キャンセル
次の結果を表示 
次の代わりに検索 
もしかして: 

便利な vpnsetup コマンド

VPN の設定は比較的にステップ数が多いため、いざとなる時に便利なリファレンスとして、ASA には vpnsetup という珍しい(?)のコマンドが用意されております。

ciscoasa(config)# vpnsetup ?

configure mode commands/options:
   ipsec-remote-access  Display IPSec Remote Access Configuration  Commands
   l2tp-remote-access   Display L2TP/IPSec Configuration Commands
   site-to-site         Display IPSec Site-to-Site Configuration Commands
   ssl-remote-access    Display SSL Remote Access Configuration Commands

4 種類の VPN の設定ステップを詳細に解説しています。

ciscoasa(config)# vpnsetup ipsec-remote-access steps

Steps to configure a remote access IKE/IPSec connection with  examples:

1. Configure Interfaces

        interface GigabitEthernet0/0
          ip address 10.10.4.200 255.255.255.0
          nameif outside
          no shutdown

        interface GigabitEthernet0/1
          ip address 192.168.0.20 255.255.255.0
          nameif inside
          no shutdown

2. Configure ISAKMP policy

        crypto isakmp policy 65535
          authentication pre-share
          encryption aes
          hash sha

3. Setup an address pool

        ip local pool client-pool 192.168.1.1-192.168.1.254
              
4. Configure authentication method

        aaa-server MyRadius protocol radius
         aaa-server MyRadius host 192.168.0.254
          key $ecretK3y

5. Define tunnel group

        tunnel-group client type remote-access
         tunnel-group client general-attributes
          address-pool client-pool
          authentication-server-group MyRadius
         tunnel-group client ipsec-attributes
          pre-shared-key VpnUs3rsP@ss

6. Setup ipsec parameters

        crypto ipsec transform-set myset esp-aes esp-sha-hmac

7. Setup dynamic crypto map

        crypto dynamic-map dynmap 1 set transform-set myset
         crypto dynamic-map dynmap 1 set reverse-route
              
8. Create crypto map entry and associate dynamic map with it

        crypto map mymap 65535 ipsec-isakmp dynamic dynmap

9. Attach crypto map to interface

        crypto map mymap interface outside

10. Enable isakmp on interface

        crypto isakmp enable outside

ciscoasa(config)#  vpnsetup l2tp-remote-access steps

Steps to configure a remote access L2TP/IPSec connection with  examples:

1. Configure Interfaces

        interface GigabitEthernet0/0
          ip address 10.10.4.200 255.255.255.0
          nameif outside
          no shutdown

        interface GigabitEthernet0/1
          ip address 192.168.0.20 255.255.255.0
          nameif inside
          no shutdown

2. Configure ISAKMP policy

        crypto isakmp policy 65535
          authentication pre-share
          encryption aes
          hash sha

3. Setup an address pool

        ip local pool client-pool 192.168.1.1-192.168.1.254
              
4. Configure authentication method

        aaa-server MyRadius protocol radius
         aaa-server MyRadius host 192.168.0.254
          key $ecretK3y

5. Define tunnel group

        tunnel-group client type remote-access
         tunnel-group client general-attributes
          address-pool client-pool
          authentication-server-group MyRadius
         tunnel-group client ipsec-attributes
          pre-shared-key VpnUs3rsP@ss
         tunnel-group DefaultRAGroup ppp-attributes
          authentication pap

6. Setup ipsec parameters

        crypto ipsec transform-set myset esp-aes esp-sha-hmac
         crypto ipsec transform-set myset mode transport

7. Setup dynamic crypto map
              
         crypto dynamic-map dynmap 1 set transform-set myset

8. Create crypto map entry and associate dynamic map with it

        crypto map mymap 65535 ipsec-isakmp dynamic dynmap

9. Attach crypto map to interface

        crypto map mymap interface outside

10. Enable isakmp on interface

        crypto isakmp enable outside

ciscoasa(config)# vpnsetup site-to-site steps

Steps to configure a site-to-site IKE/IPSec connection with  examples:

1. Configure Interfaces

        interface GigabitEthernet0/0
          ip address 10.10.4.200 255.255.255.0
          nameif outside
          no shutdown

        interface GigabitEthernet0/1
          ip address 192.168.0.20 255.255.255.0
          nameif inside
          no shutdown

2. Configure ISAKMP policy

        crypto isakmp policy 10
          authentication pre-share
          encryption aes
          hash sha

3. Configure transform-set

        crypto ipsec transform-set myset esp-aes esp-sha-hmac
              
4. Configure ACL

        access-list L2LAccessList extended permit ip 192.168.0.0  255.255.255.0 192.168.50.0 255.255.255.0

5. Configure Tunnel group

        tunnel-group 10.20.20.1 type ipsec-l2l
         tunnel-group 10.20.20.1 ipsec-attributes
          pre-shared-key P@rtn3rNetw0rk

6. Configure crypto map and attach to interface

        crypto map mymap 10 match address L2LAccessList
         crypto map mymap 10 set peer 10.10.4.108
         crypto map mymap 10 set transform-set myset
         crypto map mymap 10 set reverse-route
         crypto map mymap interface outside

7. Enable isakmp on interface

        crypto isakmp enable outside

ciscoasa(config)# vpnsetup ssl-remote-access steps

Steps to configure a remote access SSL VPN remote access  connection and AnyConnect with examples:

1. Configure and enable interface

        interface GigabitEthernet0/0
          ip address 10.10.4.200 255.255.255.0
          nameif outside
          no shutdown

        interface GigabitEthernet0/1
          ip address 192.168.0.20 255.255.255.0
          nameif inside
          no shutdown

2. Enable WebVPN on the interface

        webvpn
          enable outside

3. Configure default route

        route outside 0.0.0.0 0.0.0.0 10.10.4.200

4. Configure AAA authentication and tunnel group
              
         tunnel-group DefaultWEBVPNGroup type remote-access
         tunnel-group DefaultWEBVPNGroup general-attributes
          authentication-server-group LOCAL

5. If using LOCAL database, add users to the Database

        username test password t3stP@ssw0rd
         username test attributes
          service-type remote-access

Proceed to configure AnyConnect VPN client:

6. Point the ASA to an AnyConnect image

        webvpn
          svc image anyconnect-win-2.1.0148-k9.pkg

7. enable AnyConnect

        svc enable

8. Add an address pool to assign an ip address to the AnyConnect  client

        ip local pool client-pool 192.168.1.1-192.168.1.254 mask  255.255.255.0

9. Configure group policy

        group-policy DfltGrpPolicy internal
         group-policy DfltGrpPolicy attributes
          vpn-tunnel-protocol svc webvpn

バージョン履歴
改訂番号
1/1
最終更新:
‎07-17-2010 09:58 AM
更新者: