Sunday 6 May 2012

Configuring IPSec VPN on ASA

Task 1: Prepare to configure VPN support.
Task 2: Configure IKE parameters.
Task 3: Configure IPSec parameters.
Task 4: Test and verify VPN configuration.


Task 1: Prepare for IKE and IPSec

Step 1: Determine the IKE (IKE Phase 1) policy.
Step 2: Determine the IPSec (IKE Phase 2) policy.
Step 3: Ensure that the network works without encryption.
Step 4: (Optional) Implicitly permit IPSec packets to bypass security appliance ACLs and access groups.

Determine IKE Phase 1 Policy

Determine IPSec (IKE Phase 2) Policy

Task 2: Configure IKE

Step 1: Enable or disable IKE.
Step 2: Configure IKE Phase 1 policy.
Step 3: Configure a tunnel group.
Step 4: Configure the tunnel group attributes pre-shared key.
Step 5: Verify IKE Phase 1 policy.

Enable or Disable IKE

Configure IKE Phase 1 Policy

Configure a Tunnel Group

Configure Tunnel Group Attributes Pre-Shared Key

Verify IKE Phase 1 Policy

Task 3: Configure IPSec

Step 1: Configure interesting traffic: NAT 0 and ACL.
– access-list 101 permit
– nat 0
Step 2: Configure IPSec transform set suites.
– crypto ipsec transform-set
Step 3: Configure the crypto map.
– crypto map
Step 4: Apply the crypto map.
– crypto map map-name interface interface-name

Configure Interesting Traffic

Example: Crypto ACLs

Configure Interesting Traffic: NAT 0

Configure an IPSec Transform Set

Available IPSec Transforms

Configure the Crypto Map

Apply the Crypto Map to an Interface

Example: Crypto Map for Security Appliance 1

Example: Crypto Map for Security Appliance 6
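
A worked configuration for one peer (the Security Appliance 1 side) that carries Tasks 1 to 3 through in pre-8.3 ASA syntax, added here as an example rather than taken from the original slides; the inside/outside interface names, the 10.1.1.0/24 and 10.2.2.0/24 LANs, the peer address 203.0.113.2 and the pre-shared key placeholder are constructed, and the remote peer needs the mirror image of this (its crypto ACL with source and destination swapped).

```cisco
! Task 1, step 4 (optional): let decrypted IPsec traffic bypass interface ACLs
sysopt connection permit-vpn

! Task 2: IKE Phase 1 - enable ISAKMP on the outside interface and define the policy
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Task 2: LAN-to-LAN tunnel group keyed by the peer address (constructed), PSK as its attribute
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key REPLACE-WITH-STRONG-PSK

! Task 3, step 1: interesting traffic - crypto ACL plus NAT exemption (nat 0) for the same flows
access-list 101 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list 101

! Task 3, step 2: IPsec transform set (ESP with AES-256 and SHA-1 HMAC)
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Task 3, step 3: crypto map entry tying the ACL, the peer and the transform set together
crypto map VPNMAP 10 match address 101
crypto map VPNMAP 10 set peer 203.0.113.2
crypto map VPNMAP 10 set transform-set ESP-AES256-SHA

! Task 3, step 4: apply the crypto map to the outside interface
crypto map VPNMAP interface outside
```

The show and debug commands listed under Task 4 are how this configuration is then checked on the appliance. On ASA 8.3 and later the NAT exemption is written with object NAT rather than nat 0, and from 8.4 the isakmp policy, enable and pre-shared-key commands carry the ikev1 keyword instead.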


Task 4: Test and Verify VPN Configuration
Verify ACLs and interesting traffic.
– show run access-list
Verify correct IKE configuration.
– show run isakmp
– show run tunnel-group
Verify correct IPSec configuration.
– show run ipsec
Verify correct crypto map configuration.
– show run crypto map
Clear IPSec SA.
– clear crypto ipsec sa
Clear IKE SA.
– clear crypto isakmp sa
Debug IKE and IPSec traffic through the security appliance.
– debug crypto ipsec
– debug crypto isakmp
