Tuesday, December 1, 2015

IPSec Site to Site VPN Between MikroTik and Cisco ASA

Diagram

(The diagram image did not survive; the topology it showed is recoverable from the configuration below. The Cisco ASA has 192.168.2.0/24 behind its inside interface and terminates the tunnel on its outside address 20.20.20.2. The MikroTik has 192.168.1.0/24 behind it and terminates the tunnel on 10.10.10.2, which is on ether1. Both sides authenticate with the pre-shared key "sitetosite".)

ASA Configuration:
ASA#conf t
ASA(config)#object network local
ASA(config-network-object)#subnet 192.168.2.0 255.255.255.0
ASA(config-network-object)#object network remote
ASA(config-network-object)#subnet 192.168.1.0 255.255.255.0
ASA(config-network-object)#exit
ASA(config)#crypto isakmp enable outside
ASA(config)#access-list outside_crypto extended permit ip object local object remote
ASA(config)#tunnel-group 10.10.10.2 type ipsec-l2l
ASA(config)#tunnel-group 10.10.10.2 ipsec-attributes
ASA(config-tunnel-ipsec)#pre-shared-key sitetosite
ASA(config-tunnel-ipsec)#isakmp keepalive threshold 10 retry 2
ASA(config-tunnel-ipsec)#exit
IKE (Internet Key Exchange), built on ISAKMP (Internet Security Association and Key Management Protocol), is the protocol two peers use to agree on how to build an IPsec security association. The negotiation has two phases. Phase 1 authenticates the peers (here with the pre-shared key from the tunnel-group) and sets up a protected ISAKMP SA using the isakmp policy; phase 2 then negotiates the IPsec SA itself from the transform set, the PFS group and the traffic matched by the crypto ACL. Both ends must offer the same phase 1 parameters (encryption, hash, DH group, authentication method) and the same phase 2 parameters (ESP transform and PFS group); lifetimes need not be identical, the ASA simply uses the shorter of the two.
ASA(config)#crypto isakmp policy 10 authentication pre-share
ASA(config)#crypto isakmp policy 10 encryption 3des
ASA(config)#crypto isakmp policy 10 hash sha
ASA(config)#crypto isakmp policy 10 group 2
ASA(config)#crypto isakmp policy 10 lifetime 86400
ASA(config)#crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
ASA(config)#crypto map outside-map 1 match address outside_crypto
ASA(config)#crypto map outside-map 1 set pfs group2
ASA(config)#crypto map outside-map 1 set peer 10.10.10.2
ASA(config)#crypto map outside-map 1 set transform-set ESP-3DES-SHA
ASA(config)#crypto map outside-map interface outside
ASA(config)#nat (inside,outside) 1 source static local local destination static remote remote
ASA(config)#route outside 0.0.0.0 0.0.0.0 (Gateway Address)
ASA(config)#wr
The PFS group is set to group2 (1024-bit) so that it matches the modp1024 PFS group in the MikroTik proposal; group1 on one side and modp1024 on the other would make every phase 2 negotiation fail. The twice-NAT statement is the NAT exemption: without it, traffic from 192.168.2.0/24 to 192.168.1.0/24 would be translated to the outside address before the crypto map sees it and would never match outside_crypto.
Cisco ASA Verification:
ASA#show crypto map
ASA#show crypto isakmp sa
ASA#show crypto ipsec sa
After some traffic has been sent between the two LANs, show crypto isakmp sa should list peer 10.10.10.2 in state MM_ACTIVE, and show crypto ipsec sa should show the encrypt/decrypt packet counters for the 192.168.2.0/24 to 192.168.1.0/24 pair increasing.
MikroTik Router Configuration:
[admin@MikroTik] /ip ipsec peer> add address=20.20.20.2/32:500 auth-method=pre-shared-key secret="sitetosite"
    generate-policy=no exchange-mode=main send-initial-contact=yes
    nat-traversal=no proposal-check=obey hash-algorithm=sha1
    enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
    dpd-interval=disable-dpd dpd-maximum-failures=1
[admin@MikroTik] /ip ipsec proposal> set default auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
    pfs-group=modp1024
[admin@MikroTik] /ip ipsec policy> add src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any
    protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
    sa-src-address=10.10.10.2 sa-dst-address=20.20.20.2 proposal=default
    priority=0
[admin@MikroTik] /ip firewall nat> add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24
[admin@MikroTik] /ip firewall nat> add chain=srcnat action=masquerade src-address=192.168.1.0/24 out-interface=ether1
Notes. RouterOS already ships a proposal named "default", so it is modified with set rather than added. In the policy, sa-src-address is this router's own tunnel endpoint (10.10.10.2, the address the ASA peers with) and sa-dst-address is the ASA's outside address (20.20.20.2, the same address given in the peer entry); getting these the wrong way round is the most common reason the policy never installs an SA. The srcnat accept rule must sit above the masquerade rule, otherwise LAN-to-LAN traffic is masqueraded to ether1's address before IPsec sees it and never matches the policy; it is the MikroTik counterpart of the ASA's identity NAT. proposal-check=obey makes the MikroTik accept the initiator's lifetime, so the 30m and 1d values do not have to equal the ASA's, but 3des, sha1 and modp1024 in the peer and the proposal must match the ASA's isakmp policy, transform set and pfs group exactly. Verify with /ip ipsec remote-peers print and /ip ipsec installed-sa print. 3DES, SHA-1 and 1024-bit DH are the lowest common denominator of 2015-era equipment; where both ends support it, use AES-256, SHA-256 and DH group 14 (modp2048) for phase 1 and PFS, and replace the dictionary-word pre-shared key with a long random one.
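The script below is an added example, not code from the original post. It parses the flat ASA command form and the RouterOS key=value command form used above into one vocabulary and reports every parameter the two peers would fail to agree on: phase 1 proposal, phase 2 transform, PFS group, peer addresses and traffic selectors. The two sample configurations inside it are constructed and deliberately carry two classic mistakes (PFS group1 on the ASA against modp1024 on the MikroTik, and sa-src-address/sa-dst-address swapped); the ASA outside address 20.20.20.2 is an assumption taken from the MikroTik peer entry, since the ASA side never states it.

```python
"""Cross-check both ends of an IKEv1/IPsec site-to-site tunnel (added example, not
from the original post): parse the ASA and RouterOS lines that carry the negotiable
parameters and report everything the two peers would fail to agree on."""
import ipaddress
import re
# The vendors name the same DH groups and algorithms differently; normalize first.
DH_BITS = {"1": 768, "2": 1024, "5": 1536, "14": 2048,
           "modp768": 768, "modp1024": 1024, "modp1536": 1536, "modp2048": 2048}
ALG = {"sha": "sha1", "sha1": "sha1", "esp-sha-hmac": "sha1", "3des": "3des", "esp-3des": "3des"}

def parse_asa(text):
    """Read the flat-form isakmp policy, transform set, crypto map and network objects."""
    simple = {"p1_enc": (r"crypto isakmp policy \d+ encryption (\S+)", ALG.get),
              "p1_hash": (r"crypto isakmp policy \d+ hash (\S+)", ALG.get),
              "p1_dh": (r"crypto isakmp policy \d+ group (\S+)", DH_BITS.get),
              "pfs": (r"crypto map \S+ \d+ set pfs group(\S+)", DH_BITS.get),
              "remote_peer": (r"crypto map \S+ \d+ set peer (\S+)", str)}
    s, objects, cur = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        for name, (pat, conv) in simple.items():
            if m := re.fullmatch(pat, line):
                s[name] = conv(m.group(1))
        if m := re.fullmatch(r"object network (\S+)", line):
            cur = m.group(1)
        elif m := re.fullmatch(r"subnet (\S+) (\S+)", line):  # dotted mask -> prefix length
            objects[cur] = str(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif m := re.fullmatch(r"crypto ipsec transform-set \S+ (\S+) (\S+)", line):
            s["p2_enc"], s["p2_auth"] = ALG[m.group(1)], ALG[m.group(2)]
        elif m := re.fullmatch(r"access-list \S+ .*permit ip object (\S+) object (\S+)", line):
            s["local_net"], s["remote_net"] = objects[m.group(1)], objects[m.group(2)]
    return s

def parse_mikrotik(text):
    """Read the key=value arguments of the peer, proposal and policy commands."""
    host = lambda v: v.split(":")[0].split("/")[0]  # 20.20.20.2/32:500 -> 20.20.20.2
    net = lambda v: v.split(":")[0]                 # 192.168.1.0/24:any -> 192.168.1.0/24
    fields = {
        "peer": {"address": ("remote_peer", host), "dh-group": ("p1_dh", DH_BITS.get),
                 "hash-algorithm": ("p1_hash", ALG.get), "enc-algorithm": ("p1_enc", ALG.get)},
        "proposal": {"auth-algorithms": ("p2_auth", ALG.get), "enc-algorithms": ("p2_enc", ALG.get),
                     "pfs-group": ("pfs", DH_BITS.get)},
        "policy": {"src-address": ("local_net", net), "dst-address": ("remote_net", net),
                   "sa-src-address": ("local_peer", host), "sa-dst-address": ("sa_dst", host)}}
    s, section = {}, None
    for line in text.splitlines():
        if m := re.search(r"/ip ipsec (\w+)", line):  # a command selects its section; indented
            section = m.group(1)                      # continuation lines keep the current one
        elif re.search(r"/ip \w+", line):             # any other menu (e.g. firewall nat): skip
            section = None
        for key, value in re.findall(r"([\w-]+)=(\S+)", line):
            if key in fields.get(section, {}):
                name, conv = fields[section][key]
                s[name] = conv(value.strip('"'))
    return s

def cross_check(asa, mt, asa_outside="20.20.20.2"):  # assumed ASA outside address
    """Return the list of disagreements; an empty list means the two ends match."""
    keys = ("p1_enc", "p1_hash", "p1_dh", "p2_enc", "p2_auth", "pfs")
    problems = [f"{k}: ASA={asa.get(k)} MikroTik={mt.get(k)}" for k in keys if asa.get(k) != mt.get(k)]
    if asa["remote_peer"] != mt["local_peer"]:
        problems.append(f"ASA peer {asa['remote_peer']} != MikroTik sa-src-address {mt['local_peer']}")
    if {mt["remote_peer"], mt["sa_dst"]} != {asa_outside}:
        problems.append(f"MikroTik peer address and sa-dst-address must both be {asa_outside}")
    if (asa["local_net"], asa["remote_net"]) != (mt["remote_net"], mt["local_net"]):
        problems.append("traffic selectors are not mirror images of each other")
    return problems

# Constructed configs carrying two classic mistakes: PFS group1 on the ASA versus
# modp1024 on the MikroTik, and the MikroTik sa-src/sa-dst addresses swapped.
ASA_CFG = """
object network local
 subnet 192.168.2.0 255.255.255.0
object network remote
 subnet 192.168.1.0 255.255.255.0
access-list outside_crypto extended permit ip object local object remote
crypto isakmp policy 10 encryption 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside-map 1 set pfs group1
crypto map outside-map 1 set peer 10.10.10.2
"""
MT_CFG = """
/ip ipsec peer add address=20.20.20.2/32:500 auth-method=pre-shared-key secret="x"
    exchange-mode=main hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024
/ip ipsec policy add src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any
    action=encrypt tunnel=yes sa-src-address=20.20.20.2 sa-dst-address=10.10.10.2
/ip firewall nat add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24
"""

def check(asa_text=ASA_CFG, mt_text=MT_CFG):
    return cross_check(parse_asa(asa_text), parse_mikrotik(mt_text))

def check_fixed():
    return check(ASA_CFG.replace("set pfs group1", "set pfs group2"),
                 MT_CFG.replace("sa-src-address=20.20.20.2 sa-dst-address=10.10.10.2",
                                "sa-src-address=10.10.10.2 sa-dst-address=20.20.20.2"))
```

check() returns three findings for the constructed pair (the PFS mismatch, the ASA peering with an address the MikroTik does not use as sa-src-address, and the MikroTik peer entry disagreeing with its own sa-dst-address), while check_fixed() returns an empty list once PFS is group2 on the ASA and the MikroTik SA addresses are the right way round. Lifetimes are deliberately not compared, since with proposal-check=obey they do not have to match.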
