Cisco/CLI: Difference between revisions

Aus SchnallIchNet
(Created page with: „ == IPSec == yadda yadda === IPSec Tunnel-Template === <pre> route outside-interface-name 192.168.160.0 255.255.255.0 ''<IP of outside-interface-name>'' o…“)
 
(IPSec Tunnel-Template)
Zeile 8: Zeile 8:
 
<pre>
 
<pre>
  
route outside-interface-name 192.168.160.0 255.255.255.0 ''<IP of outside-interface-name>''
+
route outside-interface-name 192.168.160.0 255.255.255.0 <IP of outside-interface-name>
  
 
object network NET_FIRMNAME  
 
object network NET_FIRMNAME  
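Review bot: dropping the `''` markers around `<IP of outside-interface-name>` is correct (inside `<pre>` they were shown literally, so the old line could not be pasted as-is), but the placeholder name still invites a mistake: the last argument of `route` is the next-hop gateway reached through that interface, not the ASA's own interface address. Suggest renaming it to something like `<next-hop gateway via outside-interface-name>` so the template cannot be filled in with the firewall's own IP.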
Zeile 36: Zeile 36:
 
  default-group-policy FIRMNAMEACCESSPOLICY
 
  default-group-policy FIRMNAMEACCESSPOLICY
 
tunnel-group 1.2.3.4 ipsec-attributes
 
tunnel-group 1.2.3.4 ipsec-attributes
  ikev1 pre-shared-key ''<PSK>''
+
  ikev1 pre-shared-key <PSK>
  ikev2 remote-authentication pre-shared-key ''<PSK>''
+
  ikev2 remote-authentication pre-shared-key <PSK>
  ikev2 local-authentication pre-shared-key ''<PSK>''
+
  ikev2 local-authentication pre-shared-key <PSK>
 
   
 
   
  
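Review bot: with the `''` gone the three `<PSK>` lines are paste-able, but nothing tells the reader how the keys relate: the IKEv1 key must be identical on both peers, while the IKEv2 pair is directional (this side's `local-authentication` key is what the peer configures as its `remote-authentication` key, and vice versa). A short comment next to the placeholders would prevent an authentication mismatch that is hard to spot in the logs, and it is worth stating that a real key is never committed back into the wiki in place of the placeholder.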
Zeile 48: Zeile 48:
  
 
</pre>
 
</pre>
 
  
 
=== IPSec debugging ===
 
=== IPSec debugging ===

Revision as of 22 September 2017, 06:05

== IPSec ==

yadda yadda

=== IPSec Tunnel-Template ===


<pre>
route outside-interface-name 192.168.160.0 255.255.255.0 <IP of outside-interface-name>

object network NET_FIRMNAME
 subnet 192.168.0.0 255.255.255.0

object-group network GRP_FIRMNAME_REMOTE_ACCESS
 network-object object NET_10.0.0.0_24
 network-object object NET_DMZ
 network-object object NET_Server

access-list DC_to_FIRMNAME_ENCDOM extended permit ip object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS
access-list FIRMANEACL extended permit icmp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS
access-list FIRMANEACL extended permit tcp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS EQ 3389
access-list FIRMANEACL extended permit tcp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS EQ 22
access-list FIRMANEACL extended permit tcp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS EQ 6556

nat (inside,outside-telekom) source static NET_FIRMNAME NET_FIRMNAME destination static GRP_FIRMNAME_REMOTE_ACCESS GRP_FIRMNAME_REMOTE_ACCESS no-proxy-arp route-lookup
nat (dmz,outside-telekom) source static NET_FIRMNAME NET_FIRMNAME destination static GRP_FIRMNAME_REMOTE_ACCESS GRP_FIRMNAME_REMOTE_ACCESS no-proxy-arp route-lookup

group-policy FIRMNAMEACCESSPOLICY internal
group-policy FIRMNAMEACCESSPOLICY attributes
 vpn-filter value FIRMANEACL
 vpn-tunnel-protocol ikev1 ikev2

tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
 default-group-policy FIRMNAMEACCESSPOLICY
tunnel-group 1.2.3.4 ipsec-attributes
 ikev1 pre-shared-key <PSK>
 ikev2 remote-authentication pre-shared-key <PSK>
 ikev2 local-authentication pre-shared-key <PSK>

crypto map outside-telekom_map 40 match address DC_to_FIRMNAME_ENCDOM
crypto map outside-telekom_map 40 set peer 1.2.3.4
crypto map outside-telekom_map 40 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside-telekom_map 40 set ikev2 ipsec-proposal AES256
crypto map outside-telekom_map 40 set pfs
</pre>
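A pre-paste check for this template, added here as an example and not part of the wiki page: it verifies that every `<placeholder>` has been filled in (the point of the revision above) and that every object, object-group, ACL and peer the template references is either defined in the paste or, like NET_DMZ here, must already exist on the ASA. The TEMPLATE excerpt is constructed from the lines above; the regexes are a textual approximation of ASA syntax, not a full config parser.

```python
import re

# Constructed excerpt of the template above, placeholders still unfilled.
TEMPLATE = """\
route outside-interface-name 192.168.160.0 255.255.255.0 <IP of outside-interface-name>
object network NET_FIRMNAME
object-group network GRP_FIRMNAME_REMOTE_ACCESS
 network-object object NET_DMZ
access-list DC_to_FIRMNAME_ENCDOM extended permit ip object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS
access-list FIRMANEACL extended permit tcp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS eq 22
group-policy FIRMNAMEACCESSPOLICY attributes
 vpn-filter value FIRMANEACL
tunnel-group 1.2.3.4 type ipsec-l2l
 ikev1 pre-shared-key <PSK>
crypto map outside-telekom_map 40 match address DC_to_FIRMNAME_ENCDOM
crypto map outside-telekom_map 40 set peer 1.2.3.4
"""

PLACEHOLDER = re.compile(r"<[^<>]+>")  # e.g. <PSK>

def unresolved_placeholders(cfg):
    """Placeholders that would otherwise be pasted literally into the ASA."""
    return sorted(set(PLACEHOLDER.findall(cfg)))

def fill(cfg, values):
    """Substitute placeholders; refuse to return a config with any left."""
    for key, val in values.items():
        cfg = cfg.replace(key, val)
    if left := unresolved_placeholders(cfg):
        raise ValueError(f"unfilled placeholders: {left}")
    return cfg

def check_references(cfg):
    """Names referenced but not defined in this paste: they must already exist."""
    defined = {
        "object": set(re.findall(r"^object network (\S+)", cfg, re.M)),
        "object-group": set(re.findall(r"^object-group network (\S+)", cfg, re.M)),
        "access-list": set(re.findall(r"^access-list (\S+)", cfg, re.M)),
        "peer": set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l", cfg, re.M)),
    }
    used = {  # 'object X' references, but not 'object network X' or 'network-object'
        "object": re.findall(r"(?<![-\w])object (?!network\s)(\S+)", cfg),
        "object-group": re.findall(r"object-group (?!network\s)(\S+)", cfg),
        "access-list": re.findall(r"(?:vpn-filter value|match address) (\S+)", cfg),
        "peer": re.findall(r"set peer (\S+)", cfg),
    }
    problems = {f"{kind} {n} not defined in this paste"
                for kind, names in used.items() for n in names if n not in defined[kind]}
    return sorted(problems)
```

Run `check_references` on the full template and it reports NET_10.0.0.0_24, NET_DMZ and NET_Server, the three objects the template assumes are already on the firewall.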

=== IPSec debugging ===

Basic

Show established ISAKMP SAs:

show crypto isakmp sa


Show established IPsec SAs:

show crypto ipsec sa


Start showing debug output:

debug crypto isakmp

or

debug crypto ipsec


And stop the debug output again:

no debug crypto isakmp

or

no debug crypto ipsec