
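Cisco ASA templates

Updated: April 2015

The template below is for devices in the Cisco ASA device family. For a list of all available device templates, see About VPN Devices for Virtual Network Connectivity. For more information about configuring a device template for your environment, see About configuring VPN device templates.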

! Microsoft Corporation
! Windows Azure Virtual Network

! This configuration template applies to Cisco ASA 5500 Series Adaptive Security Appliances running ASA Software 8.3.
! It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.

! ---------------------------------------------------------------------------------------------------------------------
! ACL and NAT rules
!
! Proper ACL and NAT rules are needed for permitting cross-premise network traffic.
! You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.
object-group network <RP_AzureNetwork>
 network-object <SP_AzureNetworkIpRange> <SP_AzureNetworkSubnetMask>
 exit
object-group network <RP_OnPremiseNetwork>
 network-object <SP_OnPremiseNetworkIpRange> <SP_OnPremiseNetworkSubnetMask>
 exit
access-list <RP_AccessList> extended permit ip object-group <RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
nat (inside,outside) source static <RP_OnPremiseNetwork> <RP_OnPremiseNetwork> destination static <RP_AzureNetwork> <RP_AzureNetwork>

! ---------------------------------------------------------------------------------------------------------------------
! Internet Key Exchange (IKE) configuration
!
! This section specifies the authentication, encryption, hashing, Diffie-Hellman, and lifetime parameters for the Phase
! 1 negotiation and the main mode security association. We have picked an arbitrary policy # "10" as an example. If
! that happens to conflict with an existing policy, you may choose to use a different policy #.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
 exit

! ---------------------------------------------------------------------------------------------------------------------
! IPSec configuration
!
! This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
! mode security association.
crypto ipsec transform-set <RP_IPSecTransformSet> esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000

! ---------------------------------------------------------------------------------------------------------------------
! Crypto map configuration
!
! This section defines a crypto map that binds the cross-premise network traffic to the
! IPSec transform set and remote peer. We have picked an arbitrary ID # "10" as an example. If
! that happens to conflict with an existing crypto map, you may choose to use a different ID #.
crypto map <RP_IPSecCryptoMap> 10 match address <RP_AccessList>
crypto map <RP_IPSecCryptoMap> 10 set peer <SP_AzureGatewayIpAddress>
crypto map <RP_IPSecCryptoMap> 10 set transform-set <RP_IPSecTransformSet>
crypto map <RP_IPSecCryptoMap> interface outside

! ---------------------------------------------------------------------------------------------------------------------
! Tunnel configuration
!
! This section defines an IPSec site-to-site tunnel connecting to the Azure gateway and specifies the pre-shared key
! value used for Phase 1 authentication.
tunnel-group <SP_AzureGatewayIpAddress> type ipsec-l2l
tunnel-group <SP_AzureGatewayIpAddress> ipsec-attributes
 pre-shared-key <SP_PresharedKey>
 exit

! ---------------------------------------------------------------------------------------------------------------------
! TCPMSS clamping
!
! Adjust the TCPMSS value properly to avoid fragmentation
sysopt connection tcpmss 1350

Important
Dynamic routing is not supported for the Cisco ASA family of devices.
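
An added example, not part of the original Microsoft page: a Python check that compares a filled-in copy of the template against the IKE, IPSec and TCP MSS values the template sets, and reports any `<RP_...>`/`<SP_...>` placeholder that was never substituted. The function name, the sample configuration, the transform-set name `azure-ts` and the address 203.0.113.10 are constructed for illustration.

```python
import re
# Parameters the template sets; the audit reports any drift from them.
EXPECTED_IKE = {"authentication": "pre-share", "encryption": "aes-256",
                "hash": "sha", "group": "2", "lifetime": "28800"}
EXPECTED_LINES = [
    r"crypto ipsec transform-set \S+ esp-aes-256 esp-sha-hmac",
    r"crypto ipsec security-association lifetime seconds 3600",
    r"crypto ipsec security-association lifetime kilobytes 102400000",
    r"sysopt connection tcpmss 1350",
]

def audit_asa_config(text):
    """Return findings for a filled-in copy of the template (empty list = clean)."""
    lines = [l.rstrip() for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("!")]
    # Leftover <RP_...>/<SP_...> markers mean a value was never substituted.
    leftovers = sorted(set(re.findall(r"<(?:RP|SP)_\w+>", "\n".join(lines))))
    findings = [f"unfilled placeholder {p}" for p in leftovers]
    ike, in_policy = {}, False
    for line in lines:
        if line.startswith("crypto isakmp policy "):
            in_policy = True
        elif in_policy and line.startswith(" "):
            key, _, value = line.strip().partition(" ")  # " hash sha" -> hash, sha
            ike[key] = value
        else:
            in_policy = False
    for key, want in EXPECTED_IKE.items():
        if ike.get(key) != want:
            findings.append(f"IKE {key}: expected {want}, found {ike.get(key)}")
    for pattern in EXPECTED_LINES:
        if not any(re.fullmatch(pattern, l) for l in lines):
            findings.append(f"missing or changed: {pattern}")
    return findings

# Constructed sample: hash changed to md5, kilobyte lifetime dropped, key unfilled.
SAMPLE = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 28800
crypto ipsec transform-set azure-ts esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <SP_PresharedKey>
sysopt connection tcpmss 1350
"""
```

Calling `audit_asa_config(SAMPLE)` returns three findings: the unfilled pre-shared key, the changed IKE hash, and the missing kilobyte lifetime.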

© 2015 Microsoft