
Cisco ASA Templates

Updated: April 2015

The following template is for devices in the Cisco ASA device family. For a list of all available device templates, see "About VPN Devices for Virtual Network Connectivity". For how to configure a device template for your environment, see "About configuring VPN device templates".

! Microsoft Corporation
! Windows Azure Virtual Network

! This configuration template applies to Cisco ASA 5500 Series Adaptive Security Appliances running ASA Software 8.3.
! It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.

! ---------------------------------------------------------------------------------------------------------------------
! ACL and NAT rules
!
! Proper ACL and NAT rules are needed for permitting cross-premise network traffic.
! You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.
object-group network <RP_AzureNetwork>
 network-object <SP_AzureNetworkIpRange> <SP_AzureNetworkSubnetMask>
 exit
object-group network <RP_OnPremiseNetwork>
 network-object <SP_OnPremiseNetworkIpRange> <SP_OnPremiseNetworkSubnetMask>
 exit
access-list <RP_AccessList> extended permit ip object-group <RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
nat (inside,outside) source static <RP_OnPremiseNetwork> <RP_OnPremiseNetwork> destination static <RP_AzureNetwork> <RP_AzureNetwork>

! ---------------------------------------------------------------------------------------------------------------------
! Internet Key Exchange (IKE) configuration
!
! This section specifies the authentication, encryption, hashing, Diffie-Hellman, and lifetime parameters for the Phase
! 1 negotiation and the main mode security association. We have picked an arbitrary policy # "10" as an example. If
! that happens to conflict with an existing policy, you may choose to use a different policy #.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
 exit

! ---------------------------------------------------------------------------------------------------------------------
! IPSec configuration
!
! This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
! mode security association.
crypto ipsec transform-set <RP_IPSecTransformSet> esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000

! ---------------------------------------------------------------------------------------------------------------------
! Crypto map configuration
!
! This section defines a crypto map that binds the cross-premise network traffic to the
! IPSec transform set and remote peer. We have picked an arbitrary ID # "10" as an example. If
! that happens to conflict with an existing crypto map, you may choose to use a different ID #.
crypto map <RP_IPSecCryptoMap> 10 match address <RP_AccessList>
crypto map <RP_IPSecCryptoMap> 10 set peer <SP_AzureGatewayIpAddress>
crypto map <RP_IPSecCryptoMap> 10 set transform-set <RP_IPSecTransformSet>
crypto map <RP_IPSecCryptoMap> interface outside

! ---------------------------------------------------------------------------------------------------------------------
! Tunnel configuration
!
! This section defines an IPSec site-to-site tunnel connecting to the Azure gateway and specifies the pre-shared key
! value used for Phase 1 authentication.
tunnel-group <SP_AzureGatewayIpAddress> type ipsec-l2l
tunnel-group <SP_AzureGatewayIpAddress> ipsec-attributes
 pre-shared-key <SP_PresharedKey>
 exit

! ---------------------------------------------------------------------------------------------------------------------
! TCPMSS clamping
!
! Adjust the TCPMSS value properly to avoid fragmentation
sysopt connection tcpmss 1350

Important
Dynamic routing is not supported on the Cisco ASA device family.
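
The following Python script is an added example, not part of Microsoft's template. It checks a config rendered from the template above for leftover <RP_...>/<SP_...> placeholders, for Phase 1 and Phase 2 values that differ from the ones the template sets, and for a crypto map peer that does not match the tunnel-group address. The function name, the sample config, its object names and the 203.0.113.x documentation addresses are constructed for illustration, and the script assumes a single isakmp policy block as in the template.

```python
import re

# Values the template on this page sets for Phase 1 and Phase 2.
PHASE1 = {"authentication": "pre-share", "encryption": "aes-256",
          "hash": "sha", "group": "2", "lifetime": "28800"}
PHASE2 = ["esp-aes-256", "esp-sha-hmac"]

def check_config(text):
    """Return a list of findings for an ASA config rendered from the template."""
    lines = [l.rstrip() for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("!")]
    body = "\n".join(lines)
    # Placeholders (<RP_...>, <SP_...>) that were never substituted.
    findings = [f"unreplaced placeholder {p}"
                for p in sorted(set(re.findall(r"<(?:RP|SP)_\w+>", body)))]
    # Phase 1: read the indented sub-commands under "crypto isakmp policy N".
    m1 = re.search(r"^crypto isakmp policy \d+\n((?: .+\n?)*)", body, re.M)
    subs = [l.split() for l in (m1.group(1).splitlines() if m1 else [])]
    policy = {s[0]: s[1] for s in subs if len(s) == 2}
    for key, want in PHASE1.items():
        if policy.get(key) != want:
            findings.append(f"isakmp {key}: expected {want}, found {policy.get(key)}")
    # Phase 2: the transforms listed after the transform-set name.
    m2 = re.search(r"^crypto ipsec transform-set \S+ (.+)$", body, re.M)
    if not m2 or m2.group(1).split() != PHASE2:
        findings.append("transform-set does not match esp-aes-256 esp-sha-hmac")
    # The crypto map peer and the tunnel-group name must be the same address.
    peers = set(re.findall(r"^crypto map \S+ \d+ set peer (\S+)$", body, re.M))
    groups = set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l$", body, re.M))
    if peers != groups:
        findings.append(f"peer mismatch: crypto map {sorted(peers)} vs tunnel-group {sorted(groups)}")
    return findings

# Constructed sample with three deliberate mistakes; names and addresses are made up.
SAMPLE = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
 exit
crypto ipsec transform-set azure-ts esp-aes-256 esp-sha-hmac
crypto map azure-map 10 set peer 203.0.113.10
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key <SP_PresharedKey>
"""
if __name__ == "__main__":
    print("\n".join(check_config(SAMPLE)))
```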
