Tuesday, 10 February 2015

Site-to-site IPSEC VPN with ASA 5505

Network diagram

Campus addressing scheme:
  • Campus IP addresses: 172.16.0.0/17
  • DC: 172.16.0.0/18
  • Users: 172.16.64.0/20
  • DMZ: 172.16.96.0/21
  • Network devices: 172.16.252.0/23
  • L3 point-to-point links: 172.16.254.0/24

Branch office 1 IP subnet: 172.16.129.0/24
Enterprise internet IP addresses: 134.95.56.16/28

IPSEC VPN configuration to apply:
  • ESP encryption: AES-256
  • AH hash algorithm: SHA
  • Pre-shared key: SHAREDSECRET

Solution

Campus network - ASA 5505 IPSEC VPN headend device configuration.
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.254.254 255.255.255.252
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 134.95.56.17 255.255.255.240
!
object network BRANCH01_NETWORK
 subnet 172.16.129.0 255.255.255.0
object network BRANCH_NETWORK
 subnet 172.16.128.0 255.255.128.0
object network CAMPUS_NETWORK
 subnet 172.16.0.0 255.255.128.0
object network PRIVATE_NETWORK
 subnet 172.16.0.0 255.255.0.0
!
route outside 172.16.129.0 255.255.255.0 134.95.56.18 1
route inside 172.16.0.0 255.255.128.0 172.16.254.253 1
!
access-list BRANCH01_TRAFFIC extended permit tcp object CAMPUS_NETWORK object BRANCH01_NETWORK
access-list BRANCH01_TRAFFIC extended permit icmp object CAMPUS_NETWORK object BRANCH01_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit tcp object PRIVATE_NETWORK object PRIVATE_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit icmp object BRANCH_NETWORK object CAMPUS_NETWORK
!
!
access-group ENTERPRISE_PRIVATE-TRAFFIC out interface inside
!
crypto ipsec ikev1 transform-set L2L esp-aes 256 esp-sha-hmac
!
crypto map BRANCH1 1 match address BRANCH01_TRAFFIC
crypto map BRANCH1 1 set peer 134.95.56.18
crypto map BRANCH1 1 set security-association lifetime seconds 86400
crypto map BRANCH1 1 set ikev1 transform-set L2L
crypto map BRANCH1 interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 encr aes
 authentication pre-share
 group 2
!
tunnel-group 134.95.56.18 type ipsec-l2l
tunnel-group 134.95.56.18 ipsec-attributes
 ikev1 pre-shared-key SHAREDSECRET
!

The ENTERPRISE_PRIVATE-TRAFFIC access-group is required to allow IP traffic from the remote subnets through the firewall to the inside subnets. The ASA will block this traffic if the access-list is not configured and applied outbound on the inside VLAN interface.

Branch office 1 - ASA 5505 remote device configuration
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.129.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 134.95.56.18 255.255.255.240
!
object network BRANCH01_NETWORK
 subnet 172.16.129.0 255.255.255.0
object network BRANCH_NETWORK
 subnet 172.16.128.0 255.255.128.0
object network CAMPUS_NETWORK
 subnet 172.16.0.0 255.255.128.0
object network PRIVATE_NETWORK
 subnet 172.16.0.0 255.255.0.0
!
route outside 172.16.0.0 255.255.128.0 134.95.56.17 1
!
access-list PRIVATE_TRAFFIC extended permit tcp object BRANCH01_NETWORK object CAMPUS_NETWORK
access-list PRIVATE_TRAFFIC extended permit icmp object BRANCH01_NETWORK object CAMPUS_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit tcp object PRIVATE_NETWORK object PRIVATE_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit icmp object CAMPUS_NETWORK object BRANCH_NETWORK
!
!
access-group ENTERPRISE_PRIVATE-TRAFFIC out interface inside
!
!
crypto ipsec ikev1 transform-set L2L esp-aes 256 esp-sha-hmac
!
crypto map BRANCH1 1 match address PRIVATE_TRAFFIC
crypto map BRANCH1 1 set peer 134.95.56.17
crypto map BRANCH1 1 set security-association lifetime seconds 86400
crypto map BRANCH1 1 set ikev1 transform-set L2L
crypto map BRANCH1 interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 encr aes
 authentication pre-share
 group 2
!
tunnel-group 134.95.56.17 type ipsec-l2l
tunnel-group 134.95.56.17 ipsec-attributes
 ikev1 pre-shared-key SHAREDSECRET
!
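A common reason a tunnel like this one negotiates phase 1 but fails phase 2 (or passes traffic in one direction only) is that the two crypto ACLs are not exact mirror images of each other. The following Python check is an added example, not part of the original post: it parses the network objects and crypto access-list lines of both configurations above (excerpts constructed from this page) and reports any entry that the other peer does not list with source and destination swapped.

```python
import ipaddress
import re

# Constructed excerpts of the two ASA configurations shown above: only the
# network objects and the crypto ACL lines are needed for this check.
HEADEND_CFG = """
object network BRANCH01_NETWORK
 subnet 172.16.129.0 255.255.255.0
object network CAMPUS_NETWORK
 subnet 172.16.0.0 255.255.128.0
access-list BRANCH01_TRAFFIC extended permit tcp object CAMPUS_NETWORK object BRANCH01_NETWORK
access-list BRANCH01_TRAFFIC extended permit icmp object CAMPUS_NETWORK object BRANCH01_NETWORK
"""
BRANCH_CFG = """
object network BRANCH01_NETWORK
 subnet 172.16.129.0 255.255.255.0
object network CAMPUS_NETWORK
 subnet 172.16.0.0 255.255.128.0
access-list PRIVATE_TRAFFIC extended permit tcp object BRANCH01_NETWORK object CAMPUS_NETWORK
access-list PRIVATE_TRAFFIC extended permit icmp object BRANCH01_NETWORK object CAMPUS_NETWORK
"""

def parse_objects(cfg):
    """Map 'object network' names to their subnets (ASA 'subnet addr mask' syntax)."""
    objs, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+subnet (\S+) (\S+)", line)
        if m and current:
            objs[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    return objs

def crypto_acl(cfg, acl_name):
    """Return the named crypto ACL as a set of (protocol, source, destination)."""
    objs = parse_objects(cfg)
    pat = re.compile(rf"access-list {acl_name} extended permit (\S+) object (\S+) object (\S+)")
    entries = set()
    for line in cfg.splitlines():
        m = pat.match(line)
        if m:
            entries.add((m.group(1), objs[m.group(2)], objs[m.group(3)]))
    return entries

def unmirrored(local, remote):
    """Entries on either peer that the other peer does not list with source and
    destination swapped; a non-empty result means the proxy IDs will not agree."""
    remote_flipped = {(proto, dst, src) for proto, src, dst in remote}
    return local ^ remote_flipped
```

An empty result from unmirrored() for the two configurations above confirms the interesting-traffic definitions match; any entry it returns is the line to fix on the peer that lacks it.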
