Lab 19.1 Deploying a client-to-site VPN through a GPON Router (Part 1)

thanhdc

Aug 10, 2014
I. Overview:

1.1 Diagram:

1.2 Requirements:

Deploy a Remote Access VPN behind a NAT router.


II. Configuration:

2.1 ASA configuration:

ASA Version 9.2(1)
!
hostname ASA1
domain-name svuit.com
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd jDUXMyqeIzxQIVgK encrypted
names


ip local pool SVUIT_easy_vpn_pool 10.1.1.1-10.1.1.126 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 172.16.1.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 10.0.0.1 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group GoogleDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name svuit.com

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network DMZ-SUBNET
subnet 192.168.2.0 255.255.255.0
object network INSIDE-SUBNET
subnet 192.168.1.0 255.255.255.0
object network VPN-TUNNEL
subnet 10.1.1.0 255.255.255.128
object network WEB-SERVER
host 192.168.2.20
object network DNS-SERVER
host 192.168.2.10
object network NAT-WEB-IP
host 172.16.1.3

access-list SVUIT_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0
access-list SVUIT_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list SVUIT_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0

access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 192.168.2.20 eq www

access-group outside_access_in in interface outside

pager lines 23
mtu management 1500
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-72145.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected


nat (inside,outside) source static INSIDE-SUBNET INSIDE-SUBNET destination static VPN-TUNNEL VPN-TUNNEL no-proxy-arp route-lookup
nat (DMZ,outside) source static DMZ-SUBNET DMZ-SUBNET destination static VPN-TUNNEL VPN-TUNNEL no-proxy-arp route-lookup
nat (outside,outside) source dynamic VPN-TUNNEL interface
!
object network DMZ-SUBNET
nat (DMZ,outside) dynamic interface
object network INSIDE-SUBNET
nat (inside,outside) dynamic interface
object network WEB-SERVER
nat (DMZ,outside) static NAT-WEB-IP service tcp www www

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.255.255.0 management
no snmp-server location
no snmp-server contact


crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SVUIT_CRYPTO_MAP 100 set ikev1 transform-set ESP-DES-MD5
crypto map outside_map 100 ipsec-isakmp dynamic SVUIT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000

crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400

telnet 10.0.0.0 255.255.255.0 management
no telnet timeout
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
!
tls-proxy maximum-session 500
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials


group-policy SVUIT internal
group-policy SVUIT attributes
dns-server value 192.168.2.10 4.2.2.2
vpn-tunnel-protocol ikev1
password-storage enable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SVUIT_splitTunnelAcl
default-domain value svuit.com
split-tunnel-all-dns disable

username admin password fbFbxQS63ePiLd41 encrypted privilege 15
username vpnuser1 password 4/M7B0YaP2FnP/il encrypted privilege 0

username vpnuser1 attributes
vpn-group-policy SVUIT
tunnel-group SVUIT type remote-access

tunnel-group SVUIT general-attributes
address-pool SVUIT_easy_vpn_pool
default-group-policy SVUIT
tunnel-group SVUIT ipsec-attributes
ikev1 pre-shared-key svuit.com
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect rtsp
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email
callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 27
subscribe-to-alert-group configuration periodic monthly 27
subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:4c08066afe4b3fa8c7f54d0fd7e36fbd
: end
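An added check script, not part of thanhdc's post: it reads a constructed excerpt of the ASA configuration above and verifies the points that typically break a remote-access VPN behind NAT (the pool sits inside object VPN-TUNNEL, inside and DMZ have identity NAT toward the pool, legacy DES/MD5 algorithms are in use), then derives the port forwards the GPON router must send to the ASA outside address 172.16.1.2. The UDP/500 and UDP/4500 entries are my assumption for any IKEv1 peer behind NAT; only TCP/10000 and UDP/10000 come from the config itself.

```python
import re
import ipaddress
# Constructed excerpt of the ASA config posted above; only the lines these checks read.
ASA_CONFIG = """\
ip local pool SVUIT_easy_vpn_pool 10.1.1.1-10.1.1.126 mask 255.255.255.0
object network VPN-TUNNEL
 subnet 10.1.1.0 255.255.255.128
nat (inside,outside) source static INSIDE-SUBNET INSIDE-SUBNET destination static VPN-TUNNEL VPN-TUNNEL no-proxy-arp route-lookup
nat (DMZ,outside) source static DMZ-SUBNET DMZ-SUBNET destination static VPN-TUNNEL VPN-TUNNEL no-proxy-arp route-lookup
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 150
 encryption des
group-policy SVUIT attributes
 ipsec-udp enable
 ipsec-udp-port 10000
"""
WEAK_ALGOS = {"des", "3des", "md5"}  # legacy IKEv1/IPsec algorithms worth flagging in review

def pool_inside_vpn_object(cfg):
    """True when both ends of the ip local pool fall inside object VPN-TUNNEL's subnet."""
    lo, hi = re.search(r"ip local pool \S+ (\S+)-(\S+)", cfg).groups()
    net, mask = re.search(r"object network VPN-TUNNEL\n subnet (\S+) (\S+)", cfg).groups()
    subnet = ipaddress.ip_network(f"{net}/{mask}")
    return ipaddress.ip_address(lo) in subnet and ipaddress.ip_address(hi) in subnet

def nat_exempt_interfaces(cfg):
    """Interfaces with identity (twice) NAT toward VPN-TUNNEL, i.e. not PATed to the outside address."""
    pat = r"nat \((\w+),outside\) source static \S+ \S+ destination static VPN-TUNNEL VPN-TUNNEL"
    return sorted(re.findall(pat, cfg))

def weak_algorithms(cfg):
    """Legacy cipher/hash keywords used by the transform-set and the IKEv1 policy."""
    found = set()
    for line in cfg.splitlines():
        if line.startswith(("crypto ipsec ikev1 transform-set", " encryption ", " hash ")):
            found |= {w.replace("esp-", "").replace("-hmac", "") for w in line.split()} & WEAK_ALGOS
    return sorted(found)

def required_router_forwards(cfg, asa_outside="172.16.1.2"):
    """Forwards the GPON router must send to the ASA: assumed IKE UDP/500 and NAT-T UDP/4500, plus the encapsulation ports the config enables."""
    fwd = []
    if re.search(r"^crypto ikev1 enable outside$", cfg, re.M):
        fwd += [("udp", 500), ("udp", 4500)]
    for m in re.finditer(r"ipsec-over-tcp port (\d+)", cfg):
        fwd.append(("tcp", int(m.group(1))))
    if re.search(r"^ ipsec-udp enable$", cfg, re.M):  # ipsec-udp-port defaults to 10000 on the ASA
        fwd.append(("udp", int(re.search(r"ipsec-udp-port (\d+)", cfg).group(1))))
    return [(proto, port, asa_outside) for proto, port in sorted(fwd)]
```

Run it against a full `show running-config` dump instead of the excerpt to re-check the same four points after any change to the pool, the NAT rules or the crypto settings.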


2.2 NAT Router (GPON Gateway) configuration:











 