You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

Table of Contents

How to configure VPN

Site-Site

  1. Define the Networks
    1. object-group network Remote_VPN
       network-object 10.10.10.0 255.255.255.0
       network-object 10.20.20.0 255.255.255.0
      object-group network Remote_Internal
       network-object 172.16.1.0 255.255.255.0
       network-object 172.16.2.0 255.255.255.0
       network-object 172.16.3.0 255.255.255.0
       network-object 172.16.4.0 255.255.255.0
       network-object 172.18.0.0 255.255.0.0
      object-group network Remote_Combined
       group-object Remote_VPN
       group-object Remote_Internal
  2. Create the Crypto Map ACL
  3. Create the No-Nat ACL (Networks/hosts to which the packets should not be changed)
  4. Apply the No-NAT
  5. Create a Transform set
  6. Create the Crypto Map
  7. Enable isakmp on interface
  8. Create isakmp policies
  9. Create policy for Tunnel-Group (Site-Site hosts)
  10. Apply Tunnel-Group and Attributes
 

access-list outside_cryptomap_1 extended permit ip 172.32.100.0 255.255.255.0 object-group 4POINT_ACCESS
access-list VPNNONAT extended permit ip 172.32.100.0 255.255.255.0 object-group 4POINT_ACCESS
nat (inside) 0 access-list VPNNONAT
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map MELONGCryptoMaps 1 match address outside_cryptomap_1
crypto map MELONGCryptoMaps 1 set peer 66.46.186.170
crypto map MELONGCryptoMaps 1 set transform-set ESP-AES-256-SHA
crypto map MELONGCryptoMaps interface outside
crypto isakmp enable outside
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
group-policy Site2Site internal
group-policy Site2Site attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group 66.46.186.170 type ipsec-l2l
tunnel-group 66.46.186.170 general-attributes
default-group-policy Site2Site
tunnel-group 66.46.186.170 ipsec-attributes
pre-shared-key melongP@$$

Configure Split-DNS Resolution

ciscoasa# config t
ciscoasa(config)# group-policy POLICY attributes
ciscoasa(config-group-policy)# split-dns value internal.local extenral.com

Troubleshooting

debug ISAKMP SA negotiations

debug crypto isakmp sa <debug level>

Password Recovery

Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance

To recover from the loss of passwords, perform the following steps:

--------------------------------------------------------------------------------
Step 1 Connect to the security appliance console port according to the "Accessing the Command-Line Interface" section on page 2-1.

Step 2 Power off the security appliance, and then power it on.

Step 3 During the startup messages, press the Escape key when prompted to enter ROMMON.

Step 4 To set the security appliance to ignore the startup configuration at reload, enter the following command:

rommon #1> confreg
The security appliance displays the current configuration register value, and asks if you want to change the value:

Current Configuration Register: 0x00000011
Configuration Summary:
  boot TFTP image, boot default image from Flash on netboot failure
Do you wish to change this configuration? y/n [n]:
Step 5 Record your current configuration register value, so you can restore it later.

Step 6 At the prompt, enter Y to change the value.

The security appliance prompts you for new values.

Step 7 Accept the default values for all settings, except for the "disable system configuration?" value; at that prompt, enter Y.

Step 8 Reload the security appliance by entering the following command:

rommon #2> boot
The security appliance loads a default configuration instead of the startup configuration.

Step 9 Enter privileged EXEC mode by entering the following command:

hostname> enable

Step 10 When prompted for the password, press Return.

The password is blank.

Step 11 Load the startup configuration by entering the following command:

hostname# copy startup-config running-config

Step 12 Enter global configuration mode by entering the following command:

hostname# configure terminal

Step 13 Change the passwords in the configuration by entering the following commands, as necessary:

hostname(config)# password password
hostname(config)# enable password password
hostname(config)# username name password password

Step 14 Change the configuration register to load the startup configuration at the next reload by entering the following command:

hostname(config)# config-register value
Where value is the configuration register value you noted in Step 5. 0x1 is the default configuration register. For more information about the configuration register, see the Cisco Security Appliance Command Reference.

Step 15 Save the new passwords to the startup configuration by entering the following command:

hostname(config)# copy running-config startup-config
  • No labels