 0 100.1.1.2    // default route
ASA(config)# nat-control                     // every packet passing through the ASA must be translated by NAT
ASA(config)# nat (inside) 1 0 0
ASA(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool   // PAT: all inside addresses are translated to the outside interface address
2) Configure NAT exemption (nat 0 with ACL)
VPN traffic and NAT conflict to some extent. If hosts must reach both the Internet and the VPN, configure NAT exemption so that traffic destined for the VPN is not translated.
ASA(config)# access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ASA(config)# nat (inside) 0 access-list nonat   // nat-id 0 means NAT exemption, which has the highest priority
3) Enable ISAKMP
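The conflict just described, as an added example that is not part of the original post: a small Python model of the ASA's NAT order of operations, built from the nonat ACL above and from R2's crypto ACL 100 in the R2 configuration later in this post. The PAT address 100.1.1.1 (the outside interface) and the two ACL lines are copied from the post; the functions and the wildcard-to-mask conversion are my own. It shows that the nat 0 exemption is what keeps the packet's 192.168.1.x source address intact so that the crypto map still matches it, and that the two peers' crypto ACLs are mirror images of each other.

```python
import ipaddress
import re

# Constructed from the commands in this post: the ASA NAT exemption ACL
# (subnet masks) and R2's crypto ACL 100 (IOS wildcard masks).
ASA_NONAT_ACL = ("access-list nonat extended permit ip "
                 "192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0")
R2_CRYPTO_ACL = "access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"
ASA_OUTSIDE_IP = "100.1.1.1"   # PAT address from "global (outside) 1 interface"


def _prefix_len(mask):
    """Prefix length from a subnet mask (ASA) or a wildcard mask (IOS).
    A wildcard has its high bit clear, so invert it to get the subnet mask.
    (0.0.0.0 is read as the IOS host wildcard, i.e. /32.)"""
    bits = int(ipaddress.IPv4Address(mask))
    if not bits & 0x80000000:
        bits ^= 0xFFFFFFFF
    return bin(bits).count("1")


def parse_acl(line):
    """(src_network, dst_network) from a 'permit ip <src> <mask> <dst> <mask>' line."""
    src, src_mask, dst, dst_mask = re.findall(r"\d+\.\d+\.\d+\.\d+", line)[-4:]
    return (ipaddress.ip_network(f"{src}/{_prefix_len(src_mask)}", strict=False),
            ipaddress.ip_network(f"{dst}/{_prefix_len(dst_mask)}", strict=False))


def acl_matches(line, src, dst):
    """True when the src/dst pair falls inside the ACL's source and destination networks."""
    src_net, dst_net = parse_acl(line)
    return ipaddress.ip_address(src) in src_net and ipaddress.ip_address(dst) in dst_net


def source_after_nat(src, dst, nat_exempt=True):
    """Source address as the packet leaves the outside interface.
    'nat (inside) 0 access-list nonat' is checked first; everything else
    falls through to the nat/global PAT rule and takes the interface address."""
    if nat_exempt and acl_matches(ASA_NONAT_ACL, src, dst):
        return src
    return ASA_OUTSIDE_IP


def enters_tunnel(src, dst, nat_exempt=True):
    """The crypto map matches the same nonat ACL, but against the translated
    packet: without exemption the PAT address no longer falls in
    192.168.1.0/24, so the packet is not encrypted."""
    return acl_matches(ASA_NONAT_ACL, source_after_nat(src, dst, nat_exempt), dst)


def acls_mirror(asa_line, ios_line):
    """The crypto ACL on each peer must be the mirror image of the other's."""
    asa_src, asa_dst = parse_acl(asa_line)
    ios_src, ios_dst = parse_acl(ios_line)
    return asa_src == ios_dst and asa_dst == ios_src


if __name__ == "__main__":
    for dst in ("192.168.2.100", "11.1.1.100"):
        print(f"PC1 -> {dst}: source on the wire {source_after_nat('192.168.1.100', dst)}, "
              f"enters tunnel: {enters_tunnel('192.168.1.100', dst)}")
    print("crypto ACLs mirror each other:", acls_mirror(ASA_NONAT_ACL, R2_CRYPTO_ACL))
```

Running it with nat_exempt=False reproduces the failure the paragraph warns about: PC1's packets to 192.168.2.0/24 leave with source 100.1.1.1, no longer match the crypto ACL, and never enter the tunnel.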
On the router the ISAKMP/IKE protocol is enabled by default, but on the ASA firewall it is not! Enable it with the following command.
ASA(config)# crypto isakmp enable outside   // enable the ISAKMP/IKE protocol on the outside interface
4) Configure the management connection policy
ASA(config)# crypto isakmp policy 1                  // ISAKMP/IKE policy with sequence number 1; the lower the number, the higher the priority
ASA(config-isakmp-policy)# encryption aes            // AES encryption (the firewall does not allow DES by default)
ASA(config-isakmp-policy)# hash sha                  // SHA for data integrity
ASA(config-isakmp-policy)# authentication pre-share  // device authentication with a pre-shared key
ASA(config-isakmp-policy)# group 1                   // DH key group
5) Configure the pre-shared key
ASA(config)# crypto isakmp key 123456 address 200.1.1.2   // the key for peer 200.1.1.2 is 123456
Firewalls running software version 7.0 or later generally configure the key in a tunnel group.
6) Configure the Crypto ACL
In fact, the NAT exemption ACL can be reused as the crypto ACL, which is what this post's case does.
7) Configure the transform set
ASA(config)# crypto ipsec transform-set ASA-set esp-aes esp-sha-hmac   // the firewall must use ESP for encryption and authentication; AH is not supported
8) Configure the Crypto Map
The commands here differ slightly from the router's. They are as follows:
ASA(config)# crypto map ASA-map 1 match address nonat         // create crypto map ASA-map, sequence 1, and bind the ACL
ASA(config)# crypto map ASA-map 1 set peer 200.1.1.2          // the peer of ASA-map is 200.1.1.2
ASA(config)# crypto map ASA-map 1 set transform-set ASA-set   // bind the transform set ASA-set defined above
9) Apply the Crypto Map to the outside interface
ASA(config)# crypto map ASA-map interface outside
The firewall configuration is now basically complete!
10) R1 configuration
R1(config)# int f1/0
R1(config-if)# ip add 100.1.1.2 255.255.255.0
R1(config-if)# no sh
R1(config-if)# int f0/0
R1(config-if)# ip add 11.1.1.1 255.255.255.0
R1(config-if)# no sh
R1(config-if)# int f2/0
R1(config-if)# ip add 200.1.1.1 255.255.255.0
R1(config-if)# no sh   // R1 only needs IP addresses
11) R2 configuration
R2(config)# int f2/0
R2(config-if)# ip add 200.1.1.2 255.255.255.0
R2(config-if)# no sh
R2(config-if)# int f0/0
R2(config-if)# ip add 192.168.2.1 255.255.255.0
R2(config-if)# no sh
R2(config)# ip route 0.0.0.0 0.0.0.0 200.1.1.1   // default route
R2(config)# crypto isakmp policy 1
R2(config-isakmp)# encryption aes
R2(config-isakmp)# hash sha
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 1
R2(config-isakmp)# exit
R2(config)# crypto isakmp key 123456 address 100.1.1.1   // the encryption algorithm, authentication method, shared key and DH group must match the firewall's
R2(config)# access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255   // crypto ACL
R2(config)# crypto ipsec transform-set R2-set esp-aes esp-sha-hmac   // same as the firewall
R2(config)# crypto map R2-map 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R2(config-crypto-map)# set peer 100.1.1.1
R2(config-crypto-map)# set transform-set R2-set
R2(config-crypto-map)# match address 100
R2(config-crypto-map)# int f2/0
R2(config-if)# crypto map R2-map   // create the map, set the peer, bind the transform set and the ACL, then apply it to the outside interface; not covered in detail here
12) PC configuration
Configuration of PC1:
PC1(config)# int f0/0
PC1(config-if)# ip add 192.168.1.100 255.255.255.0
PC1(config-if)# no sh
PC1(config-if)# exit
PC1(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.1   // IP address and default route
Configuration of PC2:
PC2(config)# int f0/0
PC2(config-if)# ip add 11.1.1.100 255.255.255.0
PC2(config-if)# no sh
PC2(config)# ip route 0.0.0.0 0.0.0.0 11.1.1.1
PC2(config)# line vty 0 4
PC2(config-line)# pass 123456
PC2(config-line)# login   // default route and Telnet enabled
Configuration of PC3:
PC3(config)# int f0/0
PC3(config-if)# ip add 192.168.2.100 255.255.255.0
PC3(config-if)# no sh
PC3(config)# ip route 0.0.0.0 0.0.0.0 192.168.2.1   // IP address and default route
13) Verification
Verify on PC1:
PC1#telnet 11.1.1.100
Trying 11.1.1.100 ... Open
User Access Verification
Password:
PC2>   // Telnet login successful!
PC1#ping 192.168.2.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.100, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/75/112 ms   // PC1 reaches PC3 through the IPSec VPN
IV. The difference between Cisco firewall and Cisco router
Because the firewall runs its own software, its configuration commands differ in places from the router's, though the differences are not large.
1) Differences in default configuration
Cisco ASA firewalls and routers use different default parameters when establishing the management connection.
The default parameters used by the Cisco ASA firewall are as follows:
ASA(config)# show run crypto   // view the default management-connection parameters (part of the output omitted)
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des   // the encryption algorithm is 3DES
 hash sha
 group 2           // DH group 2 by default
 lifetime 86400
The default parameters used by Cisco routers are as follows:
R2#show crypto isakmp policy   // view the default management-connection parameters (part of the output omitted)
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).   // the encryption algorithm is DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)   // DH group 1 by default
        lifetime:               86400 seconds, no volume limit
When establishing the data connection, the ASA firewall supports only the ESP protocol. If the router uses AH for data authentication, it will therefore fail to establish a data connection with the ASA.
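To make the default-parameter comparison above concrete, here is an added Python checker that is not part of the original post. It takes the ASA and R2 commands from steps 4, 7 and 11 as constructed text, fills in whatever a side does not set with the platform defaults quoted above (3DES/SHA/pre-share/group 2 on the ASA, DES/SHA/RSA-sig/group 1 on the router), and lists every mismatch, including AH in the router's transform set, which the ASA does not support. The parsing functions and the R2_BAD_CONFIG failure case are my own constructions.

```python
import re

# Constructed config fragments taken from the commands in this post
# (ASA: steps 4 and 7; R2: step 11).
ASA_CONFIG = """
crypto isakmp policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 1
crypto ipsec transform-set ASA-set esp-aes esp-sha-hmac
"""

R2_CONFIG = """
crypto isakmp policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 1
crypto ipsec transform-set R2-set esp-aes esp-sha-hmac
"""

# Constructed failure case: the ISAKMP policy was never entered on R2
# (so the router defaults apply) and AH was added to the transform set.
R2_BAD_CONFIG = """
crypto ipsec transform-set R2-set ah-sha-hmac esp-aes
"""

# Platform defaults as shown by 'show run crypto' / 'show crypto isakmp policy'
# in this post; anything the administrator leaves out falls back to these.
DEFAULTS = {
    "asa": {"encryption": "3des", "hash": "sha", "authentication": "pre-share",
            "group": "2", "lifetime": "86400"},
    "router": {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
               "group": "1", "lifetime": "86400"},
}
POLICY_KEYS = ("encryption", "hash", "authentication", "group", "lifetime")


def effective_isakmp_policy(config, platform):
    """Explicit 'crypto isakmp policy' lines layered over the platform defaults."""
    policy = dict(DEFAULTS[platform])
    in_policy = False
    for line in config.splitlines():
        if line.startswith("crypto isakmp policy"):
            in_policy = True
        elif in_policy and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            if key in POLICY_KEYS:
                policy[key] = value
        else:
            in_policy = False
    return policy


def transform_set(config):
    """Protocols of the first transform set, e.g. ['esp-aes', 'esp-sha-hmac']."""
    m = re.search(r"crypto ipsec transform-set \S+ (.+)", config)
    return m.group(1).split() if m else []


def compare_peers(asa_config, router_config):
    """Every phase-1 or phase-2 parameter that would keep the tunnel from coming up."""
    problems = []
    asa = effective_isakmp_policy(asa_config, "asa")
    rtr = effective_isakmp_policy(router_config, "router")
    for key in POLICY_KEYS:
        if asa[key] != rtr[key]:
            problems.append(f"isakmp {key}: ASA={asa[key]} router={rtr[key]}")
    asa_ts, rtr_ts = transform_set(asa_config), transform_set(router_config)
    if any(p.startswith("ah-") for p in rtr_ts):
        problems.append("transform-set: router uses AH, which the ASA does not support")
    if sorted(asa_ts) != sorted(rtr_ts):
        problems.append(f"transform-set: ASA={asa_ts} router={rtr_ts}")
    return problems


if __name__ == "__main__":
    print("post's configuration:", compare_peers(ASA_CONFIG, R2_CONFIG) or "no mismatches")
    for p in compare_peers(ASA_CONFIG, R2_BAD_CONFIG):
        print("mismatch:", p)
```

The point of layering the defaults in is that the two sides disagree exactly where nothing was typed: a router with no explicit policy negotiates DES and RSA signatures, which the ASA's AES/pre-share policy will never accept.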
2) Whether IKE negotiation is enabled by default
By default, IKE negotiation is enabled on the router and disabled on the ASA firewall. On the ASA it must therefore be enabled with the command "crypto isakmp enable outside".
3) The introduction of the tunnel-group feature
Strictly speaking, this is not a configuration difference between firewall and router but a feature introduced when the firewall software was upgraded from version 6.x to 7.0; it is mainly used to simplify the configuration and management of IPSec sessions. The router-style command for configuring the shared key is still supported by the ASA firewall by default.
4) The impact of interface security levels on IPSec traffic
The firewall restricts traffic that enters through one interface from leaving through an interface with the same security level: traffic cannot pass between interfaces of equal security level. This is mainly a security characteristic, but it can affect IPSec traffic. If you run into this in a real environment, use the following commands:
ASA(config)# same-security-traffic permit intra-interface   // allow traffic to enter and leave through the same interface (denied by default)
ASA(config)# same-security-traffic permit inter-interface   // allow traffic between two different interfaces with the same security level
Note: the ASA firewall permits all VPN traffic by default!
V. Troubleshooting of IPSec VPN
Common commands are:
1) The show crypto isakmp sa command
This command shows the state of the management connection (main mode is what is discussed here). The common states are shown in the figure:
2) The debug crypto isakmp command
To follow the whole negotiation, use this command; it is the most common command for diagnosing and troubleshooting management connections in practice.