
Cisco ASA VPN

ACTIVITY: CISCO ASA VPN CONFIGURATION

CAMILA MARTÍNEZ LÓPEZ

NILSON ANDRÉS LONDOÑO HERNANDEZ

GERSON ZAPATA AGUDELO

TECHNOLOGY PROGRAMME IN DATA NETWORK MANAGEMENT

GROUP ID (FICHA): 455596

INSTRUCTOR

ISABEL CRISTINA YÉPEZ OCAMPO

SERVICIO NACIONAL DE APRENDIZAJE (SENA)

CENTRO DE SERVICIOS Y GESTIÓN EMPRESARIAL (CESGE)

MEDELLÍN – ANTIOQUIA

2014

Contents

TOPOLOGY

GRAPHICAL CONFIGURATION

LEFT ASA CONFIGURATION

RIGHT ASA CONFIGURATION

TOPOLOGY

GRAPHICAL CONFIGURATION

We go to Wizards, then VPN Wizards, and select Site-to-Site VPN:

The introduction page appears; we just click Next:

We enter the IP address of the far end on the public network and, as the interface, select the one configured as the outgoing interface, which in our case is named “outside”:

In the next window we select the Internet Key Exchange protocols (IKE versions) to be used; in our case we use both:

We select the ASA's local network and, as the remote network, the network we want to reach:

In this window we configure the pre-shared key used to authenticate the devices to each other (the keys must be identical on both sides):

The next window shows the encryption algorithms that will be used to protect the VPN traffic; in our case we leave the defaults:

Now we tick the first and the last option, with the inside interface.

Now we click Finish.

Now we apply the changes.

The configuration should look like this:

Now we go to Device Setup > Routing > Static Routes and add a new route.

The route is created so that when a host on the LAN asks for the 192.168.1.0/24 network, the traffic is sent out the interface on the public network adjacent to it:

The static routing configuration should look like this.

LEFT ASA CONFIGURATION

: Saved
:
ASA Version 9.1(3)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.40.254 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 180.100.10.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network NETWORK_OBJ_192.168.40.0_24
 subnet 192.168.40.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_24
 subnet 192.168.50.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.50.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,inside) source static NETWORK_OBJ_192.168.40.0_24 NETWORK_OBJ_192.168.40.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.40.0_24 NETWORK_OBJ_192.168.40.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
route outside 192.168.50.0 255.255.255.0 180.100.10.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.40.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 180.100.10.2
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_180.100.10.2 internal
group-policy GroupPolicy_180.100.10.2 attributes
 vpn-tunnel-protocol ikev1 ikev2
username admin password RA4vw/GpJKxVwa9B encrypted privilege 15
username admin1 password RA4vw/GpJKxVwa9B encrypted privilege 15
username admones password pyZg7oqajBSMWzic encrypted privilege 15
username admin2 password zT8V4igE6lU/Ogmd encrypted privilege 15
username andres password WaGcYi5VcTxeYFYY encrypted privilege 0
tunnel-group 180.100.10.2 type ipsec-l2l
tunnel-group 180.100.10.2 general-attributes
 default-group-policy GroupPolicy_180.100.10.2
tunnel-group 180.100.10.2 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:86696a4d93418771b94b90f95a0f5f34
: end

RIGHT ASA CONFIGURATION

: Saved
:
ASA Version 9.1(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.50.254 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 180.100.10.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network NETWORK_OBJ_192.168.40.0_24
 subnet 192.168.40.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_24
 subnet 192.168.50.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.40.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 destination static NETWORK_OBJ_192.168.40.0_24 NETWORK_OBJ_192.168.40.0_24 no-proxy-arp route-lookup
route outside 192.168.40.0 255.255.255.0 180.100.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 180.100.10.1
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_180.100.10.1 internal
group-policy GroupPolicy_180.100.10.1 attributes
 vpn-tunnel-protocol ikev1 ikev2
username ADMIN password XrSTHPC5dRv3lK14 encrypted privilege 15
tunnel-group 180.100.10.1 type ipsec-l2l
tunnel-group 180.100.10.1 general-attributes
 default-group-policy GroupPolicy_180.100.10.1
tunnel-group 180.100.10.1 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
crashinfo save disable
Cryptochecksum:a0116c93d0e3038b09b20004ff9921a1
: end
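As an added check that is not part of the original activity, the following Python script reads constructed excerpts of the two configurations above and verifies that the tunnel ends mirror each other (crypto ACL, crypto map peer, tunnel-group name and static route) and lists the weak algorithms the wizard leaves enabled by default. The WEAK set and the ALGO_LINE pattern are my own assumptions, not anything from the ASA or ASDM.

```python
import re

# Constructed excerpts of the two running configs on this page (ASA1 on the
# left, ciscoasa on the right); only the lines the checks read are kept.
ASA_LEFT = """\
access-list outside_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.50.0 255.255.255.0
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto map outside_map 1 set peer 180.100.10.2
route outside 192.168.50.0 255.255.255.0 180.100.10.2 1
ssh key-exchange group dh-group1-sha1
tunnel-group 180.100.10.2 type ipsec-l2l
"""
ASA_RIGHT = """\
access-list outside_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.40.0 255.255.255.0
crypto map outside_map 1 set peer 180.100.10.1
route outside 192.168.40.0 255.255.255.0 180.100.10.1 1
tunnel-group 180.100.10.1 type ipsec-l2l
"""
# Assumed list of algorithms this audit reports; the wizard keeps them on by default.
WEAK = {"des", "3des", "md5", "dh-group1-sha1"}
# Config lines whose trailing tokens name algorithms (assumed pattern).
ALGO_LINE = r"^\s*(?:encryption|hash|integrity|protocol esp \w+|ssh key-exchange group) (.+)$"

def parse(cfg):
    """Extract the fields a site-to-site mirror check needs from one ASA config."""
    grab = lambda pat: re.search(pat, cfg, re.M)
    acl = grab(r"^access-list \S+ extended permit ip (\S+ \S+) (\S+ \S+)")
    route = grab(r"^route outside (\S+ \S+) (\S+)")
    return {"local": acl.group(1), "remote": acl.group(2),
            "peer": grab(r"set peer (\S+)").group(1),
            "tunnel": grab(r"^tunnel-group (\S+) type ipsec-l2l").group(1),
            "route_net": route.group(1), "route_gw": route.group(2),
            # every algorithm token named on a crypto or ssh key-exchange line
            "algos": {t.lower() for l in re.findall(ALGO_LINE, cfg, re.M)
                      for t in l.split()}}

def audit(left, right):
    """Return findings for the pair; an empty list means the tunnel ends agree."""
    a, b = parse(left), parse(right)
    out = []
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        out.append("crypto ACLs are not mirror images of each other")
    for name, s in (("left", a), ("right", b)):
        if s["tunnel"] != s["peer"]:
            out.append(f"{name}: tunnel-group {s['tunnel']} != crypto map peer {s['peer']}")
        if (s["route_net"], s["route_gw"]) != (s["remote"], s["peer"]):
            out.append(f"{name}: static route does not send the remote LAN to the peer")
    weak = sorted((a["algos"] | b["algos"]) & WEAK)
    if weak:
        out.append("weak algorithms still offered: " + ", ".join(weak))
    return out
```

Running audit(ASA_LEFT, ASA_RIGHT) reports only the weak-algorithm finding, which confirms the two configurations mirror each other as the wizard intended.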