Internet Key Exchange (IKE): This is the mechanism used by the security appliance for securely establishing encryption keys, authenticating IPSec peers and negotiating IPSec security parameters. On the ASA firewall this is synonymous with ISAKMP, as we will see in the IPSec configuration: the CLI keyword for IKE version 1 is isakmp.

DES, 3DES, AES: All of these are encryption algorithms supported by the Cisco ASA firewall. DES is the weakest (it uses a 56-bit key) and AES is the strongest (128, 192 or 256-bit keys). 3DES is a middle choice with a 168-bit key, which gives only about 112 bits of effective strength. DES should not be used at all any more, and AES is the right choice for any new tunnel.

Diffie-Hellman Group (DH): This is a public-key key-agreement protocol used by IKE to derive session keys without ever sending them over the network. The group number selects the size of the modulus (group 1 is 768-bit, group 2 is 1024-bit, group 5 is 1536-bit, group 14 is 2048-bit); groups below 2048 bits are considered weak today.

MD5, SHA-1: These are both hash algorithms (used in their HMAC form) to authenticate packet data, that is, to detect any modification in transit. SHA-1 is stronger than MD5.

Security Association (SA): An SA is a connection between two IPSec peers. Each IPSec peer maintains an SA database in its memory containing the SA parameters. SAs are uniquely identified by the IPSec peer address, the security protocol and the Security Parameter Index (SPI). SAs are unidirectional, so an established tunnel holds one inbound and one outbound SA on each peer.

HOW IPSEC WORKS

There are five main steps followed by the IPSec devices:

1. Interesting Traffic: The IPSec devices recognize the traffic to protect.
2. Phase 1 (ISAKMP): The IPSec devices negotiate an IKE security policy, authenticate each other and establish a secure channel for communication.
3. Phase 2 (IPSec): The IPSec devices negotiate an IPSec security policy to protect data.
4. Data Transfer: Data is transferred securely between the IPSec peers based on the IPSec parameters and keys negotiated during the previous phases.
5. IPSec Tunnel Terminated: IPSec SAs terminate when their lifetime expires or when a certain data volume has been reached.

The steps above will become clear when we see actual configuration examples. Let's start with the first IPSec VPN type that we will describe in this chapter: Site-to-Site VPN.

SITE-TO-SITE IPSEC VPN

Site-to-Site IPSec VPN is sometimes called LAN-to-LAN VPN. As the name implies, this VPN type connects two distant LAN networks over the Internet. Usually, Local Area Networks use private addressing, as shown in our diagram above. Without VPN connectivity, the two LAN networks above (LAN-1 and LAN-2) would not be able to communicate. By configuring a Site-to-Site IPSec VPN between the two ASA firewalls, we can establish a secure tunnel over the Internet and pass our private LAN traffic inside this tunnel. The result is that hosts in network 192.168.1.0/24 can now directly access hosts in network 192.168.2.0/24 (and vice versa) as if they were located in the same LAN. The IPSec tunnel is established between the public IP addresses of the firewalls (100.100.100.1 and 200.200.200.1).

CONFIGURING SITE-TO-SITE IPSEC VPN

As we described above in "How IPSec Works", there are five steps in the operation of IPSec. Next we will describe the configuration commands needed for each step in order to set up the VPN. All configuration examples below refer to the network diagram for the site-to-site VPN.

STEP 1: Configure Interesting Traffic

We first need to define the Interesting Traffic, that is, the traffic that will be encrypted. Using access lists (the Crypto ACL) we identify which traffic flow must be encrypted. In our example diagram above, we want all traffic between the private networks 192.168.1.0/24 and 192.168.2.0/24 to be encrypted.

ASA 1:
ASA-1(config)# access-list LAN1-to-LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

ASA 2:
ASA-2(config)# access-list LAN2-to-LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Notice that we have to configure the exact mirror access list on each ASA firewall participating in the IPSec VPN: the source of one is the destination of the other, with identical subnet masks. The Crypto ACL only needs to identify outbound traffic (local network as source, remote network as destination); the firewall uses the mirrored form to check decrypted inbound traffic. A permit statement in the ACL means that the specific traffic must be encrypted.

One important issue to consider is the case of using NAT on the firewall for normal Internet access. The ASA translates a packet before it evaluates the crypto map, so if the LAN-to-LAN traffic were translated to the outside address it would no longer match the Crypto ACL: it would leave the outside interface translated and unencrypted, and the remote peer would drop it. This means in our example that the Interesting Traffic in the Crypto ACL must be excluded from the NAT operation (identity NAT, configured with the nat 0 command on versions before 8.3). See the configuration below.

Cisco ASA versions before 8.3

ASA 1:
ASA-1(config)# access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ASA-1(config)# nat (inside) 0 access-list NONAT
(excludes traffic from LAN1 to LAN2 from the NAT operation)

ASA 2:
ASA-2(config)# access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA-2(config)# nat (inside) 0 access-list NONAT
(excludes traffic from LAN2 to LAN1 from the NAT operation)

Cisco ASA Version 8.3 and later

ASA 1:
ASA-1(config)# object network obj-local
ASA-1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA-1(config-network-object)# exit
ASA-1(config)# object network obj-remote
ASA-1(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA-1(config-network-object)# exit
ASA-1(config)# nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote

ASA 2:
ASA-2(config)# object network obj-local
ASA-2(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA-2(config-network-object)# exit
ASA-2(config)# object network obj-remote
ASA-2(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA-2(config-network-object)# exit
ASA-2(config)# nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote

The line number 1 places this identity rule at the top of the NAT table, so it is matched before any dynamic PAT rule used for general Internet access.

STEP 2: Configure Phase 1 (ISAKMP)

Phase 1 of the IPSec operation is used to establish a secure communication channel for further negotiation. In Phase 1 the VPN peers negotiate the IKE security policy, authenticate each other (with a pre-shared key or certificates; the pre-shared key itself never crosses the wire) and run a Diffie-Hellman exchange to derive the keys that protect the channel. In this Phase we configure an isakmp policy, and at least one policy MUST match the policy configured on the other peer(s). This isakmp policy tells the other peer(s) what security parameters must be used in the VPN (e.g. encryption algorithm, hash algorithm, authentication method, Diffie-Hellman Group (DH), lifetime threshold for the tunnel etc.)
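The configuration above has three places where a small mistake silently breaks the tunnel or, worse, lets LAN traffic leave unencrypted: a Crypto ACL that is not an exact mirror of the peer's, interesting traffic that is not exempted from NAT, and Phase 1 policies that do not agree. The following Python script is an added example written for this page, not part of the book or of any Cisco tool. It parses configuration fragments in the format shown above and reports each of those problems. All configuration snippets in it are constructed for the example and use the LAN-1/LAN-2 addresses from the diagram; the policy block uses the pre-8.4 "crypto isakmp policy" keyword, and the parser only understands the network/mask ACL form used in this chapter.

```python
"""Pre-change sanity checks for an ASA site-to-site IPsec VPN (added example)."""
import ipaddress
import re

# Matches the network/mask 'extended permit|deny ip' form used in the chapter.
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)
PHASE1_FIELDS = ("authentication", "encryption", "hash", "group", "lifetime")


def parse_acl(text):
    """Return (name, action, src_net, dst_net) for each access-list line.

    'any', 'host' and port-based entries are rejected on purpose rather than
    being silently misread as interesting traffic.
    """
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line.startswith("access-list"):
            continue
        m = ACE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported ACE for this checker: {line}")
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=True)
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=True)
        entries.append((m["name"], m["action"], src, dst))
    return entries


def unmirrored_entries(local_acl, remote_acl):
    """Local crypto ACL permits that the remote peer does not mirror exactly.

    A mirror is the same entry with source and destination swapped and the
    same prefix lengths; a /24 against a /25 fails Phase 2 negotiation.
    """
    remote = {(dst, src) for _, act, src, dst in parse_acl(remote_acl) if act == "permit"}
    return [(src, dst) for _, act, src, dst in parse_acl(local_acl)
            if act == "permit" and (src, dst) not in remote]


def not_nat_exempt(crypto_acl, nonat_acl):
    """Interesting-traffic entries not fully covered by a NAT-exemption entry.

    Anything returned would be translated before the crypto map is evaluated
    and leave the outside interface as plain, NATted traffic.
    """
    exempt = [(src, dst) for _, act, src, dst in parse_acl(nonat_acl) if act == "permit"]
    return [(src, dst) for _, act, src, dst in parse_acl(crypto_acl)
            if act == "permit"
            and not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt)]


def parse_isakmp_policy(text):
    """Return {field: value} from the body of one isakmp/ikev1 policy block."""
    policy = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in PHASE1_FIELDS:
            policy[parts[0]] = parts[1]
    return policy


def phase1_mismatches(local_policy, remote_policy):
    """Phase 1 fields on which the two peers disagree.

    Lifetime is left out: IKEv1 peers settle on the shorter offered lifetime,
    so a difference there is not a negotiation failure.
    """
    a, b = parse_isakmp_policy(local_policy), parse_isakmp_policy(remote_policy)
    return {f: (a.get(f), b.get(f)) for f in PHASE1_FIELDS
            if f != "lifetime" and a.get(f) != b.get(f)}


# Constructed configuration fragments for the LAN-1 / LAN-2 diagram.
ASA1_CRYPTO = "access-list LAN1-to-LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0"
ASA2_CRYPTO = "access-list LAN2-to-LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0"
ASA1_NONAT = "access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0"
# A typo that breaks Phase 2: the far side mirrors only half of LAN-2.
ASA2_CRYPTO_BROKEN = "access-list LAN2-to-LAN1 extended permit ip 192.168.2.0 255.255.255.128 192.168.1.0 255.255.255.0"
ASA1_POLICY = """crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400"""
ASA2_POLICY = """crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800"""

if __name__ == "__main__":
    print("unmirrored (good pair):  ", unmirrored_entries(ASA1_CRYPTO, ASA2_CRYPTO))
    print("unmirrored (broken pair):", unmirrored_entries(ASA1_CRYPTO, ASA2_CRYPTO_BROKEN))
    print("not NAT exempt:          ", not_nat_exempt(ASA1_CRYPTO, ASA1_NONAT))
    print("no NONAT at all:         ", not_nat_exempt(ASA1_CRYPTO, ""))
    print("phase 1 mismatches:      ", phase1_mismatches(ASA1_POLICY, ASA2_POLICY))
```

Run it against copies of "show running-config access-list" and the isakmp policy block from both firewalls before bringing the tunnel up; an empty list or dict from each check means the three configuration points above agree.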