I Psec SA: “ L2L: VPN_TO_R2” .
Tunnel Type: LAN-to-LAN.
Final Configuration
R2:
crypto isakmp policy 10 authentication pre-share hash md5
group 2
encryption 3des
!
crypto isakmp key CISCO address 136.1.121.11
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
!
ip access-list extended LO2_TO_LO1
permit ip 150.1.2.0 0.0.0.255 150.1.1.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp match address LO2_TO_LO1 set transform 3DES_MD5 set peer 136.1.121.11
!
interface E 0/0 crypto map VPN ASA1:
access-list OUTSIDE_IN permit udp any any eq isakmp access-list OUTSIDE_IN permit esp any any
VPN3k:
Create IPsec SA, based on existing “stock” SA:
1) Configuration 2) Administration 3) Monitoring
4) Save changes to Config file 5) Help Information 5) Tunneling and Security 6) Back
VPN3K: Config -> 4 1) Access Hours 2) Traffic Management 3) Group Matching
4) Network Admission Control 5) Back
VPN3K: Policy -> 2 1) Network Lists 2) Rules
3) Security Associations (SAs) 4) Filters
5) Network Address Translation (NAT) Rules 6) Bandwidth Policies
7) Back
VPN3K: Traffic -> 3
Current Security Associations ---1) Add Security Associations
2) Modify Security Association 3) Delete Security Association 4) Copy Security Association 5) Back
VPN3K: Security Associations -> 4
> Copy which SA
VPN3K: Security Associations -> 2
> SA Name
VPN3K: Security Associations -> L2L:VPN_TO_R2 1) Modify SA Name
2) Modify the SA's Inheritance 3) Modify the IPSec Parameters 4) Modify the IKE Parameters 5) Back
VPN3K: Security Associations -> 4 1) Modify IKE Peer
2) Modify Negotiation Mode 3) Modify Authentication Method 4) Modify IKE Proposal
5) Back
VPN3K: Security Associations (IKE) -> 1
> IKE Peer
VPN3K: Security Associations (IKE) -> [ 0.0.0.0 ] 136.1.122.2 1) Modify IKE Peer
2) Modify Negotiation Mode 3) Modify Authentication Method 4) Modify IKE Proposal
5) Back
VPN3K: Security Associations (IKE) ->
Create rule to match outgoing traffic:
1) Configuration 2) Administration 3) Monitoring
4) Save changes to Config file 5) Tunneling and Security 6) Back
VPN3K: Config -> 4 1) Access Hours 2) Traffic Management 3) Group Matching
4) Network Admission Control 5) Back
VPN3K: Policy -> 2 1) Network Lists 2) Rules
3) Security Associations (SAs) 4) Filters
5) Network Address Translation (NAT) Rules 6) Bandwidth Policies
7) Back
VPN3K: Traffic -> 2
Current Filter Rules
2) Modify Filter Rule 3) Delete Filter Rule 4) Copy Filter Rule 5) Back
VPN3K: Filter Rules -> 1
> Rule Name
VPN3K: Filter Rules -> L2L:VPN_TO_R2 Out 1) Modify Rule Name
2) Modify Rule parameters 3) Modify Source Address 4) Modify Destination Address 5) Modify TCP/UDP Source Port 6) Modify TCP/UDP Destination Port 7) Modify ICMP Packet type
8) Back
VPN3K: Filter Rules -> 3 1) Use Single Address/Wildcard 2) Use Network List
3) Back
VPN3K: Filter Rules (Source) -> 1
> Source IP Address for this rule
VPN3K: Filter Rules (Source) -> [ 0.0.0.0 ] 150.1.1.0
> Wildcard Mask for this rule
VPN3K: Filter Rules (Source) -> [ 255.255.255.255 ] 0.0.0.255 1) Modify Rule Name
2) Modify Rule parameters 3) Modify Source Address 4) Modify Destination Address 5) Modify TCP/UDP Source Port 6) Modify TCP/UDP Destination Port 7) Modify ICMP Packet type
8) Back
VPN3K: Filter Rules -> 4 1) Use Single Address/Wildcard 2) Use Network List
3) Back
VPN3K: Filter Rules (Destination) -> 1
> Destination IP Address for this rule
VPN3K: Filter Rules (Destination) -> [ 0.0.0.0 ] 150.1.2.0
> Wildcard Mask for this rule
VPN3K: Filter Rules (Destination) -> [ 255.255.255.255 ] 0.0.0.255 1) Modify Rule Name
2) Modify Rule parameters 3) Modify Source Address 4) Modify Destination Address 5) Modify TCP/UDP Source Port 6) Modify TCP/UDP Destination Port
7) Modify ICMP Packet type 8) Back
VPN3K: Filter Rules -> 2 1) Choose data direction 2) Select action for the rule 3) Rule applies to which protocol 4) Back
VPN3K: Filter Rules -> 1 1) Apply Rule to inbound data 2) Apply Rule to outbound data VPN3K: Filter Rules -> [ 1 ] 2 1) Choose data direction 2) Select action for the rule 3) Rule applies to which protocol 4) Back
VPN3K: Filter Rules -> 2 1) Drop
7) Override Tunnel Default Gateway
8) Override Tunnel Default Gateway and log VPN3K: Filter Rules -> [ 1 ] 5
1) Choose data direction 2) Select action for the rule 3) Rule applies to which protocol 4) Back
Create rule for inbound traffic (for policy matching):
1) Configuration 2) Administration 3) Monitoring
4) Save changes to Config file 5) Help Information 5) Tunneling and Security 6) Back
VPN3K: Config -> 4 1) Access Hours 2) Traffic Management
3) Group Matching
4) Network Admission Control 5) Back
VPN3K: Policy -> 2 1) Network Lists 2) Rules
3) Security Associations (SAs) 4) Filters
5) Network Address Translation (NAT) Rules 6) Bandwidth Policies
7) Back
VPN3K: Traffic -> 2
Current Filter Rules 'q' to Quit, '<SPACE>' to Continue ->
---1) Add Filter Rule
2) Modify Filter Rule 3) Delete Filter Rule 4) Copy Filter Rule 5) Back
VPN3K: Filter Rules -> 1
> Rule Name
VPN3K: Filter Rules -> L2L:VPN_TO_R2 In 1) Modify Rule Name
2) Modify Rule parameters 3) Modify Source Address 4) Modify Destination Address 5) Modify TCP/UDP Source Port 6) Modify TCP/UDP Destination Port 7) Modify ICMP Packet type
8) Back
VPN3K: Filter Rules -> 3 1) Use Single Address/Wildcard 2) Use Network List
3) Back
VPN3K: Filter Rules (Source) -> 1
> Source IP Address for this rule
VPN3K: Filter Rules (Source) -> [ 0.0.0.0 ] 150.1.2.0
> Wildcard Mask for this rule
VPN3K: Filter Rules (Source) -> [ 255.255.255.255 ] 0.0.0.255 1) Modify Rule Name
2) Modify Rule parameters 3) Modify Source Address 4) Modify Destination Address 5) Modify TCP/UDP Source Port 6) Modify TCP/UDP Destination Port 7) Modify ICMP Packet type
8) Back
VPN3K: Filter Rules -> 4 1) Use Single Address/Wildcard 2) Use Network List
3) Back
VPN3K: Filter Rules (Destination) -> 1
> Destination IP Address for this rule
VPN3K: Filter Rules (Destination) -> [ 0.0.0.0 ] 150.1.1.0
> Wildcard Mask for this rule
VPN3K: Filter Rules (Destination) -> [ 255.255.255.255 ] 0.0.0.255 1) Modify Rule Name
2) Modify Rule parameters 3) Modify Source Address 4) Modify Destination Address 5) Modify TCP/UDP Source Port 6) Modify TCP/UDP Destination Port 7) Modify ICMP Packet type
8) Back
VPN3K: Filter Rules -> 2 1) Choose data direction 2) Select action for the rule 3) Rule applies to which protocol 4) Back
VPN3K: Filter Rules -> 1 1) Apply Rule to inbound data 2) Apply Rule to outbound data VPN3K: Filter Rules -> [ 1 ] 1
1) Choose data direction 2) Select action for the rule 3) Rule applies to which protocol 4) Back
VPN3K: Filter Rules -> 2 1) Drop
7) Override Tunnel Default Gateway
8) Override Tunnel Default Gateway and log VPN3K: Filter Rules -> [ 1 ] 5
1) Choose data direction 2) Select action for the rule 3) Rule applies to which protocol 4) Back
VPN3K: Filter Rules -> 4
Assign rules to the Public traffic filer:
1) Configuration 2) Administration 3) Monitoring
4) Save changes to Config file 5) Help Information 5) Tunneling and Security 6) Back
VPN3K: Config -> 4 1) Access Hours 2) Traffic Management 3) Group Matching
4) Network Admission Control 5) Back
VPN3K: Policy -> 2 1) Network Lists 2) Rules
3) Security Associations (SAs) 4) Filters
5) Network Address Translation (NAT) Rules 6) Bandwidth Policies
7) Back
VPN3K: Traffic -> 4
Current Active Filters
4) Assign Rules to a Filter 5) Copy a Filter
6) Back
VPN3K: Filters -> 4
> Which Filter to assign Rules to VPN3K: Filters -> 2
The Current Rules for this Filter
2) Remove a Rule from this Filter 3) Move the Rule Up
4) Move the Rule Down
5) Assign Security Assoc. to Rule 6) Back
VPN3K: Filters -> 1
Current Filter Rules
| 27. Telnet/SSL Out | 28. Outgoing HTTP In | 'q' to Quit, '<SPACE>' to Continue ->
| 43. L2L:VPN_TO_R2 In | |
---> Which Rule to add VPN3K: Filters -> 42
The Current Rules for this Filter
2) Remove a Rule from this Filter 3) Move the Rule Up
4) Move the Rule Down
5) Assign Security Assoc. to Rule 6) Back
VPN3K: Filters -> 1
Current Filter Rules
| 33. CRL over LDAP Out | 34. SSH In |
| 35. SSH Out | 36. VCA In |
| 37. VCA Out | 38. NAT-T In |
| 39. NAT-T Out | 40. DHCP In |
| 41. DHCP Out | 42. L2L:VPN_TO_R2 Out | 'q' to Quit, '<SPACE>' to Continue ->
| 43. L2L:VPN_TO_R2 In | |
---> Which Rule to add VPN3K: Filters -> 43
The Current Rules for this Filter
2) Remove a Rule from this Filter 3) Move the Rule Up
4) Move the Rule Down
5) Assign Security Assoc. to Rule 6) Back
VPN3K: Filters -> 5
> Enter the Rule VPN3K: Filters -> 1
Current Security Associations
---> Enter the Security Association VPN3K: Filters -> 9
The Current Rules for this Filter
---| 1. L2L:VPN_TO_R2 In ---| IN IPSEC L2L:VPN_TO_R2 ---|
| 2. L2L:VPN_TO_R2 Out | OUT IPSEC |
2) Remove a Rule from this Filter 3) Move the Rule Up
4) Move the Rule Down
5) Assign Security Assoc. to Rule 6) Back
VPN3K: Filters -> 5
> Enter the Rule VPN3K: Filters -> 2
Current Security Associations
---> Enter the Security Association VPN3K: Filters -> 9
The Current Rules for this Filter
---1) Add a Rule to this Filter
2) Remove a Rule from this Filter 3) Move the Rule Up
4) Move the Rule Down
5) Assign Security Assoc. to Rule 6) Back
Create Tunnel Group:
1) Configuration 2) Administration 3) Monitoring
4) Save changes to Config file 5) Help Information 5) Tunneling and Security 6) Back
VPN3K: User Management -> 2
Current User Groups
VPN3K: Groups -> 136.1.122.2
> Password
VPN3K: Groups -> CISCO Verify -> CISCO
1) Group Type - Internal 2) Group Type - External VPN3K: Groups -> 1
1) Identification 2) General Parameters 3) Servers
4) IPSec Parameters
5) VPN Client Firewall Parameters 6) Hardware Client Parameters 7) PPTP/L2TP Parameters 8) Address Pools
9) Client Update
10) Assign Bandwidth Policies 11) WebVPN Parameters
12) NAC Parameters 13) Back
VPN3K: Groups -> 4 1) Select IPSec SA
2) Select IKE Peer Validation 3) Enable/Disable IKE Keepalives 4) Set Confidence Interval 5) Set Tunnel Type
VPN3K: Groups -> [ (inherited) ESP-3DES-MD5 ] 9 1) Select IPSec SA
2) Select IKE Peer Validation 3) Enable/Disable IKE Keepalives 4) Set Confidence Interval 5) Set Tunnel Type
2) Select IKE Peer Validation 3) Enable/Disable IKE Keepalives 4) Set Confidence Interval 5) Set Tunnel Type
6) Back
VPN3K: Groups ->
Verification
R2#ping 150.1.1.1 so lo 0 Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms R2#sho crypto isakmp sa
local ident (addr/mask/prot/port): (150.1.2.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (150.1.1.0/255.255.255.0/0/0) current_peer: 136.1.121.11:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest 9 #pkts decaps: 9, #pkts decrypt: 9, #pkts verify 9 #pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 0
local crypto endpt.: 136.1.122.2, remote crypto endpt.: 136.1.121.11 path mtu 1500, media mtu 1500
Monitor session at VPN3k:
1) Configuration 2) Administration 3) Monitoring
4) Save changes to Config file 5) Help Information
VPN3K: Monitor -> 4
1) View Session Statistics 2) View Top Ten Lists 3) View Session Protocols 4) View Session Encryption 5) Filter Sessions on Group 6) Back
VPN3K: Sessions -> 1 Active Sessions
---Active LAN-to-LAN Sessions: 1 Active Remote Access Sessions: 0 Active Management Sessions: 1 Total Active Sessions: 2 1) Refresh Session Statistics
2) Reset Session Statistics 3) Restore Session Statistics 4) Session Details
5) Back
VPN3K: Sessions ->