2025-01-16 Update From: SLTechnology News&Howtos, Network Security
Shulou(Shulou.com)06/01 Report--
The previous post covered Cisco router Easy VPN (to let traveling employees reach the company intranet), and it assumed that the company's gateway device is a router. How is the same thing configured when the gateway is an ASA firewall? The theory was written up in detail in that earlier post; refer to it for background, because this post goes straight to the configuration.
This post contains little VPN theory, since I have written several VPN articles before and will not repeat the principles here. If you want the principles, see the following posts (router and firewall VPNs work the same way):
Cisco router Easy VPN (to let traveling employees reach the company intranet)
Cisco router IPsec VPN
1. The network environment is as follows:
2. Environmental analysis:
(1) Configure the VPN on the ASA firewall at the company gateway so that the client (the traveling employee) can connect to it and reach the DNS and HTTP (www.lvjianzhao.com) services provided on the intranet. The site is reached by domain name, and the DNS server on the intranet is responsible for resolving it. To keep the environment simple, the intranet services are combined on a single server.
(2) While connected to the VPN, the client must still be able to use DNS and HTTP services on the Internet. A server on the Internet simulates the www.baidu.com website, and the DNS service on that same server resolves the name.
(3) Configure the router interfaces correctly and give each server its IP address, gateway and routes. The servers get their respective gateways; the ASA firewall only needs interface IP addresses and a default route toward router R1; R1 gets nothing except interface IP addresses, and in particular no routing entries, otherwise the VPN effect may not be testable (traffic would reach the intranet without the tunnel).
(4) The client needs to install the VPN client software provided by Cisco in order to connect.
3. Prepare before configuration:
(1) Download the client software and install it on the client machine that will connect to the VPN. The installation package provided here is for Windows 7; for a Windows 10 client, see the post: installing the VPN client on Windows 10.
(2) Configure the router interface IP addresses and routing yourself (these basic commands are not shown; they are covered in my previous posts, or search Baidu).
(3) Configure the IP address and gateway of each server and of the client.
(4) Set up the HTTP and DNS services on the relevant servers. These two services are not the subject of this post; a minimal setup is enough. My previous posts cover both services if you need them.
4. Start the configuration:
Configuration example (basic ASA setup: rename the device, configure the outside interface, and add the default route toward the public network):
ciscoasa(config)# hostname ASA-1                      # the device is named ASA-1 in the rest of this post
ASA-1(config)# interface e0/1
ASA-1(config-if)# nameif outside                      # the Internet-facing interface
INFO: Security level for "outside" set to 0 by default.
ASA-1(config-if)# ip address 200.0.0.1 255.255.255.0
ASA-1(config-if)# no shutdown
ASA-1(config-if)# exit
ASA-1(config)# route outside 0 0 200.0.0.2            # default route to the public network, i.e. toward router R1
The inside interface (nameif inside, with its intranet address) is configured the same way.
Once the basic configuration (interface IP addresses, routes, gateways) is in place, the VPN configuration below can be carried out.
(1) The ASA firewall at the company gateway is configured as follows:
Username/password for the client login, and ISAKMP enabled on the interface the clients connect to:
ASA-1(config)# username lvjianzhao password 2019.com      # account the client logs in with
ASA-1(config)# crypto isakmp enable outside               # clients connect on the outside interface

Phase 1 (the IKE policy used to build the management connection):
ASA-1(config)# crypto isakmp policy 10
ASA-1(config-isakmp-policy)# encryption 3des
ASA-1(config-isakmp-policy)# hash sha
ASA-1(config-isakmp-policy)# authentication pre-share
ASA-1(config-isakmp-policy)# group 2
ASA-1(config-isakmp-policy)# exit

"Phase 1.5" is the set of parameters pushed to the client once the management connection is established. First an address pool; the addresses in it are handed out to connecting clients. The pool must not use the same network segment as the intranet, otherwise the final communication is affected:
ASA-1(config)# ip local pool test-pool 192.168.1.200-192.168.1.210    # outside the intranet segment 192.168.0.0/24

Next a named ACL that is pushed to the client for split tunneling: only traffic matching it is sent through the tunnel. The ACL is written from the firewall's point of view (source 192.168.0.0/24 to any), and the client reverses it, so on the client it becomes "any address to 192.168.0.0/24 goes through the tunnel"; everything else leaves the client directly.
ASA-1(config)# access-list split-acl extended permit ip 192.168.0.0 255.255.255.0 any

Create the group policy. "internal" means the policy is defined locally on the ASA; "external" would mean it is defined on a AAA server.
ASA-1(config)# group-policy test-group internal
ASA-1(config)# group-policy test-group attributes                    # attributes of the group policy
ASA-1(config-group-policy)# dns-server value 192.168.0.1             # DNS server pushed to the client
ASA-1(config-group-policy)# split-tunnel-policy tunnelspecified
ASA-1(config-group-policy)# split-tunnel-network-list value split-acl   # references the ACL created above
ASA-1(config-group-policy)# exit

split-tunnel-policy takes one of three values:
tunnelspecified: only traffic matching the ACL goes through the tunnel. This is what is used here.
tunnelall: all traffic goes through the tunnel, i.e. no split tunneling. This is the default, and it is not what we want here, because Internet traffic would also have to go through the company gateway.
excludespecified: all traffic that does not match the ACL goes through the tunnel. Not recommended here.

Tunnel group of type ipsec-ra (IPsec remote access), referencing the address pool and the group policy just defined, and carrying the pre-shared key:
ASA-1(config)# tunnel-group test-group type ipsec-ra
ASA-1(config)# tunnel-group test-group general-attributes
ASA-1(config-tunnel-general)# address-pool test-pool
ASA-1(config-tunnel-general)# default-group-policy test-group
ASA-1(config-tunnel-general)# exit
ASA-1(config)# tunnel-group test-group ipsec-attributes
ASA-1(config-tunnel-ipsec)# pre-shared-key pwd123
ASA-1(config-tunnel-ipsec)# exit

Phase 2 (the data connection): a transform set, a dynamic crypto map that uses it, the dynamic map bound into a static crypto map, and the static map applied to the outside interface:
ASA-1(config)# crypto ipsec transform-set test-set esp-3des esp-sha-hmac
ASA-1(config)# crypto dynamic-map test-dymap 1 set transform-set test-set
ASA-1(config)# crypto map test-stamap 1000 ipsec-isakmp dynamic test-dymap
ASA-1(config)# crypto map test-stamap interface outside

The values above are lab values. The user password and the pre-shared key are trivially guessable, and 3DES, SHA-1 and DH group 2 are legacy algorithms that are no longer considered adequate; in a real deployment use a long random pre-shared key (or certificates) and the strongest algorithms the client supports.
This completes the VPN configuration on the company gateway ASA. Now install the Cisco client software on the client, connect to the VPN, and test access.
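Two things in the configuration above are easy to get wrong and only show up later as "the tunnel comes up but nothing works": an address pool that overlaps the intranet segment in the split-tunnel ACL, and a pool range whose end address is lower than its start. The following is an added example (not from the original post) that reads the relevant lines of an ASA running-config and flags those two mistakes, plus the legacy Phase 1 / Phase 2 algorithms used in the lab. The sample config is constructed from the post's values as the ASA would store them; the regexes assume those line formats, and the pool end address 192.168.1.210 is an assumption.

```python
"""Sanity-check an ASA Easy VPN (IKEv1 remote-access) configuration.

Added example (not from the original post). It parses the relevant lines of an
ASA running-config and reports:
  * a client address pool whose range is inverted (start after end),
  * a pool that overlaps a network in the split-tunnel ACL (the post warns the
    pool must not share the intranet's segment),
  * legacy Phase 1 / Phase 2 algorithms (DES/3DES, MD5/SHA-1, DH groups 1/2/5).
The regexes assume the 'show running-config' line formats used in the post.
"""
import ipaddress
import re

# Constructed sample: the post's configuration as the ASA would store it
# (pool end address 192.168.1.210 is an assumption).
SAMPLE_CONFIG = """\
ip local pool test-pool 192.168.1.200-192.168.1.210
access-list split-acl extended permit ip 192.168.0.0 255.255.255.0 any
group-policy test-group internal
group-policy test-group attributes
 dns-server value 192.168.0.1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-acl
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto ipsec transform-set test-set esp-3des esp-sha-hmac
"""

# IKEv1 policy values and ESP transforms treated as legacy by this check.
LEGACY_IKE = {
    "encryption": {"des", "3des"},
    "hash": {"md5", "sha"},          # 'sha' on the ASA means SHA-1
    "group": {"1", "2", "5"},
}
LEGACY_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}


def parse_pools(config):
    """Return {pool_name: (first_ip, last_ip)} from 'ip local pool' lines."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                            ipaddress.ip_address(m.group(3)))
    return pools


def parse_split_networks(config, acl_name):
    """Networks named in the split-tunnel ACL (standard or extended form)."""
    pat = (rf"^access-list {re.escape(acl_name)} "
           r"(?:extended permit ip|standard permit) (\S+) (\S+)(?:\s|$)")
    return [ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            for m in re.finditer(pat, config, re.M)]


def pool_overlaps(pool, nets):
    """True if any address of the pool range lies inside one of the networks."""
    first, last = pool
    lo, hi = min(first, last), max(first, last)   # tolerate an inverted range
    return any(lo <= n.broadcast_address and hi >= n.network_address for n in nets)


def legacy_findings(config):
    """Report IKEv1 policy values and ESP transforms from the legacy sets."""
    findings = []
    for key, weak in LEGACY_IKE.items():
        # policy sub-commands are indented one space in the running-config
        for m in re.finditer(rf"^\s+{key} (\S+)$", config, re.M):
            if m.group(1) in weak:
                findings.append(f"ikev1 {key} {m.group(1)}")
    for m in re.finditer(r"^crypto ipsec transform-set \S+ (.+)$", config, re.M):
        findings.extend(f"transform-set {t}" for t in m.group(1).split()
                        if t in LEGACY_ESP)
    return findings


def check_config(config):
    """Run all checks; returns a list of findings (an empty list means clean)."""
    findings = []
    acl = re.search(r"^\s+split-tunnel-network-list value (\S+)", config, re.M)
    nets = parse_split_networks(config, acl.group(1)) if acl else []
    for name, (first, last) in parse_pools(config).items():
        if first > last:
            findings.append(f"pool {name}: start {first} is after end {last}")
        if pool_overlaps((first, last), nets):
            findings.append(f"pool {name}: overlaps split-tunnel network(s)")
    findings.extend(legacy_findings(config))
    return findings


if __name__ == "__main__":
    for f in check_config(SAMPLE_CONFIG):
        print("WARN", f)
```

Run against the post's values the pool checks pass (192.168.1.200-210 does not touch 192.168.0.0/24) and only the five legacy-algorithm warnings remain; change the pool to 192.168.0.200-192.168.0.21 and both pool findings appear, which is exactly the case the post warns about.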
(2) the client is configured as follows:
Unpack the archive provided and install the VPN client software:
The archive has to be extracted again; choose where to extract it:
After extraction the following installation wizard pops up. Select the installation language:
From here it is basically just clicking Next all the way through:
Select the installation path:
Wait for the installation to complete.
After installation, the client software can be found here:
Click to open client:
Add a connection:
Fill in the specific information:
Connect to virtual private network:
When the following dialog pops up, enter the username and password created on the gateway device:
After the connection succeeds, look at what has changed in the client's network adapters (a new adapter with an address from the pool).
From the client, access www.lvjianzhao.com and www.baidu.com to verify the HTTP and DNS services on the company intranet and on the Internet respectively.
The goal is achieved: the client can reach both the company's intranet services and the Internet.