ASA 5505 Cisco Packet Tracer step by step configuration

Today we're going to look at LAN-to-LAN VPNs using the pair of ASA 5505s in the community lab. LAN-to-LAN VPNs are typically used to transparently connect geographically disparate LANs over an untrusted medium (e.g. the Internet). Here we'll see how to configure a simple L2L VPN as pictured in the below topology in a few simple steps.

[Topology diagram not reproduced here. From the configuration that follows: F1's outside interface is 172.16.1.2 and it fronts 10.0.1.0/24; F2's outside interface is 172.16.2.2 and it fronts 10.0.2.0/24.]

Step 1: Configure an ISAKMP Policy

ISAKMP is used to establish the initial asymmetrically encrypted channels between the two endpoints so that they can securely negotiate a pair of one-way IPsec security associations (SAs). For more background on IPsec fundamentals, see my IPsec quick and dirty article. While it is possible to enable several options, both sides of our VPN will be configured to support only 256-bit AES and SHA-1. For simplicity, we'll use a static pre-shared key for ISAKMP authentication (which will be defined in step four).

    F1(config-isakmp-policy)# authentication pre-share
    F1(config-isakmp-policy)# encryption aes-256

The finished configuration can be copied verbatim from F1 to F2.

Step 2: Create an IPsec Transform Set

An IPsec transform set establishes the encryption and authentication (HMAC) methods to be employed by the IPsec SAs. Our transform set is named L2L.

    F1(config)# crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac
    F2(config)# crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac

Step 3: Create an ACL to Match Traffic

Next we need to create an access list to match plain (unencrypted) traffic which should be encrypted and routed through the IPsec tunnel between the two LANs. This access list will be referenced by the crypto map we'll create in step five. In the real world, crypto map ACLs can be quite complex. On F1 the access list LAN_Traffic permits traffic from 10.0.1.0/24 to 10.0.2.0/24; we flip the addresses on F2 to match traffic heading the opposite direction:

    F2(config)# access-list LAN_Traffic extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0

Step 4: Create a Tunnel Group

A tunnel group holds tunnel configuration parameters, namely the connection type and authentication method. Since we're using pre-shared key authentication, we need to name our tunnel group as the IP address of the remote peer. Also, notice that we must define the connection type (ipsec-l2l) before we can configure the pre-shared key.

    F1(config)# tunnel-group 172.16.2.2 type ipsec-l2l

Once the type is set, the tunnel group offers two sub-command modes:

    general-attributes  Enter the general-attributes sub command mode
    ipsec-attributes    Enter the ipsec-attributes sub command mode

The pre-shared key is configured under ipsec-attributes:

    F1(config)# tunnel-group 172.16.2.2 ipsec-attributes
    F1(config-tunnel-ipsec)# pre-shared-key ThisIsAWeakKey

The tunnel group configuration on F2 is identical except that its name changes to 172.16.1.2 (F1's outside interface).

Step 5: Create a Crypto Map

Finally, we need to create a crypto map (named L2L) to tie together the IPsec transform set, access list, and tunnel group configured in the previous steps. First we match LAN-to-LAN traffic using our access list:

    F1(config)# crypto map L2L 1 match address LAN_Traffic

Then we set the VPN peer and IPsec transform set to use:

    F1(config)# crypto map L2L 1 set peer 172.16.2.2
    F1(config)# crypto map L2L 1 set transform-set L2L

The corresponding crypto map on F2 looks like this (with F1's outside address, 172.16.1.2, as its peer):

    crypto map L2L 1 match address LAN_Traffic

All that's left now is to apply the crypto map to the outside interface on each firewall:

    F1(config)# crypto map L2L interface outside
    F2(config)# crypto map L2L interface outside

Testing

Our LAN-to-LAN VPN won't actually establish until one of the firewalls detects traffic matching our crypto map's access list (10.0.1.0/24 to 10.0.2.0/24 or vice versa). To initiate the VPN, we can ping from one LAN host to another:

    Sending 5, 100-byte ICMP Echos to 10.0.2.9, timeout is 2 seconds:
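Every piece configured in steps two through five has to mirror its counterpart on the other firewall (flipped ACL, tunnel group named after the peer, matching transform set, map bound to an interface), and a mismatch in any of them leaves you debugging a tunnel that never negotiates. The Python below is an added example, not code from the original post or from Cisco; the two config snippets are constructed from the addresses used in this article, and it does not check the ISAKMP policy or the pre-shared key.

```python
# Constructed configs modelled on the article's topology (not captured from a real device).
F1_CFG = """
crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac
access-list LAN_Traffic extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
tunnel-group 172.16.2.2 type ipsec-l2l
crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set peer 172.16.2.2
crypto map L2L 1 set transform-set L2L
crypto map L2L interface outside
"""
# F2 is the mirror image: flipped ACL, and F1's outside address as peer / tunnel-group name.
F2_CFG = F1_CFG.replace("10.0.1.0 255.255.255.0 10.0.2.0", "10.0.2.0 255.255.255.0 10.0.1.0") \
               .replace("172.16.2.2", "172.16.1.2")

def parse(cfg):
    """Extract the pieces the crypto map ties together: transform sets, ACLs, tunnel groups, map entries."""
    d = {"ts": {}, "acl": {}, "tg": {}, "map": {}, "applied": set()}
    for line in cfg.strip().splitlines():
        t = line.split()
        if line.startswith("crypto ipsec transform-set"):
            d["ts"][t[3]] = tuple(t[4:])                         # name -> (esp cipher, esp hmac)
        elif line.startswith("access-list") and "permit ip" in line:
            d["acl"].setdefault(t[1], []).append(tuple(t[5:9]))  # (src, smask, dst, dmask)
        elif line.startswith("tunnel-group") and t[2:3] == ["type"]:
            d["tg"][t[1]] = t[3]                                 # peer address -> connection type
        elif line.startswith("crypto map") and t[3] == "interface":
            d["applied"].add(t[2])                               # map names bound to an interface
        elif line.startswith("crypto map"):
            e = d["map"].setdefault((t[2], t[3]), {})            # (map name, seq) -> settings
            if t[4] == "match":
                e["acl"] = t[6]
            elif t[5] in ("peer", "transform-set"):
                e[t[5]] = t[6]
    return d

def mirror_problems(local, remote):
    """Return the mismatches between two peers that would keep the L2L tunnel from coming up."""
    problems = []
    for (name, _), e in local["map"].items():
        if name not in local["applied"]:
            problems.append(f"crypto map {name} is not applied to an interface")
        if local["tg"].get(e.get("peer")) != "ipsec-l2l":
            problems.append(f"no ipsec-l2l tunnel-group named {e.get('peer')} (PSK peers are keyed by address)")
        if local["ts"].get(e.get("transform-set")) not in remote["ts"].values():
            problems.append(f"transform-set {e.get('transform-set')} has no equal proposal on the peer")
        # Interesting traffic must match in both directions, so the peer's ACL has to be our exact flip.
        flipped = [(dst, dm, src, sm) for src, sm, dst, dm in local["acl"].get(e.get("acl"), [])]
        if flipped not in remote["acl"].values():
            problems.append(f"peer has no access-list mirroring {e.get('acl')}")
    return problems
```

Run `mirror_problems(parse(F1_CFG), parse(F2_CFG))` in both directions; an empty list means the two firewalls agree on everything the crypto map references.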