Our team will keep studying and researching to bring you more knowledge. Thank you for your support!

Cisco ASA IPSec/SSL VPN Configuration


1. VPN Introduction

VPN (Virtual Private Network):
- Allows users to connect to a private network over the Internet through a secure connection.
- Provides data encryption and authentication between VPN peers.

VPN Connection Types:
- Remote Access (Client to Server)
  - Supports multiple protocols: IPSec, SSL…
  - Connects one computer on the Internet to the protected network behind the firewall
  - Uses client software to connect to the VPN server
- Site to Site (LAN to LAN)
  - Uses standard IPSec
  - Connects two or more subnets between two or more peers
  - Uses an appliance on each end to connect to the other
VPN Protocol Types:
- IPSec: IP based
- SSL: Web based



2. IPSec vs SSL VPN




3. IPSec VPN Topology


4. IPSec VPN Framework



- IPSec Protocols
  - AH: Authentication + Integrity
  - ESP: Encryption + Authentication + Integrity
- Confidentiality (Encryption Algorithm)
  - DES: 56 bits
  - 3DES: 56 bits (3 times)
  - AES: 128-256 bits
  - SEAL: 160 bits
- Integrity (Guarantees data is not altered)
  - MD5: 128 bits
  - SHA: 160 bits
- Authentication
  - PSK: clear text
  - RSA: encrypted text
- Diffie-Hellman (Secret key for Encrypt/Decrypt)
  - DH1, DH2…

IKE = Internet Key Exchange

- It is the negotiation protocol that lets IPsec securely exchange cryptographic keys between the ASA and the VPN client.

5. Configure IPSec VPN

- Configure the IP pool & add a user for the VPN client:
ASA(config)# ip local pool VPN_CLIENT_POOL 172.16.10.10-172.16.10.20
ASA(config)# username vpn1 password 123
- Create the VPN tunnel group for the client to connect to:
ASA(config)# tunnel-group VPN_CLIENT_TUN type remote-access
ASA(config)# tunnel-group VPN_CLIENT_TUN general-attributes
ASA(config-tunnel-general)# address-pool VPN_CLIENT_POOL
ASA(config)# tunnel-group VPN_CLIENT_TUN ipsec-attributes (if this command does not work at first, wait and retry)
ASA(config-tunnel-ipsec)# ikev1 pre-shared-key 44kkaol59636jnfx
- Configure the IKE policy (authentication/encryption method); enter each command separately:
ASA(config)# crypto ikev1 policy 1
ASA(config-ikev1-policy)# authentication pre-share
ASA(config-ikev1-policy)# encryption 3des
ASA(config-ikev1-policy)# hash sha
ASA(config-ikev1-policy)# group 2
ASA(config)# crypto ikev1 enable outside
- Create the transform set (combines the encryption & authentication method):
ASA(config)# crypto ipsec ikev1 transform-set SET1 esp-3des esp-md5-hmac
- Create the dynamic crypto map (policy template for the ASA to accept connections from remote peers):
ASA(config)# crypto dynamic-map DYN1 1 set ikev1 transform-set SET1 (identifies the transform set for the connection)
ASA(config)# crypto dynamic-map DYN1 1 set reverse-route (ASA learns routes for connected clients)
ASA(config)# crypto map MAP1 1 ipsec-isakmp dynamic DYN1
ASA(config)# crypto map MAP1 interface outside
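A defender-side check, added here as an example and not part of the original tutorial: a small Python script that reads the IKE policy and transform-set lines as they appear in a running-config (the sample below is constructed from the commands in this section) and flags the algorithms this page selects that are considered weak today (3DES, MD5, DH group 2).

```python
import re

# Constructed sample: the IKE policy and transform set from this page's own
# configuration, as they would appear in "show running-config".
SAMPLE_CONFIG = """\
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set SET1 esp-3des esp-md5-hmac
"""
# Algorithms that should no longer be used for new tunnels.
WEAK = {
    "encryption": {"des", "3des"},
    "hash": {"md5"},
    "group": {"1", "2", "5"},
}
# ESP transform keyword -> (category, algorithm name)
ESP_KEYWORDS = {
    "esp-des": ("encryption", "des"),
    "esp-3des": ("encryption", "3des"),
    "esp-md5-hmac": ("hash", "md5"),
}

def audit_asa_crypto(config):
    """Return a list of (object, category, algorithm) findings for weak settings."""
    findings = []
    current_policy = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:
            current_policy = "ikev1 policy " + m.group(1)
            continue
        if current_policy and raw.startswith(" "):
            # Indented lines belong to the policy opened above.
            parts = line.split()
            if len(parts) == 2 and parts[0] in WEAK and parts[1] in WEAK[parts[0]]:
                findings.append((current_policy, parts[0], parts[1]))
            continue
        current_policy = None
        m = re.match(r"crypto ipsec ikev1 transform-set (\S+) (.*)$", line)
        if m:
            for kw in m.group(2).split():
                if kw in ESP_KEYWORDS:
                    cat, alg = ESP_KEYWORDS[kw]
                    findings.append(("transform-set " + m.group(1), cat, alg))
    return findings
```

Running `audit_asa_crypto(SAMPLE_CONFIG)` reports 3DES and group 2 in the IKE policy and 3DES plus MD5 in SET1; a policy using AES, SHA and group 14 or higher returns no findings.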

6. Configure IPSec VPN Split Tunnel

- Configure the ACL & NAT for split tunnel & allow access to the LAN:
ASA(config)# access-list SPLIT_TUNNEL_ACL standard permit 10.0.0.0 255.255.255.0
ASA(config)# object network VPN_Network
ASA(config-network-object)# subnet 172.16.10.0 255.255.255.0 (subnet covering the VPN client pool; this value is assumed, not from the original page)
ASA(config)# object network LAN_Network
ASA(config-network-object)# subnet 10.0.0.0 255.255.255.0 (the LAN subnet from the split tunnel ACL)
ASA(config)# nat (inside,outside) source static LAN_Network LAN_Network destination static VPN_Network VPN_Network no-proxy-arp route-lookup
- Create & apply the group policy:
ASA(config)# group-policy POLI_VPN_GROUP internal
ASA(config)# group-policy POLI_VPN_GROUP attributes
ASA(config-group-policy)# dns-server value 8.8.8.8
ASA(config-group-policy)# vpn-tunnel-protocol ikev1
ASA(config-group-policy)# split-tunnel-policy tunnelspecified
ASA(config-group-policy)# split-tunnel-network-list value SPLIT_TUNNEL_ACL
ASA(config-group-policy)# vpn-simultaneous-logins 5
ASA(config)# tunnel-group VPN_CLIENT_TUN general-attributes
ASA(config-tunnel-general)# default-group-policy POLI_VPN_GROUP (apply the group policy created above to the tunnel group)

7. Setup VPN Client


