8/16/2019 Configuring ASA Site-To-Site VPNs.docx
Configuring ASA Site-To-Site VPN

Contents
Purpose
Background
  Outside
  Inside
  DMZ
VPN
ASA VPN Types
  Clientless VPN
  AnyConnect VPN
  Site-to-Site VPN
    There are two types of site-to-site VPNs
ASDM
Learning Objectives
Network Diagram
Lab
  Task 1: Configure all other devices except the ASA
    PCs and servers
    ISP
    R1
    R2
  Task 2: Create an MS Loopback interface
  Task 3: Add the ASA device to GNS3
  Local Site
  Task 4: Install ASDM on the ASA device
  Task 5: Configure the ASA using ASDM
    Step 1: Basic configuration
    Step 2: Create a global service policy
    Step 3: Configure the dmz
    Step 4: Create an Access Rule
  Task 6: Verifying the Local configuration
  Remote Site
  Task 7: Install ASDM on the ASA device
  Task 8: Configure the ASA using ASDM
    Step 1: Basic configuration
    Step 2: Create a global service policy
  Task 9: Verifying the Remote configuration
  Configure the Site-To-Site VPN
    Local site
    Remote site
    Verifying the VPN configuration
Purpose:
The purpose of this lab is to provide a more advanced understanding of Cisco's ASA 5520 Adaptive Security Appliance. The Cisco ASA is a security device that combines firewall, antivirus, intrusion prevention and virtual private network (VPN) capabilities. In this lab we will use GNS3 to learn how to configure the ASA as a basic firewall with the addition of a third zone, referred to as a DMZ, and finally we will create a site-to-site VPN between the sites. This knowledge is essential to passing the CCNP Security exam and will be used daily in your position as a Cisco network engineer.

Background:
In this lab we will be using GNS3 and ASDM to model a network with a LOCAL and a REMOTE site. Each of these sites will have access to the internet. The local site will also have a DMZ zone that can be accessed by any outside device as well as by inside devices, but which will not be able to connect to any inside device. In addition to this we will create a site-to-site VPN between the local site and the remote site. Before we continue with our lab, let's take a look at the basic interfaces being used in this lab.

Outside:
The outside interface is a public, untrusted zone commonly used to connect to public addresses on the internet. Devices within this zone cannot access devices in the inside or DMZ without permission, which on the ASA means an explicit access rule on the outside interface (and, where private addresses are involved, a translation that exposes the target).

Inside:
The inside interface is a private, trusted interface generally used for local devices using a private address space. To access public addresses in the outside, the private addresses will need to be translated using NAT or PAT. Devices on the inside can access devices in the outside or DMZ unless restricted.

DMZ:
In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical sub-network that contains and exposes an organization's external-facing services to a larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN

[…]

…Exchange Server 2010 in 8.4(2) and later.
• Application Access (smart tunnel or port forwarding access to other TCP-based applications)

Clientless SSL VPN uses the Secure Sockets Layer protocol and its successor, Transport Layer Security (SSL/TLS), to provide the secure connection between remote users and specific, supported internal resources that you configure at an internal server. The ASA recognizes connections that must be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users.

The network administrator provides access to resources by users of Clientless SSL VPN sessions on a group basis. Users have no direct access to resources on the internal network.

AnyConnect VPN:
Cisco AnyConnect is a client application designed to let users connect securely to VPNs. It is intended for enterprise users who need a secure way to connect to a VPN at their place of work. Unlike the clientless option, it requires software on the endpoint and gives the user network-layer access to whatever the policy permits, rather than proxied access to a list of published resources.

Site-to-Site VPN:
A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. A site-to-site VPN extends the company's network, making computer resources from one location available to employees at other locations. An example of a company that needs a site-to-site VPN is a growing corporation with dozens of branch offices around the world. There are two types of site-to-site VPNs:

Intranet-based -- If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect each separate LAN to a single WAN.

Extranet-based -- When a company has a close relationship with another company (such as a partner, supplier or customer

[…] …ven though the purpose of a site-to-site VPN is different from that of a remote-access VPN, it could use some of the same software and equipment. Ideally, though, a site-to-site VPN should eliminate the need for each computer to run VPN client software as if it were on a remote-access VPN. Dedicated VPN gateway equipment (in this lab, the ASA at each site) accomplishes this goal in a site-to-site VPN: the hosts behind it need no VPN software and no knowledge that the tunnel exists.
ASDM:
Cisco's ASDM (Adaptive Security Device Manager) is a GUI-based firewall appliance management tool that allows the user to configure, monitor and troubleshoot Cisco firewall appliances and firewall service modules. Ideal for small or simple deployments, it provides the following:
• Setup wizards that help you configure and manage Cisco firewall devices, including the Cisco ASA Adaptive Security Appliances, Cisco PIX appliances and Cisco Catalyst 6500 Series Firewall Services Modules, without cumbersome command-line scripts
• A real-time log viewer and monitoring dashboards that provide an at-a-glance view of firewall appliance status and health
• Troubleshooting features and debugging tools such as packet tracer and packet capture.
Everything ASDM does is sent to the ASA as ordinary CLI commands (the Send/Preview dialog in the tasks below shows them), so show running-config on the ASA remains the authoritative record of what a wizard actually changed.

Learning Objectives:
• Add the ASA to GNS3.
• Configure the MS Loopback interface.
• Install and configure ASDM.
• Use ASDM to configure the ASA.
• Configure a DMZ.
• Configure a site-to-site VPN.
Network Diagram:
[The network diagram is a figure in the original and is not reproduced here. The addressing it shows, collected from the tasks below: ISP FastEthernet0/0 209.165.200.9/29 with the INTERNET server at 209.165.200.11; LOCAL site ASA1 outside 209.165.200.226/29 (default gateway 209.165.200.225), inside 192.168.10.1/24 (LOCAL server 192.168.10.200, DHCP pool 192.168.10.10-100), dmz 172.16.1.1/24 (DMZ server 172.16.1.200, published on the outside as 209.165.200.227); REMOTE site R2 209.165.200.233/29, ASA2 outside 209.165.200.234/29, inside 192.168.20.1/24; ASDM management network 192.168.2.0/24 (ASA1 192.168.2.1, ASA2 192.168.2.2, plus the Windows loopback adapter).]

Lab:
Task 1: Configure all other devices except the ASA.
In this part of our lab we will configure the routers, PCs and servers as shown in the network diagram.
Note: In this lab, routers are being used to simulate the INTERNET, DMZ and LOCAL servers and the REMOTE and LOCAL PCs.
PCs and servers:
1. Configure the INTERNET, DMZ and LOCAL servers and the REMOTE and LOCAL PCs as shown in the network diagram.
2. Configure a default route on each of the above devices.
ISP:
1. Configure the ISP as follows (only the first interface survived in the source; the remaining ISP interfaces and the R1 configuration are missing):
ISP#config t
ISP(config)#interface FastEthernet0/0
ISP(config-if)#ip address 209.165.200.9 255.255.255.248
ISP(config-if)#no shutdown
ISP(config-if)#e
R2 (the start of this configuration is missing in the source; this is the interface facing ASA2):
R2(config-if)#ip address 209.165.200.233 255.255.255.248
R2(config-if)#no shutdown
R2(config-if)#e
14. In the Microsoft Loopback Adapter Properties dialog box, verify that the Virtual Machine Network Services check box is selected.
15. Click Internet Protocol (TCP/IP
[…]
(tail of the ASA's kernel command line in the GNS3 Qemu device settings) …6,32 auto nousb console=ttyS0,9600 bigphysarea=65536
9. Leave all other options at their defaults.
10. Click the Save button, then click OK.
11. Copy the ASDM lab.zip file to the GNS3 project directory.
12. Extract the ASDM lab.zip file.
13. Open the lab topology.
14. Once the ASA is up, enter enable and then enter one of the following activation-key commands to activate features:
activation-key
Note: to complete the next step you will need to disable or configure your PC firewall. You may also need to disable pop-ups in your browser and in the Java configuration. Lastly, you may need to add https://192.168.2.1 to the trusted sites under the Internet security options. You may also need to install the certificate in your browser. The certificate warning is expected: the ASA presents a self-signed certificate, and trusting it is acceptable for this lab address only.
8. Open your browser and browse to https://192.168.2.1 and click the Install ASDM Launcher button to download and install the ASDM app from the ASA.
9. Once the Cisco ASDM-IDM Launcher has loaded, log in to it with the username admin and the password cisco.

Task 5: Configure the ASA using ASDM.
Step 1: Basic configuration.
1. From the ASDM window select Configuration.
2. Launch the Startup Wizard.
3. Select Modify existing configuration and click Next.
4. Enter Hostname ASA1 and Domain Name Local, and click Next.
5. Select Enable interface and configure the interface with the following:
   Interface: GigabitEthernet0
   Interface name: outside
   Security level: (not captured in the source; an interface not named "inside" defaults to 0)
   IP address: 209.165.200.226
   Subnet mask: 255.255.255.248
6. Click Next.
7. Highlight GigabitEthernet1 and click Edit.
8. Select Enable interface and configure the interface with the following:
   Interface: GigabitEthernet1
   Interface name: inside
   Security level: (not captured; naming the interface "inside" makes ASDM default it to 100)
   IP address: 192.168.10.1
   Subnet mask: 255.255.255.0
   (The source repeats ASA2's inside address here. ASA1's inside network is 192.168.10.0/24 everywhere else in this lab, in the DHCP pool, the inside-subnet NAT object and the crypto ACL, so the interface address must be on that network.)
9. Click OK.
10. Highlight GigabitEthernet2 and click Edit.
11. Select Enable interface and configure the interface with the following:
   Interface: GigabitEthernet2
   Interface name: dmz
   Security level: (not captured; pick a value strictly between outside and inside, for example 50, so that inside can reach the dmz but the dmz cannot initiate to inside)
   IP address: 172.16.1.1
   Subnet mask: 255.255.255.0
12. Click OK.
13. Click Next.
14. Click Add and enter the following default route:
   Interface: outside
   Network: any
   Gateway IP: 209.165.200.225
   (The source lists inside as the interface. The gateway 209.165.200.225 is on the outside subnet, so the route must point out the outside interface or Internet-bound traffic never leaves the firewall.)
15. Click OK.
16. Click Next.
17. Enable the DHCP server on the inside interface.
18. Enter the starting IP address 192.168.10.10 and the ending IP address 192.168.10.100.
19. Click Next.
20. Select Use the IP address on the GigabitEthernet0 (outside) interface, i.e. PAT behind the outside address.
21. Click Next.
22. Click Next.
23. Click Next.
24. Select Do not enable Smart Call Home and click Next.
25. Verify the configuration.
26. Click Finish.
27. Select Send.
Step 2: Create a global service policy.
1. From the Configuration tab select Firewall.
2. Select Service Policy Rules.
3. Click the Add button and select Add Service Policy Rule.
4. Click Global, make the policy Name global-policy, then click Next.
5. Check the box labeled Default Inspection Traffic and click Next.
6. Click Next.
7. Check the following inspection rules:
• DNS
• ESMTP
• FTP
• H.323 H.225
• HTTP
• ICMP
• IP-OPTIONS
• NETBIOS
8. Click Finish.
9. Click Apply.
ICMP is the one that is not inspected by default: without it, echo replies to pings sent from the inside are not matched to a connection and are dropped on the way back, so a failing ping in the verification tasks is the first thing to check against this list. FTP inspection is what lets the active-mode data connection back in during the Task 6 tests.
10. Click Send.

Step 3: Configure the dmz.
1. From the Firewall drop-down select Network Object/Group.
2. Click Add and select Network Object.
3. In the Network Object window enter the following:
   Name: inside-subnet
   Type: Network
   IP Address: 192.168.10.0
   Netmask: 255.255.255.0
   (The source shows 192.168.1.0 here, but the DHCP pool, the LOCAL server 192.168.10.200 and the crypto ACL at the end of this lab all use 192.168.10.0/24, so that is the network this object must cover.)
4. Click NAT and select Add Automatic Address Translation Rule.
5. Select the Type Dynamic.
6. Select the Translated Address outside (the interface).
7. Click Advanced.
8. Select the Source Interface inside and the Destination Interface outside.
9. Click OK.
10. From the Firewall drop-down select Network Object/Group.
11. Click Add and select Network Object.
12. In the Network Object window enter the following:
   Name: dmz-subnet
   Type: Network
   IP Address: 172.16.1.0
   Netmask: 255.255.255.0
13. Click NAT and select Add Automatic Address Translation Rule.
14. Select the Type Dynamic.
15. Select the Translated Address outside (the interface).
16. Click Advanced.
17. Select the Source Interface dmz and the Destination Interface outside.
18. Click OK.
19. Click OK.
20. Click Add and select Network Object.
21. In the Network Object window enter the following:
   Name: dmz-host-ext
   Type: Host
   IP Address: 209.165.200.227
22. Click OK.
23. Click Add and select Network Object.
24. In the Network Object window enter the following:
   Name: dmz-host-int
   Type: Host
   IP Address: 172.16.1.200
25. Click NAT and select Add Automatic Address Translation Rule.
26. Select the Type Static.
27. Select the Translated Address dmz-host-ext.
28. Click Advanced.
29. Select the Source Interface dmz and the Destination Interface outside.
30. Click OK.
31. Click OK.
32. Click Apply.
33. Click Send.
The two dynamic rules hide inside and dmz behind the single outside address (PAT). The static rule makes 172.16.1.200 reachable as 209.165.200.227 in both directions, but a translation is not a permission: nothing from the outside reaches the DMZ host until Step 4 adds an access rule.
Step 4: Create an Access Rule.
1. From Firewall select Access Rules.
2. Highlight outside (0 implicit incoming rules).
3. Click Add and select Add Access Rule, then enter the following:
• Action: Permit
• Source: any
• Destination: dmz-host-int
• Services: tcp/ftp, tcp/ftp-data, tcp/http, tcp/https, tcp/ssh, tcp/telnet
4. Click OK.
5. Click Apply.
6. Click Send.
7. From the menu bar click Save.
8. Click Send.
The destination is dmz-host-int (the real address 172.16.1.200), not the public dmz-host-ext: since ASA 8.3 interface access lists are evaluated against untranslated addresses, and a rule written for 209.165.200.227 would never match. Telnet and FTP are in the list only because the lab's "servers" are routers that offer them; both carry credentials in clear text, so a production rule would list only the services the host actually needs to expose.
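For checking against show running-config, this is the CLI that Task 5 (Steps 1, 3 and 4) amounts to on ASA1. It is an added example written for this edit, not output captured from the lab's firewall: the security levels, the object-group name DMZ-HOST-SERVICES and the access-list name outside_access_in are assumptions (ASDM generates its own names, typically outside_access_in with an inline DM_INLINE_TCP_n group), while every address is the lab's.

```cisco
! ASA1 (local site): CLI equivalent of Task 5, Steps 1, 3 and 4.
! Added example, not captured from the lab. Security levels and the
! object-group/ACL names are assumptions; addresses are the lab's.
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 209.165.200.226 255.255.255.248
 no shutdown
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 no shutdown
interface GigabitEthernet2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
 no shutdown
!
! The default route must use the interface that owns 209.165.200.225.
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
!
dhcpd address 192.168.10.10-192.168.10.100 inside
dhcpd enable inside
!
! Step 3: object NAT. Both dynamic rules PAT behind the outside interface
! address; the static rule publishes the DMZ host as 209.165.200.227.
object network inside-subnet
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network dmz-subnet
 subnet 172.16.1.0 255.255.255.0
 nat (dmz,outside) dynamic interface
object network dmz-host-ext
 host 209.165.200.227
object network dmz-host-int
 host 172.16.1.200
 nat (dmz,outside) static dmz-host-ext
!
! Step 4: the inbound rule names the real address (dmz-host-int), because
! interface access lists are matched against untranslated addresses.
object-group service DMZ-HOST-SERVICES tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
 port-object eq ssh
 port-object eq telnet
access-list outside_access_in extended permit tcp any object dmz-host-int object-group DMZ-HOST-SERVICES
access-group outside_access_in in interface outside
!
! No access-group on dmz: the implicit policy then lets dmz reach outside
! (lower security level) and denies dmz to inside (higher), which is what
! Task 6 step 7 verifies.
```

The remote site (Task 8) is the same shape with ASA2's addresses and without the dmz interface and the DMZ objects. Compare this block with show running-config after the wizards have run; any extra nat or access-list line the wizard added (for example an obj_any PAT object) is worth understanding before moving on.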
Task 6: Verifying the Local configuration.
1. From LOCAL-PC, telnet to the INTERNET server using the username admin and the password cisco.
2. Enter exit.
3. From LOCAL-PC, telnet to the DMZ server using the username admin and the password cisco.
4. Enter exit.
5. From the DMZ server, telnet to the INTERNET server using the username admin and the password cisco.
6. Enter exit.
7. Ensure you cannot telnet to LOCAL-PC or the LOCAL server from the DMZ server.
Step 7 is the one that matters for the design: it passes only because the dmz interface has a lower security level than inside and no access list has been applied to the dmz interface. Applying any access list to dmz later replaces that implicit behaviour, and the deny towards inside then has to be written explicitly.
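The Task 6 telnet tests exercise the policy from the hosts; the same expectations can be checked on the ASA itself with packet-tracer, which walks a synthetic packet through routing, NAT and the access lists and names the phase and rule that allows or drops it. This is an added example, not part of the original lab: 12345 is an arbitrary source port, and the DMZ server is taken to be dmz-host-int (172.16.1.200).

```cisco
! ASA1: the Task 6 expectations as packet-tracer checks (added example).
! 12345 is an arbitrary source port; the DMZ server is dmz-host-int.
!
! Outside host to the published DMZ address on a permitted port: the UN-NAT
! phase shows 209.165.200.227 -> 172.16.1.200, the ACCESS-LIST phase names
! outside_access_in, and the last line reads "Action: allow".
packet-tracer input outside tcp 209.165.200.11 12345 209.165.200.227 23
!
! Same host, a port the rule does not list: expect "Action: drop" with
! Drop-reason: (acl-drop) Flow is denied by configured rule.
packet-tracer input outside tcp 209.165.200.11 12345 209.165.200.227 25
!
! DMZ to inside (Task 6 step 7): no access list on dmz, so the implicit
! lower-to-higher deny applies; the same acl-drop reason is reported.
packet-tracer input dmz tcp 172.16.1.200 12345 192.168.10.200 23
!
! Inside to the Internet: allowed, with the NAT phase showing dynamic PAT
! to the outside address 209.165.200.226.
packet-tracer input inside tcp 192.168.10.10 12345 209.165.200.11 23
!
! Hit counts make a silent rule visible: a rule still at 0 hits after the
! telnet tests above was not the one that permitted them.
show nat detail
show access-list outside_access_in
```

packet-tracer creates no real connection and leaves no state behind, so it is safe to run on a production firewall; the drop reason it prints is the same text the ASA logs as syslog message 106023 for the real packet.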
Remote Site.
Task 7: Install ASDM on the ASA device.
1. If you don't already have a TFTP server installed, download and install the Cisco TFTP server available with this lab.
2. In the ASA console enter the following:
ciscoasa# config t
ciscoasa(config)# hostname ASA2
ASA2(config)# int g 5
ASA2(config-if)# ip address 192.168.2.2 255.255.255.0
ASA2(config-if)# nameif management
ASA2(config-if)# no shut
3. Ping the Windows loopback adapter from the ASA firewall to test connectivity.
4. If you don't already have the ASDM image, download the ASDM 6.4(7) image (asdm-647.bin) included with this lab.
5. In the ASA console, copy the ASDM bin file to flash on the ASA (the remote host is the Windows loopback adapter's address from Task 2; 192.168.2.100 is used below):
ASA2# copy tftp flash
Address or name of remote host []? 192.168.2.100
Source filename []? asdm-647.bin
Destination filename [asdm-647.bin]?
6. Set the ASA to load the ASDM image during the next boot, enable the HTTPS server, and allow ASDM access only from the loopback host:
ASA2# config t
ASA2(config)# asdm image flash:asdm-647.bin
ASA2(config)# http server enable
ASA2(config)# http 192.168.2.100 255.255.255.255 management
ASA2(config)# username admin password cisco privilege 15
7. When the copy is complete, save your configuration using the wr command and then reload the firewall using the reload command.
The /32 in the http line is the right shape (only the management PC may open ASDM, and only on the management interface); the username line is the weak part. A privilege 15 account with the password cisco is acceptable here only because the management network is a loopback adapter on your own PC.
Note: to complete the next step you will need to disable or configure your PC firewall. You may also need to disable pop-ups in your browser and in the Java configuration. Lastly, you may need to add https://192.168.2.2 to the trusted sites under the Internet security options. You may also need to install the certificate in your browser.
8. Open your browser and browse to https://192.168.2.2 and click the Install ASDM Launcher button to download and install the ASDM app from the ASA.
9. Once the Cisco ASDM-IDM Launcher has loaded, log in to it with the username admin and the password cisco.
Task 8: Configure the ASA using ASDM.
Step 1: Basic configuration.
1. From the ASDM window select Configuration.
2. Launch the Startup Wizard.
3. Select Modify existing configuration and click Next.
4. Keep Hostname ASA2 (set on the console in Task 7; the source repeats ASA1 here from Task 5), enter Domain Name Local, and click Next.
5. Select Enable interface and configure the interface with the following:
   Interface: GigabitEthernet0
   Interface name: outside
   Security level: (not captured in the source; defaults to 0)
   IP address: 209.165.200.234
   Subnet mask: 255.255.255.248
   (The source repeats ASA1's 209.165.200.226 here. ASA2's outside address is 209.165.200.234, the "local addr" in the show crypto ipsec sa output at the end of this lab, on the 209.165.200.232/29 network it shares with R2.)
6. Click Next.
7. Highlight GigabitEthernet1 and click Edit.
8. Select Enable interface and configure the interface with the following:
   Interface: GigabitEthernet1
   Interface name: inside
   Security level: (not captured; the name "inside" defaults it to 100)
   IP address: 192.168.20.1
   Subnet mask: 255.255.255.0
9. Click OK.
10. Click Next.
11. Click Add and enter the following default route:
   Interface: outside
   Network: any
   Gateway IP: 209.165.200.233
   (The source lists inside and 209.165.200.225, copied from Task 5. ASA2's next hop is R2 at 209.165.200.233, configured in Task 1.)
12. Click OK.
13. Click Next.
14. Enable the DHCP server on the inside interface.
15. Enter the starting IP address 192.168.20.10 and the ending IP address 192.168.20.100. (The source shows 192.168.0.10 and 192.168.10.100; the pool must lie within ASA2's inside network, 192.168.20.0/24.)
16. Click Next.
17. Select Use the IP address on the GigabitEthernet0 (outside) interface, i.e. PAT behind the outside address.
18. Click Next.
19. Click Next.
20. Click Next.
21. Select Do not enable Smart Call Home and click Next.
22. Verify the configuration.
23. Click Finish.
24. Select Send.
Step 2: Create a global service policy.
1. From the Configuration tab select Firewall.
2. Select Service Policy Rules.
3. Click the Add button and select Add Service Policy Rule.
4. Click Global, make the policy Name global-policy, then click Next.
5. Check the box labeled Default Inspection Traffic and click Next.
6. Click Next.
7. Check the following inspection rules (the same set as on ASA1):
• DNS
• ESMTP
• FTP
• H.323 H.225
• HTTP
• ICMP
• IP-OPTIONS
• NETBIOS
8. Click Finish.
9. Click Apply.
10. Click Send.
Task 9: Verifying the Remote configuration.
1. From REMOTE-PC, telnet to the INTERNET server using the username admin and the password cisco.
2. Enter exit.
3. From REMOTE-PC, telnet to the DMZ server's outside address 209.165.200.227 using the username admin and the password cisco.
4. Enter exit.
5. Ensure you cannot telnet to LOCAL-PC or the LOCAL server from REMOTE-PC.
At this point the two sites can reach only each other's public addresses: the private networks 192.168.10.0/24 and 192.168.20.0/24 sit behind PAT and are not routed across the ISP, so step 5 must fail. The VPN in the next section is what changes that, and only for traffic between those two networks.

Configure the Site-To-Site VPN
For this part of our lab we will be using ASDM to configure the Local and Remote sides of our Site-To-Site VPN.
Local site.
1. Open your browser and browse to https://192.168.2.1 and, if it is not already installed, click the Install ASDM Launcher button to download and install the ASDM app from the ASA.
2. Once the Cisco ASDM-IDM Launcher has loaded, log in to it with the username admin and the password cisco.
3. From the menu bar select Wizards.
4. From the drop-down select VPN Wizards and then Site-to-Site VPN Wizard.
5. Click Next.
6. Enter the outside address of ASA2 (209.165.200.234) as the Peer IP Address.
7. Ensure the VPN Access Interface is outside.
8. Click Next.
9. We will be using IKE version 1 for this lab, so uncheck IKE version 2.
10. Click Next.
11. From the Local Network drop-down select inside-subnet as the Local Network.
12. Select the Remote Network drop-down.
13. Click Add and select Network Object, then enter the following:
   Name: remote-subnet
   Type: Network
   IP Address: 192.168.20.0
   Netmask: 255.255.255.0
14. Click OK.
15. Select remote-subnet as the Remote Network.
16. Click Next.
17. Enter cisco as the Pre-shared Key.
18. Click Next.
19. Take the defaults for the IKE Policy and IPsec Proposal.
20. Click Next.
21. Check the remaining two boxes.
22. Click Next.
23. Ensure the configuration is correct and click Finish.
24. Click Send.
This completes the site-to-site VPN configuration on the Local site.
Three things on this path decide whether the tunnel comes up. The pre-shared key, the IKE policy and the IPsec proposal must match exactly on both ASAs, or phase 1 fails before ASA2 logs anything useful; cisco is a lab key, and a production key is a long random string. IKEv1 is chosen here for the lab only; IKEv2 is the better choice where both peers support it. The two boxes checked in step 21 are the NAT-exemption and PFS options on the wizard's last page: the show crypto ipsec sa output at the end of this lab shows PFS Group 2 in effect and a crypto ACL that matches the untranslated private networks, and without the NAT exemption the dynamic PAT rule on inside-subnet would rewrite VPN-bound packets so that they never match that ACL.
Remote site.
1. Open your browser and browse to https://192.168.2.2 and, if it is not already installed, click the Install ASDM Launcher button to download and install the ASDM app from the ASA.
2. Once the Cisco ASDM-IDM Launcher has loaded, log in to it with the username admin and the password cisco.
3. From the menu bar select Wizards.
4. From the drop-down select VPN Wizards and then Site-to-Site VPN Wizard.
5. Click Next.
6. Enter the outside address of ASA1 (209.165.200.226) as the Peer IP Address.
7. Ensure the VPN Access Interface is outside.
8. Click Next.
9. We will be using IKE version 1 for this lab, so uncheck IKE version 2.
10. Click Next.
11. From the Local Network drop-down select inside-subnet as the Local Network. Task 8 created no network objects on ASA2, so if inside-subnet is not offered, click Add and create it as a Network object for 192.168.20.0 with netmask 255.255.255.0 first; the crypto ACL on ASA2 must cover exactly that network, as the verification output at the end of this lab shows.
12. Select the Remote Network drop-down.
13. Click Add and select Network Object, then enter the following:
   Name: remote-subnet
   Type: Network
   IP Address: 192.168.10.0
   Netmask: 255.255.255.0
14. Click OK.
15. Select remote-subnet as the Remote Network.
16. Click Next.
17. Enter cisco as the Pre-shared Key (it must be identical to the key entered on ASA1).
18. Click Next.
19. Take the defaults for the IKE Policy and IPsec Proposal.
20. Click Next.
21. Check the remaining two boxes.
22. Click Next.
23. Ensure the configuration is correct and click Finish.
24. Click Send.
This completes the site-to-site VPN configuration on the Remote site.
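The CLI form of what the Site-to-Site VPN wizard pushes to ASA1, followed by the settings to change before using this configuration outside a lab. This is an added example written for this edit, not the wizard's captured output: the policy number, the transform-set and proposal names are assumptions (the wizard uses its own names and generates several default IKE policies), while the peer, the networks, the key and the PFS group are the lab's values as confirmed by the show crypto ipsec sa output at the end of the lab. The hardened block assumes both peers support IKEv2, and <long-random-key> is a placeholder.

```cisco
! ASA1: CLI form of what the Site-to-Site VPN wizard configures
! (added example; policy number and transform-set names are assumptions).
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!
! Interesting traffic: real (untranslated) addresses on both sides.
object network remote-subnet
 subnet 192.168.20.0 255.255.255.0
access-list outside_cryptomap extended permit ip object inside-subnet object remote-subnet
!
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 209.165.200.234
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
! "PFS Group 2" in the show crypto ipsec sa output comes from this line.
crypto map outside_map 1 set pfs group2
crypto map outside_map interface outside
!
tunnel-group 209.165.200.234 type ipsec-l2l
tunnel-group 209.165.200.234 ipsec-attributes
 ikev1 pre-shared-key cisco
!
! NAT exemption (one of the two boxes on the wizard's last page). Without
! it the dynamic PAT on inside-subnet rewrites VPN-bound packets and they
! never match outside_cryptomap.
nat (inside,outside) source static inside-subnet inside-subnet destination static remote-subnet remote-subnet no-proxy-arp route-lookup
!
! Decrypted traffic bypasses the outside access list because of the
! default "sysopt connection permit-vpn" (the wizard's first box).
!
! Hardened variant for use outside the lab: IKEv2, AES-256 and a long
! random key. <long-random-key> is a placeholder; apply the same values on
! ASA2 with the peer address 209.165.200.226 and the subnets swapped.
crypto ikev2 enable outside
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map outside_map 1 set ikev2 ipsec-proposal AES256-SHA
tunnel-group 209.165.200.234 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <long-random-key>
 ikev2 local-authentication pre-shared-key <long-random-key>
```

On ASA2 the mirror image uses peer 209.165.200.226, inside-subnet 192.168.20.0/24 and remote-subnet 192.168.10.0/24. Newer ASA releases offer stronger Diffie-Hellman groups and SHA-2 integrity for IKEv2; use the strongest set both peers accept.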
Verifying the VPN configuration
1. From REMOTE-PC, telnet to the LOCAL server 192.168.10.200 using the username admin and the password cisco.
2. Type exit.
3. From REMOTE-PC, telnet to the INTERNET server 209.165.200.11 using the username admin and the password cisco.
4. Type exit.
5. From REMOTE-PC, telnet to the DMZ server 209.165.200.227 using the username admin and the password cisco.
6. Type exit.
7. From the INTERNET server, ensure you cannot access the inside of the LOCAL or REMOTE site.
8. From the command prompt of ASA2, issue the following commands and observe the outputs.
Step 1 is the tunnel test and is what brings the tunnel up: the first packet matching the crypto ACL triggers IKE, so the show commands below report nothing until it has been run. Steps 3 and 5 confirm that only traffic matching the crypto ACL is encrypted while everything else still takes the PAT path, and step 7 that the VPN did not expose either private network to the public side.
ASA2# show crypto isakmp sa
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 209.165.200.226
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
There are no IKEv2 SAs

ASA2# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 209.165.200.234
      access-list outside_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
      local ident (addr/mask/prot/port
      Anti replay bitmap: 0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x36C6AFF0 (918990832)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec

[…]

  IKEv1  : 1 : 1 : 1
  IPsec  : 1 : 1 : 1
  ---------------------------------------------------------------------------
  Totals : 2 : 2
  ---------------------------------------------------------------------------
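Beyond the two show commands above, these are the checks a practitioner runs on ASA2 when a tunnel "is up but nothing works", together with the commands that reveal and rotate the key material. This is an added example, not part of the original lab; the REMOTE-PC address 192.168.20.10 (the first lease of the Task 8 DHCP pool) is an assumption.

```cisco
! ASA2: further tunnel checks (added example). Run the REMOTE-PC telnet
! test first; the counters below stay at zero until something matches the
! crypto ACL.
!
! Phase 1: expect MM_ACTIVE (main mode). AG_ACTIVE would mean aggressive
! mode, which exposes the identity and allows offline PSK cracking.
show crypto ikev1 sa
!
! Phase 2: #pkts encaps and #pkts decaps must both increase. Only encaps
! rising means the far side never sends back: a NAT, ACL or routing
! problem on ASA1, not a crypto problem.
show crypto ipsec sa peer 209.165.200.226 | include pkts
!
! Session view with uptime, bytes and the tunnel-group that matched.
show vpn-sessiondb l2l
!
! Dry run of a packet across the tunnel: the NAT phase must hit the
! identity (NAT-exempt) rule rather than the dynamic PAT, and a VPN phase
! with "ENCRYPT" must appear before "Action: allow".
packet-tracer input inside tcp 192.168.20.10 12345 192.168.10.200 23
!
! "show running-config" masks the pre-shared key; this does not. Anyone
! with privilege 15 can read it, so restrict who holds that level.
more system:running-config | include pre-shared-key
!
! After changing the key or the policy, tear both SAs down so the next
! interesting packet renegotiates with the new values.
clear crypto ipsec sa peer 209.165.200.226
clear crypto ikev1 sa 209.165.200.226
```

The same commands on ASA1 use the peer 209.165.200.234 and a packet from 192.168.10.200 towards 192.168.20.10; running them on both sides is the quickest way to tell a one-way failure from a tunnel that never formed.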