2025-02-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Configuring a remote-access VPN (Easy VPN) on a Cisco ASA firewall follows the same principle as on a router. Readers who are not clear about how Easy VPN works can refer to the blog post "Cisco router implementing remote-access VPN: Easy VPN (solving the problem of travelling employees accessing the intranet)". There are differences between configuring it on a router and on a firewall, so here we go straight to the configuration without repeating the introduction.
To implement IPsec VPN on the firewall, refer to the blog post "Cisco ASA firewall implementing IPsec VPN".
I. Case environment
Because of the simulator, the firewall cannot be connected directly to the terminal devices, so a switch is placed in between.
II. Case requirements
(1) Users access the internal website by domain name (www.yinuo.com) through Easy VPN.
(2) Users access websites on the public network normally by domain name (www.xiaojiang.com).
(3) Users configure their own IP addresses and the corresponding services according to the requirements of the topology.
III. Case implementation

(1) Configuration of the gateway ASA firewall

ASA(config)# interface e0/0
ASA(config-if)# nameif inside
ASA(config-if)# ip address 192.168.1.1 255.255.255.0
ASA(config-if)# no shutdown
ASA(config-if)# interface e0/1
ASA(config-if)# nameif outside
ASA(config-if)# ip address 100.1.1.1 255.255.255.0
ASA(config-if)# no shutdown
ASA(config-if)# exit
ASA(config)# route outside 0 0 100.1.1.2
// configure the interface IP addresses and set the default route
ASA(config)# username lvzhenjiang password jianjian
// the ASA has AAA enabled by default and authenticates locally, so only a local user account is needed
ASA(config)# crypto isakmp enable outside
// enable the ISAKMP/IKE protocol on the outside interface
ASA(config)# crypto isakmp policy 10
ASA(config-isakmp-policy)# encryption 3des
ASA(config-isakmp-policy)# hash sha
ASA(config-isakmp-policy)# authentication pre-share
ASA(config-isakmp-policy)# group 2
ASA(config-isakmp-policy)# exit
Phase 1 configuration is complete. (3DES, SHA-1 and DH group 2 are legacy algorithms that newer ASA software no longer accepts by default; where the platform allows, use AES and a stronger DH group.)

ASA(config)# ip local pool lv-pool 192.168.2.10-192.168.2.50
// address pool from which tunnel IP addresses are assigned to VPN clients (not the same subnet as the intranet)
ASA(config)# access-list lv-acl permit ip 192.168.1.0 255.255.255.0 any
// named ACL written from the gateway's point of view: 192.168.1.0/24 to any. When pushed to the client it is read in reverse, meaning the client may reach 192.168.1.0/24 through the tunnel
ASA(config)# group-policy lv-group internal
// "internal" means the policy is defined locally on the ASA; "external" means it is defined on a separate AAA server
ASA(config)# group-policy lv-group attributes
// define the attributes of the user group
ASA(config-group-policy)# dns-server value 192.168.1.100
// DNS server address pushed to the client
ASA(config-group-policy)# address-pool value lv-pool
// call the address pool
ASA(config-group-policy)# split-tunnel-policy tunnelspecified
// "split-tunnel-policy" can be followed by one of three rules:
//   * tunnelspecified: only traffic matching the ACL goes through the tunnel. This is what is chosen here.
//   * tunnelall: all traffic is tunneled, i.e. no split tunneling. This is the default and is generally not used.
//   * excludespecified: all traffic that does NOT match the ACL is tunneled. This option is not recommended.
ASA(config-group-policy)# split-tunnel-network-list value lv-acl
// call the ACL
ASA(config-group-policy)# exit
ASA(config)# tunnel-group lv-group type ipsec-ra
// the tunnel group is of type remote access
ASA(config)# tunnel-group lv-group general-attributes
// configure the general attributes of the tunnel group
ASA(config-tunnel-general)# address-pool lv-pool
// call the address pool
ASA(config-tunnel-general)# default-group-policy lv-group
// call the user group policy
ASA(config-tunnel-general)# exit
ASA(config)# tunnel-group lv-group ipsec-attributes
// enter the IPsec attributes of the tunnel group
ASA(config-tunnel-ipsec)# pre-shared-key lv-key
// define the tunnel group password (pre-shared key)
ASA(config-tunnel-ipsec)# exit
Phase 1.5 configuration is complete.

ASA(config)# crypto ipsec transform-set lv-set esp-3des esp-sha-hmac
// define the transform set name and the encryption and authentication methods
ASA(config)# crypto dynamic-map lv-dymap 1 set transform-set lv-set
// define a dynamic map named lv-dymap with priority 1 and call the transform set
ASA(config)# crypto map lv-stamap 1000 ipsec-isakmp dynamic lv-dymap
// define a static map with priority 1000 that calls the dynamic map just defined
ASA(config)# crypto map lv-stamap interface outside
// apply the static map to the interface on which the gateway connects to the public network
Phase 2 configuration is complete.

(2) Client-side testing
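Before testing from a client, the gateway configuration entered above can be cross-checked for the mistakes that commonly break a remote-access VPN: an address pool overlapping the inside subnet, a split-tunnel ACL that does not cover the intranet, a tunnel-group pointing at an undefined group-policy, or a crypto map not applied to the outside interface. The following Python checker is an added example, not part of the article; the embedded ASA_CONFIG is a constructed one-command-per-line copy of this article's own values, and audit_easy_vpn is a hypothetical helper name.

```python
import ipaddress

# Constructed sample (not the article's text): this article's Easy VPN commands, one per line.
ASA_CONFIG = """\
nameif inside
ip address 192.168.1.1 255.255.255.0
ip local pool lv-pool 192.168.2.10-192.168.2.50
access-list lv-acl permit ip 192.168.1.0 255.255.255.0 any
group-policy lv-group internal
group-policy lv-group attributes
address-pool value lv-pool
split-tunnel-policy tunnelspecified
split-tunnel-network-list value lv-acl
tunnel-group lv-group general-attributes
default-group-policy lv-group
crypto map lv-stamap interface outside
"""

def audit_easy_vpn(config):
    # Cross-check the remote-access pieces; returns a list of findings (empty means all checks passed)
    lines = [l.split() for l in config.splitlines() if l.strip()]
    pools, acls, policies, refs, inside = {}, {}, set(), {}, None
    for i, w in enumerate(lines):
        if w[:2] == ["nameif", "inside"]:               # the next line carries the LAN address/mask
            ip, mask = lines[i + 1][2:4]
            inside = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif w[:3] == ["ip", "local", "pool"]:           # ip local pool NAME LOW-HIGH
            pools[w[3]] = [ipaddress.ip_address(a) for a in w[4].split("-")]
        elif w[0] == "access-list" and w[2] == "permit": # access-list NAME permit ip NET MASK any
            acls.setdefault(w[1], []).append(ipaddress.ip_network(f"{w[4]}/{w[5]}", strict=False))
        elif w[0] == "group-policy" and w[2] == "internal":
            policies.add(w[1])
        elif w[0] in ("address-pool", "split-tunnel-network-list", "default-group-policy"):
            refs[w[0]] = w[-1]                           # last token is the referenced name
        elif w[:2] == ["crypto", "map"] and w[3] == "interface":
            refs["crypto-map-iface"] = w[4]
    out, pool = [], refs.get("address-pool")
    if pool not in pools:
        out.append(f"address-pool {pool!r} is not a defined ip local pool")
    elif any(a in inside for a in pools[pool]):
        out.append(f"pool {pool} overlaps the inside subnet {inside}; client and LAN addresses would clash")
    acl = refs.get("split-tunnel-network-list")
    if inside not in acls.get(acl, []):
        out.append(f"split-tunnel ACL {acl!r} does not permit the inside subnet {inside}")
    if refs.get("default-group-policy") not in policies:
        out.append(f"tunnel-group points at undefined group-policy {refs.get('default-group-policy')!r}")
    if refs.get("crypto-map-iface") != "outside":
        out.append("crypto map is not applied to the outside interface")
    return out
```

Running audit_easy_vpn on a `show running-config` export saved one command per line works the same way, since the parser only looks at the keywords used in this article.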
The Windows 7 client tool is used for testing here. For Windows 10 users, installing the client tool is somewhat more troublesome; refer to the blog post "Installing the VPN client tool on Windows 10".
After that, it is simply a matter of clicking Next all the way through. Once the installation is complete:
After the connection succeeds, check the IP address assigned to the VPN client.
Test access to the company's internal server and to the public-network server.
Access is successful!