Cisco Identity Services Engine 1.2 Technical Manual

crypto map CM1 10 ipsec-isakmp dynamic DMAP1
crypto map CM1 interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
ip local pool VPN 192.168.5.1-192.168.5.100
!
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.101.3
!--- The VPN user needs to be able to resolve the CN from the
!--- ISE HTTPS certificate (which is sent in the RADIUS response)
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 address-pools value VPN
!
tunnel-group cisco general-attributes
 address-pool VPN
 authentication-server-group ISE
 accounting-server-group ISE
!--- Does not work without this (see introduction)
!
tunnel-group cisco ipsec-attributes
 pre-shared-key cisco
!
route outside 0.0.0.0 0.0.0.0 10.48.39.5 1
route ISE 192.168.0.0 255.255.0.0 192.168.102.254 1
!--- You need to make sure that traffic to the local subnets
!--- is going through the inline ISE
!
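As an added check that is not part of the Cisco document, the following Python script parses an ASA configuration excerpt and verifies the three requirements the comments above call out: accounting sent to the same ISE server group as authentication, a DNS server pushed to VPN users, and local-subnet routes pointing at the iPEP untrusted IP. The excerpt is constructed to mirror the configuration above, and the function names are my own.

```python
"""Check an ASA remote-access VPN config for the ISE inline posture (iPEP) requirements."""
import ipaddress
# Constructed excerpt of the ASA configuration above, using ASA's one-space child indentation.
ASA_CONFIG = """\
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.101.3
 address-pools value VPN
tunnel-group cisco general-attributes
 address-pool VPN
 authentication-server-group ISE
 accounting-server-group ISE
route outside 0.0.0.0 0.0.0.0 10.48.39.5 1
route ISE 192.168.0.0 255.255.0.0 192.168.102.254 1
"""
def parse_blocks(config):
    """Map each top-level command to its indented child lines (comments and blanks skipped)."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif not line.startswith(" "):
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks
def check_ipep_requirements(config, ipep_untrusted_ip, local_subnets):
    """Return findings for the three requirements flagged in the ASA comments; [] means all met."""
    blocks = parse_blocks(config)
    findings = []
    for name, lines in blocks.items():
        # 1. Accounting must go to the same ISE group as authentication (page: does not work without it).
        if name.startswith("tunnel-group") and name.endswith("general-attributes"):
            auth = next((l.split()[-1] for l in lines if l.startswith("authentication-server-group")), None)
            acct = next((l.split()[-1] for l in lines if l.startswith("accounting-server-group")), None)
            if auth and acct != auth:
                findings.append(f"{name}: accounting-server-group should be {auth}, found {acct}")
        # 2. VPN users must resolve the CN of the ISE HTTPS certificate, so a DNS server must be pushed.
        if name.startswith("group-policy") and not any(l.startswith("dns-server value") for l in lines):
            findings.append(f"{name}: no dns-server value for VPN users")
    # 3. Local subnets must be routed through the inline iPEP (its untrusted interface IP).
    routes = [n.split() for n in blocks if n.startswith("route ") and len(n.split()) >= 5]
    for subnet in local_subnets:
        net = ipaddress.ip_network(subnet)
        via_ipep = any(ipaddress.ip_network(f"{r[2]}/{r[3]}", strict=False).supernet_of(net)
                       and r[4] == ipep_untrusted_ip for r in routes)
        if not via_ipep:
            findings.append(f"{subnet}: no route via iPEP untrusted IP {ipep_untrusted_ip}")
    return findings
```

Run `check_ipep_requirements(ASA_CONFIG, "192.168.102.254", ["192.168.101.0/24"])` against a real `show running-config` export; an empty list means all three requirements are met.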
ISE Configuration
iPEP Configuration
The first thing to do is to add an ISE as an iPEP node. You can find additional information about the process here: http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_ipep_deploy.html#wp1110248.
This is basically what you have to configure in the various tabs (the screenshots provided in this section illustrate this):
• Configure the untrusted IP and the Global IP settings (in this case, the untrusted IP is 192.168.102.254).
• Deployment is in routed mode.
• Put a static filter in place so that the ASA is allowed to go through the iPEP box (otherwise, connectivity to/from the ISE through the iPEP box is dropped).
• Configure the Policy ISE as the RADIUS server and the ASA as the RADIUS client.
• Add a route to the VPN subnet that points to the ASA.