I'm going to post a configuration example along with comments about every particular command.
!--- Configure the outside interface.
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 172.16.1.1 255.255.255.0
!--- Configure the inside interface.
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!--- Output suppressed.
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list 100 extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
!--- This access list (inside_nat0_outbound) is used
!--- with the nat zero command. This prevents traffic which
!--- matches the access list from undergoing network address translation (NAT).
!--- The traffic specified by this ACL is traffic that is to be encrypted and
!--- sent across the VPN tunnel. This ACL is intentionally
!--- the same as (outside_1_cryptomap).
!--- Two separate access lists should always be used in this configuration.
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
!--- This access list (outside_1_cryptomap) is used
!--- with the crypto map outside_map
!--- to determine which traffic should be encrypted and sent
!--- across the tunnel.
!--- This ACL is intentionally the same as (inside_nat0_outbound).
!--- Two separate access lists should always be used in this configuration.
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!--- NAT 0 prevents NAT for networks specified in
!--- the ACL inside_nat0_outbound.
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 dmz
no snmp-server location
no snmp-server contact
!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
!--- Define the transform set for Phase 2.
crypto map outside_map 1 match address outside_1_cryptomap
!--- Define which traffic should be sent to the IPsec peer.
crypto map outside_map 1 set peer 172.17.1.1
!--- Sets the IPsec peer
crypto map outside_map 1 set transform-set ESP-DES-SHA
!--- Sets the IPsec transform set "ESP-DES-SHA"
!--- to be used with the crypto map entry "outside_map".
crypto map outside_map interface outside
!--- Specifies the interface to be used with
!--- the settings defined in this configuration.
!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses isakmp policy 10.
!--- The configuration commands here define the Phase
!--- 1 policy parameters that are used.
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
tunnel-group 172.17.1.1 type ipsec-l2l
!--- In order to create and manage the database of connection-specific
!--- records for ipsec-l2l (IPsec LAN-to-LAN) tunnels, use the
!--- tunnel-group command in global configuration mode.
!--- For L2L connections the name of the tunnel group MUST be the IP
!--- address of the IPsec peer.
tunnel-group 172.17.1.1 ipsec-attributes
pre-shared-key *
!--- Enter the pre-shared-key in order to configure the
!--- authentication method.
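The comments above lean on a few relationships that the ASA does not enforce for you: the nat 0 ACL and the crypto map ACL must describe the same networks, the crypto map peer must have an ipsec-l2l tunnel-group named after its IP address, and the transform set the crypto map references must exist. The script below is an added example (not code from the original post or from Cisco) that parses a constructed config excerpt modelled on the one above and checks those relationships, and additionally flags the DES and DH group 1 settings in the Phase 1 and Phase 2 policies as deprecated. The function names, finding codes and the sample config are all constructed for this example.

```python
"""Consistency checks for an ASA LAN-to-LAN IPsec configuration excerpt.

Added example, not code from the original post or from Cisco. It parses the
commands used in the walkthrough and checks the relationships the comments
rely on. All names and the sample config below are constructed.
"""
import re

# Constructed sample: the site-to-site commands from the post, one per line.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 172.17.1.1
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
tunnel-group 172.17.1.1 type ipsec-l2l
tunnel-group 172.17.1.1 ipsec-attributes
 pre-shared-key *
"""

ISAKMP_KEYS = {"authentication", "encryption", "hash", "group", "lifetime"}
WEAK_IKE_ENCRYPTION = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}          # below 2048-bit modulus
WEAK_ESP_TRANSFORMS = {"esp-des", "esp-3des", "esp-null"}


def parse_config(text):
    """Collect the objects the checks need, keyed by name or (map, seq)."""
    cfg = {"acls": {}, "transform_sets": {}, "crypto_maps": {},
           "isakmp": {}, "tunnel_groups": {}, "nat0_acl": None}
    policy = None  # ISAKMP policy whose sub-commands are being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"access-list (\S+) extended (.+)", line)
        if m:
            cfg["acls"].setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = re.match(r"nat \(\S+\) 0 access-list (\S+)", line)
        if m:
            cfg["nat0_acl"] = m.group(1)
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            cfg["transform_sets"][m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)", line)
        if m:
            entry = cfg["crypto_maps"].setdefault((m.group(1), int(m.group(2))), {})
            entry[m.group(3)] = m.group(4)
            continue
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            policy = cfg["isakmp"].setdefault(int(m.group(1)), {})
            continue
        m = re.match(r"tunnel-group (\S+) type (\S+)", line)
        if m:
            cfg["tunnel_groups"][m.group(1)] = m.group(2)
            policy = None
            continue
        key, _, value = line.partition(" ")
        if policy is not None and key in ISAKMP_KEYS:
            policy[key] = value  # sub-command of the current isakmp policy
    return cfg


def check_config(text):
    """Return (code, message) findings for the relationships the post relies on."""
    cfg = parse_config(text)
    findings = []
    nat0 = cfg["nat0_acl"]
    for (name, seq), entry in sorted(cfg["crypto_maps"].items()):
        where = f"crypto map {name} {seq}"
        acl = entry.get("match address")
        if acl is None or acl not in cfg["acls"]:
            findings.append(("missing-acl", f"{where}: match address ACL {acl!r} is not defined"))
        elif acl == nat0:
            findings.append(("shared-acl", f"{where}: crypto ACL and nat 0 reuse {acl}; keep two separate lists"))
        elif nat0 and cfg["acls"][acl] != cfg["acls"].get(nat0):
            findings.append(("nat0-mismatch", f"{where}: {acl} differs from nat 0 ACL {nat0}; "
                                              "interesting traffic may be NATed instead of encrypted"))
        peer = entry.get("set peer")
        if peer is None:
            findings.append(("missing-peer", f"{where}: no 'set peer'"))
        elif cfg["tunnel_groups"].get(peer) != "ipsec-l2l":
            findings.append(("missing-tunnel-group", f"{where}: no 'tunnel-group {peer} type ipsec-l2l'"))
        ts = entry.get("set transform-set")
        if ts not in cfg["transform_sets"]:
            findings.append(("missing-transform-set", f"{where}: transform-set {ts!r} is not defined"))
        elif WEAK_ESP_TRANSFORMS & set(cfg["transform_sets"][ts]):
            findings.append(("weak-esp", f"{where}: transform-set {ts} uses a deprecated cipher"))
    for num, p in sorted(cfg["isakmp"].items()):
        if p.get("encryption") in WEAK_IKE_ENCRYPTION:
            findings.append(("weak-ike-encryption", f"isakmp policy {num}: encryption {p['encryption']} is deprecated"))
        if p.get("group") in WEAK_DH_GROUPS:
            findings.append(("weak-dh-group", f"isakmp policy {num}: DH group {p['group']} is below 2048 bits"))
    return findings


if __name__ == "__main__":
    for code, msg in check_config(SAMPLE_CONFIG):
        print(f"[{code}] {msg}")
```

Run against the sample, the structural checks pass (the two ACLs match, the tunnel-group name equals the peer, the transform set exists) and only the three cipher findings remain. Renaming the tunnel-group, reusing one ACL for both nat 0 and the crypto map, or letting the two ACLs drift apart produces the corresponding finding, which is the kind of drift that otherwise surfaces only as a Phase 1 failure or as traffic being translated instead of tunnelled.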