Site to Site VPN Tunnel Cisco ASA 8.4.2 - GNS3
Assalamualaikum Warahmatullahi Wabarakatuh
I want to write up and share a tutorial on Site-to-Site VPN on the Cisco ASA, simulated here in GNS3 with ASA 8.4.2. In the previous post the Site-to-Site VPN was built on Juniper :)
http://motaroirhaby.blogspot.com/2013/12/konfigurasi-ipsec-site-to-site-vpn-di.html
The steps are actually not much different; only the CLI differs. The outline is as follows:
- Define the local network and remote network using network objects
- Create the crypto ACL that defines the traffic to be encrypted (permit ip covers ICMP as well)
- Configure NAT exemption (identity NAT) so the VPN traffic is not translated
- Create the ISAKMP/IKEv1 policy and enable IKEv1 on the outside interface
- Create the IPsec transform set (encryption and hashing)
- Create the tunnel group (peer address and pre-shared key)
- Create a crypto map and apply it to the outside interface
- Ping from an inside host to trigger the tunnel
OK, the topology looks like this:
Description: two different networks with two Cisco ASAs acting as the VPN tunnel endpoints, each ASA default-routing to the ASA in front of it. In a real network you would use public IPs and the gateway of your ISP instead.
And here is the ISAKMP/IKE policy (the same values appear in step 4 below: pre-shared key authentication, AES-256, SHA-1, DH group 2, 86400 s lifetime):
OK, on to the configuration:
ASA1 configuration:
!
hostname ASA1
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.252
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
1. Define Local Network and Remote Network using Object network
object network LocalNetwork
 subnet 192.168.100.0 255.255.255.0
object network RemoteNetwork
 subnet 192.168.200.0 255.255.255.0
2. Create the crypto ACL that defines the traffic to be encrypted (permit ip covers ICMP as well)
access-list Site1-to-Site2 extended permit ip object LocalNetwork object RemoteNetwork
3. Configure NAT exemption (identity NAT) so the VPN traffic is not translated
nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork RemoteNetwork no-proxy-arp route-lookup
Note: the pre-8.3 form "nat (inside) 0 access-list NAT" is rejected on ASA 8.3 and later, so on 8.4.2 the manual (twice) NAT statement above is the right way to exempt the VPN traffic; no separate NAT ACL is needed. The no-proxy-arp and route-lookup keywords (available from 8.4(2)) stop the ASA from answering ARP for the remote subnet and make it use the routing table for this traffic.
4. Create the ISAKMP/IKEv1 policy and enable IKEv1 on the outside interface
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
Both peers must offer a policy whose authentication, encryption, hash and DH group match (a different lifetime is tolerated; the shorter one is used). DH group 2 and SHA-1 are what this lab uses and they interoperate widely, but they are weak by today's standards; on a real deployment pick the strongest DH group both peers support.
5. Create the IPsec transform set (encryption and hashing)
crypto ipsec ikev1 transform-set ASA1Tranform-set esp-aes-256 esp-sha-hmac
6. Create the tunnel group (named after the peer's outside address)
tunnel-group 10.10.10.2 type ipsec-l2l
tunnel-group 10.10.10.2 ipsec-attributes
 ikev1 pre-shared-key cisco123
cisco123 is a lab key; in production use a long random pre-shared key and make sure it is identical on both peers, since a PSK mismatch is the most common reason phase 1 never completes.
7. Create a crypto map and apply it to the outside interface
crypto map ASA1VPN 1 match address Site1-to-Site2
crypto map ASA1VPN 1 set pfs
crypto map ASA1VPN 1 set peer 10.10.10.2
crypto map ASA1VPN 1 set ikev1 transform-set ASA1Tranform-set
crypto map ASA1VPN 1 set security-association lifetime seconds 28800
crypto map ASA1VPN interface outside
ASA2 configuration:
!
hostname ASA2
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.255.255.252
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
1. Define Local Network and Remote Network using Object network
object network LocalNetwork
 subnet 192.168.200.0 255.255.255.0
object network RemoteNetwork
 subnet 192.168.100.0 255.255.255.0
2. Create the crypto ACL that defines the traffic to be encrypted (the mirror image of ASA1's)
access-list Site2-to-Site1 extended permit ip object LocalNetwork object RemoteNetwork
3. Configure NAT exemption (identity NAT) so the VPN traffic is not translated
nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork RemoteNetwork no-proxy-arp route-lookup
As on ASA1, the old "nat (inside) 0 access-list NAT" syntax does not exist on 8.4.2; the manual NAT statement above replaces it and no NAT ACL is required.
4. Create the ISAKMP/IKEv1 policy and enable IKEv1 on the outside interface
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
5. Create the IPsec transform set (encryption and hashing)
crypto ipsec ikev1 transform-set ASA2Tranform-set esp-aes-256 esp-sha-hmac
6. Create the tunnel group (named after the peer's outside address, with the same pre-shared key as ASA1)
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
 ikev1 pre-shared-key cisco123
7. Create a crypto map and apply it to the outside interface
crypto map ASA2VPN 1 match address Site2-to-Site1
crypto map ASA2VPN 1 set pfs
crypto map ASA2VPN 1 set peer 10.10.10.1
crypto map ASA2VPN 1 set ikev1 transform-set ASA2Tranform-set
crypto map ASA2VPN 1 set security-association lifetime seconds 28800
crypto map ASA2VPN interface outside
Note that the crypto map must reference the transform set defined on this ASA (ASA2Tranform-set); pointing it at ASA1Tranform-set, which only exists on ASA1, would be rejected because that name is undefined here.
8. Ping from an inside host to trigger the tunnel
Now try a ping from a host in the inside local network to the remote network. The first packets may be lost while IKE negotiates; after that the ping succeeds.
From the ping result we can now reach the remote network from the local network and vice versa.
Check that the SAs are up (show crypto ikev1 sa for phase 1, show crypto ipsec sa for phase 2); they should be :D
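Before touching the consoles, it is worth checking that the two configs really mirror each other, since almost every failure in steps 4 to 7 is a mismatch between the peers. The script below is an added example, not code from the original post: it parses only the commands this tutorial uses and reports the settings that must agree (IKEv1 policy, transform set, pre-shared key, peer versus outside address, PFS, mirrored crypto ACL) and any crypto map that references a transform set not defined on that ASA. The two configs are constructed inline from a template that follows the post's layout (hostname and NAT lines are omitted because the checks do not look at them); one variant deliberately points ASA2's crypto map at ASA1's transform-set name to show what the check catches.

```python
"""Mirror-check two Cisco ASA 8.4 IKEv1 site-to-site configs.
Added example, not code from the original post: it parses only the commands the
tutorial uses and flags the settings that must agree between the two peers."""
from collections import defaultdict

# Constructed config template following the tutorial's layout (hostname and NAT
# lines are left out because they play no part in the checks below).
TEMPLATE = """
 nameif outside
 ip address {own_ip} 255.255.255.252
object network LocalNetwork
 subnet {local} 255.255.255.0
object network RemoteNetwork
 subnet {remote} 255.255.255.0
access-list {acl} extended permit ip object LocalNetwork object RemoteNetwork
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto ipsec ikev1 transform-set ASA{n}Tranform-set esp-aes-256 esp-sha-hmac
tunnel-group {peer_ip} ipsec-attributes
 ikev1 pre-shared-key cisco123
crypto map ASA{n}VPN 1 match address {acl}
crypto map ASA{n}VPN 1 set pfs
crypto map ASA{n}VPN 1 set peer {peer_ip}
crypto map ASA{n}VPN 1 set ikev1 transform-set {tset_ref}
crypto map ASA{n}VPN interface outside
"""

def site_cfg(n, own_ip, peer_ip, local, remote, acl, tset_ref=None):
    return TEMPLATE.format(n=n, own_ip=own_ip, peer_ip=peer_ip, local=local, remote=remote,
                           acl=acl, tset_ref=tset_ref or f"ASA{n}Tranform-set")

ASA1_CFG = site_cfg(1, "10.10.10.1", "10.10.10.2", "192.168.100.0", "192.168.200.0", "Site1-to-Site2")
# ASA2 with a deliberate slip: its crypto map points at ASA1's transform-set name.
ASA2_CFG = site_cfg(2, "10.10.10.2", "10.10.10.1", "192.168.200.0", "192.168.100.0",
                    "Site2-to-Site1", tset_ref="ASA1Tranform-set")
ASA2_FIXED = ASA2_CFG.replace("transform-set ASA1Tranform-set", "transform-set ASA2Tranform-set")

IKE_KEYS = {"authentication", "encryption", "hash", "group"}  # lifetime may differ; the shorter wins
# crypto map sub-commands: the token before the last one tells us which field the last one sets
MAP_FIELDS = {"address": "acl", "peer": "peer", "transform-set": "tset", "set": "pfs"}

def parse_asa(cfg):
    """Collect the per-site facts the checker compares; ctx is the enclosing block's name."""
    d = {"if_ip": {}, "objects": {}, "acls": defaultdict(list), "ike": {},
         "tsets": {}, "psk": {}, "maps": defaultdict(dict), "map_if": {}}
    ctx = None
    for p in (line.split() for line in cfg.splitlines() if line.strip()):
        if p[0] in ("nameif", "tunnel-group"):
            ctx = p[1]                                   # interface name or peer address
        elif p[:2] == ["object", "network"]:
            ctx = p[2]
        elif p[:2] == ["ip", "address"]:
            d["if_ip"][ctx] = p[2]
        elif p[0] == "subnet":
            d["objects"][ctx] = p[1]
        elif p[0] == "access-list" and p[2:5] == ["extended", "permit", "ip"]:
            d["acls"][p[1]].append((p[6], p[8]))         # "object SRC object DST"
        elif p[0] in IKE_KEYS and len(p) == 2:
            d["ike"][p[0]] = p[1]
        elif p[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            d["tsets"][p[4]] = tuple(p[5:])
        elif p[:2] == ["ikev1", "pre-shared-key"]:
            d["psk"][ctx] = p[2]
        elif p[:2] == ["crypto", "map"] and p[3] == "interface":
            d["map_if"][p[2]] = p[4]
        elif p[:2] == ["crypto", "map"] and p[-2] in MAP_FIELDS:
            d["maps"][(p[2], p[3])][MAP_FIELDS[p[-2]]] = p[-1]
    return d

def _entry(site):
    (name, _), e = next(iter(site["maps"].items()))      # the one crypto map entry the tutorial uses
    return e, site["if_ip"].get(site["map_if"].get(name))  # ... and its outside interface address

def _acl_pairs(site, acl):
    return {(site["objects"][s], site["objects"][d]) for s, d in site["acls"][acl]}

def check_pair(a, b, names=("ASA1", "ASA2")):
    """Return human-readable mismatches; an empty list means the two sides mirror each other."""
    out = []
    (ea, ip_a), (eb, ip_b) = _entry(a), _entry(b)
    for site, name, e in ((a, names[0], ea), (b, names[1], eb)):
        if e.get("tset") not in site["tsets"]:
            out.append(f"{name}: crypto map references undefined transform-set {e.get('tset')}")
    if (ea.get("peer"), eb.get("peer")) != (ip_b, ip_a):
        out.append(f"set peer does not match the other side's outside address ({ip_a}, {ip_b})")
    if a["psk"].get(ea.get("peer")) != b["psk"].get(eb.get("peer")):
        out.append("pre-shared keys differ (or no tunnel-group exists for the peer address)")
    if a["ike"] != b["ike"]:
        out.append(f"IKEv1 policy differs: {a['ike']} vs {b['ike']}")
    ta, tb = a["tsets"].get(ea.get("tset")), b["tsets"].get(eb.get("tset"))
    if ta and tb and ta != tb:
        out.append(f"transform-set algorithms differ: {ta} vs {tb}")
    if bool(ea.get("pfs")) != bool(eb.get("pfs")):
        out.append("PFS is enabled on one side only")
    if _acl_pairs(a, ea["acl"]) != {(dst, src) for src, dst in _acl_pairs(b, eb["acl"])}:
        out.append("crypto ACLs are not mirror images of each other")
    return out
```

Running check_pair(parse_asa(ASA1_CFG), parse_asa(ASA2_CFG)) reports the undefined ASA1Tranform-set on ASA2 and nothing else; with ASA2_FIXED the list is empty. To use it on real devices, paste the output of show running-config from each ASA in place of the constructed strings; anything the parser does not recognise (NAT, routes, the security-association lifetime) is simply ignored.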
If you implement this on a real network and the SA is up but the two networks still cannot reach each other, add or re-check the access rules and the NAT. *Personal experience, this happened to me once :D
For more detail I made a video tutorial to go with this post.
Wassalamualaikum Warahmatullahi Wabarakatuh