[EVE-NG] ASA - Site to Site VPN between ASA and FTD (Using FDM)

Security

by 검은체리 2020. 1. 6. 10:56


- The EVE-NG network is bridged, so it sits on the same network as my PC's IP (192.168.2.0/24).

- My PC : 192.168.2.10/24

ISP_SW

interface Vlan1
 ip address 172.16.10.10 255.255.255.0
 no shut
!
ip route 0.0.0.0 0.0.0.0 172.16.10.1

ASAv


- See the previous post for the detailed configuration.
- The CLI configuration is shared below.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 111.111.111.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.10.1 255.255.255.0
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.2.22 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 111.111.111.1 1
route management 0.0.0.0 0.0.0.0 192.168.2.1 1
!
username admin password cisco privilege 15
http server enable
http 192.168.2.0 255.255.255.0 management
!
object network pWAS
 subnet 192.168.130.0 255.255.255.0
!
object network REMOTE
 host 172.16.10.10
!
access-list outside_cryptomap extended permit ip object REMOTE object pWAS
!
nat (inside,outside) source static REMOTE REMOTE destination static pWAS pWAS no-proxy-arp route-lookup
!
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
!
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 111.111.111.1
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
!
crypto ikev2 policy 1
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
!
group-policy GroupPolicy_111.111.111.1 internal
group-policy GroupPolicy_111.111.111.1 attributes
 vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
!
tunnel-group 111.111.111.1 type ipsec-l2l
tunnel-group 111.111.111.1 general-attributes
 default-group-policy GroupPolicy_111.111.111.1
tunnel-group 111.111.111.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco
 ikev2 local-authentication pre-shared-key cisco
!
policy-map global_policy
 class inspection_default
  inspect icmp
!

pWas_Switch

interface Vlan1
 ip address 192.168.130.10 255.255.255.0
 no shut
!
ip route 0.0.0.0 0.0.0.0 192.168.130.1

Connecting to Firepower (FDM)

- Login credentials after boot: admin / Admin123

- Set the management IP and password

- See the link below


Cisco Firepower Threat Defense for the ASA 5508-X and ASA 5516-X Using Firepower Management Center Quick Start Guide

This guide explains how to complete the initial configuration of your Firepower Threat Defense device and how to register the device to a Firepower Management Center.


- (For the Firepower VM) the web UI becomes reachable about 10 minutes after the IP is configured.


1. Interface IP configuration


2. Static routing


3. Objects


4. Site-to-Site VPN configuration

IKEv2 policy
IKEv2 IPsec proposal

5. Policies - NAT

6. Policies - Access control

7. In FDM, "Deploy" is required after making changes


✔ Verification

1. ISP_SW

ISP_SW#ping 192.168.130.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.130.10, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 7/34/62 ms

2. ASA

3. Windows 10

- ping from Windows 10 to ISP_SW 
