S1: Configure IKEv1 Policy on ASA (it should be the same on the other ASA).
ASA1(config)# crypto ikev1 policy 10
ASA1(config-ikev1-policy)# encryption aes
ASA1(config-ikev1-policy)# authentication pre-share
ASA1(config-ikev1-policy)# hash sha
ASA1(config-ikev1-policy)# group 2
ASA1(config-ikev1-policy)# lifetime 1000
ASA1(config-ikev1-policy)# exit
ASA1(config)# crypto ikev1 enable outside
-------------------------------------------------------------------------------------------------------------------
ASA2(config)# crypto ikev1 policy 10
ASA2(config-ikev1-policy)# encryption aes
ASA2(config-ikev1-policy)# authentication pre-share
ASA2(config-ikev1-policy)# hash sha
ASA2(config-ikev1-policy)# group 2
ASA2(config-ikev1-policy)# lifetime 1000
ASA2(config-ikev1-policy)# exit
ASA2(config)# crypto ikev1 enable outside
Note: Priority and lifetime can be different on the two ASAs.
S2: Configure Pre-shared-key on ASA
ASA1(config)# tunnel-group 2.2.2.2 type ipsec-l2l
ASA1(config)# tunnel-group 2.2.2.2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key Cisco123
-------------------------------------------------------------------------------------------------------------------
ASA2(config)# tunnel-group 1.1.1.1 type ipsec-l2l
ASA2(config)# tunnel-group 1.1.1.1 ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev1 pre-shared-key Cisco123
S3: Configure Transform Set on ASA
ASA1(config)# crypto ipsec ikev1 transform-set Myset esp-3des esp-md5-hmac
-------------------------------------------------------------------------------------------------------------------
ASA2(config)# crypto ipsec ikev1 transform-set Myset esp-3des esp-md5-hmac
S4: Configure Interesting Traffic on ASA
ASA1(config)# access-list 101 permit ip 1.0.0.0 255.0.0.0 2.0.0.0 255.0.0.0
-------------------------------------------------------------------------------------------------------------------
ASA2(config)# access-list 101 permit ip 2.0.0.0 255.0.0.0 1.0.0.0 255.0.0.0
S5: Configure Crypto Map on ASA
ASA1(config)# crypto map Mymap 1 match address 101
ASA1(config)# crypto map Mymap 1 set peer 2.2.2.2
ASA1(config)# crypto map Mymap 1 set transform-set Myset
-------------------------------------------------------------------------------------------------------------------
ASA2(config)# crypto map Mymap 1 match address 101
ASA2(config)# crypto map Mymap 1 set peer 1.1.1.1
ASA2(config)# crypto map Mymap 1 set transform-set Myset
S6: Enable Crypto Map on the interface that is connected to the Internet.
ASA1(config)# crypto map Mymap interface outside
-------------------------------------------------------------------------------------------------------------------
ASA2(config)# crypto map Mymap interface outside
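The tunnel built in S1 to S5 only comes up when both sides agree: the same IKEv1 policy values, the same pre-shared key, the same transform set, mirrored access-lists, and each peer pointing at the other. The Python check below is an added example, not part of the original post; the `parse` and `audit` helpers and the plain-text config layout are assumptions, and it also flags the deprecated algorithms in this lab configuration (3DES, MD5, DH group 2).

```python
# Constructed sample: the settings from steps S1-S5 above, prompts stripped.
TEMPLATE = """\
crypto ikev1 policy 10
 encryption aes
 authentication pre-share
 hash sha
 group 2
 lifetime 1000
tunnel-group {peer} ipsec-attributes
 ikev1 pre-shared-key Cisco123
crypto ipsec ikev1 transform-set Myset esp-3des esp-md5-hmac
access-list 101 permit ip {local} 255.0.0.0 {remote} 255.0.0.0
crypto map Mymap 1 set peer {peer}
"""
ASA1 = TEMPLATE.format(peer="2.2.2.2", local="1.0.0.0", remote="2.0.0.0")
ASA2 = TEMPLATE.format(peer="1.1.1.1", local="2.0.0.0", remote="1.0.0.0")
MUST_MATCH = ("encryption", "authentication", "hash", "group")  # lifetime may differ
WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac",
        "group 1", "group 2", "group 5"}
def parse(cfg):
    """Extract the tunnel-relevant settings from one ASA's configuration text."""
    p = {"policy": {}, "transforms": set()}
    for line in cfg.splitlines():
        w = line.split()
        if len(w) == 2 and w[0] in MUST_MATCH:
            p["policy"][w[0]] = w[1]
        elif w[:2] == ["ikev1", "pre-shared-key"]:
            p["psk"] = w[2]
        elif w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            p["transforms"] = set(w[5:])
        elif w[:1] == ["access-list"]:
            p["acl"] = (tuple(w[4:6]), tuple(w[6:8]))  # (source, destination)
        elif w[-3:-1] == ["set", "peer"]:
            p["peer"] = w[-1]
    return p

def audit(cfg_a, cfg_b, ip_a, ip_b):
    """Return mismatches between the two sides, then weak algorithms on side A."""
    a, b = parse(cfg_a), parse(cfg_b)
    out = [f"mismatch: ikev1 policy {k}" for k in MUST_MATCH
           if a["policy"].get(k) != b["policy"].get(k)]
    checks = [("pre-shared key", a.get("psk") == b.get("psk")),
              ("transform-set", a["transforms"] == b["transforms"]),
              ("mirrored access-lists", a.get("acl") == b.get("acl", ())[::-1]),
              ("peer addresses", (a.get("peer"), b.get("peer")) == (ip_b, ip_a))]
    out += [f"mismatch: {name}" for name, ok in checks if not ok]
    pol = a["policy"]
    used = a["transforms"] | {pol.get("encryption"), pol.get("hash"), "group " + pol.get("group", "")}
    return out + [f"weak: {x}" for x in sorted(used & WEAK)]
```

Call `audit(ASA1, ASA2, "1.1.1.1", "2.2.2.2")` with the two configurations and each ASA's outside address; an empty list means the sides agree and no flagged algorithm is in use.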