.2.0 255.255.255.0 inside
telnet timeout 5
ssh 100.100.100.1 255.255.255.255 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
username admin password xxxxxxxxxxxxxxx encrypted
tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 ipsec-attributes
 pre-shared-key branch2vpnkey
 isakmp keepalive threshold 30 retry 5
prompt hostname context
: end

CONFIGURATION EXAMPLE 4: REMOTE ACCESS VPN

Continuing our VPN examples, we will configure here a Remote Access VPN scenario for providing secure connectivity to remote users over the Internet, as described in more detail in Chapter 5. In this configuration example we will also set up the split-tunneling feature, which allows remote users to browse the Internet while connected to the IPSEC VPN. Because split-tunneling is not considered safe, it is disabled by default. This means that once the remote users establish a Remote Access VPN with the central site, they can ONLY access the Corporate LAN network and nothing else. In order for the users to access Internet resources and the Corporate LAN simultaneously, split-tunneling must be configured.

The complete configuration follows below. See the Blue Color comments (the lines beginning with "!") for clarifications. See also the Red Color commands for ASA version 8.3 and later (introduced by the comment "Below is for version 8.3 and later").

ASA-1# sh run
: Saved
:
!
hostname ASA-1
domain-name test.com
enable password xxxxxxxxxxxxxxxxxx encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 100.100.100.1 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd xxxxxxxxxxxxxxxxxxxxx encrypted
boot system disk0:/asa723-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name test.com
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended deny ip any any log
! Traffic between internal LAN and Remote Access clients must not be translated
access-list nat0_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
! Remote Access client traffic destined to the internal LAN is permitted for split tunneling (i.e. to
! access the Internet simultaneously)
access-list splittunnel standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging trap debugging
mtu outside 1500
mtu inside 1500
! Create a pool of addresses to assign to the remote access clients
ip local pool vpnpool 192.168.20.1-192.168.20.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0
! Below is for version 8.3 and later
object network internal_lan
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network obj-remote
 subnet 192.168.20.0 255.255.255.0
nat (inside,outside) 1 source static any any destination static obj-remote obj-remote
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 100.100.100.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
! Create a dynamic crypto map for the remote VPN clients
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
! Attach the dynamic crypto map to a static crypto map
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
! Create a Phase 1 isakmp policy for the remote VPN clients
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
! nat-traversal allows remote clients behind a NAT device to connect without problems.
crypto isakmp nat-traversal 20
telnet 192.168.1.0 255.255.255
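As an added review aid (not part of the book or of Cisco's tooling), the script below reads the remote-access pieces of the ASA-1 configuration above and reports three things a reviewer checks by hand: whether the vpnpool range is covered by the nat0_acl exemption, which networks the splittunnel ACL sends through the tunnel (all other client traffic goes out unencrypted), and which deprecated IKE/IPsec algorithms (3DES, MD5, DH group 2) the policy uses. The config excerpt is constructed from the lines above using the pre-8.3 NAT syntax; whether the split-tunnel ACL is actually applied depends on the group-policy, which the excerpt does not contain.

```python
import ipaddress
import re

# Constructed excerpt of the ASA-1 running config shown above (pre-8.3 NAT syntax).
SAMPLE_CONFIG = """\
access-list nat0_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list splittunnel standard permit 192.168.1.0 255.255.255.0
ip local pool vpnpool 192.168.20.1-192.168.20.254
nat (inside) 0 access-list nat0_acl
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
"""

# IKE/IPsec algorithm keywords that are deprecated today (DES/3DES, MD5, DH group 1/2).
WEAK_TOKENS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}

def audit_ra_vpn(config):
    """Check pool/NAT-exemption consistency, list split-tunneled nets, flag weak crypto."""
    pool = nat0_acl = None
    nat0_dsts, tunneled, weak = [], [], []
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"ip local pool \S+ (\S+)-(\S+)", line):
            pool = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)$", line):
            nat0_acl = m[1]                       # ACL that exempts traffic from NAT
        elif m := re.match(r"access-list (\S+) extended permit ip \S+ \S+ (\S+) (\S+)$", line):
            nat0_dsts.append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)))
        elif m := re.match(r"access-list \S+ standard permit (\S+) (\S+)$", line):
            tunneled.append(str(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)))
        elif line.startswith(("encryption ", "hash ", "crypto ipsec transform-set ")):
            weak += [t for t in line.split() if t in WEAK_TOKENS]
        elif m := re.match(r"group ([12])$", line):
            weak.append("group " + m[1])
    # The client pool must fall inside a nat0 ACL destination, or LAN replies get translated.
    exempt = pool is not None and any(
        name == nat0_acl and pool[0] in n and pool[1] in n for name, n in nat0_dsts)
    return {
        "pool_exempt_from_nat": exempt,
        "tunneled_networks": tunneled,          # everything else leaves the client in clear
        "weak_crypto": sorted(set(weak)),
    }

if __name__ == "__main__":
    for key, value in audit_ra_vpn(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```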