Žilinská univerzita, Fakulta riadenia a informatiky, Katedra informačných sietí (University of Žilina, Faculty of Management Science and Informatics, Department of Information Networks)

Configuring a VPN between a Cisco ASA and the Cisco VPN Client



Topology:

====private (192.168.10.0/24) ====ASA====Public (158.193.138.0/24)
                                                           |
                                              ==== DMZ ====
                                             (158.193.152.0/24)

Clients connecting over the IPsec VPN tunnel are assigned an address from 192.168.10.0/24, i.e. from the same subnet as the private (inside) network. Clients may connect from both the Public and the DMZ side.

Configuration on the ASA side:

1) Define an ACL that identifies the traffic exempt from NAT (Network Address Translation): the inside network talking to the VPN client addresses, which here are carved out of the same 192.168.10.0/24.

access-list no_NAT line 1 remark IPsec traffic exempt from NAT
access-list no_NAT line 2 extended permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0

2) Create the pool of addresses handed out dynamically to VPN clients (addresses can come from an AAA server, a DHCP server, or a local pool; a local pool is used here).

ip local pool VPN_Clients_pool 192.168.10.200-192.168.10.254

3) Exempt that traffic from NAT (identity NAT, "NAT 0") on the inside interface, so packets from the inside network to the VPN clients are not translated before they enter the IPsec tunnel. This is the pre-8.3 syntax; on ASA 8.3 and later, NAT exemption is expressed with object-based twice NAT instead.

nat (inside) 0 access-list no_NAT

4) Let decrypted IPsec traffic bypass the interface access lists (it is still subject to any vpn-filter set in the group policy). This is the default on the ASA; later releases renamed the command to sysopt connection permit-vpn. If VPN users must be subject to the interface ACLs, disable it or apply a vpn-filter.

sysopt connection permit-ipsec

5) IPsec (phase 2) settings, as in the manual

!--- Define the transform set to be used during IPsec
!--- security association (SA) negotiation. Specify AES as the encryption algorithm.

crypto ipsec transform-set Moj_VPN_SET esp-aes-256 esp-sha-hmac
crypto dynamic-map Moja_dynamic_mapa 10 set transform-set Moj_VPN_SET
crypto map Moja_mapa 10 ipsec-isakmp dynamic Moja_dynamic_mapa

! apply the crypto map to both interfaces on which clients connect

crypto map Moja_mapa interface outside
crypto map Moja_mapa interface dmz

6) Enable ISAKMP on those interfaces

!--- Enable Internet Security Association and Key Management
!--- Protocol (ISAKMP) negotiation on the interface on which the IPsec
!--- peer communicates with the ASA Firewall.

isakmp enable outside
isakmp enable dmz
isakmp identity address

9) ISAKMP policy, as in the manual. DH group 2 is 1024-bit MODP and is considered weak today; prefer group 5 if the client supports it. The group pre-shared key used below is negotiated in IKEv1 aggressive mode, so choose a long random key.

!--- Define an ISAKMP policy to be used while
!--- negotiating the ISAKMP SA. Specify
!--- AES as the encryption algorithm. The configurable AES
!--- options are aes, aes-192 and aes-256.
!--- Note: AES 192 is not supported by the VPN Client.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp disconnect-notify

10) Define the tunnel group:

tunnel-group KIS_outside type ipsec-ra
tunnel-group KIS_outside general-attributes
! one address-pool line is enough: with (inside) the pool is bound to that interface,
! without it the pool is global
address-pool (inside) VPN_Clients_pool
address-pool VPN_Clients_pool
default-group-policy KIS_outside
! with both a DHCP server and a local pool configured, the ASA asks the DHCP server
! first and falls back to the local pool
dhcp-server 192.168.10.2

tunnel-group KIS_outside ipsec-attributes
! the key is masked as * in show output; enter the real group password here
pre-shared-key *

11) Configure the group policy, including split tunnelling (it gives VPN clients secure access to corporate resources over IPsec while their remaining traffic reaches the Internet unprotected; only the networks listed in the split-tunnel ACL are sent through the tunnel). Note that a split-tunnelled client is on the Internet and the corporate LAN at the same time; use split-tunnel-policy tunnelall where that is not acceptable.

! define the split-tunnel ACL first; the split-tunnel commands belong in
! group-policy attributes mode, so keep the attribute lines together
access-list Split-tunnel-policy remark KIS net behind ASA, inside interface
access-list Split-tunnel-policy standard permit 192.168.10.0 255.255.255.0

group-policy KIS_outside internal
group-policy KIS_outside attributes
dns-server value 158.193.152.1
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-tunnel-policy
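The steps above only work together if they agree with each other: the client pool must fall inside the NAT-exemption ACL, ISAKMP must be enabled on every interface the crypto map is applied to, and the split-tunnel list the group policy names must exist. The following Python script, added here as an example and not part of the lab or of any Cisco tooling, parses a constructed ASA configuration assembled from the commands above and checks those dependencies, and also reports the weak choices the lab makes (DH group 2, group pre-shared key, interface ACL bypass without a vpn-filter). The configuration text, the functions parse and lint, and the severity labels are this example's own; `isakmp enable dmz` is deliberately left out of the sample so that one check fails.

```python
"""Audit the remote-access IPsec settings of a Cisco ASA 7.x config (added example).

Not the lab's or Cisco's code. SAMPLE_CONFIG is constructed from the lab's commands with
`isakmp enable dmz` deliberately omitted so that one dependency check fails. The checks
encode what the steps rely on: pool inside the NAT-exemption ACL, split-tunnel list present,
ISAKMP enabled wherever the crypto map is applied, weak IKE choices (DH group 2, PSK) flagged.
"""
import ipaddress

SAMPLE_CONFIG = """\
access-list no_NAT line 1 extended permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Split-tunnel-policy standard permit 192.168.10.0 255.255.255.0
ip local pool VPN_Clients_pool 192.168.10.200-192.168.10.254
nat (inside) 0 access-list no_NAT
sysopt connection permit-ipsec
crypto map Moja_mapa interface outside
crypto map Moja_mapa interface dmz
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 group 2
tunnel-group KIS_outside general-attributes
 address-pool VPN_Clients_pool
 default-group-policy KIS_outside
tunnel-group KIS_outside ipsec-attributes
 pre-shared-key *
group-policy KIS_outside attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-tunnel-policy
"""


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(text):
    """Collect the VPN-relevant statements into plain dicts and sets."""
    c = {"acl": {}, "pool": {}, "nat0": set(), "sysopt": set(), "isakmp_if": set(),
         "cmap_if": set(), "policy": {}, "tg": {}, "gp": {}}
    ctx = None  # (section, name) while inside a tunnel-group / group-policy sub-mode
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if raw[0].isspace():  # attribute line of the current sub-mode; last word is the value
            if ctx:
                c[ctx[0]].setdefault(ctx[1], {})[w[0]] = True if w[0] == "pre-shared-key" else w[-1]
            continue
        ctx = None
        if w[0] == "access-list" and "permit" in w:  # remark lines carry no 'permit'
            i = w.index("permit")
            nets = ((net(w[i + 2], w[i + 3]), net(w[i + 4], w[i + 5])) if w[i - 1] == "extended"
                    else (net(w[i + 1], w[i + 2]),))
            c["acl"].setdefault(w[1], []).append(nets)
        elif raw.startswith("ip local pool"):
            lo, hi = w[4].split("-")
            c["pool"][w[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif w[0] == "nat" and w[2] == "0":
            c["nat0"].add(w[4])
        elif w[0] == "sysopt":
            c["sysopt"].add(w[-1])
        elif w[:2] == ["crypto", "map"] and w[3] == "interface":
            c["cmap_if"].add(w[4])
        elif w[:2] == ["isakmp", "enable"]:
            c["isakmp_if"].add(w[2])
        elif w[:2] == ["isakmp", "policy"]:
            c["policy"].setdefault(w[2], {})[w[3]] = w[4]
        elif w[0] == "tunnel-group" and w[2].endswith("-attributes"):
            ctx = ("tg", w[1])
        elif w[0] == "group-policy" and w[2] == "attributes":
            ctx = ("gp", w[1])
    return c


def lint(c):
    out = []  # (severity, message); an empty list means every check passed
    nat_nets = [e[-1] for a in c["nat0"] for e in c["acl"].get(a, [])]  # exempted destinations
    bypass = c["sysopt"] & {"permit-ipsec", "permit-vpn"}  # decrypted traffic skips interface ACLs
    for name, tg in c["tg"].items():
        lo, hi = c["pool"].get(tg.get("address-pool"), (None, None))
        if lo is None:
            out.append(("error", f"tunnel-group {name}: no local address pool"))
        elif not all(any(p.subnet_of(n) for n in nat_nets)
                     for p in ipaddress.summarize_address_range(lo, hi)):
            out.append(("error", f"tunnel-group {name}: pool {lo}-{hi} not covered by NAT exemption"))
        gp = c["gp"].get(tg.get("default-group-policy"), {})
        if gp.get("split-tunnel-policy") == "tunnelspecified" \
                and not c["acl"].get(gp.get("split-tunnel-network-list")):
            out.append(("error", f"tunnel-group {name}: split-tunnel network list is missing"))
        if bypass and "vpn-filter" not in gp:
            out.append(("warn", f"tunnel-group {name}: interface ACLs bypassed and no vpn-filter set"))
        if tg.get("pre-shared-key"):
            out.append(("info", f"tunnel-group {name}: group PSK means IKEv1 aggressive mode; "
                                "the PSK can be brute-forced offline from a captured exchange"))
    for n, p in c["policy"].items():
        if int(p.get("group", "2")) < 14:  # 2 is the ASA default
            out.append(("warn", f"isakmp policy {n}: DH group {p.get('group', '2')} is below 2048-bit"))
    for i in sorted(c["cmap_if"] - c["isakmp_if"]):
        out.append(("error", f"crypto map applied on {i} but isakmp is not enabled there"))
    return out
```

Run `lint(parse(SAMPLE_CONFIG))` and the only error reported is the missing `isakmp enable dmz`; appending that line clears it. Replacing the pool with addresses outside 192.168.10.0/24 produces the NAT-exemption error, which is exactly the misconfiguration that makes clients connect but pass no traffic, because the ASA then translates inside traffic destined for them.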
 


Reference: PIX/ASA 7.x: Allow Local LAN Access for VPN Clients Configuration Example (Cisco)