Uploaded by Brati Florin

asa-firewall-lab

IPSec over GRE Tunnel:
Advantages:
- Creates a logical virtual interface between the two routers across which the traffic appears to flow
- Allows us to run an IGP routing protocol
- Allows multicast routing
- Traffic crossing the Internet is encrypted
Pre-Configuration:

ASA
!
interface GigabitEthernet0
ip address 100.100.100.2 255.255.255.0
nameif outside
security-level 0
no shutdown
!
!
interface GigabitEthernet2
ip address 10.10.10.1 255.255.255.252
nameif inside
security-level 100
no shutdown

Corp
!
interface FastEthernet 0/0
ip address 10.10.10.2 255.255.255.252
no shutdown
interface FastEthernet 0/1
ip address 10.10.11.1 255.255.255.252
no shutdown

Branch
!
interface FastEthernet 0/0
ip address 100.100.100.10 255.255.255.0
no shutdown
!
interface FastEthernet 0/1
ip address 10.10.14.1 255.255.255.252
no shutdown

ASA
!
interface GigabitEthernet1
no nameif
security-level 0
no ip address
no shutdown
!
interface GigabitEthernet1.1
! 802.1Q tag of the subinterface must match VLAN 10 (DMZ) trunked from SW1
vlan 10
nameif DMZ
security-level 50
ip address 20.20.20.1 255.255.255.0

SW1
vlan database
vlan 10 name DMZ
exit
conf t
!
no ip routing
!
interface FastEthernet 1/0
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface range FastEthernet 1/1 - 2
switchport mode access
switchport access vlan 10
!
ip default-gateway 20.20.20.1

SW2
!
vlan database
vlan 2 name Sales
vlan 3 name Finance
exit
conf t
!
interface FastEthernet 1/0
switchport mode access
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet 1/1
switchport mode access
switchport access vlan 3
spanning-tree portfast
!
interface vlan 2
ip address 10.10.12.1 255.255.255.0
no shut
!
interface vlan 3
ip address 10.10.13.1 255.255.255.0
no shut
!
interface FastEthernet 0/0
ip address 10.10.11.2 255.255.255.252
no shut
!
ip dhcp excluded-address 10.10.12.1 10.10.12.9
!
ip dhcp pool VLAN2
network 10.10.12.0 /24
default-router 10.10.12.1
dns-server 8.8.8.8
!
ip dhcp excluded-address 10.10.13.1 10.10.13.9
!
ip dhcp pool VLAN3
network 10.10.13.0 /24
default-router 10.10.13.1
dns-server 8.8.8.8

SW3
!
vlan database
vlan 2 name Accounting
vlan 3 name Management
exit
conf t
!
interface FastEthernet 1/0
switchport mode access
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet 1/1
switchport mode access
switchport access vlan 3
spanning-tree portfast
!
interface vlan 2
ip address 10.10.15.1 255.255.255.0
no shut
!
interface vlan 3
ip address 10.10.16.1 255.255.255.0
no shut
!
interface FastEthernet 0/0
ip address 10.10.14.2 255.255.255.252
no shut
!
ip dhcp excluded-address 10.10.15.1 10.10.15.9
!
ip dhcp pool VLAN2
network 10.10.15.0 /24
default-router 10.10.15.1
dns-server 8.8.8.8
!
ip dhcp excluded-address 10.10.16.1 10.10.16.9
!
ip dhcp pool VLAN3
network 10.10.16.0 /24
default-router 10.10.16.1
dns-server 8.8.8.8
GRE Tunnel Configuration:
Step 1: Create the OSPF routing process:

CORP(config)# router ospf 123
CORP(config-router)# network 192.168.1.0 0.0.0.255 area 0

BRANCH(config)# router ospf 123
BRANCH(config-router)# network 10.1.1.0 0.0.0.255 area 0
Step 2: Configure layer 3 tunnel interfaces:

CORP(config)# interface tunnel 0
CORP(config-if)# tunnel source f0/0
CORP(config-if)# tunnel destination 192.168.137.10
CORP(config-if)# ip address 10.10.1.1 255.255.255.252
CORP(config-if)# tunnel path-mtu-discovery
CORP(config-if)# ip ospf mtu-ignore

BRANCH(config)# interface tunnel 0
BRANCH(config-if)# tunnel source f0/0
BRANCH(config-if)# tunnel destination 192.168.137.2
BRANCH(config-if)# ip address 10.10.1.2 255.255.255.252
BRANCH(config-if)# tunnel path-mtu-discovery
BRANCH(config-if)# ip ospf mtu-ignore
Verify:

CORP# ping 10.10.1.2
Step 3: Update OSPF Network Statements:

CORP(config)# router ospf 123
CORP(config-router)# network 10.10.1.0 0.0.0.3 area 0

BRANCH(config)# router ospf 123
BRANCH(config-router)# network 10.10.1.0 0.0.0.3 area 0
Verify:

CORP# show ip ospf neighbor
Configure IPSec:
Step 1: Define Traffic to be encrypted

CORP(config)# ip access-list extended IPSEC-TRAFFIC
CORP(config-ext-nacl)# remark VPN Traffic
CORP(config-ext-nacl)# permit gre host 192.168.137.2 host 192.168.137.10

BRANCH(config)# ip access-list extended IPSEC-TRAFFIC
BRANCH(config-ext-nacl)# remark VPN Traffic
BRANCH(config-ext-nacl)# permit gre host 192.168.137.10 host 192.168.137.2
Step 2: Phase 1: ISAKMP policy

CORP(config)# crypto isakmp policy 1
CORP(config-isakmp)# authentication pre-share
CORP(config-isakmp)# encryption aes 128
CORP(config-isakmp)# hash sha
CORP(config-isakmp)# group 2

BRANCH(config)# crypto isakmp policy 1
BRANCH(config-isakmp)# authentication pre-share
BRANCH(config-isakmp)# encryption aes 128
BRANCH(config-isakmp)# hash sha
BRANCH(config-isakmp)# group 2
Step 3: Define Shared Secret

CORP(config)# crypto isakmp key 0 CISCO address 192.168.137.10

BRANCH(config)# crypto isakmp key 0 CISCO address 192.168.137.2
Step 4: Phase 2: IPsec transform set

CORP(config)# crypto ipsec transform-set TRANS-SET-GRE-TUNNEL esp-aes 128 esp-sha-hmac
CORP(cfg-crypto-trans)# mode tunnel

BRANCH(config)# crypto ipsec transform-set TRANS-SET-GRE-TUNNEL esp-aes 128 esp-sha-hmac
BRANCH(cfg-crypto-trans)# mode tunnel
Step 5: Create crypto-map

CORP(config)# crypto map CRYPTO-MAP 1 ipsec-isakmp
CORP(config-crypto-map)# description to BRANCH
CORP(config-crypto-map)# match address IPSEC-TRAFFIC
CORP(config-crypto-map)# set peer 192.168.137.10
CORP(config-crypto-map)# set transform-set TRANS-SET-GRE-TUNNEL

BRANCH(config)# crypto map CRYPTO-MAP 1 ipsec-isakmp
BRANCH(config-crypto-map)# description to CORP
BRANCH(config-crypto-map)# match address IPSEC-TRAFFIC
BRANCH(config-crypto-map)# set peer 192.168.137.2
BRANCH(config-crypto-map)# set transform-set TRANS-SET-GRE-TUNNEL
Step 6: Apply crypto-map to interfaces

CORP(config)# interface f0/0
CORP(config-if)# crypto map CRYPTO-MAP
CORP(config-if)# interface tunnel 0
CORP(config-if)# crypto map CRYPTO-MAP

BRANCH(config)# interface f0/0
BRANCH(config-if)# crypto map CRYPTO-MAP
BRANCH(config-if)# interface tunnel 0
BRANCH(config-if)# crypto map CRYPTO-MAP
Step 7: Verification
CORP# show ip ospf neighbor
CORP# show crypto ipsec sa
CORP# ping 10.10.1.2 repeat 50
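As an added example (not part of the lab), the Python below checks that the two routers' GRE/IPsec stanzas mirror each other the way steps 1 to 6 require: the crypto ACL reversed on the peer, tunnel destination equal to set peer and to the isakmp key address, and the same pre-shared key on both sides; it also flags the lab's DH group 2 as below group 14. The CORP and BRANCH text is constructed from the commands above as show running-config would print them, and the group-14 threshold is my assumption, not something the lab states.

```python
import re

# Constructed samples (not captured from the lab page): the CORP and BRANCH lines that
# must mirror each other, as "show running-config" prints them (the key's "0" is dropped).
CORP = """\
 tunnel destination 192.168.137.10
 permit gre host 192.168.137.2 host 192.168.137.10
crypto isakmp policy 1
 group 2
crypto isakmp key CISCO address 192.168.137.10
 set peer 192.168.137.10
"""
BRANCH = """\
 tunnel destination 192.168.137.2
 permit gre host 192.168.137.10 host 192.168.137.2
crypto isakmp policy 1
 group 2
crypto isakmp key CISCO address 192.168.137.2
 set peer 192.168.137.2
"""

# Fields that must agree between the two endpoints before the SA can come up.
FIELDS = {
    "tunnel_dst": r"^\s*tunnel destination (\S+)",
    "acl": r"^\s*permit gre host (\S+) host (\S+)",
    "dh_group": r"^\s*group (\d+)",
    "key": r"^crypto isakmp key (?:\d )?(\S+) address (\S+)",
    "peer": r"^\s*set peer (\S+)",
}

def parse(cfg):
    """Return {field: matched groups or None} for one router's config text."""
    return {n: (m.groups() if (m := re.search(p, cfg, re.M)) else None)
            for n, p in FIELDS.items()}

def check_pair(a, b):
    """Findings for peers a and b; only the DH-strength caveat remains when they mirror."""
    pa, pb = parse(a), parse(b)
    out = []
    if not (pa["acl"] and pb["acl"] and pa["acl"] == pb["acl"][::-1]):
        out.append("crypto ACL is not the mirror image of the peer's")
    if pa["key"] and pb["key"] and pa["key"][0] != pb["key"][0]:
        out.append("pre-shared keys differ")
    for side, p in (("a", pa), ("b", pb)):
        if not all((p["tunnel_dst"], p["peer"], p["key"])) or \
                len({p["tunnel_dst"][0], p["peer"][0], p["key"][1]}) != 1:
            out.append(f"{side}: tunnel destination, set peer and isakmp key address disagree")
        if p["dh_group"] and int(p["dh_group"][0]) < 14:  # group 2 is 1024-bit MODP; 14 is an assumed floor
            out.append(f"{side}: DH group {p['dh_group'][0]} is below group 14")
    return out
```

Run check_pair on both routers' running configs after step 6; an empty list apart from the DH caveat means the mirrored fields line up and a failed "show crypto ipsec sa" points elsewhere.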