Aug 7, 2010

Steps to setup a VPN on ASA/PIX

You should read the configuration guides and command references to know how to setup a VPN on ASA/PIX. However, if you don't have access to those documments, what wil you do?

If the device to be configured is running system version 8.0(3) or one earliest, you could use the command vpnsetup to review the steps needed to setup the supported VPN types.

The syntax of this command is:

vpnsetup {ipsec-remote-access | l2tp-remote-access | site-to-site | ssl-remote-access} steps

For example, if you want to review the steps to setup IPSec tunnels of the type Remote Access:

asa# vpnsetup ipsec-remote-access steps

Steps to configure a remote access IKE/IPSec connection with examples:

1. Configure Interfaces

        interface GigabitEthernet0/0
         ip address 10.10.4.200 255.255.255.0
         nameif outside
         no shutdown

        interface GigabitEthernet0/1
         ip address 192.168.0.20 255.255.255.0
         nameif inside
         no shutdown

2. Configure ISAKMP policy

        crypto isakmp policy 65535
         authentication pre-share
         encryption aes
         hash sha

3. Setup an address pool

        ip local pool client-pool 192.168.1.1-192.168.1.254

4. Configure authentication method

        aaa-server MyRadius protocol radius
        aaa-server MyRadius host 192.168.0.254
         key $ecretK3y

5. Define tunnel group

        tunnel-group client type remote-access
        tunnel-group client general-attributes
         address-pool client-pool
         authentication-server-group MyRadius
        tunnel-group client ipsec-attributes
         pre-shared-key VpnUs3rsP@ss

6. Setup ipsec parameters

        crypto ipsec transform-set myset esp-aes esp-sha-hmac

7. Setup dynamic crypto map

        crypto dynamic-map dynmap 1 set transform-set myset
        crypto dynamic-map dynmap 1 set reverse-route

8. Create crypto map entry and associate dynamic map with it

        crypto map mymap 65535 ipsec-isakmp dynamic dynmap

9. Attach crypto map to interface

        crypto map mymap interface outside

10. Enable isakmp on interface

        crypto isakmp enable outside


asa(config)# end
asa# wr mem
Posted by at 2:49 PM
Categories: , ,

2 comments:

  1. UnknownAugust 13, 2010 at 1:35 PM

    Olá amigo, achei interessante a sua configuração, pois ela parece com uma dúvida que estou tendo. vc sita a sua outside como:

    interface GigabitEthernet0/0
    ip address 10.10.4.200 255.255.255.0
    nameif outside

    Ou seja, um IP inválido, acredito que vc tenha um bloco válido fornecido pelo seu provedor.

    Em suma, como você configura para receber a conexão VPN por um Endereço Válido do tipo 200.120.x.y através de uma rota default da operadora???

    Abraços

    lenny

    ReplyDelete
  2. Renato MoraisAugust 17, 2010 at 12:13 AM

    @lenny
    Olá Lenny,

    Na verdade a configuração apresentada no post é um exemplo que pode ser extraído de qualquer PIX/ASA usando o comando vpnsetup.

    De qualquer forma, entendo que você está trabalhando em um cenário no qual seu firewall está configurado com endereçamento privado (RFC1918). Neste caso, deve haver uma configuração de NAT no roteador conectado ao ISP que permita as conexões de VPN serem redirecionadas para o firewall.

    ReplyDelete

Subscribe to: Post Comments (Atom)