Peace be upon you,

Sometimes you forget the steps or get them mixed up because there are several types of VPN. There is an easy way to review the steps without going back to the Cisco website.

From config mode, type vpnsetup

pixfirewall(config)# vpnsetup ?

configure mode commands/options:
ipsec-remote-access Display IPSec Remote Access Configuration Commands
site-to-site Display IPSec Site-to-Site Configuration Commands

Choose the VPN type. There are many other types on the ASA, but because I am using a PIX I only have two types.
Let's choose site-to-site

pixfirewall(config)# vpnsetup site-to-site steps
After you press Enter, the steps will be displayed





Steps to configure a simple site-to-site IKE/IPSec connection with examples:

1. Configure Interfaces

interface GigabitEthernet0/0
ip address 10.10.4.200 255.255.255.0
nameif outside
no shutdown

interface GigabitEthernet0/1
ip address 192.168.0.20 255.255.255.0
nameif inside
no shutdown

2. Configure ISAKMP policy

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha

3. Configure transform-set

crypto ipsec transform-set myset esp-3des esp-sha-hmac

4. Configure ACL

access-list L2LAccessList extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0

5. Configure Tunnel group

tunnel-group 10.20.20.1 type ipsec-l2l
tunnel-group 10.20.20.1 ipsec-attributes
pre-shared-key P@rtn3rNetw0rk

6. Configure crypto map and attach to interface

crypto map mymap 10 match address L2LAccessList
crypto map mymap 10 set peer 10.10.4.108
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set reverse-route
crypto map mymap interface outside

7. Enable isakmp on interface

crypto isakmp enable outside

---------------------------------------------------------------------------------------------
pixfirewall(config)# vpnsetup site-to-site steps
Let's choose ipsec-remote-access

pixfirewall(config)# vpnsetup ipsec-remote-access steps

Steps to configure a simple remote access IKE/IPSec connection with examples:

1. Configure Interfaces

interface GigabitEthernet0/0
ip address 10.10.4.200 255.255.255.0
nameif outside
no shutdown

interface GigabitEthernet0/1
ip address 192.168.0.20 255.255.255.0
nameif inside
no shutdown

2. Configure ISAKMP policy

crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha

3. Setup an address pool

ip local pool client-pool 192.168.1.1-192.168.1.254

4. Configure authentication method

aaa-server MyRadius protocol radius
aaa-server MyRadius host 192.168.0.254
key $ecretK3y

5. Define tunnel group

tunnel-group client type remote-access
tunnel-group client general-attributes
address-pool client-pool
authentication-server-group MyRadius
tunnel-group client ipsec-attributes
pre-shared-key VpnUs3rsP@ss

6. Setup ipsec parameters

crypto ipsec transform-set myset esp-3des esp-sha-hmac

7. Setup dynamic crypto map

crypto dynamic-map dynmap 1 set transform-set myset
crypto dynamic-map dynmap 1 set reverse-route

8. Create crypto map entry and associate dynamic map with it

crypto map mymap 65535 ipsec-isakmp dynamic dynmap

9. Attach crypto map to interface

crypto map mymap interface outside

10. Enable isakmp on interface

crypto isakmp enable outside

------------------------
Good luck
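The site-to-site steps above are sample values from the device help, so they are not consistent with each other (the tunnel-group is named 10.20.20.1 while the crypto map peer is 10.10.4.108) and they use 3DES. The following Python check is an added example, not part of the original post or of any Cisco tool: it reads a pasted configuration and reports unmatched peers, undefined ACLs or transform-sets, and legacy ciphers. The names `SAMPLE`, `grab` and `audit` are hypothetical, and the check assumes the usual PIX/ASA behaviour that an ipsec-l2l tunnel-group using a pre-shared key is named after the peer's IP address.

```python
import re

# Site-to-site lines copied from the vpnsetup output in the post above.
SAMPLE = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
crypto ipsec transform-set myset esp-3des esp-sha-hmac
access-list L2LAccessList extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
tunnel-group 10.20.20.1 type ipsec-l2l
tunnel-group 10.20.20.1 ipsec-attributes
 pre-shared-key P@rtn3rNetw0rk
crypto map mymap 10 match address L2LAccessList
crypto map mymap 10 set peer 10.10.4.108
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto isakmp enable outside
"""

def grab(pattern, config):
    """Collect the first capture group of every line matching pattern."""
    return set(re.findall(pattern, config, re.MULTILINE))

def audit(config):
    """Return a list of consistency and cipher findings for an L2L config."""
    groups = grab(r"^\s*tunnel-group (\S+) type ipsec-l2l\s*$", config)
    peers = grab(r"^\s*crypto map \S+ \d+ set peer (\S+)", config)
    acls = grab(r"^\s*access-list (\S+) ", config)
    used_acls = grab(r"^\s*crypto map \S+ \d+ match address (\S+)", config)
    tsets = grab(r"^\s*crypto ipsec transform-set (\S+) ", config)
    used_tsets = grab(r"^\s*crypto map \S+ \d+ set transform-set (\S+)", config)
    # Legacy ciphers in the ISAKMP policy or in a transform-set.
    weak = grab(r"^\s*encryption (3?des)\s*$", config) | grab(r"\besp-(3?des)\b", config)
    out = [f"peer {p} has no ipsec-l2l tunnel-group" for p in sorted(peers - groups)]
    out += [f"tunnel-group {g} matches no crypto map peer" for g in sorted(groups - peers)]
    out += [f"crypto map uses undefined ACL {a}" for a in sorted(used_acls - acls)]
    out += [f"crypto map uses undefined transform-set {t}" for t in sorted(used_tsets - tsets)]
    out += [f"legacy cipher {c} in use; prefer AES if both peers support it" for c in sorted(weak)]
    return out

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```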