Dışarıya aktar (0) Yazdır
Tümünü Genişlet
EN
Bu içerik dilinizde bulunmamaktadır ancak İngilizce sürümüne buradan bakabilirsiniz.

Cisco ASA templates

Updated: February 6, 2014

The template below is for devices in the Cisco ASA device family. For a list of all available device templates, see About VPN Devices for Virtual Network. For information about configuring a device template for your environment, see About configuring VPN device templates.

! Microsoft Corporation
! Windows Azure Virtual Network

! This configuration template applies to Cisco ASA 5500 Series Adaptive Security Appliances running ASA Software 8.3.
! It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.

! ---------------------------------------------------------------------------------------------------------------------
! ACL and NAT rules
! 
! Proper ACL and NAT rules are needed for permitting cross-premise network traffic.
! You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.
object-group network <RP_AzureNetwork>
 network-object <SP_AzureNetworkIpRange> <SP_AzureNetworkSubnetMask>
 exit
object-group network <RP_OnPremiseNetwork>
 network-object <SP_OnPremiseNetworkIpRange> <SP_OnPremiseNetworkSubnetMask>
 exit
access-list <RP_AccessList> extended permit ip object-group <RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
nat (inside,outside) source static <RP_OnPremiseNetwork> <RP_OnPremiseNetwork> destination static <RP_AzureNetwork> <RP_AzureNetwork>

! ---------------------------------------------------------------------------------------------------------------------
! Internet Key Exchange (IKE) configuration
! 
! This section specifies the authentication, encryption, hashing, Diffie-Hellman, and lifetime parameters for the Phase
! 1 negotiation and the main mode security association. We have picked an arbitrary policy # "10" as an example. If
! that happens to conflict with an existing policy, you may choose to use a different policy #.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
 exit

! ---------------------------------------------------------------------------------------------------------------------
! IPSec configuration
! 
! This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
! mode security association. 
crypto ipsec transform-set <RP_IPSecTransformSet> esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000

! ---------------------------------------------------------------------------------------------------------------------
! Crypto map configuration
!
! This section defines a crypto map that binds the cross-premise network traffic to the
! IPSec transform set and remote peer. We have picked an arbitrary ID # "10" as an example. If
! that happens to conflict with an existing crypto map, you may choose to use a different ID #.
crypto map <RP_IPSecCryptoMap> 10 match address <RP_AccessList>
crypto map <RP_IPSecCryptoMap> 10 set peer <SP_AzureGatewayIpAddress>
crypto map <RP_IPSecCryptoMap> 10 set transform-set <RP_IPSecTransformSet>
crypto map <RP_IPSecCryptoMap> interface outside

! ---------------------------------------------------------------------------------------------------------------------
! Tunnel configuration
!
! This section defines an IPSec site-to-site tunnel connecting to the Azure gateway and specifies the pre-shared key
! value used for Phase 1 authentication.  
tunnel-group <SP_AzureGatewayIpAddress> type ipsec-l2l
tunnel-group <SP_AzureGatewayIpAddress> ipsec-attributes
 pre-shared-key <SP_PresharedKey>
 exit

! ---------------------------------------------------------------------------------------------------------------------
! TCPMSS clamping
!
! Adjust the TCPMSS value properly to avoid fragmentation
sysopt connection tcpmss 1350

ImportantImportant
Dynamic routing is not supported for the Cisco ASA family of devices.

See Also

Show:
© 2014 Microsoft