Difference between revisions of "Nextelco:VPN setup"

From its-wiki.no
Jump to: navigation, search
 
(4 intermediate revisions by the same user not shown)
Line 4: Line 4:
 
[[File:Nextelco_VPN_setup.png|200px|center]]
 
[[File:Nextelco_VPN_setup.png|200px|center]]
  
In order to set up the VPN we will start with ASA1 configuration. We assume that ASA is not configured yet.
+
In order to set up the VPN we will start with ASA1 configuration. We assume that ASA1 is not configured yet.
 
<ol>
 
<ol>
<li>Connect from console port, configure hostname, interfaces and ssh connection.</li>
+
<li>Connect from console port, configure hostname, interfaces, ICMP inspection, NAT and ssh connection.</li>
 
  ciscoasa>enable
 
  ciscoasa>enable
 
  Password:
 
  Password:
Line 27: Line 27:
 
  ASA1(config-if)#no shutdown
 
  ASA1(config-if)#no shutdown
 
  ASA1(config-if)#exit
 
  ASA1(config-if)#exit
 +
ASA1(config)#policy-map global_policy
 +
ASA1(config-pmap)#class inspection_default
 +
ASA1(config-pmap-c)#inspect icmp
 +
ASA1(config-pmap-c)#exit
 +
ASA1(config-pmap)#exit
 +
ASA1(config)#access-list inside_nat_outside extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
 +
ASA1(config)#nat (inside) 1 access-list inside_nat_outside
 +
ASA1(config)#global (outside) 1 interface
 
  ASA1(config)#username basicinternet password basicinternet privilege 15
 
  ASA1(config)#username basicinternet password basicinternet privilege 15
 
  ASA1(config)#crypto key generate rsa modulus 2048
 
  ASA1(config)#crypto key generate rsa modulus 2048
Line 38: Line 46:
 
  ASA1#exit
 
  ASA1#exit
 
  ASA1>
 
  ASA1>
<li>Now we can establish ssh connection and configure it through User 1 pc. So let start with some preliminary steps. We are going to configure some network objects in order to identify our local and remote inside subnets.</li>
+
<li>Now we can establish ssh connection and configure it through User 1 pc. So let start with some preliminary steps. The first thing will be to create two access-lists in order to identify traffic going from one side to another. The first access-list will be used to identify which traffic ASA has to encrypt and the second to know which traffic does not have to translate.</li>
 
  terminal$ ssh basicinternet@192.168.1.1
 
  terminal$ ssh basicinternet@192.168.1.1
 
  basicinternet@192.168.1.1's password:
 
  basicinternet@192.168.1.1's password:
Line 44: Line 52:
 
  Password:
 
  Password:
 
  ASA1#configure terminal
 
  ASA1#configure terminal
  ASA1(config)#object network net-local
+
  ASA1(config)#access-list lan_to_lan permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ASA1(config-network-object)#subnet 192.168.1.0 255.255.255.0
+
  ASA1(config)#access-list nat0_lan_to_lan permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ASA1(config-network-object)#object network net-remote
+
ASA1(config-network-object)#subnet 192.168.2.0 255.255.255.0
+
ASA1(config-network-object)#exit
+
ASA1(config)#
+
<li>Next we are going to configure the access control lists. These access control lists will identify the traffic flows, identifying the traffic that goes from our inside subnet to the remote inside subnet.</li>
+
  ASA1(config)#access-list outside_1_cryptomap permit ip object net-local object net-remote
+
 
<li>So now we will configure the tunnel.</li>
 
<li>So now we will configure the tunnel.</li>
 
<ol>
 
<ol>
 
<li>Firts of all, we will enable isakmp in the outside interface. isakmp (Internet Security Association Key Management Protocol) is the hand-shake part of the configuration.</li>
 
<li>Firts of all, we will enable isakmp in the outside interface. isakmp (Internet Security Association Key Management Protocol) is the hand-shake part of the configuration.</li>
  ASA1(config)#crypto isakmp enable outside
+
ASA1(config)#crypto isakmp enable outside
 
<li>Then we set up tunnel's remote ip address and the type of tunnel. In this case Lan2Lan (l2l).</li>
 
<li>Then we set up tunnel's remote ip address and the type of tunnel. In this case Lan2Lan (l2l).</li>
 
   ASA1(config)#tunnel-group 10.10.10.2 type ipsec-l2l
 
   ASA1(config)#tunnel-group 10.10.10.2 type ipsec-l2l
Line 62: Line 64:
 
<ol>
 
<ol>
 
<li>The first attribute will be the pre-shared key</li>
 
<li>The first attribute will be the pre-shared key</li>
  ASA1(config-tunnel-ipsec)#pre-shared-key whatever
+
  ASA1(config-tunnel-ipsec)#pre-shared-key basicinternet
 
<li>Keepalive time</li>
 
<li>Keepalive time</li>
 
  ASA1(config-tunnel-ipsec)#isakmp keepalive threshold 10 retry 2
 
  ASA1(config-tunnel-ipsec)#isakmp keepalive threshold 10 retry 2
Line 70: Line 72:
 
<ol>
 
<ol>
 
<li>First we will set that we are going to use pre-shared key</li>
 
<li>First we will set that we are going to use pre-shared key</li>
  ASA1(config)#crypto isakmp policy (1-65534) authentication pre-share
+
  ASA1(config)#crypto isakmp policy 10 authentication pre-share
 
<li>Next we need to set our encryption</li>
 
<li>Next we need to set our encryption</li>
 
  ASA1(config)#crypto isakmp policy 10 encrypt 3des
 
  ASA1(config)#crypto isakmp policy 10 encrypt 3des
Line 84: Line 86:
 
  ASA1(config)#crypto ipsec transform-set ESP-3DES-SHA esp-des esp-sha-hmac
 
  ASA1(config)#crypto ipsec transform-set ESP-3DES-SHA esp-des esp-sha-hmac
 
<li>Now we have to map the cryptomap to the access control list</li>
 
<li>Now we have to map the cryptomap to the access control list</li>
  ASA1(config)#crypto map outside_map 1 match address outside_1_cryptomap
+
  ASA1(config)#crypto map map_lan_to_lan 1 match address lan_to_lan
 
<li>Then we are going to configure perfect forwarding secrecy which randomizes TCP sequence numbers adding another layer of security</li>
 
<li>Then we are going to configure perfect forwarding secrecy which randomizes TCP sequence numbers adding another layer of security</li>
  ASA1(config)#crypto map outside_map 1 set pfs group1
+
  ASA1(config)#crypto map map_lan_to_lan 1 set pfs group1
 
<li>Next we are going to identify our peer, the other end of the connection</li>
 
<li>Next we are going to identify our peer, the other end of the connection</li>
  ASA1(config)#crypto map outside_map 1 set peer 10.10.10.2
+
  ASA1(config)#crypto map map_lan_to_lan 1 set peer 10.10.10.2
 
<li> Then we are going to say to our cryptomap which transform set to use</li>
 
<li> Then we are going to say to our cryptomap which transform set to use</li>
  ASA1(config)#crypto map outside_map 1 set transform-set ESP-3DES-SHA
+
  ASA1(config)#crypto map map_lan_to_lan 1 set transform-set ESP-3DES-SHA
 
<li>Finally we are going to apply the cryptomap to the outside interface</li>
 
<li>Finally we are going to apply the cryptomap to the outside interface</li>
  ASA1(config)#crypto map outside_map interface outside
+
  ASA1(config)#crypto map map_lan_to_lan interface outside
</ol>
+
 
</ol>
 
</ol>
 
<li>So now we are going to configure NAT in order to specify not to translate this addresses.</li>
 
<li>So now we are going to configure NAT in order to specify not to translate this addresses.</li>
  ASA1(config)#nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
+
  ASA1(config)#nat (inside) 0 access-list nat0_lan_to_lan
 
<li>Finally we are going to configure the default route</li>
 
<li>Finally we are going to configure the default route</li>
  ASA1(config)#route outside 0 0 default-gateway-ip
+
  ASA1(config)#route outside 192.168.2.0 255.255.255.0 10.10.10.2
 +
<li>Last step, save the configuration</li>
 +
ASA1(config)#write memory
 +
Building configuration...
 +
Cryptochecksum: c47ca90d a167f297 2fb5ca80 2d4343fe
 +
3929 bytes copied in 1.740 secs (3929 bytes/sec)
 +
[OK]
 +
ASA1(config)#
 
</ol>
 
</ol>
  
  
So lets continue with ASA2 configuration. We assume that ASA is not configured yet.
+
So lets continue with ASA2 configuration. We assume that ASA2 has been already configured and that we are connected through ssh.  
 
<ol>
 
<ol>
<li>Connect from console port, configure hostname, interfaces and ssh connection.</li>
+
<li>First of all we create the necessary access-lists.</li>
ciscoasa>enable
+
  ASA2(config)#access-list lan_to_lan permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
Password:
+
  ASA2(config)#access-list nat0_lan_to_lan permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ciscoasa#configure terminal
+
ciscoasa(config)#hostname ASA2
+
  ASA2(config)#interface vlan 1
+
ASA2(config-if)#ip address 192.168.2.1 255.255.255.0
+
ASA2(config-if)#nameif inside
+
INFO: Security level for "inside" set to 100 by default.
+
ASA2(config-if)#interface vlan 2
+
ASA2(config-if)#ip address 10.10.10.2 255.255.255.0
+
ASA2(config-if)#nameif outside
+
INFO: Security level for "outside" set to 0 by default.
+
ASA2(config-if)#exit
+
ASA2(config)#interface ethernet0/0
+
ASA2(config-if)#switchport access vlan 2
+
ASA2(config-if)#no shutdown
+
ASA2(config-if)#exit
+
ASA2(config)#interface ethernet0/1
+
ASA2(config-if)#no shutdown
+
ASA2(config-if)#exit
+
ASA2(config)#username basicinternet password basicinternet privilege 15
+
ASA2(config)#crypto key generate rsa modulus 2048
+
WARNING: You have a RSA keypair already defined name <Default-RSA-Key>.
+
Do you really want to replace them? [yes/no]: yes
+
Keypair generation process begin. Please wait...
+
ASA2(config)#aaa authentication ssh console LOCAL
+
ASA2(config)#ssh 192.168.2.0 255.255.255.0 inside
+
  ASA2(config)#write memory
+
ASA2(config)#exit
+
ASA2#exit
+
ASA2>
+
<li>Now we can establish ssh connection and configure it through User 1 pc. So let start with some preliminary steps. We are going to configure some network objects in order to identify our local and remote inside subnets.</li>
+
terminal$ ssh basicinternet@192.168.2.1
+
basicinternet@192.168.2.1’s password:
+
ASA2>enable
+
Password:
+
ASA2#configure terminal
+
ASA2(config)#object network net-local
+
ASA2(config-network-object)#subnet 192.168.2.0 255.255.255.0
+
ASA2(config-network-object)#object network net-remote
+
ASA2(config-network-object)#subnet 192.168.1.0 255.255.255.0
+
ASA2(config-network-object)#exit
+
ASA2(config)#
+
<li>Next we are going to configure the access control lists. These access control lists will identify the traffic flows, identifying the traffic that goes from our inside subnet to the remote inside subnet.</li>
+
ASA2(config)#access-list outside_1_cryptomap permit ip object net-local object net-remote
+
 
<li>So now we will configure the tunnel.</li>
 
<li>So now we will configure the tunnel.</li>
 
<ol>
 
<ol>
 
<li>Firts of all, we will enable isakmp in the outside interface. isakmp (Internet Security Association Key Management Protocol) is the hand-shake part of the configuration.</li>
 
<li>Firts of all, we will enable isakmp in the outside interface. isakmp (Internet Security Association Key Management Protocol) is the hand-shake part of the configuration.</li>
  ASA2(config)#crypto isakmp enable outside
+
ASA2(config)#crypto isakmp enable outside
 
<li>Then we set up tunnel's remote ip address and the type of tunnel. In this case Lan2Lan (l2l).</li>
 
<li>Then we set up tunnel's remote ip address and the type of tunnel. In this case Lan2Lan (l2l).</li>
 
   ASA2(config)#tunnel-group 10.10.10.1 type ipsec-l2l
 
   ASA2(config)#tunnel-group 10.10.10.1 type ipsec-l2l
Line 160: Line 125:
 
<ol>
 
<ol>
 
<li>The first attribute will be the pre-shared key</li>
 
<li>The first attribute will be the pre-shared key</li>
  ASA2(config-tunnel-ipsec)#pre-shared-key whatever
+
  ASA2(config-tunnel-ipsec)#pre-shared-key basicinternet
 
<li>Keepalive time</li>
 
<li>Keepalive time</li>
 
  ASA2(config-tunnel-ipsec)#isakmp keepalive threshold 10 retry 2
 
  ASA2(config-tunnel-ipsec)#isakmp keepalive threshold 10 retry 2
Line 168: Line 133:
 
<ol>
 
<ol>
 
<li>First we will set that we are going to use pre-shared key</li>
 
<li>First we will set that we are going to use pre-shared key</li>
  ASA2(config)#crypto isakmp policy (1-65534) authentication pre-share
+
  ASA2(config)#crypto isakmp policy 10 authentication pre-share
 
<li>Next we need to set our encryption</li>
 
<li>Next we need to set our encryption</li>
 
  ASA2(config)#crypto isakmp policy 10 encrypt 3des
 
  ASA2(config)#crypto isakmp policy 10 encrypt 3des
Line 182: Line 147:
 
  ASA2(config)#crypto ipsec transform-set ESP-3DES-SHA esp-des esp-sha-hmac
 
  ASA2(config)#crypto ipsec transform-set ESP-3DES-SHA esp-des esp-sha-hmac
 
<li>Now we have to map the cryptomap to the access control list</li>
 
<li>Now we have to map the cryptomap to the access control list</li>
  ASA2(config)#crypto map outside_map 1 match address outside_1_cryptomap
+
  ASA2(config)#crypto map map_lan_to_lan 1 match address lan_to_lan
 
<li>Then we are going to configure perfect forwarding secrecy which randomizes TCP sequence numbers adding another layer of security</li>
 
<li>Then we are going to configure perfect forwarding secrecy which randomizes TCP sequence numbers adding another layer of security</li>
  ASA2(config)#crypto map outside_map 1 set pfs group1
+
  ASA2(config)#crypto map map_lan_to_lan 1 set pfs group1
 
<li>Next we are going to identify our peer, the other end of the connection</li>
 
<li>Next we are going to identify our peer, the other end of the connection</li>
  ASA2(config)#crypto map outside_map 1 set peer 10.10.10.1
+
  ASA2(config)#crypto map map_lan_to_lan 1 set peer 10.10.10.1
 
<li> Then we are going to say to our cryptomap which transform set to use</li>
 
<li> Then we are going to say to our cryptomap which transform set to use</li>
  ASA2(config)#crypto map outside_map 1 set transform-set ESP-3DES-SHA
+
  ASA2(config)#crypto map map_lan_to_lan 1 set transform-set ESP-3DES-SHA
 
<li>Finally we are going to apply the cryptomap to the outside interface</li>
 
<li>Finally we are going to apply the cryptomap to the outside interface</li>
  ASA2(config)#crypto map outside_map interface outside
+
  ASA2(config)#crypto map map_lan_to_lan interface outside
</ol>
+
 
</ol>
 
</ol>
 
<li>So now we are going to configure NAT in order to specify not to translate this addresses.</li>
 
<li>So now we are going to configure NAT in order to specify not to translate this addresses.</li>
  ASA2(config)#nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
+
  ASA2(config)#nat (inside) 0 access-list nat0_lan_to_lan
 
<li>Finally we are going to configure the default route</li>
 
<li>Finally we are going to configure the default route</li>
  ASA2(config)#route outside 0 0 default-gateway-ip
+
  ASA2(config)#route outside 192.168.1.0 255.255.255.0 10.10.10.1
 +
<li>Last step, save the configuration</li>
 +
ASA2(config)#write memory
 +
Building configuration...
 +
Cryptochecksum: c47ca90d a167f297 2fb5ca80 2d4343fe
 +
3929 bytes copied in 1.740 secs (3929 bytes/sec)
 +
[OK]
 +
ASA2(config)#
 
</ol>
 
</ol>
  
These are all the steps, now we should be able to ping User 2 computer from User 1 computer.
+
 
 +
These are all the steps, now we should be able to ping User 2 computer from User 1 computer, as well as to connect to User 2 node web page.
 +
 
 +
 
 +
Return to [[Nextelco:Phase_1|Phase 1]] page.

Latest revision as of 17:41, 29 May 2014

VPN

Cisco ASA supports different types of VPNs. In this section Lan2Lan or Site2Site IPsec VPN is explained. We have two ASA 5505 devices and we want to create an IPsec VPN. The following figure shows the network diagram.

Nextelco VPN setup.png

In order to set up the VPN we will start with ASA1 configuration. We assume that ASA1 is not configured yet.

  1. Connect from console port, configure hostname, interfaces, ICMP inspection, NAT and ssh connection.
    2. ciscoasa>enable
Password:
ciscoasa#configure terminal
ciscoasa(config)#hostname ASA1
ASA1(config)#interface vlan 1
ASA1(config-if)#ip address 192.168.1.1 255.255.255.0
ASA1(config-if)#nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)#interface vlan 2
ASA1(config-if)#ip address 10.10.10.1 255.255.255.0
ASA1(config-if)#nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)#exit
ASA1(config)#interface ethernet0/0
ASA1(config-if)#switchport access vlan 2
ASA1(config-if)#no shutdown
ASA1(config-if)#exit
ASA1(config)#interface ethernet0/1
ASA1(config-if)#no shutdown
ASA1(config-if)#exit
ASA1(config)#policy-map global_policy
ASA1(config-pmap)#class inspection_default
ASA1(config-pmap-c)#inspect icmp
ASA1(config-pmap-c)#exit
ASA1(config-pmap)#exit
ASA1(config)#access-list inside_nat_outside extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
ASA1(config)#nat (inside) 1 access-list inside_nat_outside
ASA1(config)#global (outside) 1 interface
ASA1(config)#username basicinternet password basicinternet privilege 15
ASA1(config)#crypto key generate rsa modulus 2048
WARNING: You have a RSA keypair already defined name <Default-RSA-Key>.
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
ASA1(config)#aaa authentication ssh console LOCAL
ASA1(config)#ssh 192.168.1.0 255.255.255.0 inside
ASA1(config)#write memory
ASA1(config)#exit
ASA1#exit
ASA1>
  2. Now we can establish ssh connection and configure it through User 1 pc. So let start with some preliminary steps. The first thing will be to create two access-lists in order to identify traffic going from one side to another. The first access-list will be used to identify which traffic ASA has to encrypt and the second to know which traffic does not have to translate.
    3. terminal$ ssh basicinternet@192.168.1.1
basicinternet@192.168.1.1's password:
ASA1>enable
Password:
ASA1#configure terminal
ASA1(config)#access-list lan_to_lan permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ASA1(config)#access-list nat0_lan_to_lan permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
  3. So now we will configure the tunnel.
    1. Firts of all, we will enable isakmp in the outside interface. isakmp (Internet Security Association Key Management Protocol) is the hand-shake part of the configuration.
      2. ASA1(config)#crypto isakmp enable outside
    2. Then we set up tunnel's remote ip address and the type of tunnel. In this case Lan2Lan (l2l).
      3.  ASA1(config)#tunnel-group 10.10.10.2 type ipsec-l2l
    3. Establish the tunnel attributes
      4. ASA1(config)#tunnel-group 10.10.10.2 ipsec-attributes
      1. The first attribute will be the pre-shared key
        2. ASA1(config-tunnel-ipsec)#pre-shared-key basicinternet
      2. Keepalive time
        3. ASA1(config-tunnel-ipsec)#isakmp keepalive threshold 10 retry 2
ASA1(config-tunnel-ipsec)#exit
    4. After setting the preliminary configuration let continue with tunnel phase 1 (hand-shake [key exchange])
      1. First we will set that we are going to use pre-shared key
        2. ASA1(config)#crypto isakmp policy 10 authentication pre-share
      2. Next we need to set our encryption
        3. ASA1(config)#crypto isakmp policy 10 encrypt 3des
      3. The hashing algorithm
        4.  ASA1(config)#crypto isakmp policy 10 hash sha
      4. Finally the diffie-helman group and the key livetime
        5.  ASA1(config)#crypto isakmp policy 10 group 2
 ASA1(config)#crypto isakmp policy 10 lifetime 86400
    5. Now is time for phase 2 (setting up the tunnel)
      1. The first thing is to define the transform set
        2. ASA1(config)#crypto ipsec transform-set ESP-3DES-SHA esp-des esp-sha-hmac
      2. Now we have to map the cryptomap to the access control list
        3. ASA1(config)#crypto map map_lan_to_lan 1 match address lan_to_lan
      3. Then we are going to configure perfect forwarding secrecy which randomizes TCP sequence numbers adding another layer of security
        4. ASA1(config)#crypto map map_lan_to_lan 1 set pfs group1
      4. Next we are going to identify our peer, the other end of the connection
        5. ASA1(config)#crypto map map_lan_to_lan 1 set peer 10.10.10.2
      5. Then we are going to say to our cryptomap which transform set to use
        6. ASA1(config)#crypto map map_lan_to_lan 1 set transform-set ESP-3DES-SHA
      6. Finally we are going to apply the cryptomap to the outside interface
        7. ASA1(config)#crypto map map_lan_to_lan interface outside
    6. So now we are going to configure NAT in order to specify not to translate this addresses.
      7. ASA1(config)#nat (inside) 0 access-list nat0_lan_to_lan
    7. Finally we are going to configure the default route
      8. ASA1(config)#route outside 192.168.2.0 255.255.255.0 10.10.10.2
    8. Last step, save the configuration
      9. ASA1(config)#write memory 
Building configuration...
Cryptochecksum: c47ca90d a167f297 2fb5ca80 2d4343fe
3929 bytes copied in 1.740 secs (3929 bytes/sec)
[OK]
ASA1(config)#


    So lets continue with ASA2 configuration. We assume that ASA2 has been already configured and that we are connected through ssh.

    1. First of all we create the necessary access-lists.
      2. ASA2(config)#access-list lan_to_lan permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA2(config)#access-list nat0_lan_to_lan permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    2. So now we will configure the tunnel.
      1. Firts of all, we will enable isakmp in the outside interface. isakmp (Internet Security Association Key Management Protocol) is the hand-shake part of the configuration.
        2. ASA2(config)#crypto isakmp enable outside
      2. Then we set up tunnel's remote ip address and the type of tunnel. In this case Lan2Lan (l2l).
        3.  ASA2(config)#tunnel-group 10.10.10.1 type ipsec-l2l
      3. Establish the tunnel attributes
        4. ASA2(config)#tunnel-group 10.10.10.1 ipsec-attributes
        1. The first attribute will be the pre-shared key
          2. ASA2(config-tunnel-ipsec)#pre-shared-key basicinternet
        2. Keepalive time
          3. ASA2(config-tunnel-ipsec)#isakmp keepalive threshold 10 retry 2
ASA2(config-tunnel-ipsec)#exit
      4. After setting the preliminary configuration let continue with tunnel phase 1 (hand-shake [key exchange])
        1. First we will set that we are going to use pre-shared key
          2. ASA2(config)#crypto isakmp policy 10 authentication pre-share
        2. Next we need to set our encryption
          3. ASA2(config)#crypto isakmp policy 10 encrypt 3des
        3. The hashing algorithm
          4.  ASA2(config)#crypto isakmp policy 10 hash sha
        4. Finally the diffie-helman group and the key livetime
          5.  ASA2(config)#crypto isakmp policy 10 group 2
 ASA2(config)#crypto isakmp policy 10 lifetime 86400
      5. Now is time for phase 2 (setting up the tunnel)
        1. The first thing is to define the transform set
          2. ASA2(config)#crypto ipsec transform-set ESP-3DES-SHA esp-des esp-sha-hmac
        2. Now we have to map the cryptomap to the access control list
          3. ASA2(config)#crypto map map_lan_to_lan 1 match address lan_to_lan
        3. Then we are going to configure perfect forwarding secrecy which randomizes TCP sequence numbers adding another layer of security
          4. ASA2(config)#crypto map map_lan_to_lan 1 set pfs group1
        4. Next we are going to identify our peer, the other end of the connection
          5. ASA2(config)#crypto map map_lan_to_lan 1 set peer 10.10.10.1
        5. Then we are going to say to our cryptomap which transform set to use
          6. ASA2(config)#crypto map map_lan_to_lan 1 set transform-set ESP-3DES-SHA
        6. Finally we are going to apply the cryptomap to the outside interface
          7. ASA2(config)#crypto map map_lan_to_lan interface outside
      6. So now we are going to configure NAT in order to specify not to translate this addresses.
        7. ASA2(config)#nat (inside) 0 access-list nat0_lan_to_lan
      7. Finally we are going to configure the default route
        8. ASA2(config)#route outside 192.168.1.0 255.255.255.0 10.10.10.1
      8. Last step, save the configuration
        9. ASA2(config)#write memory 
Building configuration...
Cryptochecksum: c47ca90d a167f297 2fb5ca80 2d4343fe
3929 bytes copied in 1.740 secs (3929 bytes/sec)
[OK]
ASA2(config)#


      These are all the steps, now we should be able to ping User 2 computer from User 1 computer, as well as to connect to User 2 node web page.


      Return to Phase 1 page.
Retrieved from "https://its-wiki.no/index.php?title=Nextelco:VPN_setup&oldid=20516"