Monday, May 27, 2013

Configuring Site-to-Site VPN in ASA firewall

VPN is used to create a secure connection over an insecure network (Internet).The internet is an insecure medium, so the data pass through the internet cannot be reliable. We cannot be sure about the security of the data. To provide security of the data through internet, we can use VPN.
There is a wide variety of VPNs available nowadays. The VPN supportedby the appliance include
 IPSec VPN
SSL VPN(web VPN)
PPTP (Point to Point Tunneling Protocol)
L2TP (Layer 2 Tunneling Protocol)



What is a Site-to-Site VPN?
site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. Site-to-site VPN extends the company's network, making computer resources from one location available to employees at other locations. An example of a company that needs a site-to-site VPN is a growing corporation with dozens of branch offices around the world.

For the Site-to Site VPN we have to configure in both ends (firewalls).

The configuration of VPN is a two step process.

  1. IPSec Phase 1 configuration
  2. IPSec Phase 2 configuration 

Configuration of IPSec Site-to-Site VPN

You can configure the same Site-to-Site VPN using the ASDM. But I prefer to use the CLI.



I hope you already know something about the ISAKMP process and the steps it would take for initiating a connection. So we are not going to discuss that in this scenario.
First we have to set IP and Routing in all these Devices. We will use OSPF protocol for routing.

R2 Router

R2#conf t
R2(config)#interface e1/0
R2(config-if)#ip add 10.0.0.2 255.0.0.0
R2(config-if)#no shut
R2(config-if)#exit
R2(config)#router ospf 1
R2(config-router)#network 10.0.0.0 255.0.0.0 area 0

R3 Router


R3#conf t
R3(config)#interface e1/0
R3(config-if)#ip add 30.0.0.2 255.0.0.0
R3(config-if)#no shut
R3(config-if)#exit
R3(config)#router ospf  1
R3(config-router)#network 30.0.0.0 255.0.0.0 area 1

ASA1

Asa#config t
Asa(config)#int e0/0
Asa(config-if)#ip add 10.0.0.1 255.0.0.0
Asa(config-if)#nameif inside
Asa(config-if)#no shut
Asa(config-if)#exit

Asa(config)#int e0/1
Asa(config-if)#ip add 20.0.0.1 255.0.0.0
Asa(config-if)#nameif outside
Asa(config-if)#no shut
Asa(config-if)#exit

Asa(config)#router ospf 1
Asa(config-router)#network 10.0.0.0 255.0.0.0 area 0
Asa(config-router)#network 20.0.0.0 255.0.0.0 area 1
Asa(config-router)#exit

we will add an access list that will permit the ICMP protocol. It would be helpful if we allow the ping request to pass through your appliance.

Asa (config)#access-list  INBOUND_ACL extended permit icmp any any echo
Asa (config)#access-list  INBOUND_ACL extended permit icmp any any echo-reply
Asa (config)#access-list  INBOUND_ACL extended permit icmp any any source-quench
Asa (config)#access-list  INBOUND_ACL extended permit icmp any any time-exceeded
Asa (config)#access-list  INBOUND_ACL extended permit icmp any any unreachable
Asa (config)#access-list  INBOUND_ACL extended permit icmp any any
Asa (config)#access-group  INBOUND_ACL in interface outside

Now we will create an ISAKMP policy 

Asa(config)#crypto isakmp policy 1
Asa(config-isakmp-policy)#authentication pre-share
Asa(config-isakmp-policy)#encryption aes-256
Asa(config-isakmp-policy)#hash sha
Asa(config-isakmp-policy)#group 2
Asa(config-isakmp-policy)#lifetime 86400
Asa(config-isakmp-policy)#exit
Asa(config)#tunnel-group  20.0.0.2  type   ipsec-l2l
Asa(config)#tunnel-group   20.0.0.2  ipsec-attributes
Asa(config-tunnel-ipsec)#pre-shared-key    cisco
Asa(config)#access-list encrypt_acl extended permit ip 30.0.0.0 255.0.0.0   10.0.0.0 255.0.0.0
Asa(config)#nat    (inside)   0   access-list encrypt-acl
Asa(config)#crypto    ipsec   transform-set    myset    esp-aes-256  esp-sha-hmac
Asa(config)#crypto   map   IPSECMAP   10  match   address   encrypt_acl
Asa(config)#crypto   map   IPSECMAP   10  set peer    20.0.0.2
Asa(config)#crypto   map   IPSECMAP   10 set  transform-set  myset
Asa(config)#crypto   map   IPSECMAP   interface outside
Asa(config)#crypto   isakmp  enable  outside

We have to do the same configurations in the second ASA also, make sure you are typing the same pre-shared key and encryption algorithm and also pay attention to the lifetime.
ASA2

Asa#config t
Asa(config)#int e0/1
Asa(config-if)#ip add 30.0.0.1 255.0.0.0
Asa(config-if)#nameif inside
Asa(config-if)#no shut
Asa(config-if)#exit

Asa(config)#int e0/0
Asa(config-if)#ip add 20.0.0.2 255.0.0.0
Asa(config-if)#nameif outside
Asa(config-if)#no shut
Asa(config-if)#exit

Asa(config)#router ospf 1
Asa(config-router)#network 30.0.0.0 255.0.0.0 area 1
Asa(config-router)#network 20.0.0.0 255.0.0.0 area 1
Asa(config-router)#exit

Asa (config)#access-list  INBOUND_ACL extended permit icmp any any echo
Asa (config)#access-list  INBOUND_ACL extended permit icmp any any echo-reply
Asa (config)#access-list  INBOUND_ACL extended permit icmp any any source-quench
Asa (config)#access-list  INBOUND_ACL extended permit icmp any any time-exceeded
Asa (config)#access-list  INBOUND_ACL extended permit icmp any any unreachable
Asa (config)#access-list  INBOUND_ACL extended permit icmp any any
Asa (config)#access-group  INBOUND_ACL extended in interface outside

Asa(config)#crypto isakmp policy 1
Asa(config-isakmp-policy)#authentication pre-share
Asa(config-isakmp-policy)#encryption aes-256
Asa(config-isakmp-policy)#hash sha
Asa(config-isakmp-policy)#group 2
Asa(config-isakmp-policy)#lifetime 86400
Asa(config-isakmp-policy)#exit
Asa(config)#tunnel-group  20.0.0.1  type   ipsec-l2l
Asa(config)#tunnel-group   20.0.0.1  ipsec-attributes
Asa(config-tunnel-ipsec)#pre-shared-key    cisco
Asa(config)#access-list encrypt_acl extended permit ip 10.0.0.0 255.0.0.0   30.0.0.0 255.0.0.0
Asa(config)#nat    (inside)   0   access-list encrypt-acl
Asa(config)#crypto    ipsec   transform-set    myset    esp-aes-256  esp-sha-hmac
Asa(config)#crypto   map   IPSECMAP   10  match   address   encrypt_acl
Asa(config)#crypto   map   IPSECMAP   10  set peer    20.0.0.1
Asa(config)#crypto   map   IPSECMAP   10 set  transform-set  myset
Asa(config)#crypto   map   IPSECMAP   interface outside
Asa(config)#crypto   isakmp  enable  outside

In these commands we set VPN for the IP traffic.

If we need to check the ICMP traffic…then you have to permit ICMP traffic through VPN

For that in each ASA please enter this command

Ciscoasa(config)#access-list   encrypt_acl   extended permit   icmp   any   any



For verifying the VPN use the command

Ciscoasa(config)#debug   crypto   isakmp   127

 After setting all these configuration and if you start a ping from one router to another. It will trigger the VPN tunnel and automatically start the site-to-site VPN.




Posted by at

1 comment:

  1. UnknownJuly 15, 2019 at 1:45 AM

    Thank you a bunch for sharing this with all of us you actually realize what you are talking about! Bookmarked. Please also seek advice from my site =). We could have a hyperlink change contract between us! save money with vpn

    ReplyDelete

Subscribe to: Post Comments (Atom)