Lesson 16 Flashcards
Configure an IKE Phase One Policy
fw1(config)# crypto ikev1 enable outside
fw1(config)# isakmp policy 10
fw1(config-isakmp-policy)# encryption aes
fw1(config-isakmp-policy)# hash sha
fw1(config-isakmp-policy)# authentication pre-share
fw1(config-isakmp-policy)# group 2
fw1(config-isakmp-policy)# lifetime 86400
Configuring Tunnel Groups: IPsec Attributes
fw1(config)# tunnel-group ipsec-attributes
fw1(config)# tunnel-group 172.16.2.1 ipsec-attributes
fw1(config-tunnel-ipsec)# pre-shared-key cisco123
fw2(config)# tunnel-group ipsec-attributes
fw2(config)# tunnel-group 172.16.1.1 ipsec-attributes
fw2(config-tunnel-ipsec)# pre-shared-key cisco123
Configuring Interesting Traffic: Crypto ACLs
fw1(config)# access-list CRYPTOACL permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
fw2(config)# access-list CRYPTOACL permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
Configure an IPsec Transform Set
fw1(config)# crypto ipsec transform-set FW2 esp-aes esp-sha-hmac
Configure the Crypto Map
fw1(config)# crypto map FW1MAP 10 match address CRYPTOACL
fw1(config)# crypto map FW1MAP 10 set peer 172.16.2.1
fw1(config)# crypto map FW1MAP 10 set transform-set FW2
fw1(config)# crypto map FW1MAP 10 set security-association lifetime seconds 28800
Apply the Crypto Map to an Interface
fw1(config)# crypto map FW1MAP interface outside