Cisco/CLI

Revision of 22 September 2017, 05:59 by Cbs (page newly created)


IPSec

yadda yadda

IPSec Tunnel-Template


route outside-interface-name 192.168.160.0 255.255.255.0 <IP of outside-interface-name>

object network NET_FIRMNAME 
 subnet 192.168.0.0 255.255.255.0

object-group network GRP_FIRMNAME_REMOTE_ACCESS
 network-object object NET_10.0.0.0_24
 network-object object NET_DMZ
 network-object object NET_Server

access-list DC_to_FIRMNAME_ENCDOM extended permit ip object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS
access-list FIRMANEACL extended permit icmp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS
access-list FIRMANEACL extended permit tcp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS EQ 3389
access-list FIRMANEACL extended permit tcp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS EQ 22
access-list FIRMANEACL extended permit tcp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS EQ 6556

nat (inside,outside-telekom) source static NET_FIRMNAME NET_FIRMNAME destination static GRP_FIRMNAME_REMOTE_ACCESS GRP_FIRMNAME_REMOTE_ACCESS no-proxy-arp route-lookup
nat (dmz,outside-telekom) source static NET_FIRMNAME NET_FIRMNAME destination static GRP_FIRMNAME_REMOTE_ACCESS GRP_FIRMNAME_REMOTE_ACCESS no-proxy-arp route-lookup

group-policy FIRMNAMEACCESSPOLICY internal
group-policy FIRMNAMEACCESSPOLICY attributes
 vpn-filter value FIRMANEACL
 vpn-tunnel-protocol ikev1 ikev2

tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
 default-group-policy FIRMNAMEACCESSPOLICY
tunnel-group 1.2.3.4 ipsec-attributes
 ikev1 pre-shared-key <PSK>
 ikev2 remote-authentication pre-shared-key <PSK>
 ikev2 local-authentication pre-shared-key <PSK>

crypto map outside-telekom_map 40 match address DC_to_FIRMNAME_ENCDOM
crypto map outside-telekom_map 40 set peer 1.2.3.4
crypto map outside-telekom_map 40 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside-telekom_map 40 set ikev2 ipsec-proposal AES256
crypto map outside-telekom_map 40 set pfs

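As an added example (not part of the original template), a small Python checker for the cross-references the template above depends on: the ACL named by vpn-filter and by the crypto map, the group-policy named by the tunnel-group, the objects named in ACLs, and the crypto map peer against the tunnel-group. The sample configuration and all names in it are constructed here, with two deliberate mistakes of the kind that FIRMNAME-style placeholders invite, and the checker is a regex pass over the lines, not a full ASA parser.

```python
import re

# Constructed sample, a trimmed copy of the template above with two deliberate defects:
# vpn-filter names an ACL that is never defined, and the crypto map peer has no tunnel-group.
SAMPLE = """\
object network NET_FIRMNAME
 subnet 192.168.0.0 255.255.255.0
object-group network GRP_FIRMNAME_REMOTE_ACCESS
access-list DC_to_FIRMNAME_ENCDOM extended permit ip object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS
access-list FIRMANEACL extended permit tcp object NET_FIRMNAME object-group GRP_FIRMNAME_REMOTE_ACCESS eq 22
group-policy FIRMNAMEACCESSPOLICY internal
group-policy FIRMNAMEACCESSPOLICY attributes
 vpn-filter value FIRMNAMEACL
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
 default-group-policy FIRMNAMEACCESSPOLICY
crypto map outside-telekom_map 40 match address DC_to_FIRMNAME_ENCDOM
crypto map outside-telekom_map 40 set peer 1.2.3.5
"""
# Where each kind of name is defined (group 1 captures the name).
DEFS = {
    "object": r"^object network (\S+)$",
    "object-group": r"^object-group network (\S+)$",
    "access-list": r"^access-list (\S+) ",
    "group-policy": r"^group-policy (\S+) internal$",
    "tunnel-group": r"^tunnel-group (\S+) type ipsec-l2l$",
}
# Where each kind of name is referenced: (regex, kind it must resolve to, description).
REFS = [
    (r"(?:^| )object (\S+)", "object", "object reference"),
    (r"(?:^| )object-group (\S+)", "object-group", "object-group reference"),
    (r"^vpn-filter value (\S+)", "access-list", "vpn-filter"),
    (r"match address (\S+)", "access-list", "crypto map match address"),
    (r"^default-group-policy (\S+)", "group-policy", "default-group-policy"),
    (r"set peer (\S+)", "tunnel-group", "crypto map set peer"),
]

def check_asa_vpn_refs(config: str) -> list[str]:
    # Drop blank lines and the one-space indentation of sub-mode commands.
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # Pass 1: collect every defined name per kind; pass 2: resolve every reference.
    defs = {kind: {m[1] for l in lines if (m := re.match(p, l))} for kind, p in DEFS.items()}
    findings = []
    for l in lines:
        if l.startswith(("object network", "object-group network")):
            continue  # definition lines, not references
        for pattern, kind, what in REFS:
            for name in re.findall(pattern, l):
                if name not in defs[kind]:
                    findings.append(f"{what} references undefined {kind} {name}")
    return findings
```

Findings come back in configuration order, so the first one usually points at the line to fix; an empty list means every name in the template resolves.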

IPSec debugging

Basic

Show established ISAKMP SAs (phase 1):

show crypto isakmp sa


Show established IPsec SAs (phase 2):

show crypto ipsec sa


Start live debug output for the negotiation:

debug crypto isakmp

or

debug crypto ipsec


Stop the debug output again:

no debug crypto isakmp

or

no debug crypto ipsec