#######Tạo POOL IP gán cho user VPN##########ip local pool VPN_POOL 192.168.10.100-192.168.10.200 mask 255.255.255.0 #######Chỉ ra dải mạng LAN mà user VPN được gọi vào########## access-
Trang 1TASK 1: Đặt IP and Security-Level
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 200.200.200.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 172.16.1.1 255.255.255.0
TASK 2:
object network DMZ-Server-172.16.1.100
host 172.16.1.100
nat (dmz,outside) static 200.200.200.100
access-list OUTSIDE-to-DMZ extended permit ip any host 172.16.1.100
access-group OUTSIDE-to-DMZ in interface outside
route outside 0.0.0.0 0.0.0.0 200.200.200.1
policy-map global_policy
class inspection_default
inspect icmp
TASK 3,4: SSL VPN
https://bit.ly/3oCxPu3
https://www.youtube.com/watch?v=oSgTqDQtmG0
###Bật tính năng vpn ssl####
webvpn
#####Chỉ ra Gói nào sẽ được down về client khi họ connect#####
anyconnect image flash:/anyconnect-win-4.1.08005-k9.pkg ****lấy từ lệnh show flash: trên firewall ra*******
#####cho phép gọi đến IP outside để VPN######
enable outside
####mở tính năng anyconnect kết nối#####
anyconnect enable
#####cho phép traffic VPN đi từ ngoài vào####
sysopt connection permit-vpn
Trang 2#######Tạo POOL IP gán cho user VPN##########
ip local pool VPN_POOL 192.168.10.100-192.168.10.200 mask 255.255.255.0
#######Chỉ ra dải mạng LAN mà user VPN được gọi vào##########
access-list ALLOW-ACCESS-LAN standard permit 192.168.1.0 255.255.255.0
#######Tạo policy áp đặt cho những người kết nối VPN########
group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ALLOW-ACCESS-LAN
dns-server value 8.8.8.8
exit
#######Tạo tunnel vpn và gắn với policy vừa tạo##########
tunnel-group MY_TUNNEL type remote-access
tunnel-group MY_TUNNEL general-attributes
default-group-policy ANYCONNECT_POLICY
address-pool VPN_POOL
exit
tunnel-group MY_TUNNEL webvpn-attributes
group-alias CHI_NHANH_01 enable
webvpn
tunnel-group-list enable
#######Tạo account#########
username hainm password hainm
username hainm attributes
service-type remote-access
####Verify trên ASA######
ciscoasa# show vpn-sessiondb anyconnect
TASK 5: VPN site-to-site
PHA 1: TREN FIREWALL 1
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 3600
exit
crypto ikev1 enable outside
crypto isakmp identity address
Trang 3tunnel-group 100.100.100.2 type ipsec-l2l
tunnel-group 100.100.100.2 ipsec-attributes
ikev1 pre-shared-key key1234
access-list LAN1-to-LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac
PHA 2: TREN FIREWALL 1
crypto map MY_CRYPTO_MAP 10 match address LAN1-to-LAN2
crypto map MY_CRYPTO_MAP 10 set peer 100.100.100.2
crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
crypto map MY_CRYPTO_MAP interface outside