SNPA50SL11
Network
Configuration
Lesson 11
[Figure: VPN types – Main Office, Remote Office, Business Partner and Mobile Worker connected through POPs over a VPN]
Intranet VPNs have low-cost Remote Office connections with rich VPN services, which lead to cost savings and new applications.
Remote access VPNs are cost-effective.
Extranet VPNs extend WANs to business partners, which leads to new applications and business models.
© 2007 Cisco Systems, Inc. All rights reserved. SNPA v5.0—11-4
What Is IPsec?
[Figure: Host A (10.0.1.3) – Security Appliance A – Internet – Security Appliance B – Host B (10.0.2.3); IPsec runs between the two security appliances]
IKE Phase 1: Main Mode Exchange (DH Exchange on each side)
IKE Policy Sets
Security Appliance A: Policy Set 10 – 3DES, MD5, Pre-share, DH1, Lifetime; Policy Set 20 – DES, SHA, Pre-share, DH1, Lifetime
Security Appliance B: Policy Set 15 – 3DES, MD5, Pre-share, DH1, Lifetime
[Figure: DH exchange between Merchant and Bank – Public Key B + Private Key A = Shared Secret Key (BA); Public Key A + Private Key B = Shared Secret Key (AB); Key (BA) = Key (AB)]
[Figure: Peer Authentication – HR Servers]
Transform Set 40: ESP, DES, MD5, Tunnel, Lifetime
A transform set is a combination of algorithms and protocols that enacts a security policy for traffic.
[Figure: SAD and SPD on each security appliance, on either side of the Internet]
Destination IP address | SPI    | Protocol / Encryption algorithm / Authentication algorithm | Mode   | Key lifetime
192.168.2.1            | SPI–12 | ESP/3DES/SHA                                               | Tunnel | 28800
192.168.12.1           | SPI–39 | ESP/DES/MD5                                                | Tunnel | 28800
[Figure: Host A – Security Appliance A – IPsec Session – Security Appliance B – Host B; Data-Based and Time-Based lifetimes]
A tunnel is terminated:
– By an SA lifetime timeout
– If the packet counter is exceeded
Termination removes the IPsec SA.
ciscoasa(config)# isakmp enable interface-name
ciscoasa(config)# tunnel-group name type type
[Figure: 10.0.1.11 – Do Not Translate – 10.0.2.11; traffic between the two hosts is not translated]
ciscoasa(config)# crypto map map-name interface interface-name
– Applies the crypto map to an interface
– Activates IPsec policy
asa1(config)# crypto map ASA1MAP interface outside
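The commands above are shown one at a time; the following added example (not part of the course material) puts them together as a complete site-to-site configuration on asa1, using the SNPA-era ASA syntax in which isakmp enable, tunnel-group and crypto map ... interface are the activation steps. The addressing is assumed: asa1 outside 192.168.2.1, peer outside 192.168.12.1, protected networks 10.0.1.0/24 and 10.0.2.0/24; the access-list, transform-set and pre-shared-key values are placeholders. The algorithms follow the course's Policy Set 10 and Transform Set 40 (3DES/MD5/DH group 1 and DES/MD5); those are 2007 values and are no longer adequate, so a current deployment should select AES, SHA-2 and a larger DH group in the same places.

```cisco
! Added example: site-to-site IPsec on asa1 (ASA 7.x/8.0 syntax), not from the course
! Assumed addressing: asa1 outside 192.168.2.1, peer outside 192.168.12.1,
!   10.0.1.0/24 behind asa1 and 10.0.2.0/24 behind the peer
!
! 1. IKE Phase 1 policy (course Policy Set 10: 3DES, MD5, pre-shared key, DH group 1)
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
! Activate ISAKMP on the interface that faces the peer
isakmp enable outside
!
! 2. LAN-to-LAN tunnel group, named by the peer's IP address, carrying the pre-shared key
tunnel-group 192.168.12.1 type ipsec-l2l
tunnel-group 192.168.12.1 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK
!
! 3. Interesting traffic, and NAT exemption so it is "not translated" before encryption
access-list L2L-TRAFFIC extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (inside) 0 access-list L2L-TRAFFIC
!
! 4. IPsec transform set (course Transform Set 40: ESP, DES, MD5, tunnel mode) and SA lifetime
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
!
! 5. Crypto map entry, then apply the map to the outside interface to activate the IPsec policy
crypto map ASA1MAP 10 match address L2L-TRAFFIC
crypto map ASA1MAP 10 set peer 192.168.12.1
crypto map ASA1MAP 10 set transform-set ESP-DES-MD5
crypto map ASA1MAP interface outside
```

The peer needs the mirror-image configuration (its own policy set, a tunnel group named 192.168.2.1 with the same key, and a reversed access list). After interesting traffic is sent, show isakmp sa should list the Phase 1 SA and show crypto ipsec sa should list the SPIs and the encrypted/decrypted packet counters; a missing Phase 1 SA usually points at a policy or key mismatch, while a Phase 1 SA with no IPsec SA usually points at the access lists not mirroring each other.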