Using Access-Lists (Crypto ACL) we can identify which traffic flow must be encrypted. In our example diagram above, we want all traffic flow between private networks 192.168.1.0/24 and 192.168.2.0/24 to be encrypted.

ASA 1:
ASA-1(config)# access-list LAN1-to-LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

ASA 2:
ASA-2(config)# access-list LAN2-to-LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Notice that we have to configure the exact mirror access-list on each ASA firewall participating in the IPSec VPN. The Crypto ACL needs to identify only outbound traffic. The permit statement in the ACL means that the specific traffic must be encrypted.

One important issue to consider is the case of using NAT on the firewall for normal Internet access. Because IPSec does not work with NAT, we need to exclude the traffic to be encrypted from the NAT operation. This means in our example that the Interesting Traffic in the Crypto ACL must not be translated (we can use the nat 0 command for this). See configuration below:

ASA 1:
ASA-1(config)# access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ASA-1(config)# nat (inside) 0 access-list NONAT    <-- Exclude traffic from LAN1 to LAN2 from NAT operation

ASA 2:
ASA-2(config)# access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA-2(config)# nat (inside) 0 access-list NONAT    <-- Exclude traffic from LAN2 to LAN1 from NAT operation

Cisco ASA Version 8.3 and later:

ASA 1:
ASA-1(config)# object network obj-local
ASA-1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA-1(config-network-object)# exit
ASA-1(config)# object network obj-remote
ASA-1(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA-1(config-network-object)# exit
ASA-1(config)# nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote

ASA 2:
ASA-2(config)# object network obj-local
ASA-2(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA-2(config-network-object)# exit
ASA-2(config)# object network obj-remote
ASA-2(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA-2(config-network-object)# exit
ASA-2(config)# nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote

STEP 2: Configure Phase 1 (ISAKMP)

Phase 1 of the IPSec operation is used to establish a secure communication channel for further data transmission. In Phase 1, VPN peers exchange shared secret keys, authenticate each other, negotiate IKE security policies etc. In this Phase we configure an isakmp policy which MUST match the policy configured on the other peer(s). This isakmp policy tells the other peer(s) what security parameters must be used in the VPN (e.g. encryption protocol, hash algorithm, authentication method, Diffie-Hellman (DH) group, lifetime threshold for the tunnel etc).

The command format of the isakmp policy is the following:

ASA(config)# isakmp policy priority-number    <-- Lower number means higher priority
ASA(config-isakmp-policy)# encryption {aes | 3des | des}
ASA(config-isakmp-policy)# hash {sha | md5}
ASA(config-isakmp-policy)# authentication {pre-share | rsa-sig}
ASA(config-isakmp-policy)# group {1 | 2 | 5 | 7}    <-- DH group
ASA(config-isakmp-policy)# lifetime seconds    <-- Up to 86400 seconds
ASA(config)# isakmp enable interface-name    <-- Attach the policy to an interface
ASA(config)# isakmp identity address    <-- Identify the ASA by its address and not by FQDN

Several isakmp policies can be configured to match different requirements from different IPSec peers. The priority number uniquely identifies each policy. The lower the priority number, the higher the priority given to the specific policy.

The following example parameters can be used to create a strong isakmp policy:

Encryption: aes
Hash: sha
Authentication: pre-share
Group: 2 or 5
Lifetime: 3600 (the Security Association (SA) will expire and be renegotiated every 1 hour)

The next thing we need to specify is the pre-shared key and the type of the VPN (Lan-to-Lan, Remote Access or WebVPN). These are configured by the tunnel-group command.

ASA(config)# tunnel-group peer-IP-address type {ipsec-l2l | ipsec-ra | webvpn}
ASA(config)# tunnel-group peer-IP-address ipsec-attributes
ASA(config-tunnel-ipsec)# pre-shared-key key

Note: The tunnel-group types ipsec-ra and webvpn were deprecated from ASA version 8.0(2). These two are replaced by the new remote-access type.

Let's see the complete example configuration for both firewalls for the Phase 1 setup:

ASA 1:
ASA-1(config)# isakmp policy 10
ASA-1(config-isakmp-policy)# encryption aes
ASA-1(config-isakmp-policy)# hash sha
ASA-1(config-isakmp-policy)# authentication pre-share
ASA-1(config-isakmp-policy)# group 2
ASA-1(config-isakmp-policy)# lifetime 3600
ASA-1(config)# isakmp enable outside
ASA-1(config)# isakmp identity address
ASA-1(config)# tunnel-group 200.200.200.1 type ipsec-l2l
ASA-1(config)# tunnel-group 200.200.200.1 ipsec-attributes
ASA-1(config-tunnel-ipsec)# pre-shared-key somestrongkey

ASA 2:
ASA-2(config)# isakmp policy 10
ASA-2(config-isakmp-policy)# encryption aes
ASA-2(config-isakmp-policy)# hash sha
ASA-2(config-isakmp-policy)# authentication pre-share
ASA-2(config-isakmp-policy)# group 2
ASA-2(config-isakmp-policy)# lifetime 3600
ASA-2(config)# isakmp enable outside
ASA-2(config)# isakmp identity address
ASA-2(config)# tunnel-group 100.100.100.1 type ipsec-l2l
ASA-2(config)# tunnel-group 100.100.100
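The three consistency rules above (mirror-image crypto ACLs, a pre-8.3 NAT exemption ACL that covers the crypto ACL, and matching isakmp policy parameters on both peers) are easy to get wrong by hand. Here is an added Python checker that encodes them; it is not part of the original text, the two embedded configs are constructed (ASA-2 is given a deliberate hash mismatch and a missing NONAT ACL), and the function and ACL names are assumptions.

```python
import re
# Constructed two-peer sample (not from the page); ASA-2 deliberately uses hash md5
# and omits the NAT exemption ACL so that the checker has something to report.
ASA1_CFG = """access-list LAN1-to-LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 3600"""
ASA2_CFG = """access-list LAN2-to-LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
isakmp policy 10
 encryption aes
 hash md5
 authentication pre-share
 group 2
 lifetime 3600"""
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_aces(cfg):
    """Map ACL name -> set of (src, src_mask, dst, dst_mask) for 'permit ip' entries."""
    acls = {}
    for m in filter(None, map(ACE_RE.match, map(str.strip, cfg.splitlines()))):
        acls.setdefault(m.group(1), set()).add(m.groups()[1:])
    return acls

def isakmp_policy(cfg, priority):
    """Sub-commands indented under 'isakmp policy <priority>'; lifetime is negotiated, so skipped."""
    inside, params = False, set()
    for line in cfg.splitlines():
        if not line.startswith(" "):
            inside = line.strip() == f"isakmp policy {priority}"
        elif inside and not line.strip().startswith("lifetime "):
            params.add(line.strip())
    return params

def check_peers(cfg1, crypto1, cfg2, crypto2, nonat="NONAT", priority=10):
    """Return a list of findings; an empty list means both peers are consistent."""
    findings, a1, a2 = [], parse_aces(cfg1), parse_aces(cfg2)
    c1, c2 = a1.get(crypto1, set()), a2.get(crypto2, set())
    # The peer's crypto ACL must be the exact mirror (source and destination swapped).
    if {(d, dm, s, sm) for (s, sm, d, dm) in c1} != c2:
        findings.append("crypto ACLs are not exact mirrors of each other")
    # Pre-8.3 'nat (inside) 0 access-list NONAT' must cover every crypto ACE on each peer.
    for name, acls, crypto in (("ASA-1", a1, c1), ("ASA-2", a2, c2)):
        if not crypto <= acls.get(nonat, set()):
            findings.append(f"{name}: NAT exemption ACL {nonat} does not cover the crypto ACL")
    if diff := isakmp_policy(cfg1, priority) ^ isakmp_policy(cfg2, priority):
        findings.append(f"isakmp policy {priority} differs between peers: {sorted(diff)}")
    return findings
```

Run check_peers(ASA1_CFG, "LAN1-to-LAN2", ASA2_CFG, "LAN2-to-LAN1") against the sample to see the two findings; feed it the output of show running-config from real peers to audit a tunnel that refuses to come up.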