Shulou (Shulou.com) report, 06/01, updated 2025-01-28. From SLTechnology News & Howtos > Network Security.
Blog outline:
1. Network environment requirements
2. Preparation before configuration
3. Configuration of the virtual private network
4. Summary
Foreword:
I wrote a blog post earlier, Cisco router IPSec virtual private network, which covered building a virtual private network when the company gateway is a Cisco router. What if the company gateway is a Cisco ASA firewall? This post walks you through configuring that.
Note: the term virtual private network (Virtual Private Network) is what its English initials spell out. Because the abbreviation is a sensitive word, "virtual private network" is used in place of it throughout this post.
The knowledge points and related concepts were almost all introduced in the post linked at the beginning of this article. The principle of implementing a virtual private network on a firewall is similar to that on a router, so I won't repeat it here and go straight to the configuration.
The network environment is as follows:
I. Network environment requirements
1. An IPSec virtual private network must be established on the gateway ASA of the head office and of each branch, so that a given network segment of the head office and a given segment of each branch can reach each other (usually only a certain department needs this).
2. A virtual private network also needs to be configured between the two branches so that they can reach each other; this is realized through the E0/1 interface in the outside area of the head office gateway ASA (it could also bypass the head office ASA, as the actual needs dictate).
3. Besides the virtual private network between the head office and the branches, host access to the Internet must not be affected (this is done through PAT; after the configuration is complete, Telnet to the R2 router is used for verification).
4. Routers stand in for PCs to run the tests inside each company. The R2 router on the Internet may not be configured with any routing entries, only IP addresses.
II. Preparation before configuration
(If you configure directly in the production environment and the basic interface IPs, routes and so on are already configured, you can skip the preparation.)
1. I use the GNS3 simulator to build the network topology myself. When using a firewall, the interface type needs to be changed as follows (GNS3 has no firewall by default; the image must be loaded by yourself. If you need help, you can message me privately):
2. Configure the interface IP addresses and routing entries. Examples are as follows:
The routers configure interface IPs and routing entries (all except R2 need a default route, which is equivalent to their gateway):
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# in f0/0
R1(config-if)# ip add 192.168.1.1 255.255.255.0
R1(config-if)# no sh
R1(config-if)# ip route 0.0.0.0 0.0.0.0 192.168.1.254
The ASA firewall configures interface IPs and a routing entry:
ciscoasa> en
Password:                                  # no password by default, just press Enter
ciscoasa# conf t
ciscoasa(config)# in e0/0
ciscoasa(config-if)# nameif inside         # the interface must be assigned to a zone
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip add 192.168.1.254 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config)# in e0/1
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# ip add 201.0.0.1 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# route outside 0 0 201.0.0.2   # default route; the next hop is the R2 router on the Internet
III. Configure the virtual private network
After configuring the interface IP and routing information, you can configure the virtual private network below.
1. Configure the virtual private network between the head office and branch 1:
(1) The ASA-1 configuration of the head office is as follows:
ASA-1(config)# crypto isakmp enable outside            # enable ISAKMP/IKE on the outside interface
# The following configures the ISAKMP policy (that is, the management connection)
ASA-1(config)# crypto isakmp policy 1                   # policy sequence number "1"; the range is 1-10000, and the smaller the value, the higher the priority
ASA-1(config-isakmp-policy)# authentication pre-share   # declares that the device authentication method is "pre-shared key"
ASA-1(config-isakmp-policy)# encryption aes             # encryption algorithm
ASA-1(config-isakmp-policy)# hash md5                   # hash algorithm used in the authentication process
ASA-1(config-isakmp-policy)# group 2                    # strength of the DH algorithm: group 2
ASA-1(config-isakmp-policy)# lifetime 10000             # optional; management connection lifetime, default 86400 s (24 hours)
ASA-1(config-isakmp-policy)# crypto isakmp key 2019.com address 202.0.0.1   # the "pre-shared key" for the peer 202.0.0.1
# The following is the data connection configuration
ASA-1(config)# access-list lan1_lan2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0   # defines the traffic protected by the virtual private network
ASA-1(config)# crypto ipsec transform-set test-set esp-aes esp-md5-hmac   # data connection negotiation parameters; "test-set" is a custom name
ASA-1(config)# crypto map test-map 1 match address lan1_lan2      # match the ACL
ASA-1(config)# crypto map test-map 1 set peer 202.0.0.1           # virtual private network peer address
ASA-1(config)# crypto map test-map 1 set transform-set test-set   # associate the data connection with the transform set just created
ASA-1(config)# crypto map test-map interface outside              # apply the crypto map to the outside interface
All the commands are explained in the configuration above, and most of the commands that follow can be found there, so I won't comment them again below (out of consideration for the terminally lazy).
(2) The ASA-2 configuration of branch 1 is as follows:
ASA-2(config)# crypto isakmp enable outside
ASA-2(config)# crypto isakmp policy 1
ASA-2(config-isakmp-policy)# authentication pre-share
ASA-2(config-isakmp-policy)# encryption aes
ASA-2(config-isakmp-policy)# hash md5
ASA-2(config-isakmp-policy)# group 2
ASA-2(config-isakmp-policy)# lifetime 10000
ASA-2(config-isakmp-policy)# crypto isakmp key 2019.com address 201.0.0.1
ASA-2(config)# access-list lan2_lan1 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA-2(config)# crypto ipsec transform-set test-set esp-aes esp-md5-hmac
ASA-2(config)# crypto map test-map 1 match address lan2_lan1
ASA-2(config)# crypto map test-map 1 set peer 201.0.0.1
ASA-2(config)# crypto map test-map 1 set transform-set test-set
ASA-2(config)# crypto map test-map interface outside
At this point the virtual private network between the head office and branch 1 is established, and R3 and R1 can be used for a ping test. It takes time for the virtual private network to establish the connection: with the routing and interface IPs configured correctly, ping succeeds after two or three attempts. If it still fails after three to five attempts, something is most likely misconfigured; use the show run command to find where the configuration is wrong.
2. Configure the virtual private network between the head office and branch 2:
(1) The ASA-1 configuration of the head office is as follows (the management connection configuration can be shared with the head office to branch 1 configuration; only the parts involving the ACL and IP addresses need to be configured again):
ASA-1(config)# crypto isakmp key 2020.com address 203.0.0.1
ASA-1(config)# access-list lan1_lan3 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
ASA-1(config)# crypto map test-map 2 match address lan1_lan3
WARNING: The crypto map entry is incomplete
ASA-1(config)# crypto map test-map 2 set peer 203.0.0.1
WARNING: The crypto map entry is incomplete
ASA-1(config)# crypto map test-map 2 set transform-set test-set
(2) The ASA-3 configuration of branch 2 is as follows:
ASA-3(config)# crypto isakmp enable outside
ASA-3(config)# crypto isakmp policy 1
ASA-3(config-isakmp-policy)# authentication pre-share
ASA-3(config-isakmp-policy)# encryption aes
ASA-3(config-isakmp-policy)# hash md5
ASA-3(config-isakmp-policy)# group 2
ASA-3(config-isakmp-policy)# lifetime 10000
ASA-3(config-isakmp-policy)# crypto isakmp key 2020.com address 201.0.0.1
ASA-3(config)# access-list lan3_lan1 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA-3(config)# crypto ipsec transform-set test-set esp-aes esp-md5-hmac
ASA-3(config)# crypto map test-map 1 match address lan3_lan1
ASA-3(config)# crypto map test-map 1 set peer 201.0.0.1
ASA-3(config)# crypto map test-map 1 set transform-set test-set
ASA-3(config)# crypto map test-map interface outside
At this point, the R4 router of Branch 2 can ping the R1 router of the head office.
3. Configure the virtual private network between branch 1 and branch 2 (in fact, only a few ACL entries need to be added):
The ASA-1 configuration of the head office is as follows:
ASA-1(config)# same-security-traffic permit intra-interface   # allow traffic to enter and leave the same interface; disabled by default
ASA-1(config)# access-list lan1_lan2 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
ASA-1(config)# access-list lan1_lan3 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
The ASA-2 configuration of branch 1 is as follows (the ACL name is case-sensitive, so it must be the same lan2_lan1 that the crypto map references):
ASA-2(config)# access-list lan2_lan1 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
The ASA-3 configuration of branch 2 is as follows:
ASA-3(config)# access-list lan3_lan1 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
At this point the virtual private network between the head office, branch 1 and branch 2 has been established. Note that the virtual private network between branch 1 and branch 2 relies on the head office firewall: once the head office firewall fails, the virtual private network between branch 1 and branch 2 no longer exists. You can also choose to establish a virtual private network directly between branch 1 and branch 2, so that the traffic between them no longer passes through the head office firewall; decide according to the actual situation.
So how can hosts whose traffic is protected by the virtual private network also reach Internet resources? We do it through PAT, so that the hosts in each company can not only access the internal resources of the other companies through the virtual private network, but also access the Internet.
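As an added example (not part of the original post), here is a small Python check over the head office and branch 1 configuration shown above: it parses each ASA's pre-shared keys, crypto map entries and crypto ACLs, and reports keys that do not match on both ends and ACEs that have no mirrored entry on the peer, the two most common reasons the ping test never succeeds. The config excerpts are constructed from the commands in this post, with branch 1 deliberately using a mis-cased ACL name (Lan2_lan1) so that the check has something to catch.

```python
import re

def parse(cfg):
    # Extract the pieces of an ASA IPsec config that must agree between peers.
    keys, acls, maps = {}, {}, {}
    for line in cfg.splitlines():
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            keys[m[2]] = m[1]                       # peer address -> pre-shared key
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            acls.setdefault(m[1], set()).add((m[2], m[3], m[4], m[5]))  # ACL names are case-sensitive
        elif m := re.match(r"crypto map \S+ (\d+) (match address|set peer) (\S+)", line):
            maps.setdefault(m[1], {})[m[2]] = m[3]  # crypto map seq -> {match address, set peer}
    return keys, acls, maps

def check_peers(devices):
    # devices: {outside address: config text}. Returns mismatch descriptions; empty list = consistent.
    parsed = {ip: parse(c) for ip, c in devices.items()}
    problems = []
    for ip, (keys, acls, maps) in parsed.items():
        for seq, entry in maps.items():
            peer = entry.get("set peer")
            if peer not in parsed:
                problems.append(f"{ip}: crypto map {seq} peer {peer} is not a known device"); continue
            pkeys, pacls, pmaps = parsed[peer]
            if keys.get(peer) != pkeys.get(ip):
                problems.append(f"{ip}<->{peer}: pre-shared keys differ")
            # Every ACE we protect toward the peer must appear mirrored in the peer's map entry for us.
            mirror = set().union(*(pacls.get(e.get("match address"), set())
                                   for e in pmaps.values() if e.get("set peer") == ip))
            for src, sm, dst, dm in acls.get(entry.get("match address"), set()):
                if (dst, dm, src, sm) not in mirror:
                    problems.append(f"{ip}->{peer}: ACE {src}->{dst} has no mirror on {peer}")
    return problems

M = "255.255.255.0"  # every network in the post is a /24
DEVICES = {  # outside address -> constructed excerpt of that ASA's config, taken from the post
    "201.0.0.1": f"""crypto isakmp key 2019.com address 202.0.0.1
access-list lan1_lan2 permit ip 192.168.1.0 {M} 192.168.2.0 {M}
access-list lan1_lan2 permit ip 192.168.3.0 {M} 192.168.2.0 {M}
crypto map test-map 1 match address lan1_lan2
crypto map test-map 1 set peer 202.0.0.1""",
    "202.0.0.1": f"""crypto isakmp key 2019.com address 201.0.0.1
access-list lan2_lan1 permit ip 192.168.2.0 {M} 192.168.1.0 {M}
access-list Lan2_lan1 permit ip 192.168.2.0 {M} 192.168.3.0 {M}
crypto map test-map 1 match address lan2_lan1
crypto map test-map 1 set peer 201.0.0.1""",
}

if __name__ == "__main__":
    print("\n".join(check_peers(DEVICES)) or "all peers consistent")
```

Run as-is it reports that the head office's 192.168.3.0 to 192.168.2.0 entry has no mirror on branch 1, because the mis-cased Lan2_lan1 is a different ACL from the one the crypto map references.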
Note: the information I looked up says that NAT control must be enabled and the virtual private network traffic exempted, but my test found that this is not necessary; doing PAT port mapping directly on the ASA achieves the desired effect. I originally wanted to verify my idea again, but I have already shut down the network environment. Forget it. If you are interested, you can verify it yourself.
4. Configure PAT port mapping on each firewall:
Head office firewall configuration:
ASA-1(config)# nat-control
ASA-1(config)# nat (inside) 1 0 0
ASA-1(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
ASA-1(config)# access-list vpm permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ASA-1(config)# access-list vpm permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
ASA-1(config)# nat (inside) 0 access-list vpm   # NAT exemption: traffic matching the ACL is not translated
Branch 1 firewall configuration:
ASA-2(config)# nat-control
ASA-2(config)# nat (inside) 1 0 0
ASA-2(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
ASA-2(config)# nat (inside) 0 access-list lan2_lan1
Branch 2 firewall configuration:
ASA-3(config)# nat-control
ASA-3(config)# nat (inside) 1 0 0
ASA-3(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
ASA-3(config)# nat (inside) 0 access-list lan3_lan1
5. Enable Telnet on the R2 router in the Internet for access testing from inside the companies:
R2(config)# line vty 0 4
R2(config-line)# password 123
R2(config-line)# login
R2(config-line)# exit
R2(config)# enable secret 123456
6. Verification (during verification it was found that the first one or two pings are dropped or lost before ping succeeds fully; this is normal, because it takes time for the VPN to establish the connection):
IV. Summary
1. When establishing the data connection, the ASA firewall only supports the ESP protocol. So if the opposite end is a router that uses the AH protocol for data verification, it will not be able to establish a data connection with the ASA.
2. IKE negotiation is enabled by default on the router, but it is turned off on the ASA and needs to be turned on with the command "crypto isakmp enable outside".
3. When configuring a pre-shared key on the ASA, the tunnel group is generally used to configure the key. The process of configuring the key of the tunnel group will be written at the end of the next article. The configuration method I used above is the same as on the router; the ASA automatically recognizes it and converts it into the tunnel group configuration.
4. The firewall has a restriction that traffic entering through an interface cannot leave through an interface with the same security level. If traffic does need to enter and leave the same interface, use the command "same-security-traffic permit intra-interface". In the configuration above, this command is configured on the head office firewall when configuring branch 1 and branch 2, because the traffic needs to enter and leave the E0/1 interface of the head office.
5. The ASA allows all virtual private network traffic by default: the virtual private network traffic is already secure, so the ASA gives it the green light.