Saturday, 24 September 2011

Site-To-Site ASA (Tested)



I was curious to try this in GNS3: site-to-site ASA with NAT control. I have tried it myself and it runs, so it can probably serve as a standard template; all you need to change are the IP addresses in the VPN-protect access-list and the NAT 0 access-list.

Captures from both ASAs are as follows:

so check this out :)

ASA 1 configuration capture:

ASA-kanan# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ASA-kanan
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 0
ip address 22.22.22.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit object-group TCPUDP any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group TCPUDP any any
access-list outside_access_in extended permit icmp any any
access-list outside_1_cryptomap extended permit ip 19.19.19.0 255.255.255.0 11.11.11.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 19.19.19.0 255.255.255.0 11.11.11.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
route inside 19.19.19.0 255.255.255.0 22.22.22.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 19.19.19.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 1.1.1.2
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
group-policy DfltGrpPolicy attributes
username admin password eY/fQXw7Ure8Qrz7 encrypted
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:b6b9f86d0b50ff1aeee2595ebe05c4bb
: end
-----------------------------------------------------------------------------------

ASA-kanan# sh crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 1.1.1.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

-----------------------------------------------------------------------------------

ASA-kanan# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1

access-list outside_1_cryptomap permit ip 19.19.19.0 255.255.255.0 11.11.11.0 255.255.255.0
local ident (addr/mask/prot/port): (19.19.19.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (11.11.11.0/255.255.255.0/0/0)
current_peer: 1.1.1.2

#pkts encaps: 384, #pkts encrypt: 384, #pkts digest: 384
#pkts decaps: 384, #pkts decrypt: 384, #pkts verify: 384
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 384, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: F18D1423

inbound esp sas:
spi: 0x7C7E07AC (2088634284)
transform: esp-des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 12288, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3824966/28607)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xF18D1423 (4052554787)
transform: esp-des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 12288, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3824966/28607)
IV size: 8 bytes
replay detection support: Y


ASA 2 (left) configuration capture (it also contains the earlier remote-access configuration, because I want both modes to run on it: site-to-site and remote-access IPsec):

ciscoasa# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 11.11.11.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit object-group TCPUDP any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit object-group TCPUDP any any
access-list outside_1_cryptomap extended permit ip 11.11.11.0 255.255.255.0 19.19.19.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 19.19.19.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool REMOTE_SALES_POOL 192.168.15.66-192.168.15.127 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 19.19.19.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set REMOTE_SALES_SET esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map REMOTE_SALES_MAP 65535 set transform-set REMOTE_SALES_SET
crypto map OUTSIDE_MAP 1 match address outside_1_cryptomap
crypto map OUTSIDE_MAP 1 set pfs group1
crypto map OUTSIDE_MAP 1 set peer 1.1.1.1
crypto map OUTSIDE_MAP 1 set transform-set ESP-DES-SHA
crypto map OUTSIDE_MAP 10 ipsec-isakmp dynamic REMOTE_SALES_MAP
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
group-policy REMOTE_SALES_POLICY internal
group-policy REMOTE_SALES_POLICY attributes
banner value hati2 ya
dns-server value 19.19.19.19
vpn-tunnel-protocol IPSec
default-domain none
username admin password eY/fQXw7Ure8Qrz7 encrypted
username user1 password mbO2jYs13AXlIAGa encrypted
username user1 attributes
vpn-group-policy REMOTE_SALES_POLICY
vpn-tunnel-protocol IPSec
tunnel-group REMOTE_SALES_GROUP type remote-access
tunnel-group REMOTE_SALES_GROUP general-attributes
address-pool REMOTE_SALES_POOL
default-group-policy REMOTE_SALES_POLICY
tunnel-group REMOTE_SALES_GROUP ipsec-attributes
pre-shared-key *
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:a5b1dbc88a6d5bd218b949f68c587dc9
: end

-------------------------------------------------------------------

ciscoasa# sh crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

-------------------------------------------------------------------

ciscoasa# sh crypto ipsec sa
interface: outside
Crypto map tag: OUTSIDE_MAP, seq num: 1, local addr: 1.1.1.2

access-list outside_1_cryptomap permit ip 11.11.11.0 255.255.255.0 19.19.19.0 255.255.255.0
local ident (addr/mask/prot/port): (11.11.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (19.19.19.0/255.255.255.0/0/0)
current_peer: 1.1.1.1

#pkts encaps: 470, #pkts encrypt: 470, #pkts digest: 470
#pkts decaps: 470, #pkts decrypt: 470, #pkts verify: 470
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 470, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 1.1.1.2, remote crypto endpt.: 1.1.1.1

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 7C7E07AC

inbound esp sas:
spi: 0xF18D1423 (4052554787)
transform: esp-des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 28672, crypto-map: OUTSIDE_MAP
sa timing: remaining key lifetime (kB/sec): (4274961/28523)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x7C7E07AC (2088634284)
transform: esp-des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 28672, crypto-map: OUTSIDE_MAP
sa timing: remaining key lifetime (kB/sec): (4274961/28523)
IV size: 8 bytes
replay detection support: Y


The Cloud node is connected to VMware running 2003 with the Cisco VPN Client installed, and it successfully pinged the inside network of ASA 2. :)
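As an added example (not part of the original post), the following Python script does the cross-check you would run before reusing these two configs as a template: it parses the static L2L crypto-map entry, the crypto ACL, the NAT 0 ACL, the transform-set and the peer from each side, then confirms that the crypto ACLs are mirror images, that the NAT 0 ACL exempts all protected traffic, that peers and transforms agree on both ends, and it flags the DES and PFS group 1 choices used here as weak. The config excerpts embedded below are constructed from the two `show run` outputs above; the function names and finding texts are my own.

```python
import re
from ipaddress import IPv4Network

# Constructed excerpts of the two "show run" outputs in the post (ASA-kanan and
# ciscoasa). Only the lines the checker reads are kept.
ASA_KANAN = """
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
access-list outside_1_cryptomap extended permit ip 19.19.19.0 255.255.255.0 11.11.11.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 19.19.19.0 255.255.255.0 11.11.11.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 1.1.1.2
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
"""

ASA_KIRI = """
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0
access-list outside_1_cryptomap extended permit ip 11.11.11.0 255.255.255.0 19.19.19.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 19.19.19.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set REMOTE_SALES_SET esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map REMOTE_SALES_MAP 65535 set transform-set REMOTE_SALES_SET
crypto map OUTSIDE_MAP 1 match address outside_1_cryptomap
crypto map OUTSIDE_MAP 1 set pfs group1
crypto map OUTSIDE_MAP 1 set peer 1.1.1.1
crypto map OUTSIDE_MAP 1 set transform-set ESP-DES-SHA
crypto map OUTSIDE_MAP 10 ipsec-isakmp dynamic REMOTE_SALES_MAP
crypto map OUTSIDE_MAP interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set pfs|set peer|set transform-set) (\S+)$", re.M)
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$", re.M)
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$", re.M)
OUTSIDE_RE = re.compile(r"^nameif outside\n(?:.*\n)*?ip address (\S+) \S+$", re.M)

# Algorithms ASA 8.0 still accepts but that are no longer considered safe.
WEAK = {"esp-des", "esp-md5-hmac", "group1"}


def parse_acl(cfg, name):
    """Return {(src_net, dst_net)} for every 'permit ip' line of the named ACL."""
    return {(IPv4Network(f"{s}/{sm}"), IPv4Network(f"{d}/{dm}"))
            for n, s, sm, d, dm in ACL_RE.findall(cfg) if n == name}


def parse_site(cfg):
    """Pull the static L2L crypto-map entry and the pieces it depends on."""
    entries = {}
    for mapname, seq, kind, value in MAP_RE.findall(cfg):
        entries.setdefault((mapname, seq), {})[kind.split()[-1]] = value
    # The static L2L entry is the one with 'match address'; dynamic entries have none.
    l2l = next(e for e in entries.values() if "address" in e)
    transform_sets = {n: frozenset(a.split()) for n, a in TS_RE.findall(cfg)}
    return {
        "outside_ip": OUTSIDE_RE.search(cfg).group(1),
        "peer": l2l["peer"],
        "pfs": l2l.get("pfs"),
        "transforms": transform_sets[l2l["transform-set"]],
        "crypto_acl": parse_acl(cfg, l2l["address"]),
        "nat0_acl": parse_acl(cfg, NAT0_RE.search(cfg).group(1)),
    }


def check_site_pair(cfg_a, cfg_b):
    """Cross-check both ends of a site-to-site tunnel; returns a list of findings."""
    a, b = parse_site(cfg_a), parse_site(cfg_b)
    findings = []
    if a["peer"] != b["outside_ip"] or b["peer"] != a["outside_ip"]:
        findings.append("peer addresses do not point at each other's outside interface")
    # Side A's (src, dst) pairs must equal side B's pairs with src and dst swapped,
    # otherwise Phase 2 fails with a proxy-ID mismatch.
    if a["crypto_acl"] != {(d, s) for s, d in b["crypto_acl"]}:
        findings.append("crypto ACLs are not mirror images (Phase 2 proxy-ID mismatch)")
    for label, side in (("A", a), ("B", b)):
        if not side["crypto_acl"] <= side["nat0_acl"]:
            findings.append(f"side {label}: nat 0 ACL does not exempt all protected traffic")
    if a["transforms"] != b["transforms"]:
        findings.append("transform-sets differ")
    if a["pfs"] != b["pfs"]:
        findings.append("PFS settings differ")
    weak = (a["transforms"] | b["transforms"] | {a["pfs"], b["pfs"]}) & WEAK
    if weak:
        findings.append("weak algorithms in use: " + ", ".join(sorted(weak)))
    return findings


if __name__ == "__main__":
    for line in check_site_pair(ASA_KANAN, ASA_KIRI) or ["no findings"]:
        print(line)
```

Run against the two captures above, the only finding is the weak-algorithm one (esp-des and PFS group1), which matches what the tunnel negotiated in the `show crypto ipsec sa` output; editing either NAT 0 or crypto ACL to a different subnet produces the corresponding mismatch finding, which is the mistake most often made when swapping subnets into the template.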
