
Configuring Remote Access SSL and IKEv1 via the command line interface on Cisco ASA

Since ASDM and its "wizards" are commonly used, knowing the Command Line Interface to configure the ASA may seem unnecessary, but knowing which commands are responsible for what and how they work is essential when you have to troubleshoot SSL. In this post you will see how to configure Remote Access with SSL and IKEv1 IPsec from the command line.

Let's skip the explanation of what both protocols are and how they work (you will find that elsewhere on my blog) and go straight to the configuration, because there is a lot to explain.

[Figure: remote access SSL and IKEv1 lab topology]

The pool of addresses for Remote Access hosts does not have to be part of the internal network behind the ASA, because the ASA uses Reverse Route Injection and will put this network into its routing table.

ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

We have to exempt the return traffic to Remote Access hosts (from inside to outside) from being NATed; this is called NAT0 or NAT Exemption.

object network OBJ-ANYCONNECT-SUBNET
subnet 192.168.100.0 255.255.255.0

nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup

nat (real interface,mapped interface) source static [real_object] [mapped_object] destination static [real_object] [mapped_object]

Enabling SSL Remote Access and the AnyConnect client package on the outside interface (I assume you have already uploaded the image via TFTP).

webvpn
enable outside
tunnel-group-list enable
anyconnect image disk0:/anyconnect-win-4.1.04011-k9.pkg
anyconnect enable

Creating the user that will be authenticated and pointing to the group policy it inherits.

username Marcin password itbundle
username Marcin attributes
vpn-group-policy GroupPolicy_ANYCONNECT-SSL

Split Tunnel ACL. If we don't specify split tunneling, then all traffic from the RA host, regardless of whether it is destined for the network behind the ASA or for the Internet, will always go first to the outside interface of the ASA.

access-list SPLIT-TUNNEL standard permit 172.16.1.0 255.255.255.0

Group Policy: the policy that will be applied after logging on; the group policy is linked to the Tunnel Group. We also specify the split tunnel policy and a couple of other things, like the domain name or DNS server that the connected RA host will use.

group-policy GroupPolicy_ANYCONNECT-SSL internal
group-policy GroupPolicy_ANYCONNECT-SSL attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value itbundle.net
dns-server value 192.168.100.1

Creating the tunnel group, which is nothing more than the well-known connection profile.
In the tunnel group we first specify the type of tunnel, then assign the group policy and address pool;
as you see we may also use name aliases.

tunnel-group ANYCONNECT-SSL type remote-access
tunnel-group ANYCONNECT-SSL general-attributes
default-group-policy GroupPolicy_ANYCONNECT-SSL
address-pool ANYCONNECT-POOL
tunnel-group ANYCONNECT-SSL webvpn-attributes
group-alias ANYCONNECT-SSL enable

A useful command if you want to log off a given user:
vpn-sessiondb logoff name USERNAME


IKEv1

We specify the ISAKMP policy and transform set just as for an IPsec site-to-site tunnel.
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto ipsec ikev1 transform-set set1 esp-3des esp-sha-hmac

pool destined for VPN RA hosts
ip local pool client_pool 192.168.100.1-192.168.100.254 mask 255.255.255.0

split tunnel
access-list split_tunnel_acl standard permit 172.16.1.0 255.255.255.0

group policy
group-policy ipsec_ra_policy internal
group-policy ipsec_ra_policy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_acl

Tunnel group; in addition to what we did for SSL, we specify the server group that authenticates users of the tunnel and the pre-shared key of the tunnel.

tunnel-group ipsec_ra_tunnel type remote-access
tunnel-group ipsec_ra_tunnel general-attributes
address-pool client_pool
default-group-policy ipsec_ra_policy
authentication-server-group LOCAL
tunnel-group ipsec_ra_tunnel ipsec-attributes
ikev1 pre-shared-key cisco

Now we have to create a DYNAMIC crypto map, because we have no idea what the address of the user that wants to connect to the VPN server will be.

crypto dynamic-map dyn_map 65535 set ikev1 transform-set set1
crypto dynamic-map dyn_map 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic dyn_map
crypto map outside_map interface outside
crypto ikev1 enable outside

username Marcin password itbundle

And finally we want to prevent VPN traffic from being NATed; the exemption object has to cover the whole client pool, so its mask matches the pool mask.

object-group network obj_192.168.100.0_255
network-object 192.168.100.0 255.255.255.0

nat (inside,outside) source static any any destination static obj_192.168.100.0_255 obj_192.168.100.0_255 no-proxy-arp route-lookup
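As an added example (not part of the original post and not a Cisco tool), here is a small Python audit that parses remote-access fragments like the ones in both sections above and checks what you otherwise have to eyeball when a client connects but cannot reach anything: every address pool, group policy and split-tunnel ACL a tunnel-group references is actually defined, and the NAT exemption object covers the whole client pool. The embedded config is constructed from the IKEv1 section; the audit function itself and the assumption that the subnet line directly follows its object header are mine.

```python
import ipaddress
import re
# Constructed sample (not the author's running config): the IKEv1 remote-access fragment
# from this post, with a /29 NAT-exemption mask deliberately narrower than the /24 pool.
SAMPLE_CONFIG = """
ip local pool client_pool 192.168.100.1-192.168.100.254 mask 255.255.255.0
access-list split_tunnel_acl standard permit 172.16.1.0 255.255.255.0
group-policy ipsec_ra_policy internal
group-policy ipsec_ra_policy attributes
 split-tunnel-network-list value split_tunnel_acl
tunnel-group ipsec_ra_tunnel general-attributes
 address-pool client_pool
 default-group-policy ipsec_ra_policy
object-group network obj_192.168.100.0_255
 network-object 192.168.100.0 255.255.255.248
nat (inside,outside) source static any any destination static obj_192.168.100.0_255 obj_192.168.100.0_255 no-proxy-arp route-lookup
"""
# (regex capturing a referenced name, start of the line that must define that name)
REFERENCES = [
    (r"^\s*address-pool (\S+)", "ip local pool {} "),
    (r"^\s*default-group-policy (\S+)", "group-policy {} internal"),
    (r"^\s*split-tunnel-network-list value (\S+)", "access-list {} "),
]
def parse_pools(cfg):
    """Map each 'ip local pool' name to the network its first address and mask describe."""
    return {m.group(1): ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            for m in re.finditer(r"^ip local pool (\S+) (\S+)-\S+ mask (\S+)", cfg, re.M)}

def parse_objects(cfg):
    """Map object / object-group names to the subnet declared on the line right after them."""
    pat = r"^object(?:-group)? network (\S+)\n\s*(?:subnet|network-object) (\S+) (\S+)"
    return {m.group(1): ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            for m in re.finditer(pat, cfg, re.M)}

def audit(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings, pools, objs = [], parse_pools(cfg), parse_objects(cfg)
    for ref_re, definition in REFERENCES:
        for name in re.findall(ref_re, cfg, re.M):
            if not re.search("^" + re.escape(definition.format(name)), cfg, re.M):
                findings.append(f"{name} is referenced but never defined")
    # NAT0 identity rules: the exemption object must cover the whole pool, or part of it stays translated.
    nat_re = r"^nat \(\S+\).*destination static (\S+) (\S+)"
    exempt = {objs[m.group(1)] for m in re.finditer(nat_re, cfg, re.M)
              if m.group(1) == m.group(2) and m.group(1) in objs}
    for name, net in pools.items():
        if not any(net.subnet_of(e) for e in exempt):
            findings.append(f"pool {name} ({net}) is not fully covered by a NAT exemption object")
    return findings
```

Feed audit() the text of show running-config; the same checks apply to the SSL section, since object network with a subnet line is parsed the same way as object-group network with network-object.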
