Nextelco:VPN setup
From its-wiki.no
VPN
Cisco ASA supports different types of VPNs. In this section Lan2Lan or Site2Site IPsec VPN is explained. We have two ASA 5505 devices and we want to create an IPsec VPN. The following figure shows the network diagram.
In order to set up the VPN we will start with ASA1 configuration. We assume that ASA is not configured yet.
- Connect from console port, configure hostname, interfaces and ssh connection.
- Now we can establish ssh connection and configure it through User 1 pc. So let start with some preliminary steps. We are going to configure some network objects in order to identify our local and remote inside subnets.
- Next we are going to configure the access control lists. These access control lists will identify the traffic flows, identifying the traffic that goes from our inside subnet to the remote inside subnet.
- So now we will configure the tunnel.
- Firts of all, we will enable isakmp in the outside interface. isakmp (Internet Security Association Key Management Protocol) is the hand-shake part of the configuration.
- Then we set up tunnel's remote ip address and the type of tunnel. In this case Lan2Lan (l2l).
- Establish the tunnel attributes
- The first attribute will be the pre-shared key
- Keepalive time
- After setting the preliminary configuration let continue with tunnel phase 1 (hand-shake [key exchange])
- First we will set that we are going to use pre-shared key
- Next we need to set our encryption
- The hashing algorithm
- Finally the diffie-helman group and the key livetime
- Now is time for phase 2 (setting up the tunnel)
- The first thing is to define the transform set
- Now we have to map the cryptomap to the access control list
- Then we are going to configure perfect forwarding secrecy which randomizes TCP sequence numbers adding another layer of security
- Next we are going to identify our peer, the other end of the connection
- Then we are going to say to our cryptomap which transform set to use
- Finally we are going to apply the cryptomap to the outside interface
- So now we are going to configure NAT in order to specify not to translate this addresses.
- Finally we are going to configure the default route
ciscoasa>enable Password: ciscoasa#configure terminal ciscoasa(config)#hostname ASA1 ASA1(config)#interface vlan 1 ASA1(config-if)#ip address 192.168.1.1 255.255.255.0 ASA1(config-if)#nameif inside INFO: Security level for "inside" set to 100 by default. ASA1(config-if)#interface vlan 2 ASA1(config-if)#ip address 10.10.10.1 255.255.255.0 ASA1(config-if)#nameif outside INFO: Security level for "outside" set to 0 by default. ASA1(config-if)#exit ASA1(config)#interface ethernet0/0 ASA1(config-if)#switchport access vlan 2 ASA1(config-if)#no shutdown ASA1(config-if)#exit ASA1(config)#interface ethernet0/1 ASA1(config-if)#no shutdown ASA1(config-if)#exit ASA1(config)#username basicinternet password basicinternet privilege 15 ASA1(config)#crypto key generate rsa modulus 2048 WARNING: You have a RSA keypair already defined name <Default-RSA-Key>. Do you really want to replace them? [yes/no]: yes Keypair generation process begin. Please wait... ASA1(config)#aaa authentication ssh console LOCAL ASA1(config)#ssh 192.168.1.0 255.255.255.0 inside ASA1(config)#write memory ASA1(config)#exit ASA1#exit ASA1>
terminal$ ssh basicinternet@192.168.1.1 basicinternet@192.168.1.1's password: ASA1>enable Password: ASA1#configure terminal ASA1(config)#object network net-local ASA1(config-network-object)#subnet 192.168.1.0 255.255.255.0 ASA1(config-network-object)#object network net-remote ASA1(config-network-object)#subnet 192.168.2.0 255.255.255.0 ASA1(config-network-object)#exit ASA1(config)#
ASA1(config)#access-list outside_1_cryptomap permit ip object net-local object net-remote
ASA1(config)#crypto isakmp enable outside
ASA1(config)#tunnel-group 10.10.10.2 type ipsec-l2l
ASA1(config)#tunnel-group 10.10.10.2 ipsec-attributes
ASA1(config-tunnel-ipsec)#pre-shared-key whatever
ASA1(config-tunnel-ipsec)#isakmp keepalive threshold 10 retry 2 ASA1(config-tunnel-ipsec)#exit
ASA1(config)#crypto isakmp policy (1-65534) authentication pre-share
ASA1(config)#crypto isakmp policy 10 encrypt 3des
ASA1(config)#crypto isakmp policy 10 hash sha
ASA1(config)#crypto isakmp policy 10 group 2 ASA1(config)#crypto isakmp policy 10 lifetime 86400
ASA1(config)#crypto ipsec transform-set ESP-3DES-SHA esp-des esp-sha-hmac
ASA1(config)#crypto map outside_map 1 match address outside_1_cryptomap
ASA1(config)#crypto map outside_map 1 set pfs group1
ASA1(config)#crypto map outside_map 1 set peer 10.10.10.2
ASA1(config)#crypto map outside_map 1 set transform-set ESP-3DES-SHA
ASA1(config)#crypto map outside_map interface outside
ASA1(config)#nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
ASA1(config)#route outside 0 0 default-gateway-ip
So lets continue with ASA2 configuration. We assume that ASA is not configured yet.
- Connect from console port, configure hostname, interfaces and ssh connection.
- Now we can establish ssh connection and configure it through User 1 pc. So let start with some preliminary steps. We are going to configure some network objects in order to identify our local and remote inside subnets.
- Next we are going to configure the access control lists. These access control lists will identify the traffic flows, identifying the traffic that goes from our inside subnet to the remote inside subnet.
- So now we will configure the tunnel.
- Firts of all, we will enable isakmp in the outside interface. isakmp (Internet Security Association Key Management Protocol) is the hand-shake part of the configuration.
- Then we set up tunnel's remote ip address and the type of tunnel. In this case Lan2Lan (l2l).
- Establish the tunnel attributes
- The first attribute will be the pre-shared key
- Keepalive time
- After setting the preliminary configuration let continue with tunnel phase 1 (hand-shake [key exchange])
- First we will set that we are going to use pre-shared key
- Next we need to set our encryption
- The hashing algorithm
- Finally the diffie-helman group and the key livetime
- Now is time for phase 2 (setting up the tunnel)
- The first thing is to define the transform set
- Now we have to map the cryptomap to the access control list
- Then we are going to configure perfect forwarding secrecy which randomizes TCP sequence numbers adding another layer of security
- Next we are going to identify our peer, the other end of the connection
- Then we are going to say to our cryptomap which transform set to use
- Finally we are going to apply the cryptomap to the outside interface
- So now we are going to configure NAT in order to specify not to translate this addresses.
- Finally we are going to configure the default route
ciscoasa>enable Password: ciscoasa#configure terminal ciscoasa(config)#hostname ASA2 ASA2(config)#interface vlan 1 ASA2(config-if)#ip address 192.168.2.1 255.255.255.0 ASA2(config-if)#nameif inside INFO: Security level for "inside" set to 100 by default. ASA2(config-if)#interface vlan 2 ASA2(config-if)#ip address 10.10.10.2 255.255.255.0 ASA2(config-if)#nameif outside INFO: Security level for "outside" set to 0 by default. ASA2(config-if)#exit ASA2(config)#interface ethernet0/0 ASA2(config-if)#switchport access vlan 2 ASA2(config-if)#no shutdown ASA2(config-if)#exit ASA2(config)#interface ethernet0/1 ASA2(config-if)#no shutdown ASA2(config-if)#exit ASA2(config)#username basicinternet password basicinternet privilege 15 ASA2(config)#crypto key generate rsa modulus 2048 WARNING: You have a RSA keypair already defined name <Default-RSA-Key>. Do you really want to replace them? [yes/no]: yes Keypair generation process begin. Please wait... ASA2(config)#aaa authentication ssh console LOCAL ASA2(config)#ssh 192.168.2.0 255.255.255.0 inside ASA2(config)#write memory ASA2(config)#exit ASA2#exit ASA2>
terminal$ ssh basicinternet@192.168.2.1 basicinternet@192.168.2.1’s password: ASA2>enable Password: ASA2#configure terminal ASA2(config)#object network net-local ASA2(config-network-object)#subnet 192.168.2.0 255.255.255.0 ASA2(config-network-object)#object network net-remote ASA2(config-network-object)#subnet 192.168.1.0 255.255.255.0 ASA2(config-network-object)#exit ASA2(config)#
ASA2(config)#access-list outside_1_cryptomap permit ip object net-local object net-remote
ASA2(config)#crypto isakmp enable outside
ASA2(config)#tunnel-group 10.10.10.1 type ipsec-l2l
ASA2(config)#tunnel-group 10.10.10.1 ipsec-attributes
ASA2(config-tunnel-ipsec)#pre-shared-key whatever
ASA2(config-tunnel-ipsec)#isakmp keepalive threshold 10 retry 2 ASA2(config-tunnel-ipsec)#exit
ASA2(config)#crypto isakmp policy (1-65534) authentication pre-share
ASA2(config)#crypto isakmp policy 10 encrypt 3des
ASA2(config)#crypto isakmp policy 10 hash sha
ASA2(config)#crypto isakmp policy 10 group 2 ASA2(config)#crypto isakmp policy 10 lifetime 86400
ASA2(config)#crypto ipsec transform-set ESP-3DES-SHA esp-des esp-sha-hmac
ASA2(config)#crypto map outside_map 1 match address outside_1_cryptomap
ASA2(config)#crypto map outside_map 1 set pfs group1
ASA2(config)#crypto map outside_map 1 set peer 10.10.10.1
ASA2(config)#crypto map outside_map 1 set transform-set ESP-3DES-SHA
ASA2(config)#crypto map outside_map interface outside
ASA2(config)#nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
ASA2(config)#route outside 0 0 default-gateway-ip
These are all the steps, now we should be able to ping User 2 computer from User 1 computer.