Mapping the Azure Virtual Network configuration to the ASA 5505 GUI screens

http://msdn.microsoft.com/en-us/library/windowsazure/jj156089.aspx Just reading the strings in the configuration file, some parts were hard to understand, so I checked where each one corresponds in the GUI (Cisco ASDM).
 
! Microsoft Corporation
! Windows Azure Virtual Network

! This configuration template applies to Cisco ASA 5500 Series Adaptive Security Appliances running ASA Software 8.3.
! It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.

! ---------------------------------------------------------------------------------------------------------------------
! ACL and NAT rules
!
! Proper ACL and NAT rules are needed for permitting cross-premise network traffic.
object-group network <RP_AzureNetwork>
 network-object <SP_AzureNetworkIpRange> <SP_AzureNetworkSubnetMask>
 exit
object-group network <RP_OnPremiseNework>
 network-object <SP_OnPremiseNetworkIpRange> <SP_OnPremiseNetworkSubnetMask>
 exit
access-list <RP_AccessList> extended permit ip object-group <RP_OnPremiseNework> object-group <RP_AzureNetwork>
nat (inside,outside) source static <RP_OnPremiseNework> <RP_OnPremiseNework> destination static <RP_AzureNetwork> <RP_AzureNetwork>

! ---------------------------------------------------------------------------------------------------------------------
! Internet Key Exchange (IKE) configuration
!
! This section specifies the authentication, encryption, hashing, Diffie-Hellman, and lifetime parameters for the Phase
! 1 negotiation and the main mode security association. We have picked an arbitrary policy # "10" as an example. If
! that happens to conflict with an existing policy, you may choose to use a different policy #.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
 exit

! ---------------------------------------------------------------------------------------------------------------------
! IPSec configuration
!
! This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
! mode security association.
crypto ipsec transform-set <RP_IPSecTransformSet> esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000

! ---------------------------------------------------------------------------------------------------------------------
! Crypto map configuration
!
! This section defines a crypto map that binds the cross-premise network traffic to the
! IPSec transform set and remote peer. We have picked an arbitrary ID # "10" as an example. If
! that happens to conflict with an existing crypto map, you may choose to use a different ID #.
crypto map <RP_IPSecCryptoMap> 10 match address <RP_AccessList>
crypto map <RP_IPSecCryptoMap> 10 set peer <SP_AzureGatewayIpAddress>
crypto map <RP_IPSecCryptoMap> 10 set transform-set <RP_IPSecTransformSet>
crypto map <RP_IPSecCryptoMap> interface outside

! ---------------------------------------------------------------------------------------------------------------------
! Tunnel configuration
!
! This section defines an IPSec site-to-site tunnel connecting to the Azure gateway and specifies the pre-shared key
! value used for Phase 1 authentication.
tunnel-group <SP_AzureGatewayIpAddress> type ipsec-l2l
tunnel-group <SP_AzureGatewayIpAddress> ipsec-attributes
 pre-shared-key <SP_PresharedKey>
 exit

! ---------------------------------------------------------------------------------------------------------------------
! TCPMSS clamping
!
! Adjust the TCPMSS value properly to avoid fragmentation
sysopt connection tcpmss 1350
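The template above is only useful once every `<RP_*>` / `<SP_*>` placeholder has been replaced, and the IKE/IPsec parameters it fixes (AES, SHA, DH group 2, lifetimes 28800 s and 3600 s) are the ones a reviewer wants to see at a glance before applying it. The script below is an added example, not part of the original post or of Microsoft's template: it fills the placeholders and refuses to proceed if any token is left unfilled (so a literal `<SP_PresharedKey>` never reaches the device), parses the `crypto isakmp policy` block and the transform-set line, and reports the parameters against a minimum DH group that is this example's own assumption. The excerpt of the template and the sample values are constructed for the demonstration.

```python
import re

# Constructed excerpt with the same structure as the Azure ASA template on the page.
TEMPLATE = """\
object-group network <RP_AzureNetwork>
 network-object <SP_AzureNetworkIpRange> <SP_AzureNetworkSubnetMask>
 exit
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
 exit
crypto ipsec transform-set <RP_IPSecTransformSet> esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
tunnel-group <SP_AzureGatewayIpAddress> type ipsec-l2l
tunnel-group <SP_AzureGatewayIpAddress> ipsec-attributes
 pre-shared-key <SP_PresharedKey>
 exit
"""

# Constructed sample values (documentation address space, dummy key).
VALUES = {
    "RP_AzureNetwork": "AzureNet",
    "SP_AzureNetworkIpRange": "10.1.0.0",
    "SP_AzureNetworkSubnetMask": "255.255.0.0",
    "RP_IPSecTransformSet": "AzureTS",
    "SP_AzureGatewayIpAddress": "203.0.113.10",
    "SP_PresharedKey": "EXAMPLE-PSK-REPLACE-ME",
}

# Placeholders in the template look like <RP_Name> or <SP_Name>.
PLACEHOLDER = re.compile(r"<([RS]P_[A-Za-z0-9]+)>")


def fill_template(template, values):
    """Replace every placeholder; raise if any token has no value so a literal
    token such as <SP_PresharedKey> cannot be pushed to the appliance."""
    missing = sorted(set(PLACEHOLDER.findall(template)) - set(values))
    if missing:
        raise ValueError("unfilled placeholders: " + ", ".join(missing))
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], template)


def parse_isakmp_policies(config):
    """Return {policy_number: {attribute: value}} for each
    'crypto isakmp policy N' ... 'exit' block (Phase 1 parameters)."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        if current is not None:
            if line.strip() == "exit":
                current = None
            elif line.startswith(" "):
                key, _, val = line.strip().partition(" ")
                current[key] = val
    return policies


def parse_transform_sets(config):
    """Return {name: [transforms]} for each 'crypto ipsec transform-set' line (Phase 2)."""
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r"crypto ipsec transform-set (\S+) (.+)", config)}


def review_policy(policy, min_dh_group=14):
    """Report Phase 1 settings worth a second look. The threshold is this
    example's assumption; on ASA 'hash sha' in an isakmp policy means SHA-1."""
    findings = []
    if int(policy.get("group", 0)) < min_dh_group:
        findings.append(f"DH group {policy.get('group')} is below group {min_dh_group}")
    if policy.get("hash") == "sha":
        findings.append("hash 'sha' selects SHA-1")
    return findings


if __name__ == "__main__":
    config = fill_template(TEMPLATE, VALUES)
    for num, pol in parse_isakmp_policies(config).items():
        print(f"isakmp policy {num}: {pol}")
        for f in review_policy(pol):
            print("  note:", f)
    print("transform-sets:", parse_transform_sets(config))
```

Running it with a value missing from `VALUES` stops at `fill_template` with the list of unfilled tokens, which is the failure you want at the desk rather than on the ASA.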



Basically I went through it from the top down.
Object Group settings can be entered in more than one place.

[Screenshot: ASA5505_01_ObjectGroup]
[Screenshot: ASA5505_02_ObjectGroup]
[Screenshot: ASA5505_03_ACL]
[Screenshot: ASA5505_04_NAT]
[Screenshot: ASA5505_05_crypto_isakmp_enable_outside]

The Connection Profile section corresponded to both the crypto map and the tunnel-group.

[Screenshot: ASA5505_06_ConnectionProfile]
[Screenshot: ASA5505_07_ConnectionProfile]
[Screenshot: ASA5505_08_ConnectionProfile]
[Screenshot: ASA5505_09_ConnectionProfile]

Other

[Screenshot: ASA5505_10_crypto_isakmp_policy]
You do not have to configure the ipsec transform-set yourself: in the GUI, ESP-AES-128-SHA is defined automatically.
[Screenshot: ASA5505_11_crypto_ipsec_transformset]
[Screenshot: ASA5505_12_crypto_ipsec_security-association]
[Screenshot: ASA5505_13_sysopt_connection_tcpmss]
