Cisco ASA device running Cisco ASA 8.2+ software
Example configuration
- Configure the outside interface.
- Ensure that the Crypto ISAKMP policy sequence number is unique.
- Ensure that the Crypto List policy sequence number is unique.
- Ensure that the Crypto IPsec transform set and Crypto ISAKMP policy sequence are consistent with any other IPsec tunnels configured on the device.
- Ensure that the SLA monitor number is unique.
- Configure all internal routing that moves traffic between the customer gateway and your local network.
Important
The following configuration information is an example of what you can expect your integration team to provide. Many of the values in the following example will differ from the actual configuration information that you receive. You must use the actual values, not the example values shown here, or your implementation will fail.
! This configuration consists of two tunnels. Both tunnels must be
! configured on your Customer Gateway. Only a single tunnel will be up at a
! time to the VGW.
!
! You may need to populate these values throughout the config based on your setup:
! outside_interface - External interface of the ASA
! outside_access_in - Inbound ACL on the external interface
! amzn_vpn_map - Outside crypto map
! vpc_subnet and vpc_subnet_mask - VPC address range
! local_subnet and local_subnet_mask - Local subnet address range
! sla_monitor_address - Target address that is part of acl-amzn to run SLA monitoring
!
! --------------------------------------------------------------------------------
! IPSec Tunnels
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
!
! Note that there is a global list of ISAKMP policies, each identified by
! sequence number. This policy is defined as #201, which may conflict with
! an existing policy using the same or lower number depending on
! the encryption type. If so, we recommend changing the sequence number to
! avoid conflicts and overlap.
!
! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
! The address of the external interface for your customer gateway must be a static address.
! Your customer gateway may reside behind a device performing network address translation (NAT).
! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T.
!
crypto isakmp identity address
crypto isakmp enable outside_interface
crypto isakmp policy 201
  encryption aes
  authentication pre-share
  group 2
  lifetime 28800
  hash sha
exit
!
! The tunnel group sets the Pre Shared Key used to authenticate the
! tunnel endpoints.
!
tunnel-group AWS_ENDPOINT_1 type ipsec-l2l
tunnel-group AWS_ENDPOINT_1 ipsec-attributes
   pre-shared-key password_here
   !
   ! This option enables IPSec Dead Peer Detection, which causes periodic
   ! messages to be sent to ensure a Security Association remains operational.
   !
   isakmp keepalive threshold 10 retry 10
exit
!
tunnel-group AWS_ENDPOINT_2 type ipsec-l2l
tunnel-group AWS_ENDPOINT_2 ipsec-attributes
   pre-shared-key password_here
   !
   ! This option enables IPSec Dead Peer Detection, which causes periodic
   ! messages to be sent to ensure a Security Association remains operational.
   !
   isakmp keepalive threshold 10 retry 10
exit
! --------------------------------------------------------------------------------
! #2: Access List Configuration
!
! Access lists are configured to permit creation of tunnels and to send applicable traffic over them.
! This policy may need to be applied to an inbound ACL on the outside interface that is used to manage control-plane traffic.
! This is to allow VPN traffic into the device from the Amazon endpoints.
!
access-list outside_access_in extended permit ip host AWS_ENDPOINT_1 host YOUR_UPLINK_ADDRESS
access-list outside_access_in extended permit ip host AWS_ENDPOINT_2 host YOUR_UPLINK_ADDRESS
!
! The following access list named acl-amzn specifies all traffic that needs to be routed to the VPC. Traffic will
! be encrypted and transmitted through the tunnel to the VPC. Association with the IPSec security association
! is done through the "crypto map" command.
!
! This access list should contain a static route corresponding to your VPC CIDR and allow traffic from any subnet.
! If you do not wish to use the "any" source, you must use a single access-list entry for accessing the VPC range.
! If you specify more than one entry for this ACL without using "any" as the source, the VPN will function erratically.
! The any rule is also used so the security association will include the ASA outside interface where the SLA monitor
! traffic will be sourced from.
! See section #4 regarding how to restrict the traffic going over the tunnel
!
!
access-list acl-amzn extended permit ip any vpc_subnet vpc_subnet_mask
!---------------------------------------------------------------------------------
! #3: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
!
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
!
! The crypto map references the IPSec transform set and further defines
! the Diffie-Hellman group and security association lifetime. The mapping is created
! as #1, which may conflict with an existing crypto map using the same
! number. If so, we recommend changing the mapping number to avoid conflicts.
!
crypto map amzn_vpn_map 1 match address acl-amzn
crypto map amzn_vpn_map 1 set pfs group2
crypto map amzn_vpn_map 1 set peer AWS_ENDPOINT_1 AWS_ENDPOINT_2
crypto map amzn_vpn_map 1 set transform-set transform-amzn
crypto map amzn_vpn_map 1 set security-association lifetime seconds 3600
!
! Only set this if you do not already have an outside crypto map, and it is not applied:
!
crypto map amzn_vpn_map interface outside_interface
!
! Additional parameters of the IPSec configuration are set here. Note that
! these parameters are global and therefore impact other IPSec
! associations.
!
! This option instructs the firewall to clear the "Don't Fragment"
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
crypto ipsec df-bit clear-df outside_interface
!
! This configures the gateway's window for accepting out of order
! IPSec packets. A larger window can be helpful if too many packets
! are dropped due to reordering while in transit between gateways.
!
crypto ipsec security-association replay window-size 128
!
! This option instructs the firewall to fragment the unencrypted packets
! (prior to encryption).
!
crypto ipsec fragmentation before-encryption outside_interface
!
! This option causes the firewall to reduce the Maximum Segment Size of
! TCP packets to prevent packet fragmentation.
sysopt connection tcpmss 1379
!
! In order to keep the tunnel in an active or always up state, the ASA needs to send traffic to the subnet
! defined in acl-amzn. SLA monitoring can be configured to send pings to a destination in the subnet and
! will keep the tunnel active. This traffic needs to be sent to a target that will return a response.
! This can be manually tested by sending a ping to the target from the ASA sourced from the outside interface.
! A possible destination for the ping is an instance within the VPC. For redundancy multiple SLA monitors
! can be configured to several instances to protect against a single point of failure.
!
! The monitor is created as #1, which may conflict with an existing monitor using the same
! number. If so, we recommend changing the sequence number to avoid conflicts.
!
sla monitor 1
   type echo protocol ipIcmpEcho sla_monitor_address interface outside_interface
   frequency 5
exit
sla monitor schedule 1 life forever start-time now
!
! The firewall must allow icmp packets to use "sla monitor"
icmp permit any outside_interface
!---------------------------------------------------------------------------------
! #4: VPN Filter
! The VPN Filter will restrict traffic that is permitted through the tunnels. By default all traffic is denied.
! The first entry provides an example to include traffic between your VPC Address space and your office.
! You may need to run 'clear crypto isakmp sa', in order for the filter to take effect.
!
!
access-list amzn-filter extended permit ip vpc_subnet vpc_subnet_mask local_subnet local_subnet_mask
access-list amzn-filter extended deny ip any any
group-policy filter internal
group-policy filter attributes
vpn-filter value amzn-filter
tunnel-group AWS_ENDPOINT_1 general-attributes
default-group-policy filter
exit
tunnel-group AWS_ENDPOINT_2 general-attributes
default-group-policy filter
exit
!---------------------------------------------------------------------------------------
! #5: NAT Exemption
! If you are performing NAT on the ASA you will have to add a nat exemption rule.
! This varies depending on how NAT is set up. It should be configured along the lines of:
! object network obj-SrcNet
! subnet 0.0.0.0 0.0.0.0
! object network obj-amzn
! subnet vpc_subnet vpc_subnet_mask
! nat (inside,outside) 1 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
! If using version 8.2 or older, the entry would need to look something like this:
! nat (inside) 0 access-list acl-amzn
! Or, the same rule in acl-amzn should be included in an existing no nat ACL.
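The checklist at the top of this page and the comments in sections #1, #2 and #3 all come down to the same pre-flight question: does the generated snippet reuse a number the ASA already has? On the ASA CLI, re-entering `crypto isakmp policy 201`, `crypto map amzn_vpn_map 1 ...` or `sla monitor 1` does not produce an error; it opens the existing object and the lines that follow overwrite its attributes, so a collision silently rewrites whatever was there. The following script is an added example, not part of the AWS-generated configuration or of any Cisco tooling: it parses an existing-config fragment and the snippet, reports number collisions, checks the acl-amzn shape rule from section #2 (one entry, or an `any` source), and flags the SHA-1 (`hash sha`) and DH group 2 parameters that the sample itself describes as the legacy minimum. Both config fragments are constructed for the example, keeping the page's placeholder names (`outside_interface`, `vpc_subnet`, `sla_monitor_address`); `EXISTING_CONFIG`, `AWS_SNIPPET`, `collect` and `lint` are names introduced here.

```python
"""Pre-flight lint for merging the AWS-generated ASA snippet into an existing config.

Checks the checklist items (unique ISAKMP policy, crypto map and SLA monitor
numbers, acl-amzn shape) and flags the legacy SHA-1 / DH group 2 parameters
the sample is written for. Every config fragment here is constructed for
this example, with the page's placeholder names kept.
"""
import re
from collections import defaultdict

# Constructed: what is already on the box before the snippet is pasted in.
EXISTING_CONFIG = """\
crypto isakmp policy 201
 encryption aes-256
 authentication pre-share
 group 14
 lifetime 86400
 hash sha
sla monitor 1
 type echo protocol ipIcmpEcho 10.0.0.1 interface inside
crypto map amzn_vpn_map 1 match address old-acl
"""

# Constructed: the lines of the AWS sample that carry a sequence number or an ACL.
AWS_SNIPPET = """\
crypto isakmp policy 201
 encryption aes
 authentication pre-share
 group 2
 lifetime 28800
 hash sha
access-list acl-amzn extended permit ip any vpc_subnet vpc_subnet_mask
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto map amzn_vpn_map 1 match address acl-amzn
crypto map amzn_vpn_map 1 set pfs group2
sla monitor 1
 type echo protocol ipIcmpEcho sla_monitor_address interface outside_interface
"""

ISAKMP_RE = re.compile(r"^crypto isakmp policy (\d+)$")
CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ")
SLA_RE = re.compile(r"^sla monitor (\d+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) ")
PFS_RE = re.compile(r" set pfs (\S+)$")
WEAK_DH = {"2", "5"}  # 1024- and 1536-bit MODP groups


def collect(config):
    """Gather the numbered objects a fragment defines; ISAKMP policies keep their attributes."""
    isakmp, maps, slas, pfs = {}, set(), set(), set()
    acl = defaultdict(list)  # ACL name -> source field of each permit-ip entry
    current = None           # attribute dict of the ISAKMP policy being parsed
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            current = None   # any top-level command ends the policy sub-mode
        if m := ISAKMP_RE.match(line):
            current = isakmp.setdefault(m.group(1), {})
        elif m := CRYPTO_MAP_RE.match(line):
            maps.add((m.group(1), m.group(2)))
            if p := PFS_RE.search(line):
                pfs.add(p.group(1))
        elif m := SLA_RE.match(line):
            slas.add(m.group(1))
        elif m := ACL_RE.match(line):
            acl[m.group(1)].append(m.group(2))
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
    return isakmp, maps, slas, acl, pfs


def lint(existing, snippet):
    """Return (code, detail) findings; an empty list means the snippet can be pasted as-is."""
    findings = []
    e_isakmp, e_maps, e_slas, _, _ = collect(existing)
    s_isakmp, s_maps, s_slas, s_acl, s_pfs = collect(snippet)
    # Re-entering an existing policy/map/monitor number silently edits that object.
    for seq in sorted(set(e_isakmp) & set(s_isakmp), key=int):
        findings.append(("isakmp-seq-conflict", seq))
    for name, seq in sorted(e_maps & s_maps):
        findings.append(("crypto-map-seq-conflict", f"{name} {seq}"))
    for sid in sorted(e_slas & s_slas, key=int):
        findings.append(("sla-conflict", sid))
    # "hash sha" on the ASA is SHA-1; group 2 is the legacy minimum the sample uses.
    for seq, attrs in s_isakmp.items():
        if attrs.get("hash") == "sha":
            findings.append(("weak-hash", f"isakmp policy {seq} uses SHA-1"))
        if attrs.get("group") in WEAK_DH:
            findings.append(("weak-dh", f"isakmp policy {seq} uses DH group {attrs['group']}"))
    for group in sorted(s_pfs):
        if group.removeprefix("group") in WEAK_DH:
            findings.append(("weak-pfs", group))
    # acl-amzn: either a single entry, or "any" as the source (section #2 comment).
    sources = s_acl.get("acl-amzn", [])
    if len(sources) > 1 and "any" not in sources:
        findings.append(("acl-amzn-shape", f"{len(sources)} entries without an 'any' source"))
    return findings


if __name__ == "__main__":
    for code, detail in lint(EXISTING_CONFIG, AWS_SNIPPET):
        print(f"{code}: {detail}")
```

Run against the constructed fragments it reports all three number collisions plus the three weak-crypto findings; renumbering the snippet (policy 202, crypto map entry 10, SLA monitor 2) leaves only the crypto findings, which you clear by moving to the stronger IKE/IPsec parameters the sample comments list as supported. Feed it the output of `show running-config` on the real device rather than the constructed fragment when you use it for a live cutover.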