Topology:
====private (192.168.10.0/24) ====ASA====Public (158.193.138.0/24)
|
==== DMZ ====
(158.193.152.0/24)
Clients on the IPsec VPN tunnel will be assigned an address from 192.168.10.0/24. Access is permitted from both the Public and the DMZ side.
Configuration on the ASA side:
1) Define an ACL that identifies the traffic exempt from NAT (Network Address Translation)
access-list no_NAT line 1 remark Define_IPSec_trafficnot_Nated_
access-list no_NAT line 2 extended permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
2) Create a pool of addresses to be assigned dynamically to VPN clients (the source can be an AAA server, a DHCP server, or a local pool)
ip local pool VPN_Clients_pool 192.168.10.200-192.168.10.254
3) Disable NAT for the IPsec traffic that would otherwise pass through NAT on its way into the IPsec tunnel (the private address space)
nat (inside) 0 access-list no_NAT
4) Allow packets arriving from the IPsec tunnel to pass through without being re-checked against the interface ACL filters
sysopt connection permit-ipsec
5) IPsec configuration (manual):
!-- Define the transform set to be used during IPsec
!-- security association (SA) negotiation. Specify AES as the encryption algorithm.
crypto ipsec transform-set Moj_VPN_SET esp-aes-256 esp-sha-hmac
crypto dynamic-map Moja_dynamic_mapa 10 set transform-set Moj_VPN_SET
crypto map Moja_mapa 10 ipsec-isakmp dynamic Moja_dynamic_mapa
! apply the crypto map to the interfaces
crypto map Moja_mapa interface outside
crypto map Moja_mapa interface dmz
6) Enable ISAKMP on the interfaces facing the VPN peers:
!-- Enable Internet Security Association and Key Management
!-- Protocol (ISAKMP) negotiation on the interface on which the IPsec
!-- peer communicates with the ASA Firewall.
isakmp enable outside
isakmp enable dmz
isakmp identity address
9) As in the manual:
!-- Define an ISAKMP policy to be used while
!-- negotiating the ISAKMP SA. Specify
!-- AES as the encryption algorithm. The configurable AES
!-- options are aes, aes-192 and aes-256.
!-- Note: AES 192 is not supported by the VPN Client.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp disconnect-notify
10) Define the tunnel group:
tunnel-group KIS_outside type ipsec-ra
tunnel-group KIS_outside general-attributes
address-pool (inside) VPN_Clients_pool
address-pool VPN_Clients_pool
default-group-policy KIS_outside
dhcp-server 192.168.10.2
tunnel-group KIS_outside ipsec-attributes
pre-shared-key *
11) Group policy configuration for split tunnelling (this configuration allows VPN clients secure access to corporate resources via IPsec while giving unsecured access to the Internet):
group-policy KIS_outside internal
group-policy KIS_outside attributes
dns-server value 158.193.152.1
vpn-idle-timeout 30
access-list Split-tunnel-policy remark KIS net behind ASA, inside interface.
access-list Split-tunnel-policy standard permit 192.168.10.0 255.255.255.0
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-tunnel-policy
Link3 (PIX/ASA 7.x: Allow Local LAN Access for VPN Clients Configuration Example)
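The three address-related pieces above (the NAT-exemption ACL from step 1, the client pool from step 2, and the split-tunnel list from step 11) only work together when they agree with each other: the pool must be covered by the ACL that "nat (inside) 0" references, the network behind the ASA must be in the split-tunnel list, and the DHCP server must not hand out or sit inside pool addresses. The following Python script is an added example, not Cisco tooling and not part of the original notes. It is a deliberately minimal, hypothetical parser for just the statement types shown on this page, and it assumes the inside network is 192.168.10.0/24 as drawn in the topology; the embedded configurations are constructed samples that reuse the page's own values, plus a broken variant where the pool was moved without updating the ACL.

```python
"""Consistency check for the ASA remote-access VPN statements used above.

Added example, not Cisco tooling and not part of the original notes. The
parser is hypothetical and minimal: it understands only the statement types
shown on this page, not full ASA syntax.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the relevant statements from the notes, in one place.
GOOD_CONFIG = """
access-list no_NAT line 2 extended permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
ip local pool VPN_Clients_pool 192.168.10.200-192.168.10.254
nat (inside) 0 access-list no_NAT
dhcp-server 192.168.10.2
access-list Split-tunnel-policy standard permit 192.168.10.0 255.255.255.0
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-tunnel-policy
"""

# Constructed broken variant: the pool was moved to 10.99.0.0/24 and the DHCP
# server now lives inside it, but the NAT-exemption ACL was never updated.
BAD_CONFIG = GOOD_CONFIG.replace(
    "ip local pool VPN_Clients_pool 192.168.10.200-192.168.10.254",
    "ip local pool VPN_Clients_pool 10.99.0.10-10.99.0.50",
).replace("dhcp-server 192.168.10.2", "dhcp-server 10.99.0.20")

ACL_EXT = re.compile(r"access-list (\S+) (?:line \d+ )?extended permit ip (\S+) (\S+) (\S+) (\S+)$")
ACL_STD = re.compile(r"access-list (\S+) (?:line \d+ )?standard permit (\S+) (\S+)$")
POOL = re.compile(r"ip local pool (\S+) (\S+)-(\S+)$")
NAT0 = re.compile(r"nat \(\S+\) 0 access-list (\S+)$")
SPLIT = re.compile(r"split-tunnel-network-list value (\S+)$")
DHCP = re.compile(r"dhcp-server (\S+)$")


def net(addr, mask):
    """Build an IPv4Network from ASA's 'address dotted-mask' notation."""
    return ipaddress.IPv4Network((addr, mask))


def parse(config):
    acls = defaultdict(list)  # ACL name -> list of (src_net, dst_net)
    pools = {}                # pool name -> (first address, last address)
    refs = {}                 # "no_nat" / "split" -> referenced ACL name
    dhcp = []                 # dhcp-server addresses
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_EXT.match(line):
            name, s, sm, d, dm = m.groups()
            acls[name].append((net(s, sm), net(d, dm)))
        elif m := ACL_STD.match(line):
            name, a, am = m.groups()
            acls[name].append((net(a, am), net(a, am)))
        elif m := POOL.match(line):
            pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                 ipaddress.IPv4Address(m.group(3)))
        elif m := NAT0.match(line):
            refs["no_nat"] = m.group(1)
        elif m := SPLIT.match(line):
            refs["split"] = m.group(1)
        elif m := DHCP.match(line):
            dhcp.append(ipaddress.IPv4Address(m.group(1)))
    return acls, pools, refs, dhcp


def covered(first, last, networks):
    """True if every address in first..last lies inside one of `networks`."""
    return all(any(chunk.subnet_of(n) for n in networks)
               for chunk in ipaddress.summarize_address_range(first, last))


def check(config, inside_net="192.168.10.0/24"):
    """Return a list of findings; an empty list means the statements agree.

    inside_net is the private network behind the ASA (taken from the topology).
    """
    acls, pools, refs, dhcp = parse(config)
    inside = ipaddress.IPv4Network(inside_net)
    findings = []
    no_nat = acls.get(refs.get("no_nat"), [])
    split = acls.get(refs.get("split"), [])
    # With "split-tunnel-policy tunnelspecified" only listed networks are tunnelled,
    # so the corporate network must appear in the list.
    if not split or not any(inside.subnet_of(n) for n, _ in split):
        findings.append(f"inside network {inside} is not in the split-tunnel list")
    for name, (first, last) in pools.items():
        # Replies to VPN clients must match the "nat ... 0" ACL, or they get NATed.
        if not no_nat or not covered(first, last, [d for _, d in no_nat]):
            findings.append(f"pool {name} is not covered by the NAT-exemption ACL")
        for srv in dhcp:
            if first <= srv <= last:
                findings.append(f"dhcp-server {srv} lies inside pool {name}")
    return findings


if __name__ == "__main__":
    print("good:", check(GOOD_CONFIG))
    print("bad:", check(BAD_CONFIG))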