Configuring a Site-to-Site VPN between two ASA (8.4.2) firewalls

Posted: August 4, 2015 in CISCO

We already configured a site-to-site VPN between Cisco routers (https://geekdudes.wordpress.com/2015/07/29/configuring-a-site-to-site-vpn-on-cisco-router/). The concept is the same: we need an IKEv1 (ISAKMP) policy (authentication, encryption, hash algorithm, lifetime, DH group), a transform set, an ACL that defines which traffic will be encrypted, and a crypto map that ties them together.


To avoid issues when running two emulated ASAs at the same time (one ASA "freezes"), pin each qemu process to a different CPU core:

R3 configuration (the router between the two ASAs' outside interfaces):

interface FastEthernet0/0
ip address 200.200.200.2 255.255.255.0
!
interface FastEthernet0/1
ip address 100.100.100.1 255.255.255.0
!
interface FastEthernet1/0
ip address 192.168.12.2 255.255.255.0
!
router eigrp 20
network 100.0.0.0
network 192.168.12.0
network 200.200.200.0
no auto-summary

R2 (simulates a client behind ASA2):

interface FastEthernet0/0
ip address 10.10.10.3 255.255.255.0
!
router eigrp 20
network 10.10.10.0 0.0.0.255
no auto-summary

ASA1:

interface GigabitEthernet0
nameif outside
security-level 0
ip address 200.200.200.1 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 172.16.3.1 255.255.255.0
!
router eigrp 20
network 172.16.3.0 255.255.255.0
network 200.200.200.0 255.255.255.0
no auto-summary

ASA2:

interface GigabitEthernet0
nameif outside
security-level 0
ip address 100.100.100.2 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.10.10.2 255.255.255.0

router eigrp 20
no auto-summary
network 10.10.10.0 255.255.255.0
network 100.100.100.0 255.255.255.0

Configuring ASA1

Create an access list on the outside interface. As written it lets any source reach the inside network 172.16.3.0/24, which is acceptable in this closed lab but not on a real firewall; there, restrict it to the sources and services that must be reachable from outside. The VPN itself does not depend on this ACL: with the ASA default sysopt connection permit-vpn, traffic arriving through the tunnel bypasses the outside interface ACL.

ASA1(config)# access-list 110 extended permit ip any 172.16.3.0 255.255.255.0
ASA1(config)# access-group 110 in interface outside

Create network objects for the local and remote subnets, the ACL that defines which traffic will be encrypted, and a dynamic PAT rule that translates the inside hosts so that their traffic appears to originate from ASA1's outside interface. Object NAT applies to the object it is configured under, so the nat command must be entered under local_net (entering it under remote_net would translate the remote subnet instead):

ASA1(config)# object network local_net
ASA1(config-network-object)# subnet 172.16.3.0 255.255.255.0
ASA1(config-network-object)# nat (inside,outside) dynamic interface
ASA1(config-network-object)# object network remote_net
ASA1(config-network-object)# subnet 10.10.10.0 255.255.255.0
ASA1(config-network-object)# exit
ASA1(config)# access-list 120 extended permit ip object local_net object remote_net

For IPsec to encrypt traffic between the two LANs with its real addresses, the "interesting" traffic defined by ACL 120 must be exempted from translation. A manual (twice) NAT identity rule does this; manual NAT is evaluated before object NAT, so these packets skip the PAT rule above and still match the crypto ACL:

ASA1(config)# nat (inside,outside) source static local_net local_net destination static remote_net remote_net

Create the IKEv1 (phase 1) policy, which defines how ASA1 and ASA2 authenticate each other and protect the key exchange (the peers agree on these parameters and derive shared keys from them). On 8.4 the isakmp policy command is accepted and converted to crypto ikev1 policy, which is why the prompt changes to config-ikev1-policy. 3DES, SHA-1 and DH group 5 are what this lab uses; for a production tunnel prefer AES (encryption aes-256) and the largest DH group the release supports.

ASA1(config)# isakmp policy 10
ASA1(config-ikev1-policy)# authentication pre-share
ASA1(config-ikev1-policy)# hash sha
ASA1(config-ikev1-policy)# group 5
ASA1(config-ikev1-policy)# encryption 3des
ASA1(config-ikev1-policy)# lifetime 3600
ASA1(config-ikev1-policy)# exit

Enable IKEv1 on ASA1's outside interface and have the ASA identify itself to its peer by IP address (the pre-shared key is then looked up by that address):

ASA1(config)# isakmp enable outside
ASA1(config)# isakmp identity address

Create the tunnel group that holds the peer-specific settings for the tunnel between the two networks (172.16.3.0 and 10.10.10.0). For a LAN-to-LAN tunnel the name of the tunnel group is the IP address of the VPN peer (ASA2's outside interface, 100.100.100.2). The pre-shared key "cisco" is a lab placeholder; use a long random key, unique per peer, on a real tunnel.

ASA1(config)# tunnel-group 100.100.100.2 type ipsec-l2l
ASA1(config)# tunnel-group 100.100.100.2 ipsec-attributes
! pre-shared key as a tunnel-group attribute; must match the key on ASA2
ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key cisco
ASA1(config-tunnel-ipsec)# exit

Now that the tunnel is defined, we must protect the data that crosses it (phase 2). A transform set names the ESP encryption and integrity algorithms that IPsec will negotiate. esp-3des with esp-md5-hmac is what this lab uses; on a production tunnel prefer esp-aes-256 with esp-sha-hmac (or a SHA-2 HMAC where the release supports it).

ASA1(config)# crypto ipsec ikev1 transform-set mytransformset esp-3des esp-md5-hmac

We can now tie these pieces together in a crypto map, which lists the IPsec security association (SA) parameters the peers negotiate when the tunnel comes up. The crypto map mymap, sequence number 10, matches ACL 120 (created earlier), sets the peer (ASA2) and references the transform set we just created.

Perfect forward secrecy (PFS) forces a fresh Diffie-Hellman exchange every time the IPsec SA is keyed or rekeyed, so the data keys are not derived from the phase 1 keying material. If one key is later compromised, traffic protected under other keys is not exposed. On the ASA, set pfs without a group argument uses DH group 2; specify a larger group where the release allows it.

The security association lifetime is the lifetime of the keys that the tunnel uses to encrypt data. When the timer runs out the peers negotiate new keys.

ASA1(config)# crypto map mymap 10 match address 120
ASA1(config)# crypto map mymap 10 set peer 100.100.100.2
ASA1(config)# crypto map mymap 10 set ikev1 transform-set mytransformset
ASA1(config)# crypto map mymap 10 set pfs
ASA1(config)# crypto map mymap 10 set security-association lifetime seconds 3600
! apply the crypto map to the outside interface
ASA1(config)# crypto map mymap interface outside

Mirror the same settings on ASA2 (local and remote subnets swap places, and the peer is now ASA1's outside address):

! Network objects, dynamic PAT (under the local object) and NAT exemption
ASA2(config)# object network local_net
ASA2(config-network-object)# subnet 10.10.10.0 255.255.255.0
ASA2(config-network-object)# nat (inside,outside) dynamic interface
ASA2(config-network-object)# object network remote_net
ASA2(config-network-object)# subnet 172.16.3.0 255.255.255.0
ASA2(config-network-object)# exit
ASA2(config)# access-list 120 extended permit ip object local_net object remote_net
ASA2(config)# nat (inside,outside) source static local_net local_net destination static remote_net remote_net
! IKEv1 (ISAKMP) policy; every attribute must match ASA1's
ASA2(config)# isakmp policy 10
ASA2(config-ikev1-policy)# authentication pre-share
ASA2(config-ikev1-policy)# hash sha
ASA2(config-ikev1-policy)# group 5
ASA2(config-ikev1-policy)# encryption 3des
ASA2(config-ikev1-policy)# lifetime 3600
ASA2(config-ikev1-policy)# exit
! Enable IKEv1 on the outside interface
ASA2(config)# isakmp enable outside
ASA2(config)# isakmp identity address
! Tunnel group named after ASA1's outside interface address
ASA2(config)# tunnel-group 200.200.200.1 type ipsec-l2l
ASA2(config)# tunnel-group 200.200.200.1 ipsec-attributes
! pre-shared key as a tunnel-group attribute; must match the key on ASA1
ASA2(config-tunnel-ipsec)# ikev1 pre-shared-key cisco
ASA2(config-tunnel-ipsec)# exit
! Transform set
ASA2(config)# crypto ipsec ikev1 transform-set mytransformset esp-3des esp-md5-hmac
! Crypto map
ASA2(config)# crypto map mymap 10 match address 120
ASA2(config)# crypto map mymap 10 set peer 200.200.200.1
ASA2(config)# crypto map mymap 10 set ikev1 transform-set mytransformset
ASA2(config)# crypto map mymap 10 set pfs
ASA2(config)# crypto map mymap 10 set security-association lifetime seconds 3600
! apply the crypto map to the outside interface
ASA2(config)# crypto map mymap interface outside
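Before bringing the tunnel up it pays to check that the two sides really mirror each other, because a single mismatched attribute is the usual reason phase 1 or phase 2 never completes. The checker below is an added example, not code from this post and not a Cisco tool: it parses the two config fragments above (rendered here from one template with the page's addresses, so the input is constructed) and reports the mismatches that matter for an IKEv1 LAN-to-LAN tunnel: peer address versus the other side's outside interface, tunnel group and pre-shared key, IKE policy attributes, transform set, mirrored crypto ACLs, the NAT exemption, and the object that carries the dynamic PAT rule. It also lists the weak algorithms the lab settings select. The template text, parser and function names (parse_asa, check_pair, weak_crypto) are all assumptions of this example, and the parser only understands the 8.3+ object syntax used on this page.

```python
"""Pre-flight symmetry check for an ASA 8.4 IKEv1 site-to-site pair.

Added example, not code from the original post or from Cisco: it parses the two
config fragments from the page and reports the mismatches that most often leave
phase 1 or phase 2 failing, plus the object-NAT placement mistake.
"""
import re

# Constructed input: both peers rendered from one template with the page's addresses.
TEMPLATE = """\
interface GigabitEthernet0
 nameif outside
 ip address {outside} 255.255.255.0
object network local_net
 subnet {local} 255.255.255.0
 nat (inside,outside) dynamic interface
object network remote_net
 subnet {remote} 255.255.255.0
access-list 120 extended permit ip object local_net object remote_net
nat (inside,outside) source static local_net local_net destination static remote_net remote_net
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 5
tunnel-group {peer} type ipsec-l2l
tunnel-group {peer} ipsec-attributes
 ikev1 pre-shared-key cisco
crypto ipsec ikev1 transform-set mytransformset esp-3des esp-md5-hmac
crypto map mymap 10 match address 120
crypto map mymap 10 set peer {peer}
crypto map mymap 10 set ikev1 transform-set mytransformset
crypto map mymap 10 set pfs
crypto map mymap interface outside
"""
ASA1 = TEMPLATE.format(outside="200.200.200.1", local="172.16.3.0", remote="10.10.10.0", peer="100.100.100.2")
ASA2 = TEMPLATE.format(outside="100.100.100.2", local="10.10.10.0", remote="172.16.3.0", peer="200.200.200.1")

# Algorithms ASA 8.4 IKEv1 still negotiates but that have no place in a new tunnel.
WEAK = {"des", "3des", "md5", "group 1", "group 2", "group 5", "esp-des", "esp-3des", "esp-md5-hmac"}


def parse_asa(text):
    """Pull the VPN-relevant pieces out of an ASA config fragment (8.3+ object syntax)."""
    cfg = {"objects": {}, "cmap": {}}
    m = re.search(r"nameif outside\n(?: .*\n)*? ip address (\S+)", text)
    cfg["outside_ip"] = m and m.group(1)
    for name, body in re.findall(r"object network (\S+)\n((?: .*\n)*)", text):
        sub = re.search(r"subnet (\S+ \S+)", body)
        # object NAT translates *this* object, so remember which object carries the PAT rule
        cfg["objects"][name] = {"subnet": sub and sub.group(1), "nat_dyn": "dynamic interface" in body}
    m = re.search(r"(?:crypto ikev1|isakmp) policy \d+\n((?: .*\n)*)", text)
    cfg["ike"] = dict(line.split(None, 1) for line in (m.group(1) if m else "").splitlines() if len(line.split()) > 1)
    cfg["psk"] = dict(re.findall(r"tunnel-group (\S+) ipsec-attributes\n(?: .*\n)*? ikev1 pre-shared-key (\S+)", text))
    cfg["acl"] = {n: (s, d) for n, s, d in re.findall(r"access-list (\S+) extended permit ip object (\S+) object (\S+)", text)}
    cfg["exempt"] = set(re.findall(r"nat \(inside,outside\) source static (\S+) \1 destination static (\S+) \2", text))
    cfg["ts"] = {n: tuple(t.split()) for n, t in re.findall(r"crypto ipsec ikev1 transform-set (\S+) (.+)", text)}
    for key, pat in (("acl", r"match address (\S+)"), ("peer", r"set peer (\S+)"), ("ts", r"set ikev1 transform-set (\S+)")):
        m = re.search(r"crypto map \S+ \d+ " + pat, text)
        cfg["cmap"][key] = m and m.group(1)
    m = re.search(r"crypto map \S+ \d+ set pfs(?: (\S+))?", text)
    cfg["cmap"]["pfs"] = m and (m.group(1) or "group2")   # ASA default when no DH group is given
    return cfg


def _nets(cfg):
    """(src subnet, dst subnet) of the crypto-map ACL, resolved through its objects."""
    src, dst = cfg["acl"].get(cfg["cmap"]["acl"], (None, None))
    return tuple(cfg["objects"].get(o, {}).get("subnet") for o in (src, dst))


def check_pair(a, b):
    """Compare two parsed peers; return a list of problems (empty means consistent)."""
    problems = []
    for tag, me, peer in (("A", a, b), ("B", b, a)):
        cm = me["cmap"]
        if cm["peer"] != peer["outside_ip"]:
            problems.append(f"{tag}: set peer {cm['peer']} is not the other side's outside address")
        if cm["peer"] not in me["psk"]:
            problems.append(f"{tag}: no ipsec-l2l tunnel-group with a PSK for {cm['peer']}")
        src, dst = me["acl"].get(cm["acl"], (None, None))
        if (src, dst) not in me["exempt"]:
            problems.append(f"{tag}: {src}->{dst} is not NAT-exempt, so PAT rewrites it before encryption")
        for name, obj in me["objects"].items():
            if obj["nat_dyn"] and name != src:
                problems.append(f"{tag}: 'nat ... dynamic interface' is under {name}, not the local object {src}")
    if _nets(a) != _nets(b)[::-1]:
        problems.append("crypto ACLs are not mirror images of each other")
    if a["ike"] != b["ike"]:
        problems.append("IKEv1 policy attributes differ")
    if a["ts"].get(a["cmap"]["ts"]) != b["ts"].get(b["cmap"]["ts"]):
        problems.append("transform sets differ")
    if set(a["psk"].values()) != set(b["psk"].values()):
        problems.append("pre-shared keys differ")
    return problems


def weak_crypto(cfg):
    """Weak algorithms chosen by the IKE policy or the crypto-map transform set."""
    ike = cfg["ike"]
    used = {ike.get("encryption"), ike.get("hash"), "group " + ike.get("group", "")}
    used.update(cfg["ts"].get(cfg["cmap"]["ts"], ()))
    return sorted(used & WEAK)
```

Run check_pair(parse_asa(ASA1), parse_asa(ASA2)); an empty list means the two sides agree, and weak_crypto(parse_asa(ASA1)) returns ['3des', 'esp-3des', 'esp-md5-hmac', 'group 5'] for the lab settings. Swapping a single attribute on either side, or moving the nat (inside,outside) dynamic interface line under remote_net, produces exactly one reported problem, which is the kind of mistake that is otherwise only visible as a silent phase 2 failure or as traffic leaving the ASA already PAT-translated and therefore never matching the crypto ACL.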

Test the VPN by pinging from the WinXP client (172.16.3.10) to R2 (10.10.10.3) and inspect the traffic between ASA1 and ASA2: on the link between the ASAs you should see only ESP between 200.200.200.1 and 100.100.100.2, never the private addresses. The first ping may time out while the tunnel is being negotiated. On either ASA, show crypto ikev1 sa should list the phase 1 SA in state MM_ACTIVE, and the encaps/decaps counters in show crypto ipsec sa should increase with each ping:
