Cisco ASA samples

Updated: July 13, 2015

The sample below is for devices in the Cisco ASA device family. Use it as a guideline: the placeholder values in angle brackets must be replaced with your own names, address ranges and key before the configuration is applied. For VPN device support, contact your device manufacturer.

For a list of all available device samples, see About VPN Devices and Gateways for Virtual Network Connectivity. For information about configuring a device sample for your environment, see About configuring VPN device samples.

! Microsoft Corporation
! Microsoft Azure Virtual Network

! This configuration sample applies to Cisco ASA 5500 Series Adaptive Security Appliances running ASA Software 8.3.
! It configures an IPSec VPN tunnel connecting your on-premises VPN device with the Azure gateway.

! ---------------------------------------------------------------------------------------------------------------------
! ACL and NAT rules
! Proper ACL and NAT rules are needed for permitting cross-premises network traffic.
! The access-list below selects the traffic that enters the tunnel (it is referenced by the crypto map further down),
! and the nat statement is an identity (twice) NAT that exempts that traffic from any other translation rules.
! You should also allow inbound IKE and ESP traffic on the interface which will be used for the IPSec tunnel:
! UDP/500 (ISAKMP), UDP/4500 (NAT-T) and IP protocol 50 (ESP).
object-group network <RP_AzureNetwork>
 network-object <SP_AzureNetworkIpRange> <SP_AzureNetworkSubnetMask>
object-group network <RP_OnPremiseNetwork>
 network-object <SP_OnPremiseNetworkIpRange> <SP_OnPremiseNetworkSubnetMask>
access-list <RP_AccessList> extended permit ip object-group <RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
nat (inside,outside) source static <RP_OnPremiseNetwork> <RP_OnPremiseNetwork> destination static <RP_AzureNetwork> <RP_AzureNetwork>

! ---------------------------------------------------------------------------------------------------------------------
! Internet Key Exchange (IKE) configuration
! This section specifies the authentication, encryption, hashing, Diffie-Hellman, and lifetime parameters for the Phase
! 1 negotiation and the main mode security association. These values must match what the Azure gateway proposes;
! changing them on the ASA alone causes the Phase 1 negotiation to fail. We have picked an arbitrary policy # "10" as
! an example. If that happens to conflict with an existing policy, you may choose to use a different policy #
! (policies are tried in ascending order, so a lower number takes precedence).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

! ---------------------------------------------------------------------------------------------------------------------
! IPSec configuration
! This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
! mode security association. 
crypto ipsec transform-set <RP_IPSecTransformSet> esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000

! ---------------------------------------------------------------------------------------------------------------------
! Crypto map configuration
! This section defines a crypto map that binds the cross-premise network traffic to the
! IPSec transform set and remote peer. We have picked an arbitrary ID # "10" as an example. If
! that happens to conflict with an existing crypto map, you may choose to use a different ID #.
crypto map <RP_IPSecCryptoMap> 10 match address <RP_AccessList>
crypto map <RP_IPSecCryptoMap> 10 set peer <SP_AzureGatewayIpAddress>
crypto map <RP_IPSecCryptoMap> 10 set transform-set <RP_IPSecTransformSet>
crypto map <RP_IPSecCryptoMap> interface outside

! ---------------------------------------------------------------------------------------------------------------------
! Tunnel configuration
! This section defines an IPSec site-to-site tunnel connecting to the Azure gateway and specifies the pre-shared key
! value used for Phase 1 authentication. The key must be identical to the shared key configured on the Azure gateway.
! Note that "show running-config" masks the key as *****; use "more system:running-config" to verify what was stored.
tunnel-group <SP_AzureGatewayIpAddress> type ipsec-l2l
tunnel-group <SP_AzureGatewayIpAddress> ipsec-attributes
 pre-shared-key <SP_PresharedKey>

! ---------------------------------------------------------------------------------------------------------------------
! TCPMSS clamping
! Clamp the TCP MSS so that a TCP segment plus the ESP tunnel overhead still fits the path MTU and is not fragmented.
! 1350 leaves headroom for ESP and NAT-T encapsulation on a 1500-byte MTU. This sysopt is global on the ASA, so it
! applies to every TCP connection through the appliance, not only to tunnelled traffic.
sysopt connection tcpmss 1350
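
The script below is an added example for this page, not Microsoft's or Cisco's tooling. It renders the sample above from concrete parameters: it fills the <RP_*> and <SP_*> placeholders, converts CIDR prefixes into the dotted masks that ASA object-groups expect, refuses input that would produce a silently non-working tunnel (overlapping prefixes, a malformed peer address), and checks the tcpmss value against the worst-case ESP overhead of the esp-aes-256/esp-sha-hmac transform set. The object-group, ACL, transform-set and crypto-map names, the sample addresses, and the pre-shared key length and character rules are this script's own assumptions, not requirements stated on the page.

```python
"""Render the Cisco ASA sample from concrete parameters (added example)."""
import ipaddress
import re

# Same commands as the sample, with the placeholders turned into format fields.
ASA_TEMPLATE = """\
object-group network {rp_azure}
 network-object {azure_net} {azure_mask}
object-group network {rp_onprem}
 network-object {onprem_net} {onprem_mask}
access-list {rp_acl} extended permit ip object-group {rp_onprem} object-group {rp_azure}
nat (inside,outside) source static {rp_onprem} {rp_onprem} destination static {rp_azure} {rp_azure}
crypto isakmp enable outside
crypto isakmp policy {isakmp_policy}
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto ipsec transform-set {rp_ts} esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto map {rp_map} {map_seq} match address {rp_acl}
crypto map {rp_map} {map_seq} set peer {peer}
crypto map {rp_map} {map_seq} set transform-set {rp_ts}
crypto map {rp_map} interface outside
tunnel-group {peer} type ipsec-l2l
tunnel-group {peer} ipsec-attributes
 pre-shared-key {psk}
sysopt connection tcpmss {mss}
"""


def esp_overhead(nat_t: bool) -> int:
    """Worst-case bytes that tunnel-mode ESP with AES-256-CBC and
    HMAC-SHA1-96 adds to one packet (RFC 4303 layout)."""
    outer_ipv4 = 20
    udp_encap = 8 if nat_t else 0   # NAT-T wraps ESP in UDP/4500
    esp_header = 8                  # SPI + sequence number
    iv = 16                         # AES-CBC block size
    trailer = 15 + 2                # up to 15 pad bytes + pad-length + next-header
    icv = 12                        # truncated SHA-1 MAC
    return outer_ipv4 + udp_encap + esp_header + iv + trailer + icv


def max_tcp_mss(path_mtu: int = 1500, nat_t: bool = True) -> int:
    """Largest inner TCP MSS whose encrypted packet still fits path_mtu."""
    inner_ipv4_and_tcp = 20 + 20
    return path_mtu - esp_overhead(nat_t) - inner_ipv4_and_tcp


def render_asa_config(*, azure_cidr: str, onprem_cidr: str, azure_gateway_ip: str,
                      psk: str, isakmp_policy: int = 10, map_seq: int = 10,
                      path_mtu: int = 1500, tcpmss: int = 1350) -> str:
    """Return the ASA configuration text, or raise ValueError on bad input."""
    azure = ipaddress.IPv4Network(azure_cidr, strict=True)
    onprem = ipaddress.IPv4Network(onprem_cidr, strict=True)
    if azure.overlaps(onprem):
        # Overlapping prefixes are routed locally and never reach the tunnel.
        raise ValueError("Azure and on-premises prefixes overlap")
    peer = ipaddress.IPv4Address(azure_gateway_ip)   # raises on malformed input
    # Key policy is this script's assumption, not a rule stated on the page:
    # alphanumeric avoids ASA quoting pitfalls, 16+ chars resists offline guessing.
    if len(psk) < 16 or not re.fullmatch(r"[A-Za-z0-9]+", psk):
        raise ValueError("pre-shared key must be alphanumeric and at least 16 characters")
    if tcpmss > max_tcp_mss(path_mtu, nat_t=True):
        raise ValueError(f"tcpmss {tcpmss} exceeds {max_tcp_mss(path_mtu)} for MTU {path_mtu}")
    return ASA_TEMPLATE.format(
        rp_azure="AzureNetwork", rp_onprem="OnPremNetwork", rp_acl="AzureACL",
        rp_ts="AzureTransformSet", rp_map="AzureCryptoMap",
        azure_net=azure.network_address, azure_mask=azure.netmask,
        onprem_net=onprem.network_address, onprem_mask=onprem.netmask,
        isakmp_policy=isakmp_policy, map_seq=map_seq, peer=peer, psk=psk, mss=tcpmss,
    )


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges), not a real deployment.
    print(render_asa_config(azure_cidr="10.1.0.0/16", onprem_cidr="192.168.10.0/24",
                            azure_gateway_ip="203.0.113.10", psk="ExampleSharedKey2015"))
```

With a 1500-byte path MTU the worst-case ESP overhead works out to 73 bytes without NAT-T and 81 bytes with it, so the largest safe MSS is 1379; the sample's 1350 sits below that with headroom for an extra encapsulation on the path. The rendered text is meant to be reviewed and pasted into the ASA configuration, not pushed automatically, since the pre-shared key appears in clear text in the output.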

Dynamic routing (the Azure route-based gateway type) is not supported for the Cisco ASA family of devices; this crypto-map based sample works only with a static routing (policy-based) Azure gateway.

© 2015 Microsoft