
Uploaded by: nguyen-huu-thien-an

Posted on 17-Sep-2015


Site-to-Site VPN Configuration: Cisco 2811 Router and ASA 5510

SITE A: ROUTER CISCO 2811

Step 0: Bring up the PPPoE session on the Cisco router.

Step 1: Create the Internet Key Exchange (IKE) policy:
Router(config)#crypto isakmp policy 10
Router(config-isakmp)#encryption 3des
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#group 2
(3DES and DH group 2 are the legacy choices this document uses; where both devices support them, AES and DH group 14 or higher are the current recommendation.)

Step 2: Create the pre-shared key used for the VPN connection:
Router(config)#crypto isakmp key Cisco123 address 210.245.101.100 (the IP of the ASA at site B)

Step 3: Set the security-association lifetime:
Router(config)#crypto ipsec security-association lifetime seconds 86400

Step 4: Configure the ACL for the IP ranges allowed through the VPN. Note: when the router both dials PPPoE and runs the site-to-site VPN, configure NAT overload as follows so that VPN traffic is exempted from translation:
Router(config)#ip nat inside source route-map nonat interface Dialer0 overload
Router(config)#route-map nonat permit 10
Router(config-route-map)#match ip address 100
Router(config)#access-list 100 deny ip 192.168.6.0 0.0.0.255 10.16.3.0 0.0.0.255
Router(config)#access-list 100 permit ip 192.168.6.0 0.0.0.255 any
Router(config)#access-list 101 permit ip 192.168.6.0 0.0.0.255 10.16.3.0 0.0.0.255
=> The internal network can then both reach the Internet and use the VPN. ACL 100 is the NAT list: its deny line keeps the VPN traffic untranslated so that it can still match the crypto ACL, and everything else is overloaded onto Dialer0. ACL 101 is the crypto ACL that defines the traffic to be encrypted.

Step 5: Define the transform set to be used for this VPN connection:
Router(config)#crypto ipsec transform-set SET-VPN esp-3des esp-sha-hmac

Step 6: Create the crypto map for the transform set:
Router(config)#crypto map MAP-VPN 1 ipsec-isakmp
Router(config-crypto-map)#set peer 210.245.101.100 (the IP of the ASA at site B)
Router(config-crypto-map)#set transform-set SET-VPN (the set name from step 5)
Router(config-crypto-map)#match address 101 (101: the ACL number from step 4)

Step 7: Apply the crypto map to the interface:
Router(config)#interface dialer 0
Router(config-if)#crypto map MAP-VPN

SITE B: ASA 5510

Step 1: Create the Connection Profile: log in to ASDM, choose the Startup Wizards menu and then IPsec VPN Wizard.

On wizard page 1:
+ Tick Site-to-Site.
+ For VPN Tunnel Interface choose the interface outside (the WAN IP).
+ Tick Enable, then press Next.
Page 2:
+ Peer IP Address: enter the WAN IP of the 2811 router (site A).
+ Pre-shared key: type Cisco123 (the same pre-shared key as on the 2811 router at site A), then press Next.
Page 3: choose the IKE policy encryption and authentication; note that they must be the same as on the Cisco 2811 router. Here we keep the defaults, because in step 1 at site A we chose 3des, and authentication is by pre-shared key (pre-share).
Page 4: choose the encryption and authentication algorithms for the tunnel; note that they must match the Cisco 2811 at site A. Here we choose 3DES and SHA, because in step 5 at site A we chose esp-3des esp-sha-hmac.
Page 5 (the counterpart of step 4 at site A): set the ACL for the networks allowed through the VPN:
+ Local: enter 10.16.3.0/24
+ Remote: 192.168.6.0/24
+ Choose inside as the translation interface (this exempts the VPN traffic from NAT). Then press Next.

Press Finish to complete the connection (Connection Profile). After the connection has been created, enable the interface for IPsec access:
+ Under Access Interfaces, click the outside interface, tick the corresponding Allow Access check box and press Save.

Step 2: Create the Access List: after the Connection Profile has been created, set up the nonat access-list for the VPN connection. Note: nonat is disabled by default; you must enable it before you can create access-list entries for nonat.
+ Expand the plus sign under Certificate to Connection Profile and choose ACL Manager. Right-click nonat and choose Add ACE, permitting the networks 10.16.3.0/24 and 192.168.6.0/24. When done, the list should look as shown below.

Similarly, check that the permit entries for outside and inside are present (by default, outside_cryptomap is created automatically when the Connection Profile is created).
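Every page of the wizard above repeats the same rule: the value on the ASA must match the value on the router. The following added example (not part of the original document) renders both sides from one parameter set and cross-checks the rendered text for the mismatches that most often leave phase 1 or phase 2 failing: differing IKE encryption or DH group, a differing ESP proposal, a differing pre-shared key, a tunnel-group name that is not the crypto map peer, crypto ACLs that are not mirror images, and a missing NAT exemption. The ASA text is the pre-8.3 CLI equivalent of what the ASDM IPsec VPN Wizard produces (an assumption, not something the page shows); the router WAN address 203.0.113.10 is a placeholder, since PPPoE assigns it and the page never states it; `render`, `check_peers` and `SITE` are hypothetical helper names.

```python
"""Site-to-site IKEv1/IPsec consistency check: Cisco IOS router (site A) and ASA (site B).
Added example, not part of the original document. Both peers are rendered from one
parameter set and then cross-checked, since the tutorial's recurring rule is "must match
the other side". The ASA text is the pre-8.3 CLI equivalent of the ASDM wizard output
(an assumption); router WAN address 203.0.113.10 is a placeholder (PPPoE assigns it)."""
import ipaddress
import re

ROUTER = """\
crypto isakmp policy 10
 encryption {enc}
 authentication pre-share
 group {group}
crypto isakmp key {psk} address {asa_wan}
crypto ipsec security-association lifetime seconds 86400
! ACL 100 feeds the NAT route-map (VPN flow denied = left untranslated); ACL 101 is the crypto ACL
access-list 100 deny ip {r_lan_w} {a_lan_w}
access-list 100 permit ip {r_lan_w} any
access-list 101 permit ip {r_lan_w} {a_lan_w}
route-map nonat permit 10
 match ip address 100
ip nat inside source route-map nonat interface Dialer0 overload
crypto ipsec transform-set SET-VPN {esp}
crypto map MAP-VPN 1 ipsec-isakmp
 set peer {asa_wan}
 set transform-set SET-VPN
 match address 101
interface Dialer0
 crypto map MAP-VPN"""

ASA = """\
! "Allow Access" on outside (ASDM Access Interfaces) is this line
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption {enc}
 hash sha
 group {group}
access-list outside_cryptomap extended permit ip {a_lan_m} {r_lan_m}
access-list nonat extended permit ip {a_lan_m} {r_lan_m}
! NAT exemption for the VPN flow (the wizard's "translation interface: inside")
nat (inside) 0 access-list nonat
crypto ipsec transform-set SET-VPN {esp}
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer {router_wan}
crypto map outside_map 1 set transform-set SET-VPN
crypto map outside_map interface outside
tunnel-group {router_wan} type ipsec-l2l
tunnel-group {router_wan} ipsec-attributes
 pre-shared-key {psk}"""

# Constructed parameters: the document's addresses, networks and key; router_wan is assumed.
SITE = dict(router_wan="203.0.113.10", asa_wan="210.245.101.100", psk="Cisco123",
            router_lan="192.168.6.0/24", asa_lan="10.16.3.0/24",
            enc="3des", group="2", esp="esp-3des esp-sha-hmac")  # legacy values copied from the page


def render(template, router_lan, asa_lan, **kw):
    """IOS ACLs take wildcard masks, ASA ACLs take subnet masks: derive both from CIDR."""
    r, a = ipaddress.ip_network(router_lan), ipaddress.ip_network(asa_lan)
    return template.format(r_lan_w=f"{r.network_address} {r.hostmask}", r_lan_m=f"{r.network_address} {r.netmask}",
                           a_lan_w=f"{a.network_address} {a.hostmask}", a_lan_m=f"{a.network_address} {a.netmask}", **kw)


def _first(pat, text):
    m = re.search(pat, text, re.M)
    return m.group(1) if m else None


def _net(addr_mask):  # "addr mask": ipaddress accepts a wildcard or a subnet mask after "/"
    return ipaddress.ip_network(addr_mask.replace(" ", "/"))


def check_peers(router_cfg, asa_cfg):
    """Cross-check both sides; returns the mismatches found (empty list = consistent)."""
    findings = []
    # Phase 1 (ISAKMP): encryption and DH group; phase 2: the ESP proposal. All must be identical.
    for label, pat in (("isakmp encryption", r"^ encryption (\S+)$"), ("isakmp group", r"^ group (\S+)$"),
                       ("transform-set", r"^crypto ipsec transform-set \S+ (.+)$")):
        r, a = _first(pat, router_cfg), _first(pat, asa_cfg)
        if r != a:
            findings.append(f"{label}: router={r} asa={a}")
    # Pre-shared key: the router keys it by ASA address, the ASA by tunnel-group name.
    if _first(r"^crypto isakmp key (\S+) ", router_cfg) != _first(r"^ pre-shared-key (\S+)$", asa_cfg):
        findings.append("pre-shared key differs")
    if _first(r"^tunnel-group (\S+) type ipsec-l2l$", asa_cfg) != _first(r" set peer (\S+)$", asa_cfg):
        findings.append("asa: tunnel-group name and crypto map peer disagree")
    # Crypto ACLs must be mirror images; masks differ in form (wildcard vs subnet), so compare as networks.
    r_acl, a_acl = _first(r"^ match address (\S+)$", router_cfg), _first(r" match address (\S+)$", asa_cfg)
    r_flow = re.search(rf"^access-list {r_acl} permit ip (\S+ \S+) (\S+ \S+)$", router_cfg, re.M)
    a_flow = re.search(rf"^access-list {a_acl} extended permit ip (\S+ \S+) (\S+ \S+)$", asa_cfg, re.M)
    if not (r_flow and a_flow):
        return findings + ["crypto ACL missing on one side"]
    if [_net(g) for g in r_flow.groups()] != [_net(g) for g in reversed(a_flow.groups())]:
        findings.append("crypto ACLs are not mirror images")
    # NAT exemption: the router's route-map ACL must deny the VPN flow, the ASA's nat 0 ACL must permit it
    # (existence only; the deny must also precede the permit-any line in ACL 100).
    nat_acl = _first(r"^ match ip address (\S+)$", router_cfg)
    if not re.search(rf"^access-list {nat_acl} deny ip {re.escape(' '.join(r_flow.groups()))}$", router_cfg, re.M):
        findings.append(f"router: NAT ACL {nat_acl} does not exempt the VPN flow")
    nonat = _first(r"^nat \(inside\) 0 access-list (\S+)$", asa_cfg)
    if not re.search(rf"^access-list {nonat} extended permit ip {re.escape(' '.join(a_flow.groups()))}$", asa_cfg, re.M):
        findings.append(f"asa: NAT exemption ACL {nonat} does not cover the VPN flow")
    return findings
```

Running `check_peers(render(ROUTER, **SITE), render(ASA, **SITE))` returns an empty list for the document's values; swap the ASA's transform set for esp-aes, change its DH group, or delete the deny line from ACL 100 and the corresponding finding is reported. The mirrored-ACL check is the one worth keeping at hand: the router lists its own LAN first with a wildcard mask, the ASA lists its own LAN first with a subnet mask, and getting either order or mask form wrong is the usual reason phase 2 negotiates no proxy identity.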

Result: the two sites can ping each other: