Did you know that the kind coders at Cisco have put a lot of help for us into the CLI of the ASA firewall? Here are two examples:
- vpnsetup todo-list
- Command syntax help
With the vpnsetup-command you can see a list of configuration tasks needed for setting up different types of VPN:
fw2(config)# vpnsetup ?
configure mode commands/options:
ipsec-remote-access Display IPSec Remote Access Configuration Commands
l2tp-remote-access Display L2TP/IPSec Configuration Commands
site-to-site Display IPSec Site-to-Site Configuration Commands
ssl-remote-access Display SSL Remote Access Configuration Commands
Let's say that we need to make a new Lan2Lan-tunnel:
fw2(config)# vpnsetup site-to-site steps
Steps to configure a site-to-site IKE/IPSec connection with examples:
1. Configure Interfaces
interface GigabitEthernet0/0
ip address 10.10.4.200 255.255.255.0
nameif outside
no shutdown
interface GigabitEthernet0/1
ip address 192.168.0.20 255.255.255.0
nameif inside
no shutdown
2. Configure ISAKMP policy
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
3. Configure transform-set
crypto ipsec transform-set myset esp-aes esp-sha-hmac
4. Configure ACL
access-list L2LAccessList extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
5. Configure Tunnel group
tunnel-group 10.20.20.1 type ipsec-l2l
tunnel-group 10.20.20.1 ipsec-attributes
pre-shared-key P@rtn3rNetw0rk
6. Configure crypto map and attach to interface
crypto map mymap 10 match address L2LAccessList
crypto map mymap 10 set peer 10.10.4.108
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set reverse-route
crypto map mymap interface outside
7. Enable isakmp on interface
crypto isakmp enable outside
fw2(config)#
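As an added example (not code from this post or from Cisco), here is a small Python checker that parses those site-to-site commands and reports references that do not line up: an ACL or transform-set the crypto map names but that is never defined, a crypto map bound to an interface with no nameif or with ISAKMP not enabled, and a crypto map peer with no ipsec-l2l tunnel-group of the same name (with a pre-shared key the ASA looks the key up in the tunnel-group named after the peer, falling back to DefaultL2LGroup). Run on the page's own vpnsetup output it flags the last case, since the tunnel-group is 10.20.20.1 while the crypto map peer is 10.10.4.108.

```python
import re

# Constructed sample: the site-to-site commands "vpnsetup site-to-site steps"
# prints on this page, joined into one config text (ISAKMP policy lines omitted).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
crypto ipsec transform-set myset esp-aes esp-sha-hmac
access-list L2LAccessList extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
tunnel-group 10.20.20.1 type ipsec-l2l
tunnel-group 10.20.20.1 ipsec-attributes
 pre-shared-key P@rtn3rNetw0rk
crypto map mymap 10 match address L2LAccessList
crypto map mymap 10 set peer 10.10.4.108
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set reverse-route
crypto map mymap interface outside
crypto isakmp enable outside
"""

def check_l2l(config):
    """Return findings for dangling references in an ASA site-to-site config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # Names that the crypto map and interface commands may refer to.
    acls = {m.group(1) for l in lines if (m := re.match(r"access-list (\S+) ", l))}
    tsets = {m.group(1) for l in lines if (m := re.match(r"crypto ipsec transform-set (\S+)", l))}
    l2l_peers = {m.group(1) for l in lines if (m := re.match(r"tunnel-group (\S+) type ipsec-l2l", l))}
    nameifs = {m.group(1) for l in lines if (m := re.match(r"nameif (\S+)", l))}
    isakmp_ifs = {m.group(1) for l in lines if (m := re.match(r"crypto isakmp enable (\S+)", l))}
    findings = []
    for l in lines:
        if m := re.match(r"crypto map (\S+ \d+) match address (\S+)", l):
            if m.group(2) not in acls:
                findings.append(f"crypto map {m.group(1)}: ACL {m.group(2)} is not defined")
        elif m := re.match(r"crypto map (\S+ \d+) set transform-set (\S+)", l):
            if m.group(2) not in tsets:
                findings.append(f"crypto map {m.group(1)}: transform-set {m.group(2)} is not defined")
        elif m := re.match(r"crypto map (\S+ \d+) set peer (\S+)", l):
            if m.group(2) not in l2l_peers:
                # With a pre-shared key the peer address must name an ipsec-l2l
                # tunnel-group; otherwise the ASA falls back to DefaultL2LGroup.
                findings.append(f"crypto map {m.group(1)}: peer {m.group(2)} has no ipsec-l2l tunnel-group")
        elif m := re.match(r"crypto map (\S+) interface (\S+)", l):
            if m.group(2) not in nameifs:
                findings.append(f"crypto map {m.group(1)}: interface {m.group(2)} has no nameif")
            if m.group(2) not in isakmp_ifs:
                findings.append(f"crypto map {m.group(1)}: isakmp not enabled on {m.group(2)}")
    return findings
```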
Of course you can use the question mark and tab completion. But did you know that there is also a built-in man page for every command? Try “help
fw2(config)# help global
USAGE:
[no] global (
show running-config [all] global [(
clear configure global
DESCRIPTION:
global Specify, delete or view global address pools,
or designate a PAT(Port Address Translated) address
SYNTAX:
<(ext_if_name)> The external network interface name
will draw from these global addresses
dynamically be translated on an as needed basis to hosts
in the nat group
If this
Center(NIC).
These addresses should also be reverse resolvable(in-addr.arpa)
on the outside DNS servers.
An address specified singly will be used as a PAT address.
When all of the non-PAT addresses of a global pool are in use
and there is a PAT address, subsequent hosts from the nat
group
the number of licensed connections.
[netmask
interface IP address of
see also: nat, alias, static
fw2(config)#