
ASA Remote VPN


crypto isakmp policy 10
  authentication pre-share
  encryption des
  hash md5
  group 2
  lifetime 86400

username vpntest password vpntest

tunnel-group ezvpn type remote-access
 

ip local pool ippool 20.1.1.1-20.1.1.10

tunnel-group ezvpn general-attributes (if authentication is done against an AAA server, the AAA server group is referenced from this mode)
  address-pool ippool
 

tunnel-group ezvpn ipsec-attributes
  pre-shared-key cisco  

crypto ipsec transform-set ezvpn esp-des esp-md5-hmac

crypto dynamic-map ezvpn 10 set transform-set ezvpn
crypto dynamic-map ezvpn 10 set reverse-route

crypto map cisco 10 ipsec-isakmp dynamic ezvpn

crypto map cisco interface outside

crypto isakmp enable outside

1. split-tunnel
ip local pool iepool 100.1.1.1-100.1.1.100    (configure the address pool that is pushed to clients)

access-list split line 1 extended permit ip 45.45.7.0 255.255.255.0 any (prepared as the split-tunnel list used below)

crypto isakmp enable outside (ISAKMP is not enabled on firewall interfaces by default and must be turned on)

crypto isakmp policy 10 (note: on the ASA, configure phase 1 entirely by hand rather than relying on auto-generated policies; remote VPN needs an appropriate policy)
  authentication pre-share
  encryption des
  hash md5
  group 2
  lifetime 86400
 

group-policy remotevpn internal (define a group policy named remotevpn; the split-tunnel settings here are optional, the other policies are required)
group-policy remotevpn attributes
  split-tunnel-policy tunnelspecified (split type: only traffic matching the list is encrypted, everything else is sent in the clear)
  split-tunnel-network-list value split (reference the split-tunnel list)

tunnel-group remotevpn type remote-access (define a tunnel group named remotevpn of type RA)

tunnel-group remotevpn general-attributes (global settings for the remotevpn tunnel)
  address-pool iepool (reference the address pool)
  default-group-policy remotevpn (reference the split-tunnel group policy)

tunnel-group remotevpn ipsec-attributes
  pre-shared-key * (set the pre-shared key; this key together with the tunnel-group name, i.e. remotevpn, is used for phase-1 authentication)

crypto ipsec transform-set cisco esp-des esp-md5-hmac (define the phase-2 transform set)

crypto dynamic-map cisco 10 set transform-set cisco (reference the phase-2 transform set in the dynamic map)

crypto dynamic-map cisco 10 set reverse-route (enable RRI, reverse route injection)

crypto map cisco 10 ipsec-isakmp dynamic cisco (the static map references the dynamic map)

crypto map cisco interface outside (apply the map to the interface)
 

2. route inside 0.0.0.0 0.0.0.0 10.1.1.1 tunnel
 

3. ezvpn

crypto isakmp id address or auto

nem enable under group-policy (enable support for hardware clients in network extension mode)
 

4. NAT-T

ipsec-over-tcp: highest priority <traffic: only TCP on the specified port>

nat-t: next priority (defined by RFC, UDP 4500) <traffic: the six ISAKMP messages and ESP are encapsulated in UDP port 4500>

ipsec-over-udp: lowest priority (Cisco proprietary, can be encapsulated in any UDP port) <traffic: the six ISAKMP messages and ESP are encapsulated in the specified UDP port>

Note: Cisco routers support PAT for ESP; the firewall does not enable NAT traversal by default.

 

Enabling ipsec-over-udp:

group-policy <...> attributes
  ipsec-udp enable (enable ipsec-over-udp)
  ipsec-udp-port 5000 (define the ipsec-over-udp port)

Enabling nat-t:

crypto isakmp nat-traversal 20 (enabled globally; the value sets the interval for sending NAT-T keepalives, which keep the NAT translation entry from timing out)

Enabling ipsec-over-tcp:

crypto isakmp ipsec-over-tcp port <port-number> (enabled globally; up to 10 ports can be defined; the client must be configured with the TCP port number)
 

5. Two VPN clients reaching each other

same-security-traffic permit intra-interface (allow VPN clients connected to the same interface to reach each other)

Note: if split tunnelling is configured, the ip local pool range must also be added to the ACL that defines the split tunnel.
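Added here as an example (not part of these notes or of any Cisco tool), a small audit script for the points the notes raise: the phase-1 policy above uses DES, MD5 and DH group 2, the ASA leaves NAT-T off by default, and client-to-client traffic under split tunnelling needs the address pool inside the split ACL. The sample config is constructed from the fragments above; the WEAK table and the function names are the example's own assumptions.

```python
import ipaddress
import re

# Constructed sample, assembled from the fragments in the notes above.
SAMPLE_CONFIG = """
crypto isakmp policy 10
  authentication pre-share
  encryption des
  hash md5
  group 2
ip local pool iepool 100.1.1.1-100.1.1.100
access-list split line 1 extended permit ip 45.45.7.0 255.255.255.0 any
group-policy remotevpn attributes
  split-tunnel-network-list value split
same-security-traffic permit intra-interface
"""
# Phase-1 settings to flag (assumed list); the notes' sample policy uses all three.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}


def isakmp_policies(cfg):
    """Map each 'crypto isakmp policy N' block to its {attribute: value} lines."""
    policies, current = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"crypto isakmp policy (\d+)", line):
            current = policies.setdefault(m.group(1), {})
        elif current is not None and line.startswith("  "):
            key, _, val = line.strip().partition(" ")
            current[key] = val
        else:
            current = None  # any other top-level line ends the policy block
    return policies


def audit(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for num, pol in isakmp_policies(cfg).items():
        for attr, weak_values in WEAK.items():
            if pol.get(attr) in weak_values:
                findings.append(f"isakmp policy {num}: weak {attr} {pol[attr]}")
    if "crypto isakmp nat-traversal" not in cfg:
        findings.append("NAT-T not enabled (the ASA leaves it off by default)")
    # Client-to-client traffic with split tunnelling needs the pool inside the split ACL.
    pool = re.search(r"ip local pool \S+ (\S+)-(\S+)", cfg)
    acl_nets = [ipaddress.ip_network(f"{net}/{mask}") for net, mask in
                re.findall(r"access-list \S+ .*permit ip (\S+) (\S+) any", cfg)]
    if pool and "permit intra-interface" in cfg and "split-tunnel-network-list" in cfg:
        if not any(ipaddress.ip_address(pool.group(1)) in n for n in acl_nets):
            findings.append(f"pool {pool.group(1)}-{pool.group(2)} missing from the split-tunnel ACL")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to list the findings for the notes' configuration; it returns an empty list once the policy uses AES/SHA/group 14, NAT-T is enabled and the pool is added to the split ACL.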