Thursday, March 3, 2016

How to build a Site to Site VPN between Azure Resource Manager and the Cisco ASA5520 series

One of my customers built a Site to Site VPN between a Cisco ASA5520 and Azure. The relevant Cisco ASA 5520 configuration template is below. In testing, the Azure side had to be set up as a policy-based VPN (a PolicyBased VPN gateway in Azure Resource Manager terms, which negotiates IKEv1 with the fixed proposal used in the template) before the Site to Site VPN would come up.

::::::::::::::::::::::::::::ASA Config Beginning::::::::::::::::::::::::::::::::::::::::::::::::::::
object-group network azure-networks
description Azure-Virtual-Network
network-object 192.168.10.0 255.255.255.0
exit
object-group network onprem-networks
description On-premises Network
network-object 10.10.10.0 255.255.255.0
exit



access-list azure-vpn-acl extended permit ip object-group onprem-networks object-group azure-networks
nat (inside,outside) 1 source static onprem-networks onprem-networks destination static azure-networks azure-networks
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
tunnel-group 104.x.x.x type ipsec-l2l
tunnel-group 104.x.x.x ipsec-attributes
ikev1 pre-shared-key <Pre-Shared-Key>
crypto map azure-crypto-map 1 match address azure-vpn-acl
crypto map azure-crypto-map 1 set peer 104.x.x.x
crypto map azure-crypto-map 1 set ikev1 transform-set azure-ipsec-proposal-set
crypto map azure-crypto-map interface outside
sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows
:::::::::::::::::::::::::::::::::::END of ASA Config:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Notes on the template: the nat statement is an identity (twice) NAT that exempts traffic between the two networks from translation; without it the packets are translated before they are compared with the crypto ACL and never enter the tunnel. The IKEv1 policy attributes (pre-share, AES-256, SHA-1, DH group 2, 28800 s) and the IPsec SA lifetimes (3600 s, 102400000 KB) are the fixed proposal of an Azure PolicyBased gateway, so keep them exactly as shown even though 1024-bit DH and SHA-1 are weak by current standards; the policy priority number (5 here, 1 in the output below) is arbitrary and only sets the order in which policies are offered. The tunnel-group name must be the public IP of the Azure VPN gateway and the pre-shared key must match the key set on the Azure connection. sysopt connection tcpmss 1350 clamps the TCP MSS so that ESP packets are not fragmented on the way to Azure.
Verifying ASA configuration:
Once the configuration above is complete, you can verify it as follows.
Verifying Object-group and Access-list:
Use “show run object-group” and “show run access-list” to verify the object-groups and the access-list.
My-ASA(config)# show run object-group
object-group network azure-networks
network-object 192.168.10.0 255.255.255.0
object-group network onprem-networks
network-object 10.10.10.0 255.255.255.0
My-ASA(config)# show run access-list
access-list azure-vpn-acl extended permit ip object-group onprem-networks object-group azure-networks

Verifying Crypto configuration:
To verify the crypto configuration, use “show run crypto”, which lists every configured crypto command.

My-ASA(config)# show run crypto
crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto map azure-crypto-map 1 match address azure-vpn-acl
crypto map azure-crypto-map 1 set peer 104.X.X.X
crypto map azure-crypto-map 1 set ikev1 transform-set azure-ipsec-proposal-set

crypto map azure-crypto-map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
Verifying Tunnel-group:
To verify the tunnel-group configuration, use “show run tunnel-group”.
My-ASA(config)# show run tunnel-group
tunnel-group 104.210.13.15 type ipsec-l2l
tunnel-group 104.210.13.15 ipsec-attributes
ikev1 pre-shared-key *****
My-ASA(config)#
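As an added example, not code from the original post, Cisco or Microsoft, here is a small Python checker that does mechanically what the show run checks above do by eye. It parses the template from this page (embedded as a constructed sample, with the peer masked as the page masks it) and compares it with the fixed IKEv1/IPsec proposal of an Azure PolicyBased gateway, which is the policy-based setup the post says the Azure side needs. The proposal values are Microsoft's published ones; the function names, the finding texts and the placeholder pre-shared-key detection are this example's own. It also checks two things the show commands cannot confirm for you: that the networks in the crypto ACL have an identity NAT exemption, and that the crypto map is bound to an interface on which ikev1 is enabled.

```python
# Added example, not from the original page, Cisco or Microsoft: parse an ASA IKEv1 L2L
# config and check it against the fixed proposal an Azure PolicyBased VPN gateway uses.
# SAMPLE_CONFIG is a constructed copy of the page's template, peer masked as on the page.
AZURE_POLICY_BASED = {  # IKEv1 AES-256/SHA1/DH2 28800 s; ESP AES-256/SHA1 3600 s, 102400000 KB
    "ike": {"authentication": "pre-share", "encryption": "aes-256",
            "hash": "sha", "group": "2", "lifetime": "28800"},
    "transform": ("esp-aes-256", "esp-sha-hmac"),
    "ipsec_lifetime": {"seconds": "3600", "kilobytes": "102400000"},
}
SAMPLE_CONFIG = """\
object-group network azure-networks
 network-object 192.168.10.0 255.255.255.0
object-group network onprem-networks
 network-object 10.10.10.0 255.255.255.0
access-list azure-vpn-acl extended permit ip object-group onprem-networks object-group azure-networks
nat (inside,outside) 1 source static onprem-networks onprem-networks destination static azure-networks azure-networks
crypto ikev1 policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
tunnel-group 104.x.x.x type ipsec-l2l
tunnel-group 104.x.x.x ipsec-attributes
 ikev1 pre-shared-key <Pre-Shared-Key>
crypto map azure-crypto-map 1 match address azure-vpn-acl
crypto map azure-crypto-map 1 set peer 104.x.x.x
crypto map azure-crypto-map 1 set ikev1 transform-set azure-ipsec-proposal-set
crypto map azure-crypto-map interface outside
"""

def parse_asa_config(text):
    """Parse the ASA config subset used for an IKEv1 L2L tunnel into a dict."""
    c = {"acls": {}, "ike_policies": {}, "transform_sets": {}, "ipsec_lifetime": {}, "crypto_maps": {},
         "map_iface": {}, "tunnel_groups": {}, "ikev1_ifaces": set(), "nat_exempt": set()}
    ctx = None  # the ikev1 policy or tunnel-group whose indented attributes follow
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        head = " ".join(t[:3])
        if t[0] == "access-list":
            c["acls"].setdefault(t[1], []).append(t[2:])
        elif t[0] == "nat" and "source" in t and "destination" in t:
            s, d = t.index("source"), t.index("destination")
            if t[s+1] == t[d+1] == "static" and t[s+2] == t[s+3] and t[d+2] == t[d+3]:
                c["nat_exempt"].add((t[s+2], t[d+2]))  # identity NAT = NAT exemption
        elif head == "crypto ikev1 policy":
            ctx = c["ike_policies"].setdefault(t[3], {})
        elif head == "crypto ikev1 enable":
            c["ikev1_ifaces"].add(t[3])
        elif head == "crypto ipsec ikev1":
            c["transform_sets"][t[4]] = tuple(t[5:])
        elif head == "crypto ipsec security-association":
            c["ipsec_lifetime"][t[4]] = t[5]
        elif head.startswith("crypto map") and t[3] == "interface":
            c["map_iface"][t[2]] = t[4]
        elif head.startswith("crypto map"):  # keys: "match address", "set peer", "set ikev1 transform-set"
            c["crypto_maps"].setdefault((t[2], t[3]), {})[" ".join(t[4:-1])] = t[-1]
        elif t[0] == "tunnel-group":
            ctx = c["tunnel_groups"].setdefault(t[1], {})
            if t[2] == "type":
                ctx["type"] = t[3]
        elif ctx is not None and t[0] in ("authentication", "encryption", "hash", "group", "lifetime"):
            ctx[t[0]] = t[1]
        elif ctx is not None and t[:2] == ["ikev1", "pre-shared-key"]:
            ctx["psk"] = t[2]
    return c

def check_azure_policy_based(c, peer):
    """Return findings; an empty list means the ASA side matches Azure's PolicyBased gateway."""
    f = []
    if AZURE_POLICY_BASED["ike"] not in c["ike_policies"].values():
        f.append("no crypto ikev1 policy equals Azure's proposal (pre-share, aes-256, sha, group 2, 28800 s)")
    f += [f"ipsec SA lifetime {u} should be {w}" for u, w in AZURE_POLICY_BASED["ipsec_lifetime"].items()
          if c["ipsec_lifetime"].get(u) != w]
    maps = {k: e for k, e in c["crypto_maps"].items() if e.get("set peer") == peer}
    if not maps:
        f.append(f"no crypto map entry sets peer {peer}")
    for (name, seq), e in maps.items():
        if c["transform_sets"].get(e.get("set ikev1 transform-set")) != AZURE_POLICY_BASED["transform"]:
            f.append(f"crypto map {name} {seq}: transform-set must be esp-aes-256 esp-sha-hmac")
        for ace in c["acls"].get(e.get("match address"), []):
            groups = [ace[i + 1] for i, w in enumerate(ace) if w == "object-group"]
            if len(groups) == 2 and tuple(groups) not in c["nat_exempt"]:
                f.append(f"no identity NAT (NAT exemption) {groups[0]} -> {groups[1]}: "
                         "traffic is translated before the crypto ACL is evaluated")
        if c["map_iface"].get(name) not in c["ikev1_ifaces"]:
            f.append(f"crypto map {name} is not bound to an interface with crypto ikev1 enabled")
    tg = c["tunnel_groups"].get(peer, {})
    if not tg:
        f.append(f"no tunnel-group for peer {peer}")
    elif not tg.get("psk") or tg["psk"].startswith("<") or tg["psk"] == "*****":
        f.append(f"tunnel-group {peer}: pre-shared-key is missing, masked by show run, or still a placeholder")
    return f
```

Run against the page's template it reports exactly one finding, the placeholder pre-shared key; drop the nat line or change the DH group and it reports those as well. The parser strips indentation, so the output of show run pastes in as it is; note that show run masks the key as *****, which the checker reports because it cannot confirm the key, so compare that value with the Azure connection by hand.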
