Thursday, 29 September 2011

DMVPN



I had been curious about trying DMVPN for a long time; I finally got around to it and it works:

Here is DMVPN, which is said to be fully supported by Cisco and not by other vendors; feel free to check on Google. hehe :P

From the topology above we can see that DMVPN is really divided into what are called the HUB and the SPOKE: HUB = HQ or head office, while SPOKE = branch office. The connection between the two runs over a multipoint tunnel (tunnel mode gre multipoint), which is then encrypted again with IPsec.

Below is the configuration for 1 DMVPN HUB router and 3 SPOKE routers acting as branch edge routers. Note that a spoke-to-spoke connection actually needs the hub only once; after that, traffic crosses directly over the tunnel.

R1 :

R1#sh run
Building configuration...

Current configuration : 1386 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key P4ssw0rd address 172.16.0.0 255.255.0.0
!
!
crypto ipsec transform-set MyTransformSet esp-aes esp-sha-hmac
!
crypto ipsec profile MyProfile
set transform-set MyTransformSet
!
!
!
!
!
!
!
!
interface Tunnel0
ip address 192.168.0.1 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source 172.16.15.2
tunnel mode gre multipoint
tunnel protection ipsec profile MyProfile
!
interface FastEthernet0/0
ip address 172.16.15.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.15.1
ip route 192.168.30.1 255.255.255.255 192.168.0.3
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end

R2 :

R2#sh run
Building configuration...

Current configuration : 1135 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.15.1 255.255.255.252
duplex auto
speed auto
!
interface Serial0/0
ip address 172.16.45.1 255.255.255.252
clock rate 2000000
!
interface FastEthernet0/1
ip address 172.16.25.1 255.255.255.252
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial0/2
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
ip address 172.16.35.1 255.255.255.252
duplex auto
speed auto
!
ip forward-protocol nd
!
!
!
end

R3 :

R3#sh run
Building configuration...

Current configuration : 1451 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key P4ssw0rd address 172.16.0.0 255.255.0.0
!
!
crypto ipsec transform-set MyTransformSet esp-aes esp-sha-hmac
!
crypto ipsec profile MyProfile
set transform-set MyTransformSet
!
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.20.1 255.255.255.255
!
interface Tunnel0
ip address 192.168.0.2 255.255.255.0
no ip redirects
ip nhrp map 192.168.0.1 172.16.15.2
ip nhrp map multicast 172.16.15.2
ip nhrp network-id 1
ip nhrp nhs 192.168.0.1
tunnel source 172.16.25.2
tunnel mode gre multipoint
tunnel protection ipsec profile MyProfile
!
interface FastEthernet0/0
ip address 172.16.25.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.25.1
!
!
end

R4 :

R4#sh run
Building configuration...

Current configuration : 1547 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key P4ssw0rd address 172.16.0.0 255.255.0.0
!
!
crypto ipsec transform-set MyTransformSet esp-aes esp-sha-hmac
!
crypto ipsec profile MyProfile
set transform-set MyTransformSet
!
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.30.1 255.255.255.255
!
interface Tunnel0
ip address 192.168.0.3 255.255.255.0
no ip redirects
ip nhrp map 192.168.0.1 172.16.15.2
ip nhrp map multicast 172.16.15.2
ip nhrp network-id 1
ip nhrp nhs 192.168.0.1
tunnel source 172.16.35.2
tunnel mode gre multipoint
tunnel protection ipsec profile MyProfile
!
interface FastEthernet0/0
ip address 172.16.35.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.35.1
ip route 192.168.10.2 255.255.255.255 Tunnel0
ip route 192.168.10.2 255.255.255.255 192.168.0.1
!
!
no ip http server
no ip http secure-server
---------------------------------------------------

Let's look at the proof :P
R4#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
2 172.16.15.2 192.168.0.1 UP 00:32:01 S
1 172.16.25.2 192.168.0.2 UP never D
----------------------------------------------------------

R1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 172.16.25.2 192.168.0.2 UP never D
1 172.16.35.2 192.168.0.3 UP never D
----------------------------------------------------------
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
172.16.15.2 172.16.25.2 QM_IDLE 1001 0 ACTIVE
172.16.15.2 172.16.35.2 QM_IDLE 1002 0 ACTIVE

R1#sh crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 172.16.15.2

protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.15.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.35.2/255.255.255.255/47/0)
current_peer 172.16.35.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 117, #pkts encrypt: 117, #pkts digest: 117
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 172.16.15.2, remote crypto endpt.: 172.16.35.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xF048AEC0(4031295168)



And remember, make sure everything is routed via the tunnel interface or the neighbour's tunnel IP, then do a show on the crypto. C U,,
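The `show dmvpn` outputs above are what prove the text's claim: the spoke holds one static (S) entry for its NHS and learns the other spoke dynamically (D), while the hub learns every spoke by registration. As an added example that is not the author's code, the script below parses such output and the spoke's NHRP configuration and checks that they agree; the sample outputs are constructed from the R4 and R1 captures on this page with their columns re-aligned.

```python
"""Verify DMVPN NHRP state from 'show dmvpn' output against the spoke config.
Added example; samples are constructed from the R4/R1 captures on the page."""
import re
from dataclasses import dataclass

# Constructed sample: R4 (spoke) 'show dmvpn'. Row 1 is the hub/NHS (static),
# row 2 is R3, learned dynamically after the first spoke-to-spoke packet.
SPOKE_SHOW_DMVPN = """\
Tunnel0, Type:Spoke, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 172.16.15.2     192.168.0.1     UP    00:32:01 S
     1 172.16.25.2     192.168.0.2     UP    never    D
"""
# Constructed sample: R1 (hub) 'show dmvpn'; both spokes registered dynamically.
HUB_SHOW_DMVPN = """\
Tunnel0, Type:Hub, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 172.16.25.2     192.168.0.2     UP    never    D
     1 172.16.35.2     192.168.0.3     UP    never    D
"""
# Constructed sample: R4's Tunnel0 NHRP lines from the page.
SPOKE_TUNNEL_CFG = """\
interface Tunnel0
 ip nhrp map 192.168.0.1 172.16.15.2
 ip nhrp map multicast 172.16.15.2
 ip nhrp network-id 1
 ip nhrp nhs 192.168.0.1
"""

@dataclass
class Peer:
    entries: int
    nbma: str      # transport (underlay) address of the peer
    tunnel: str    # peer's Tunnel0 address
    state: str
    attrb: str     # S static, D dynamic, I incomplete, N NATed, ...

ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+([SDINLX]+)\s*$")

def parse_show_dmvpn(text):
    """Return (tunnel type, [Peer]) parsed from 'show dmvpn' output."""
    ttype, peers = None, []
    for line in text.splitlines():
        m = re.search(r"Type:(\w+)", line)
        if m:
            ttype = m.group(1)
        m = ROW.match(line)
        if m:
            peers.append(Peer(int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(6)))
    return ttype, peers

def configured_nhs(cfg):
    """Map each 'ip nhrp nhs' tunnel address to its statically mapped NBMA address."""
    ip = r"(\d+\.\d+\.\d+\.\d+)"
    maps = dict(re.findall(rf"ip nhrp map {ip} {ip}", cfg))
    return {nhs: maps.get(nhs) for nhs in re.findall(rf"ip nhrp nhs {ip}", cfg)}

def check_spoke(show_text, cfg):
    """A healthy spoke has exactly its configured NHS as static peers (each resolving
    to the mapped NBMA address); returns (findings, dynamic UP peer tunnel addresses)."""
    ttype, peers = parse_show_dmvpn(show_text)
    nhs = configured_nhs(cfg)
    findings = [] if ttype == "Spoke" else [f"expected Spoke, got {ttype}"]
    static = [p for p in peers if "S" in p.attrb]
    findings += [f"static peer {p.tunnel} -> {p.nbma} is not a configured NHS"
                 for p in static if nhs.get(p.tunnel) != p.nbma]
    if len(static) != len(nhs):
        findings.append(f"{len(static)} static peers vs {len(nhs)} configured NHS")
    return findings, [p.tunnel for p in peers if "D" in p.attrb and p.state == "UP"]

def check_hub(show_text):
    """A hub learns every spoke by NHRP registration, so no peer should be static.
    Returns (findings, UP spoke tunnel addresses)."""
    ttype, peers = parse_show_dmvpn(show_text)
    findings = [] if ttype == "Hub" else [f"expected Hub, got {ttype}"]
    findings += [f"unexpected static peer {p.nbma}" for p in peers if "S" in p.attrb]
    return findings, [p.tunnel for p in peers if p.state == "UP"]
```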

Saturday, 24 September 2011

Site-To-Site ASA (Tested)



I was curious to try it in GNS: site-to-site ASA with NAT control. I have tried this myself and it is running; it can apparently serve as a standard template, you just need to change the IPs in the VPN protect access-list and the NAT 0 one.

Captures of the two ASAs are as follows:

so check this out :)

ASA 1 Capture Configuration:

ASA-kanan# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ASA-kanan
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 0
ip address 22.22.22.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit object-group TCPUDP any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group TCPUDP any any
access-list outside_access_in extended permit icmp any any
access-list outside_1_cryptomap extended permit ip 19.19.19.0 255.255.255.0 11.11.11.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 19.19.19.0 255.255.255.0 11.11.11.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
route inside 19.19.19.0 255.255.255.0 22.22.22.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 19.19.19.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 1.1.1.2
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
group-policy DfltGrpPolicy attributes
username admin password eY/fQXw7Ure8Qrz7 encrypted
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:b6b9f86d0b50ff1aeee2595ebe05c4bb
: end
-----------------------------------------------------------------------------------

ASA-kanan# sh crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 1.1.1.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

-----------------------------------------------------------------------------------

ASA-kanan# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1

access-list outside_1_cryptomap permit ip 19.19.19.0 255.255.255.0 11.11.11.0 255.255.255.0
local ident (addr/mask/prot/port): (19.19.19.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (11.11.11.0/255.255.255.0/0/0)
current_peer: 1.1.1.2

#pkts encaps: 384, #pkts encrypt: 384, #pkts digest: 384
#pkts decaps: 384, #pkts decrypt: 384, #pkts verify: 384
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 384, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: F18D1423

inbound esp sas:
spi: 0x7C7E07AC (2088634284)
transform: esp-des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 12288, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3824966/28607)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xF18D1423 (4052554787)
transform: esp-des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 12288, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3824966/28607)
IV size: 8 bytes
replay detection support: Y


ASA Kiri (left ASA) configuration capture (the earlier remote-access configuration is still there; I do want both modes running, site-to-site and remote-access IPsec):

ciscoasa# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 11.11.11.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit object-group TCPUDP any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit object-group TCPUDP any any
access-list outside_1_cryptomap extended permit ip 11.11.11.0 255.255.255.0 19.19.19.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 19.19.19.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool REMOTE_SALES_POOL 192.168.15.66-192.168.15.127 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 19.19.19.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set REMOTE_SALES_SET esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map REMOTE_SALES_MAP 65535 set transform-set REMOTE_SALES_SET
crypto map OUTSIDE_MAP 1 match address outside_1_cryptomap
crypto map OUTSIDE_MAP 1 set pfs group1
crypto map OUTSIDE_MAP 1 set peer 1.1.1.1
crypto map OUTSIDE_MAP 1 set transform-set ESP-DES-SHA
crypto map OUTSIDE_MAP 10 ipsec-isakmp dynamic REMOTE_SALES_MAP
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
group-policy REMOTE_SALES_POLICY internal
group-policy REMOTE_SALES_POLICY attributes
banner value hati2 ya
dns-server value 19.19.19.19
vpn-tunnel-protocol IPSec
default-domain none
username admin password eY/fQXw7Ure8Qrz7 encrypted
username user1 password mbO2jYs13AXlIAGa encrypted
username user1 attributes
vpn-group-policy REMOTE_SALES_POLICY
vpn-tunnel-protocol IPSec
tunnel-group REMOTE_SALES_GROUP type remote-access
tunnel-group REMOTE_SALES_GROUP general-attributes
address-pool REMOTE_SALES_POOL
default-group-policy REMOTE_SALES_POLICY
tunnel-group REMOTE_SALES_GROUP ipsec-attributes
pre-shared-key *
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:a5b1dbc88a6d5bd218b949f68c587dc9
: end

-------------------------------------------------------------------

ciscoasa# sh crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

-------------------------------------------------------------------

ciscoasa# sh crypto ipsec sa
interface: outside
Crypto map tag: OUTSIDE_MAP, seq num: 1, local addr: 1.1.1.2

access-list outside_1_cryptomap permit ip 11.11.11.0 255.255.255.0 19.19.19.0 255.255.255.0
local ident (addr/mask/prot/port): (11.11.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (19.19.19.0/255.255.255.0/0/0)
current_peer: 1.1.1.1

#pkts encaps: 470, #pkts encrypt: 470, #pkts digest: 470
#pkts decaps: 470, #pkts decrypt: 470, #pkts verify: 470
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 470, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 1.1.1.2, remote crypto endpt.: 1.1.1.1

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 7C7E07AC

inbound esp sas:
spi: 0xF18D1423 (4052554787)
transform: esp-des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 28672, crypto-map: OUTSIDE_MAP
sa timing: remaining key lifetime (kB/sec): (4274961/28523)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x7C7E07AC (2088634284)
transform: esp-des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 28672, crypto-map: OUTSIDE_MAP
sa timing: remaining key lifetime (kB/sec): (4274961/28523)
IV size: 8 bytes
replay detection support: Y


The cloud is connected to VMware running Windows 2003 with the Cisco VPN Client installed, and it successfully pings the inside network of ASA 2. :)
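The captures in this post and in the DMVPN post above both carry settings a reviewer would flag before reusing them as a template: DES transform sets, PFS group 1, an IOS ISAKMP policy that inherits its defaults, and a pre-shared key bound to a /16 peer range. As an added example that is not the author's code, the audit below parses IOS and ASA running configs for such choices; SAMPLE_ASA and SAMPLE_IOS are constructed from lines of the ASA-kanan and R1 captures on this page, with sub-commands indented as `show run` prints them.

```python
"""Flag weak IKE/IPsec choices in IOS and ASA running configs.
Added example; the samples are constructed from the ASA-kanan and R1 captures."""
import re

WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
WEAK_IKE_ENC = {"des", "3des"}
WEAK_DH = {"1", "2", "5"}          # DH groups below current guidance

SAMPLE_ASA = """\
hostname ASA-kanan
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
"""
SAMPLE_IOS = """\
hostname R1
no service password-encryption
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key P4ssw0rd address 172.16.0.0 255.255.0.0
crypto ipsec transform-set MyTransformSet esp-aes esp-sha-hmac
"""

def isakmp_policies(cfg):
    """Yield (priority, {keyword: value}) per 'crypto isakmp policy' block; the
    block body is the run of indented lines that follows it."""
    lines = cfg.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if not m:
            continue
        body = {}
        for sub in lines[i + 1:]:
            if not sub.startswith((" ", "\t")):
                break
            kw, _, val = sub.strip().partition(" ")
            body[kw] = val
        yield m.group(1), body

def audit(cfg):
    """Return findings as 'SEVERITY: message' strings for one running config."""
    out = []
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M):
        weak = WEAK_ESP & set(m.group(2).split())
        if weak:
            out.append(f"HIGH: transform-set {m.group(1)} uses {' '.join(sorted(weak))}")
    for m in re.finditer(r"^crypto map (\S+) (\d+) set pfs group(\d+)", cfg, re.M):
        if m.group(3) in WEAK_DH:
            out.append(f"MEDIUM: crypto map {m.group(1)} {m.group(2)} PFS uses DH group {m.group(3)}")
    # IOS wildcard PSK: one key trusted for a whole range of peer addresses.
    for m in re.finditer(r"^crypto isakmp key \S+ address (\S+)(?: (\d+\.\d+\.\d+\.\d+))?", cfg, re.M):
        mask = m.group(2) or "255.255.255.255"
        if mask != "255.255.255.255":
            out.append(f"HIGH: wildcard pre-shared key for {m.group(1)} {mask}")
    for prio, body in isakmp_policies(cfg):
        # IOS omits defaults from 'show run': encryption des, hash sha, group 1.
        enc, grp = body.get("encryption", "des"), body.get("group", "1")
        if enc in WEAK_IKE_ENC:
            note = "" if "encryption" in body else " (implicit IOS default)"
            out.append(f"HIGH: isakmp policy {prio} encryption {enc}{note}")
        if body.get("hash") == "md5":
            out.append(f"MEDIUM: isakmp policy {prio} hash md5")
        if grp in WEAK_DH:
            note = "" if "group" in body else " (implicit IOS default)"
            out.append(f"MEDIUM: isakmp policy {prio} DH group {grp}{note}")
    if re.search(r"^no service password-encryption", cfg, re.M):
        out.append("LOW: no service password-encryption leaves line passwords readable")
    return out
```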

Friday, 23 September 2011

Remote-Access with ASA to ASA in GNS (Tested)


Here is something that can be used as a standard template for any topology.



ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 11.11.11.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit object-group TCPUDP any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit object-group TCPUDP any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool REMOTE_SALES_POOL 192.168.15.66-192.168.15.127 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 19.19.19.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set REMOTE_SALES_SET esp-aes-256 esp-sha-hmac
crypto dynamic-map REMOTE_SALES_MAP 65535 set transform-set REMOTE_SALES_SET
crypto map OUTSIDE_MAP 10 ipsec-isakmp dynamic REMOTE_SALES_MAP
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
group-policy REMOTE_SALES_POLICY internal
group-policy REMOTE_SALES_POLICY attributes
banner value hati2 ya
dns-server value 19.19.19.19
vpn-tunnel-protocol IPSec
default-domain none
username admin password eY/fQXw7Ure8Qrz7 encrypted
username user1 password mbO2jYs13AXlIAGa encrypted
username user1 attributes
vpn-group-policy REMOTE_SALES_POLICY
vpn-tunnel-protocol IPSec
tunnel-group REMOTE_SALES_GROUP type remote-access
tunnel-group REMOTE_SALES_GROUP general-attributes
address-pool REMOTE_SALES_POOL
default-group-policy REMOTE_SALES_POLICY
tunnel-group REMOTE_SALES_GROUP ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:a5b1dbc88a6d5bd218b949f68c587dc9
: end


ciscoasa# sh crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 19.19.19.19
Type : user Role : responder
Rekey : no State : AM_ACTIVE

Thursday, 22 September 2011

ASA Remote Access (Tested)



Network behind the ASA (Inside) 11.11.11.0/24 (Router = 11.11.11.2)
Network ASA to Router R2 = 12.12.12.0/24 (Router = 12.12.12.2)
Client = 1.1.1.0/24

Goal = a client on network 1.1.1.0/24 can ping 11.11.11.2 through the IPsec VPN client.

ciscoasa# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 11.11.11.1 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 12.12.12.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool REMOTE_SALES_POOL 192.168.15.66-192.168.15.127 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 12.12.12.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
ldap attribute-map CISCOMAP
map-name memberOf IETF-Radius-Class
map-value memberOf CN=sales,CN=Users,DC=cisco,DC=co.id ExamplePolicy1
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (outside) host 1.1.1.3
ldap-base-dn DC=cisco,DC=co.id
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn CN=administrator,OU=Users,DC=cisco,DC=co.id
server-type microsoft
ldap-attribute-map CISCOMAP
http server enable
http 1.1.1.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set REMOTE_SALES_SET esp-aes-256 esp-sha-hmac
crypto dynamic-map REMOTE_SALES_MAP 65535 set transform-set REMOTE_SALES_SET
crypto map OUTSIDE_MAP 10 ipsec-isakmp dynamic REMOTE_SALES_MAP
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
group-policy REMOTE_SALES_POLICY internal
group-policy REMOTE_SALES_POLICY attributes
banner value hati2 ya
dns-server value 1.1.1.3
vpn-tunnel-protocol IPSec
default-domain none
username admin password eY/fQXw7Ure8Qrz7 encrypted
username user1 password mbO2jYs13AXlIAGa encrypted
username user1 attributes
vpn-group-policy REMOTE_SALES_POLICY
vpn-tunnel-protocol IPSec
tunnel-group REMOTE_SALES_GROUP type remote-access
tunnel-group REMOTE_SALES_GROUP general-attributes
address-pool REMOTE_SALES_POOL
default-group-policy REMOTE_SALES_POLICY
tunnel-group REMOTE_SALES_GROUP ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:ee1dab5c76819a5748c47e27843d02a5
: end