Below is a template I created while doing an ASA 5505 (directly out of box) for a remote site. It had one VPN and the rest was a just plane Jane config. Below is my template for such a config. Its a pre8.3 config. Make sure you upgrade something like this before you send it onsite:
ASA(config)# username shane pass password
ASA(config)# enable pass apasswordthatissecret
ASA(config)# hostname ASA
ASA(config)# aaa authentication ssh con LOCAL
ASA(config)# crypto key generate rsa mod 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ASA(config)# ssh 0.0.0.0 0.0.0.0 outside
WARNING: This command will not take effect until interface 'outside' has been assigned an IPv4 address
ASA(config)# route outside 0.0.0.0 0.0.0.0 7.8.9.106
ASA(config)# int vlan 2
ASA(config-if)# ip add 7.8.9.105 255.255.255.252
ASA(config-if)# no shut
ASA(config)# no dhcpd enable inside
ASA(config)# no dhcpd address 10.10.1.5-10.10.1.254 inside
ASA(config)#
ASA(config)# no dhcpd enable inside
ASA(config)# no dhcpd address 10.10.1.5-10.10.1.254 inside
ASA(config)# interface Vlan1
ASA(config-if)# no ip add
ASA(config-if)# ip add 10.10.199.1 255.255.255.0
ASA(config-if)# no shut
ASA(config-if)# route inside 10.10.4.0 255.255.255.0 10.10.199.2
ASA(config)# route inside 10.10.14.0 255.255.255.0 10.10.199.2
ASA(config)#
ASA(config)# aaa authentication serial console LOCAL
ASA(config)# crypto isakmp policy 10
ASA(config-isakmp-policy)# authentication pre-share
ASA(config-isakmp-policy)# encryption aes-256
ASA(config-isakmp-policy)# hash sha
ASA(config-isakmp-policy)# group 2
ASA(config-isakmp-policy)# lifetime 86400
ASA(config-isakmp-policy)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
ASA(config)# access-list 2HQ permit ip 10.10.4.0 255.255.255.0 10.10.2.0 255.255.255.0
ASA(config)# access-list 2HQ permit ip 10.10.14.0 255.255.255.0 10.10.12.0 255.255.255.0
ASA(config)# access-list 2HQ permit ip 10.10.14.0 255.255.255.0 10.10.13.0 255.255.255.0
ASA(config)# access-list 2HQ permit ip 10.10.14.0 255.255.255.0 10.10.11.0 255.255.255.0
ASA(config)# access-list nonat permit ip 10.10.4.0 255.255.255.0 10.10.2.0 255.255.255.0
ASA(config)# access-list nonat permit ip 10.10.14.0 255.255.255.0 10.10.12.0 255.255.255.0
ASA(config)# access-list nonat permit ip 10.10.14.0 255.255.255.0 10.10.13.0 255.255.255.0
ASA(config)# access-list nonat permit ip 10.10.14.0 255.255.255.0 10.10.11.0 255.255.255.0
ASA(config)# nat (inside) 0 access-list nonat
ASA(config)# tunnel-group 20.30.40.55 type ipsec-l2l
ASA(config)# tunnel-group 20.30.40.55 ipsec-attributes
ASA(config-tunnel-ipsec)# pre-shared-key veryprivatevpnkeynothisisnotwhatiuse
ASA(config-tunnel-ipsec)# exit
ASA(config)# crypto map outside_map 10 match address 2HQ
ASA(config)# crypto map outside_map 10 set peer 20.30.40.55
ASA(config)# crypto map outside_map 10 set transform-set ESP-3DES-SHA
ASA(config)# crypto map outside_map interface outside
ASA(config)# crypto isakmp enable outside
You might want to use 2048 bit RSA keys (or longer).
ReplyDeletehttps://media.ccc.de/v/32c3-7210-pqchacks
And you might also want to stop using DH Group 2 in your ISAKMP and IPsec policies.
ReplyDeleteIs it just me or are you not using PFS at all here?
Really, the template is meant to be modified. Not for me to do the work for you. You should modify to fit your security needs appropriately.
Delete