(0) exportieren Drucken
Alle erweitern
Dieser Artikel wurde noch nicht bewertet - Dieses Thema bewerten.

Cisco ASA-Vorlagen

Letzte Aktualisierung: Mai 2013

Die folgende Vorlage ist für die Cisco ASA-Gerätefamilie konzipiert. Eine Liste aller verfügbaren Gerätevorlagen finden Sie unter Informationen zu VPN-Geräten für virtuelle Netzwerke. Weitere Informationen zum Konfigurieren einer Gerätevorlage für Ihre Umgebung finden Sie unter Informationen zur Konfiguration von VPN-Gerätevorlagen.

Vorlage für statisches Routing für die Cisco ASA-Gerätefamilie

! Microsoft Corporation
! Windows Azure Virtual Network

! This configuration template applies to Cisco ASA 5500 Series Adaptive Security Appliances running ASA Software 8.3.
! It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.

! ---------------------------------------------------------------------------------------------------------------------
! ACL and NAT rules
! 
! Proper ACL and NAT rules are needed for permitting cross-premise network traffic.
! You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.
object-group network <RP_AzureNetwork>
 network-object <SP_AzureNetworkIpRange> <SP_AzureNetworkSubnetMask>
 exit
object-group network <RP_OnPremiseNetwork>
 network-object <SP_OnPremiseNetworkIpRange> <SP_OnPremiseNetworkSubnetMask>
 exit
access-list <RP_AccessList> extended permit ip object-group <RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
nat (inside,outside) source static <RP_OnPremiseNetwork> <RP_OnPremiseNetwork> destination static <RP_AzureNetwork> <RP_AzureNetwork>

! ---------------------------------------------------------------------------------------------------------------------
! Internet Key Exchange (IKE) configuration
! 
! This section specifies the authentication, encryption, hashing, Diffie-Hellman, and lifetime parameters for the Phase
! 1 negotiation and the main mode security association. We have picked an arbitrary policy # "10" as an example. If
! that happens to conflict with an existing policy, you may choose to use a different policy #.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
 exit

! ---------------------------------------------------------------------------------------------------------------------
! IPSec configuration
! 
! This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
! mode security association. 
crypto ipsec transform-set <RP_IPSecTransformSet> esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000

! ---------------------------------------------------------------------------------------------------------------------
! Crypto map configuration
!
! This section defines a crypto map that binds the cross-premise network traffic to the
! IPSec transform set and remote peer. We have picked an arbitrary ID # "10" as an example. If
! that happens to conflict with an existing crypto map, you may choose to use a different ID #.
crypto map <RP_IPSecCryptoMap> 10 match address <RP_AccessList>
crypto map <RP_IPSecCryptoMap> 10 set peer <SP_AzureGatewayIpAddress>
crypto map <RP_IPSecCryptoMap> 10 set transform-set <RP_IPSecTransformSet>
crypto map <RP_IPSecCryptoMap> interface outside

! ---------------------------------------------------------------------------------------------------------------------
! Tunnel configuration
!
! This section defines an IPSec site-to-site tunnel connecting to the Azure gateway and specifies the pre-shared key
! value used for Phase 1 authentication.  
tunnel-group <SP_AzureGatewayIpAddress> type ipsec-l2l
tunnel-group <SP_AzureGatewayIpAddress> ipsec-attributes
 pre-shared-key <SP_PresharedKey>
 exit

! ---------------------------------------------------------------------------------------------------------------------
! TCPMSS clamping
!
! Adjust the TCPMSS value properly to avoid fragmentation
sysopt connection tcpmss 1350

Vorlage für dynamisches Routing für die Cisco ASA-Gerätefamilie

ImportantWichtig
Dynamisches Routing wird für die Cisco ASA-Gerätefamilie nicht unterstützt.

Siehe auch

Fanden Sie dies hilfreich?
(1500 verbleibende Zeichen)
Vielen Dank für Ihr Feedback.
Anzeigen:
© 2014 Microsoft. Alle Rechte vorbehalten.