How to create IPv6 LAN-to-LAN VPN Tunnel on Cisco ASAs
What needs to be done to create a LAN-to-LAN VPN tunnel on an ASA firewall with IPv6 addressing?
First, let's begin with the fundamentals:
-IPv6 L2L VPN support was added in the latest version available of the ASA 8.3 track.
-The ASA can build a site-to-site VPN tunnel over IPv6 ONLY with another ASA.
LAN-to-LAN VPNs are typically used to transparently connect geographically disparate LANs over an untrusted medium (e.g. the public Internet).
Specifically, the following topologies are supported when both peers are Cisco ASA 5500 series adaptive security appliances:
•The adaptive security appliances have IPv4 inside networks and the outside network is IPv6 (IPv4 addresses on the inside interfaces and IPv6 addresses on the outside interfaces).
•The adaptive security appliances have IPv6 inside networks and the outside network is IPv4 (IPv6 addresses on the inside interfaces and IPv4 addresses on the outside interfaces).
•The adaptive security appliances have IPv6 inside networks and the outside network is IPv6 (IPv6 addresses on the inside and outside interfaces).
If we want to run a VPN tunnel with a third-party unit or another Cisco router, we must use IPv4 addressing only.
Now, let’s take a look at the Scenario:
Our main goal here is to create an IPsec VPN tunnel between Company A and Company B across an IPv6 network. IPv6 addressing and routing have already been configured.
The IPsec configuration
1) Specify the phase 1 (IKEv1 policy) and phase 2 (IPsec transform set) configuration as usual:
Site A:
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set cisco esp-aes esp-sha-hmac
Site B:
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set cisco esp-aes esp-sha-hmac
2) Now let's move on to the interesting-traffic (crypto ACL) configuration:
Site A inside subnet: 2001:AAAA::/64
Site B inside subnet: 2001:DDDD::/64
On Site A:
ipv6 access-list IPv6-Lab permit ip 2001:AAAA::/64 2001:DDDD::/64
On Site B:
ipv6 access-list VPN-Traffic permit ip 2001:dddd::/64 2001:aaaa::/64
So the crypto ACL is configured exactly as for IPv4; the only difference is that the addresses are written in IPv6 hexadecimal notation instead of dotted decimal. As with IPv4, the two ACLs must be mirror images of each other (Site B's source is Site A's destination and vice versa).
3) Crypto-Map Setup
Site A outside IPv6 address is 2001:BBBB::1
Site B outside IPv6 address is 2001:CCCC::2
So let’s go to the Firewall on Site A
Site A:
crypto map IPv6-L2L 1 match address IPv6-Lab
crypto map IPv6-L2L 1 set peer 2001:cccc::2
crypto map IPv6-L2L 1 set ikev1 transform-set cisco
crypto map IPv6-L2L interface outside
Site B:
crypto map IPv6-Lab 1 match address VPN-Traffic
crypto map IPv6-Lab 1 set peer 2001:bbbb::1
crypto map IPv6-Lab 1 set ikev1 transform-set cisco
crypto map IPv6-Lab interface outside
Now we will configure the final part, the tunnel-group setup:
Site A:
tunnel-group 2001:CCCC::2 type ipsec-l2l
tunnel-group 2001:CCCC::2 ipsec-attributes
ikev1 pre-shared-key cisco123
Site B:
tunnel-group 2001:BBBB::1 type ipsec-l2l
tunnel-group 2001:BBBB::1 ipsec-attributes
ikev1 pre-shared-key cisco123
Where is the NAT setup?
With IPv6 we do not need NAT to be routable over the Internet, so unless a specific design requires it there is no NAT and therefore no NAT exemption to configure for our VPN.
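The four steps above have to agree between the two firewalls: the IKEv1 policy, the transform set, the pre-shared key, the crypto ACL (which must be a mirror image of the other side's), and the peer address, which must have a tunnel-group of the same name on the local box. The following Python script is an added example, not part of the original article or of any Cisco tool: it reads both configurations as text and reports any mismatch before the tunnel is ever brought up. It uses the ipaddress module so that 2001:AAAA::/64 and 2001:aaaa::/64 compare equal, the same hex-case tolerance the ASA applies. SITE_B_BAD_ACL is a constructed faulty variant to show what a finding looks like.

```python
import ipaddress
import re

# Site A and Site B configurations, transcribed from the article. Interface
# addressing is not part of the article, so the outside addresses only appear
# through 'set peer' and the tunnel-group names.
SITE_A = """
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set cisco esp-aes esp-sha-hmac
ipv6 access-list IPv6-Lab permit ip 2001:AAAA::/64 2001:DDDD::/64
crypto map IPv6-L2L 1 match address IPv6-Lab
crypto map IPv6-L2L 1 set peer 2001:cccc::2
crypto map IPv6-L2L 1 set ikev1 transform-set cisco
crypto map IPv6-L2L interface outside
tunnel-group 2001:CCCC::2 type ipsec-l2l
tunnel-group 2001:CCCC::2 ipsec-attributes
 ikev1 pre-shared-key cisco123
"""
SITE_B = """
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set cisco esp-aes esp-sha-hmac
ipv6 access-list VPN-Traffic permit ip 2001:dddd::/64 2001:aaaa::/64
crypto map IPv6-Lab 1 match address VPN-Traffic
crypto map IPv6-Lab 1 set peer 2001:bbbb::1
crypto map IPv6-Lab 1 set ikev1 transform-set cisco
crypto map IPv6-Lab interface outside
tunnel-group 2001:BBBB::1 type ipsec-l2l
tunnel-group 2001:BBBB::1 ipsec-attributes
 ikev1 pre-shared-key cisco123
"""
# Constructed faulty variant: one hex digit of the remote subnet is wrong, so the
# crypto ACLs no longer mirror each other (phase 2 would fail on the proxy IDs).
SITE_B_BAD_ACL = SITE_B.replace("2001:aaaa::/64", "2001:aaab::/64")


def parse_site(cfg):
    """Collect the VPN-relevant statements of one ASA configuration."""
    site = {"policy": {}, "transform_sets": {}, "acls": {}, "maps": {},
            "tunnel_groups": set(), "psk": set()}
    in_policy = False
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("crypto ikev1 policy"):
            in_policy = True
            continue
        m = re.match(r"(authentication|encryption|hash|group) (\S+)$", line)
        if in_policy and m:
            site["policy"][m.group(1)] = m.group(2)
            continue
        in_policy = False  # any other statement ends the policy sub-mode
        if m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)", line):
            site["transform_sets"][m.group(1)] = tuple(m.group(2).split())
        elif m := re.match(r"ipv6 access-list (\S+) permit ip (\S+) (\S+)", line):
            # IPv6Network normalises hex case and zero compression for comparison.
            pair = (ipaddress.IPv6Network(m.group(2)), ipaddress.IPv6Network(m.group(3)))
            site["acls"].setdefault(m.group(1), set()).add(pair)
        elif m := re.match(r"crypto map (\S+) \d+ (match address|set peer|"
                           r"set ikev1 transform-set) (\S+)", line):
            site["maps"].setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            site["tunnel_groups"].add(ipaddress.IPv6Address(m.group(1)))
        elif m := re.match(r"ikev1 pre-shared-key (\S+)", line):
            site["psk"].add(m.group(1))
    return site


def check_pair(a, b):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    if a["policy"] != b["policy"]:
        findings.append(f"IKEv1 policy mismatch: {a['policy']} vs {b['policy']}")
    if set(a["transform_sets"].values()) != set(b["transform_sets"].values()):
        findings.append("IPsec transform-set algorithms differ between sites")
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ between sites")
    for name, site in (("A", a), ("B", b)):
        for map_name, entry in site["maps"].items():
            if entry.get("match address") not in site["acls"]:
                findings.append(f"site {name}: crypto map {map_name} references an undefined ACL")
            if entry.get("set ikev1 transform-set") not in site["transform_sets"]:
                findings.append(f"site {name}: crypto map {map_name} references an undefined transform-set")
            peer = entry.get("set peer")
            if peer is None or ipaddress.IPv6Address(peer) not in site["tunnel_groups"]:
                findings.append(f"site {name}: crypto map {map_name} peer {peer} has no tunnel-group")
    a_acl = set().union(*a["acls"].values())
    b_acl = set().union(*b["acls"].values())
    if {(dst, src) for src, dst in a_acl} != b_acl:  # B must mirror A
        findings.append("crypto ACLs are not mirror images: "
                        f"{[f'{s} -> {d}' for s, d in sorted(a_acl)]} vs "
                        f"{[f'{s} -> {d}' for s, d in sorted(b_acl)]}")
    return findings
```

Running check_pair(parse_site(SITE_A), parse_site(SITE_B)) returns an empty list for the article's configuration; with SITE_B_BAD_ACL it returns a single finding naming the two non-mirroring ACL entries, which is exactly the class of typo that otherwise only shows up as a phase 2 proxy-ID failure in the debugs.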
Now let’s ping from Client A to Client B and see if the tunnel gets established:
SiteA-Client#ping 2001:DDDD::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DDDD::1, timeout is 2 seconds:
Now let's check the tunnel.
On Site A:
SiteA(config)# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2001:cccc::2
Type : L2L
Role : initiator
Rekey : no
State : MM_ACTIVE
On Site B:
SiteB(config)# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2001:bbbb::1
Type : L2L
Role : responder
Rekey : no
State : MM_ACTIVE
SiteB(config)#
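The two outputs above are what an operator reads by eye: one L2L SA to the expected peer in state MM_ACTIVE. The Python below is an added example (not from the article or from Cisco) that parses "show crypto ikev1 sa" text, normalises the peer address so 2001:CCCC::2 and 2001:cccc::2 match, and answers whether phase 1 is complete. The Site A output is the article's, laid out with two fields per line as the ASA prints it; the stalled (MM_WAIT_MSG2) and no-SA samples are constructed, and the exact wording of the no-SA message is an assumption.

```python
import ipaddress
import re

# 'show crypto ikev1 sa' output from the article (Site A), laid out as the ASA
# prints it: two "key : value" pairs per line under each peer entry.
SITE_A_OUTPUT = """\
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 2001:cccc::2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

# Constructed: the same peer stuck waiting for the responder's first main-mode
# message (typically the peer is unreachable or has no matching IKEv1 policy).
STALLED_OUTPUT = SITE_A_OUTPUT.replace("MM_ACTIVE", "MM_WAIT_MSG2")

# Constructed; the wording of the no-SA message is assumed, not taken from the article.
NO_SA_OUTPUT = "There are no IKEv1 SAs\n"

PEER_RE = re.compile(r"^\s*\d+\s+IKE Peer:\s*(\S+)")
FIELD_RE = re.compile(r"(Type|Role|Rekey|State)\s*:\s*(\S+)")
ESTABLISHED = {"MM_ACTIVE", "AM_ACTIVE"}  # main-mode / aggressive-mode complete


def parse_ikev1_sa(output):
    """Return one dict per IKE SA: peer (normalised address), type, role, rekey, state."""
    sas = []
    for line in output.splitlines():
        m = PEER_RE.match(line)
        if m:
            sas.append({"peer": ipaddress.ip_address(m.group(1))})
        elif sas:  # field lines belong to the most recent peer entry
            for key, value in FIELD_RE.findall(line):
                sas[-1][key.lower()] = value
    return sas


def tunnel_established(output, expected_peer):
    """True only when an L2L SA to expected_peer has completed phase 1."""
    want = ipaddress.ip_address(expected_peer)
    return any(sa["peer"] == want and sa.get("type") == "L2L"
               and sa.get("state") in ESTABLISHED for sa in parse_ikev1_sa(output))


def diagnose(output, expected_peer):
    """One-line verdict suitable for an operator or a monitoring check."""
    want = ipaddress.ip_address(expected_peer)
    for sa in parse_ikev1_sa(output):
        if sa["peer"] == want:
            state = sa.get("state", "?")
            return "up" if state in ESTABLISHED else f"negotiating ({state})"
    return "no IKE SA to peer"
```

diagnose(SITE_A_OUTPUT, "2001:CCCC::2") returns "up" for the article's output, while the stalled sample returns "negotiating (MM_WAIT_MSG2)", which is the cue to go to the debugs and packet-tracer mentioned in the final notes rather than to keep pinging.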
Final notes:
-The configuration is the same, except that the addresses are now written in the hexadecimal format IPv6 uses.
-There is no need for NAT exemption anymore.
-Debugs and packet-tracer are the same (for troubleshooting purposes). If you plan to use captures, remember that in IPv6 you cannot use the match keyword; you must match the capture with an IPv6 ACL.
-About IPv6 ACLs: before 9.0(1) you must create a dedicated IPv6 access-list for IPv6 traffic, as shown in this example, but starting with 9.0(1) the regular access-list syntax accepts IPv6 as well. So IPv6 and IPv4 can be used in the same ACL and there is no need to create a dedicated IPv6 access-list; in fact the ASA will not allow you to do that.
More related:
About Cisco IOS ver for 1941 router to do IPSec VPN tunnels (DMVPN)
Configuring Microsoft Lync to use Cisco 3925 as a PSTN Gateway
More Cisco products and Reviews you can visit: http://www.3anetwork.com/blog

3Anetwork.com is a world leading Cisco networking products wholesaler, we wholesale
original new Cisco networking equipments, including Cisco Catalyst switches, Cisco
routers, Cisco firewalls, Cisco wireless products, Cisco modules and interface cards
products at competitive price and ship to worldwide.
Our website: http://www.3anetwork.com
Telephone: +852-3069-7733
Email: info@3Anetwork.com
Address: 23/F Lucky Plaza, 315-321 Lockhart Road, Wanchai, Hongkong