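#!/bin/sh
# Generate a minimal site-to-site VPN configuration pair: a satellite ASA 5505
# and the matching per-tunnel section of a central ASA 5510, built from the
# address parameters set below.
#
# Usage:   ./asavpn251 > asavpn251.cfg
# Outputs: ASA configuration commands on stdout; the informational banner and
#          any errors go to stderr so a captured stdout contains only config
#          text (lines starting with "!" are ASA comments).
# Requires: ./asa_sa in the current directory; it emits the per-tunnel
#          security-association lines and is invoked once per side.
# Edit the variables below to change the parameters.

# Banner goes to stderr on purpose: plain text such as "Generate asa vpn
# configs" is not a valid ASA command and must not land in the captured config.
echo "Generate asa vpn configs" >&2
echo "by William Burns" >&2
echo "(edit this script to change the paramters)" >&2
echo >&2

# When "true", an explicit " exit" is emitted after each interface block
# (presumably so the output can be pasted into an interactive session);
# any other value suppresses those lines.
LIVE=true

# central inside address
CEN_IN_ADD=10.192.119.249
CEN_IN_MASK=255.255.255.0
CEN_IN_GATE=10.192.119.254
# central outside address
CEN_OUT_ADD=10.192.210.6
CEN_OUT_MASK=255.255.255.0
CEN_OUT_GATE=10.192.210.60
CEN_NET=10.192.0.0
CEN_MASK=255.255.0.0
# satellite inside address
SAT_IN_ADD=10.192.251.254
SAT_IN_NET=10.192.251.0
SAT_IN_MASK=255.255.255.0
SAT_TUN_NAME=tun251
# satellite outside address
#SAT_OUT_ADD=192.168.1.2
#?
SAT_OUT_ADD=96.56.124.34
#SAT_OUT_MASK=255.255.255.0
#?
SAT_OUT_MASK=255.255.255.248
#SAT_OUT_GATE=192.168.1.1
#?
SAT_OUT_GATE=96.56.123.33
# NOTE(review): 96.56.123.33 is not inside the 96.56.124.32/29 subnet implied by
# SAT_OUT_ADD/SAT_OUT_MASK (255.255.255.248) — possibly a typo for 96.56.124.33;
# confirm against the satellite's upstream before deploying.
# satellite inside DHCP range
SAT_IN_DHCP_START=10.192.251.2
SAT_IN_DHCP_END=10.192.251.100

#######################################
# Emit " exit" to leave interface sub-mode, only when LIVE is exactly "true".
# The string comparison replaces running "$LIVE" as a command, so the
# variable's value is never executed.
# Globals:  LIVE (read)
# Outputs:  " exit" on stdout, or nothing
#######################################
emit_exit() {
  if [ "$LIVE" = true ]; then
    echo " exit"
  fi
}

#######################################
# Run the ./asa_sa helper, or report that the tunnel section is missing.
# A silently absent helper would yield a config with no security association,
# so the omission is reported on stderr instead of relying on the shell's
# "not found" message.
# Arguments: forwarded unchanged to ./asa_sa ($1 is the tunnel name)
# Outputs:   the helper's output on stdout; an error on stderr when missing
# Returns:   the helper's status, or 1 when it cannot be run
#######################################
emit_sa() {
  if [ -x ./asa_sa ]; then
    ./asa_sa "$@"
  else
    echo "error: ./asa_sa helper not found or not executable; tunnel config for $1 omitted" >&2
    return 1
  fi
}

# A security association defines the parameters for a one-way tunnel
echo "! Building a minimal VPN config to a Satellite 5505 at:"
echo "! ${SAT_IN_ADD}/${SAT_OUT_ADD} ${SAT_IN_MASK}/${SAT_OUT_MASK} ${SAT_IN_NET}/${SAT_OUT_GATE}"
echo "! from a central 5510 at:"
echo "! ${CEN_IN_ADD}/${CEN_OUT_ADD} ${CEN_IN_MASK}/${CEN_OUT_MASK} ${CEN_IN_GATE}/${CEN_OUT_GATE}"
echo
echo "! remote 5505 base config"
echo "int vlan1"
echo " ip address $SAT_IN_ADD $SAT_IN_MASK"
emit_exit
echo "management-access inside"
echo "int vlan2"
echo " ip address $SAT_OUT_ADD $SAT_OUT_MASK"
emit_exit
echo "route outside 0.0.0.0 0.0.0.0 $SAT_OUT_GATE"
echo "! route inside $CEN_NET $CEN_MASK $CEN_IN_GATE"
echo "access-list allowacl permit icmp any any"
echo "access-list allowacl permit ip any any"
echo "access-group allowacl in interface inside"
echo "access-group allowacl in interface outside"
echo "! dhcpd address ${SAT_IN_DHCP_START}-${SAT_IN_DHCP_END} inside"
echo "! dhcpd enable inside"
echo
echo "! satellite 5505 tunnel config"
echo "! send all non-local traffic through the tunnel"
echo
#./asa_sa ${SAT_TUN_NAME} $SAT_IN_NET $SAT_IN_MASK $SAT_OUT_GATE $CEN_NET $CEN_MASK $CEN_OUT_ADD
emit_sa "$SAT_TUN_NAME" "$SAT_IN_NET" "$SAT_IN_MASK" "$SAT_OUT_ADD" "$SAT_OUT_GATE" 0.0.0.0 0.0.0.0 "$CEN_OUT_ADD"
echo "! access-list outside permit ip any $SAT_IN_NET $SAT_IN_MASK"
echo "! access-list inside permit ip $SAT_IN_NET $SAT_IN_MASK any"
# The commented-out block below is an older hand-written IKEv1 policy kept for
# reference only: esp-3des, "hash sha" (SHA-1) and DH group 2 are legacy
# settings that are widely deprecated, and "UseABetterPassword" is a
# placeholder — a real pre-shared key must not be committed in this script.
#echo "access-list tun100 extended permit ip 0.0.0.0 0.0.0.0 $SAT_IN_NET $SAT_IN_MASK"
#echo "! route outside $CEN_NET $CEN_MASK $SAT_OUT_GATE"
#echo "crypto ipsec transform-set myset esp-3des esp-sha-hmac"
#echo "crypto map outside_map 20 match address tun100"
#echo "crypto map outside_map 20 set peer $CEN_OUT_ADD"
#echo "crypto map outside_map 20 set transform-set myset"
#echo "crypto map outside_map interface outside"
#echo "crypto isakmp enable outside"
#echo "crypto isakmp policy 10"
#echo " authentication pre-share"
#echo " encryption 3des"
#echo " hash sha"
#echo " group 2"
#echo " lifetime 86400"
#$LIVE && echo " exit"
#echo "tunnel-group $CEN_OUT_ADD ipsec-l2l"
#echo "tunnel-group $CEN_OUT_ADD ipsec-attributes"
#echo " pre-shared-key UseABetterPassword"
echo
echo "! #######################################"
echo
echo "! central 5510 base config"
echo "int Management0/0"
echo " ip address 192.168.101.1"
echo " !route management 192.168.101.254"
emit_exit
echo "dhcpd address 192.168.101.200 192.168.101.220 management"
echo "dhcpd enable management"
echo "int eth0/0"
echo " no shutdown"
echo " nameif outside"
echo " ip address $CEN_OUT_ADD $CEN_OUT_MASK"
emit_exit
echo "int eth0/1"
echo " no shutdown"
echo " nameif inside"
echo " ip address $CEN_IN_ADD $CEN_IN_MASK"
emit_exit
echo "route outside 0.0.0.0 0.0.0.0 $CEN_OUT_GATE"
echo "route inside 0.0.0.0 0.0.0.0 $CEN_IN_GATE tunneled"
echo "route inside $CEN_NET $CEN_MASK $CEN_IN_GATE"
echo "access-list inside permit icmp any any"
echo "access-list outside permit icmp any any"
echo "access-group inside in interface inside"
echo "access-group outside in interface outside"
echo "! central 5510 per-tunnel config"
echo
#echo ./asa_sa ${SAT_TUN_NAME} 0.0.0.0 0.0.0.0 $CEN_OUT_GATE $SAT_IN_NET $SAT_IN_MASK $SAT_OUT_ADD
emit_sa "$SAT_TUN_NAME" 0.0.0.0 0.0.0.0 "$CEN_OUT_ADD" "$CEN_OUT_GATE" "$SAT_IN_NET" "$SAT_IN_MASK" "$SAT_OUT_ADD"
echo "access-list inside extended permit ip 0.0.0.0 0.0.0.0 $SAT_IN_NET $SAT_IN_MASK"
echo "access-list outside extended permit ip $SAT_IN_NET $SAT_IN_MASK 0.0.0.0 0.0.0.0"
# Same legacy IKEv1 reference block as above, central side; see the note there.
#echo "access-list tun100 extended permit ip $SAT_IN_NET $SAT_IN_MASK 0.0.0.0 0.0.0.0"
#echo "access-list tun100 extended permit ip 0.0.0.0 0.0.0.0 $CEN_NET $CEN_MASK"
#echo "route outside $SAT_OUT_ADD $SAT_OUT_MASK $CEN_OUT_GATE"
#echo "crypto ipsec transform-set myset esp-3des esp-sha-hmac"
#echo "crypto map outside_map 20 match address tun100"
#echo "crypto map outside_map 20 set peer $SAT_OUT_ADD"
#echo "crypto map outside_map 20 set transform-set myset"
#echo "crypto map outside_map interface outside"
#echo "crypto isakmp enable outside"
#echo "crypto isakmp policy 10"
#echo " authentication pre-share"
#echo " encryption 3des"
#echo " hash sha"
#echo " group 2"
#echo " lifetime 86400"
#$LIVE && echo " exit"
#echo "tunnel-group $SAT_OUT_ADD type ipsec-l2l"
#echo "tunnel-group $SAT_OUT_ADD ipsec-attributes"
#echo " pre-shared-key UseABetterPassword"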