Создание туннеля site-to-site IPSec между двумя межсетевыми экранами Cisco ASA 5505 и Huawei USG 2200
! Cisco ASA side of the site-to-site tunnel, as published on the page.
! NOTE(review): the enable/login hashes below are exposed with the config; rotate them
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd AoEdbRBYKfdQlH8t encrypted
names
!
! outside (security-level 0): internet-facing interface; crypto map is bound here
interface GigabitEthernet0
nameif outside
security-level 0
ip address 172.19.19.52 255.255.255.0
!
! inside (security-level 100): 10.19.1.0/24, the LAN reachable through the tunnel
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.19.1.1 255.255.255.0
!
! Unused ports left shut down
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
! Tunnel endpoints as network objects: local LAN 10.19.1.0/24 and the USG LAN 192.168.0.0/24
object network localnet
subnet 10.19.1.0 255.255.255.0
object network usg_net
subnet 192.168.0.0 255.255.255.0
! Interesting traffic for the crypto map (mirrored by ACL 3000 on the USG)
access-list outside_cryptomap extended permit ip object localnet object usg_net
pager lines 24
logging enable
logging asdm informational
! vpn-class messages at debugging level are sent to ASDM (useful while bringing the tunnel up)
logging class vpn asdm debugging
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
! Identity (twice) NAT: localnet<->usg_net is translated to itself, i.e. NAT exemption for the VPN traffic
nat (inside,outside) source static localnet localnet destination static usg_net usg_net
route outside 0.0.0.0 0.0.0.0 172.19.19.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
! SSH logins are checked against the local user database (user1 below)
aaa authentication ssh console LOCAL
http server enable
! NOTE(review): ASDM/HTTPS management is reachable from any source on the outside interface;
! restrict this to known management addresses
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
! IKEv1 transform sets (appears to be the ASDM default list); only ESP-3DES-SHA is referenced by the crypto map.
! NOTE(review): the DES/3DES/MD5 variants are legacy; prefer an AES/SHA set on both ends if the USG supports it
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
! Phase 2: crypto map entry 1 — interesting traffic ACL, peer = USG WAN address 172.31.31.23,
! ESP 3DES/SHA1 (must match 'ipsec proposal prop21713319279' on the USG)
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 172.31.31.23
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
! Phase 1 (IKEv1): PSK, 3DES, SHA1, DH group 2, 24h lifetime — mirrors 'ike proposal 1' on the USG.
! NOTE(review): 3DES and DH group 2 are weak by current standards; move to AES/SHA2/group 14+ when both peers allow it
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
! NOTE(review): telnet (cleartext) is permitted from any source on the outside interface; remove it or restrict the source
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
! NOTE(review): SSH is permitted from any outside source; restrict to known management addresses
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
! Allows managing the ASA at its inside address over the tunnel
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! Remote-access (AnyConnect) stanza; not part of the site-to-site setup
webvpn
anyconnect-essentials
! Group policy for the L2L peer: IKEv1 only
group-policy GroupPolicy_172.31.31.23 internal
group-policy GroupPolicy_172.31.31.23 attributes
vpn-tunnel-protocol ikev1
! Local admin account used by the SSH aaa line above; NOTE(review): its hash is published with this config
username user1 password aFt.o4zGLM3/WuZK encrypted
! L2L tunnel group keyed by the peer address; the PSK is masked here (*****) and must equal the USG 'pre-shared-key'
tunnel-group 172.31.31.23 type ipsec-l2l
tunnel-group 172.31.31.23 general-attributes
default-group-policy GroupPolicy_172.31.31.23
tunnel-group 172.31.31.23 ipsec-attributes
ikev1 pre-shared-key *****
!
! Application-inspection (global service policy); not specific to the tunnel
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
! Call-home profile is present but inactive ('no active')
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
! Trailer of the 'show running-config' output, not commands
Cryptochecksum:a93428982c4fc8a65921ede3aac01dee
: end
Конфигурация Huawei USG 2200:
# Huawei USG side of the tunnel (configuration dump; first line is the dump timestamp)
15:29:26 2014/07/22
#
sysname USG2110
#
l2tp domain suffix-separator @
#
# IKE dead-peer detection every 10 s (the ASA's keepalive setting is not shown in its config)
ike dpd interval 10
#
# Default interzone actions: local<->trust both directions, local->untrust and local->dmz outbound are permitted;
# inbound local<-untrust is presumably default-deny and relies on 'policy interzone local untrust inbound' below
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
#
firewall packet-filter basic-protocol enable
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
vlan batch 1
#
stp mode stp
#
firewall statistic system enable
#
pki certificate access-control-policy default permit
#
dns proxy enable
#
license-server domain lic.huawei.com
#
runmode firewall
#
# Daily IPS/AV signature updates
update schedule ips daily 3:41
update schedule av daily 3:41
security server domain sec.huawei.com
#
# Web management enabled (HTTPS on 8443); NOTE(review): reachability from untrust is governed by the
# local-untrust inbound policy, whose rule 2 permits all services from 172.19.19.0/24 — confirm this is intended
web-manager enable
web-manager security enable port 8443
#
user-manage web-authentication security port 8888
#
l2fwdfast enable
#
# Interesting-traffic ACL: USG LAN 192.168.0.0/24 -> ASA LAN 10.19.1.0/24 (mirror of outside_cryptomap on the ASA)
acl number 3000
rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 10.19.1.0 0.0.0.255
#
# Empty ACL, unused
acl number 3001
#
# Phase 1 proposal: 3DES, DH group 2. The authentication algorithm/method are not shown — presumably device
# defaults; they must match the ASA's 'crypto ikev1 policy 10' (pre-share, sha). NOTE(review): 3DES/group 2 are legacy
ike proposal 1
encryption-algorithm 3des
dh group2 group1
#
# IKE peer = the ASA outside address; IKEv1 only ('undo version 2'), no remote-ID check.
# NOTE(review): the PSK is stored in the reversible '%$%$' cipher form and is published with this config — change it
ike peer ike21713319279
exchange-mode auto
pre-shared-key %$%$o,akP.$_);0Ofm@^SQ&EC>5,%$%$
ike-proposal 1
undo version 2
remote-id-type none
remote-address 172.19.19.52
#
# Phase 2 proposal: ESP with SHA1 auth and 3DES — matches ESP-3DES-SHA on the ASA
ipsec proposal prop21713319279
encapsulation-mode auto
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
# IKE-negotiated IPsec policy tying ACL, peer and proposal together; local address taken from the applying interface.
# SA lifetimes: traffic-based 1843200 and time-based 3600 s (the ASA uses its defaults, not shown; the lower value is typically negotiated)
ipsec policy ipsec2171331933 1 isakmp
security acl 3000
ike-peer ike21713319279
alias asa
proposal prop21713319279
local-address applied-interface
sa duration traffic-based 1843200
sa duration time-based 3600
#
# LAN gateway 192.168.0.1/24 (the USG-side tunnel network)
interface Vlanif1
ip address 192.168.0.1 255.255.255.0
#
# Cellular/ATM ports: unrelated to the tunnel
interface Cellular5/0/0
link-protocol ppp
#
interface Cellular5/0/1
link-protocol ppp
#
# WAN 172.31.31.23 (the address the ASA peers with); the IPsec policy is applied here.
# 'auto-neg' appears to let the policy negotiate the SA proactively rather than on first packet — confirm
interface Ethernet0/0/0
alias WAN
ip address 172.31.31.23 255.255.255.0
ipsec policy ipsec2171331933 auto-neg
#
# Switched LAN ports (all in the trust zone below)
interface Ethernet1/0/0
portswitch
port link-type access
#
interface Ethernet1/0/1
portswitch
port link-type access
#
interface Ethernet1/0/2
portswitch
port link-type access
#
interface Ethernet1/0/3
portswitch
port link-type access
#
interface Ethernet1/0/4
portswitch
port link-type access
#
interface Ethernet1/0/5
portswitch
port link-type access
#
interface Ethernet1/0/6
portswitch
port link-type access
#
interface Ethernet1/0/7
portswitch
port link-type access
#
interface Atm2/0/0
#
interface NULL0
#
# Security zones; 'detect' lines enable the ALG for that protocol
firewall zone local
set priority 100
#
# trust: wired LAN ports, Vlanif1 and the Wlan-Bss1 SSID (gateway1) share this zone
firewall zone trust
set priority 85
detect ftp
detect rtsp
detect pptp
add interface Ethernet1/0/0
add interface Ethernet1/0/1
add interface Ethernet1/0/2
add interface Ethernet1/0/3
add interface Ethernet1/0/4
add interface Ethernet1/0/5
add interface Ethernet1/0/6
add interface Ethernet1/0/7
add interface Vlanif1
add interface Wlan-Bss1
#
# untrust: the WAN / IPsec endpoint
firewall zone untrust
set priority 5
detect ftp
detect rtsp
detect pptp
add interface Ethernet0/0/0
#
# dmz: no interfaces assigned
firewall zone dmz
set priority 50
detect ftp
detect rtsp
detect pptp
#
firewall interzone local trust
detect ftp
detect pptp
detect rtsp
#
firewall interzone local untrust
detect ftp
detect pptp
detect rtsp
#
firewall interzone local dmz
detect ftp
detect pptp
detect rtsp
#
firewall interzone trust untrust
detect ftp
detect pptp
detect rtsp
#
firewall interzone trust dmz
detect ftp
detect pptp
detect rtsp
#
firewall interzone dmz untrust
detect ftp
detect pptp
detect rtsp
#
#
# Local accounts. NOTE(review): both password strings are published with this config; 'admin' uses the
# irreversible (hashed) form, 'user1' the reversible 'cipher' form — rotate both and prefer irreversible-cipher
aaa
local-user admin password irreversible-cipher %@%@t.0tEQSe;Z#[7#P+SUh&UlcZNqaeMT!a/<SPGO)`Mj$;Lrid%@%@
local-user admin service-type web terminal telnet
local-user admin level 15
local-user user1 password cipher %$%$<%J=9k93}>bZHNT&]d(2Vsja%$%$
local-user user1 service-type web ssh
local-user user1 level 15
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
domain dot1x
#
#
nqa-jitter tag-version 1
#
# Default route via the WAN next hop
ip route-static 0.0.0.0 0.0.0.0 172.31.31.1
#
# SSH server (stelnet) with password authentication for user1.
# NOTE(review): 'ssh client first-time enable' lets the USG, as SSH client, accept an unknown server host key on first connect
stelnet server enable
ssh user user1
ssh user user1 authentication-type password
ssh user user1 service-type stelnet
ssh client first-time enable
#
banner enable
#
user-interface con 0
user-interface tty 2 3
modem both
# VTYs: AAA authentication, only SSH accepted inbound (telnet is not offered on the VTYs despite admin's telnet service-type)
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
slb
#
cwmp
#
right-manager server-group
#
# WLAN radio/rate settings
wlan srm
dot11a mandatory-rate 6 9 12 24
dot11a supported-rate 18 36 48 54
dot11b mandatory-rate 1 2
dot11b supported-rate 5.5 11
dot11g mandatory-rate 1 2 5.5 11
dot11g supported-rate 6 9 12 18 24 36 48 54
#
# NOTE(review): 'plain' on these service classes looks like an open (unencrypted) SSID — confirm;
# Wlan-Bss1 (bound to class 1, SSID gateway1) is a member of the trust zone
wlan service-class 0 plain
ssid gateway
station max-number 124
service-class enable
#
wlan service-class 1 plain
ssid gateway1
station max-number 124
service-class enable
#
interface Wlan-Bss0
#
interface Wlan-Bss1
#
interface Wlan-rf4/0/0
radio-type dot11gn
channel auto
bind service-class 0 interface wlan-bss 0
bind service-class 1 interface wlan-bss 1
#
#
sim 1
sim 2
#
# Traffic to the device itself from untrust:
#  rule 1 permits SSH from any untrust source (NOTE(review): restrict the source to management hosts);
#  rule 2 permits ALL services from 172.19.19.0/24 — presumably meant for IKE/ESP from the ASA;
#  NOTE(review): narrow it to the peer address 172.19.19.52 and the IKE/ESP services
policy interzone local untrust inbound
policy 1
action permit
policy service service-set ssh
policy 2
action permit
policy source 172.19.19.0 0.0.0.255
#
# Decrypted tunnel traffic from the ASA LAN into the USG LAN
policy interzone trust untrust inbound
policy 1
action permit
policy source 10.19.1.0 0.0.0.255
policy destination 192.168.0.0 0.0.0.255
#
# USG LAN towards the ASA LAN (enters the tunnel via ACL 3000)
policy interzone trust untrust outbound
policy 1
action permit
policy source 192.168.0.0 0.0.0.255
policy destination 10.19.1.0 0.0.0.255
#
return