
Tuesday, July 6, 2010

Quick and easy LAN-to-LAN VPN for Cisco ASA

The Scenario:
You want your workstation at H.Q. at your.local.subnet.15 to be able to Remote Desktop (TCP 3389) to your server at your.remote.subnet.34. Your remote branch has a WAN IP address of your.remote.wan.29:

!
! Define "interesting" traffic to determine which traffic gets encrypted.
! In this case it's any packet from the local box to the remote server on TCP port 3389, plus ICMP traffic between the two hosts.
! Note that THIS ACL must be exactly the same, with source and destination addresses reversed, on the IPSEC peer at the other end.
! If you don't control both peers then it may be advisable to use simple host-based ACLs and leave off the ports.
! Naturally, this is less secure than specifying the ports here.  You can always add an additional ACL (which doesn't have to match at the far end)
! on the tunnel-group with the "vpn-group-policy" option.
!
access-list outside_60_cryptomap extended permit tcp host your.local.subnet.15 host your.remote.subnet.34 eq 3389
access-list outside_60_cryptomap extended permit icmp host your.local.subnet.15 host your.remote.subnet.34
!
! Define IKE Phase I Parameters
! IKE Phase I authenticates IPSec peers and negotiates IKE SAs during this phase.
! This sets up a secure channel for negotiating IPSec SAs in phase 2.
!
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 14400
!
! Define IKE Phase II IPSEC transformations
! IKE Phase II negotiates IPSec SA parameters and sets up matching IPSec SAs in the peers.
!
crypto ipsec transform-set esp-aes-md5 esp-aes-256 esp-md5-hmac
!
!
! NAT considerations
! You may want to disable NAT across the IPSEC tunnel.  In an SMB environment, there is probably no need or desire to source NAT.
! So, add an additional line to your existing NAT exemption ACL or create one.  Here, we add a line to the existing inside_nat0_outbound ACL.
! This bit is a bit beyond the scope of this article.
access-list inside_nat0_outbound extended permit ip host your.local.subnet.15 host your.remote.subnet.34
!
! Define the IPSEC peer and its IKE Phase II.  PFS is optional
crypto map outside_map 60 match address outside_60_cryptomap
crypto map outside_map 60 set peer your.remote.wan.29
crypto map outside_map 60 set transform-set esp-aes-md5
! optionally enable Perfect Forward Secrecy.  Disabled by default.  It's more secure, but requires more processing.
crypto map outside_map 60 set pfs group5
! optionally enable aggressive mode (off by default and not encouraged).  Aggressive mode is faster to set up but less secure.
crypto map outside_map 60 set phase1-mode aggressive
!

! Define the tunnel-group peer address and Pre-Shared Key.  This is also where you configure address-pool and default-group-policy.
tunnel-group your.remote.wan.29 type ipsec-l2l
tunnel-group your.remote.wan.29 ipsec-attributes
pre-shared-key #your.complex.key.here#
!
! Attach it to the outside interface.  Note that you'll use your outside interface's "ifname" and it IS case sensitive.
! If you already have IPSEC running then this is already done.
crypto map outside_map interface Outside
crypto isakmp enable Outside
!
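The requirement in the crypto ACL comments above, that the peer's ACL be the exact reverse of ours, is easy to get wrong by hand, and a mismatch is the usual reason Phase II never comes up. The following is an added example, not part of the original post: a small Python checker that parses the host-to-host ACEs of two ASA configs and reports whether the remote peer's crypto ACL mirrors the local one. The remote ACL name outside_10_cryptomap and both remote sample configs are constructed for the example.

```python
import re

# Added example: verify that the IPsec peer's crypto ACL is the exact mirror
# (source and destination swapped, each port staying with its own host) of ours.
# Only the host/host ACE form used in the article is supported.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+(?P<proto>\S+)\s+"
    r"host\s+(?P<src>\S+)(?:\s+eq\s+(?P<sport>\S+))?\s+"
    r"host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<dport>\S+))?\s*$"
)

def parse_crypto_acl(config, acl_name):
    """Return the set of (proto, src, sport, dst, dport) ACEs in acl_name.
    An ACE of that ACL the checker cannot parse raises rather than being
    skipped, which would otherwise give a false 'mirrored' verdict."""
    entries = set()
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith(f"access-list {acl_name} "):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE in {acl_name}: {line}")
        entries.add(tuple(m.group(g) for g in ("proto", "src", "sport", "dst", "dport")))
    return entries

def mirror(entries):
    """Reverse every ACE: the remote server's port moves to the source side."""
    return {(p, dst, dport, src, sport) for p, src, sport, dst, dport in entries}

def acls_are_mirrored(local_cfg, local_acl, remote_cfg, remote_acl):
    """Return (ok, missing_on_remote, extra_on_remote)."""
    expected = mirror(parse_crypto_acl(local_cfg, local_acl))
    actual = parse_crypto_acl(remote_cfg, remote_acl)
    return actual == expected, expected - actual, actual - expected

# Constructed sample configs: the article's H.Q. ACL and two remote-peer ACLs.
LOCAL_CFG = """
access-list outside_60_cryptomap extended permit tcp host your.local.subnet.15 host your.remote.subnet.34 eq 3389
access-list outside_60_cryptomap extended permit icmp host your.local.subnet.15 host your.remote.subnet.34
"""
REMOTE_CFG_OK = """
access-list outside_10_cryptomap extended permit tcp host your.remote.subnet.34 eq 3389 host your.local.subnet.15
access-list outside_10_cryptomap extended permit icmp host your.remote.subnet.34 host your.local.subnet.15
"""
# Common mistake: "eq 3389" left on the destination side when the hosts were swapped.
REMOTE_CFG_BAD = """
access-list outside_10_cryptomap extended permit tcp host your.remote.subnet.34 host your.local.subnet.15 eq 3389
access-list outside_10_cryptomap extended permit icmp host your.remote.subnet.34 host your.local.subnet.15
"""
```

Run acls_are_mirrored(LOCAL_CFG, "outside_60_cryptomap", REMOTE_CFG_BAD, "outside_10_cryptomap") to see the misplaced-port ACE reported as both missing and extra on the remote side.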