NS2 – Module 4, 4.5.5b ASA – IOS task definition
Site-to-site VPN tunnel using pre-shared keys, ASA to Router
Goal
- A site-to-site VPN tunnel using pre-shared keys will be initialized.
- Router3 will only pass traffic between the site routers. It simulates the Internet.
- Only traffic between LAN 1 and LAN 2 will be encrypted.
- Static routes or the RIP routing protocol may be used.
- This task demonstrates ASA to IOS tunneling.
- Clear and reinitialize the VPN tunnel.
- Do not forget to erase the configuration before startup and check that the IOS version supports the needed features.
Required time
3 hours
Theoretical background
A short theoretical background for solving this task will be given here.
Configuration
PC1
ifconfig INT7 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT7
PC2
ifconfig INT8 10.0.0.100 netmask 255.255.255.0
route add default gw 10.0.0.1 dev INT8
ASA1, Router2, Router3
1) Interface settings + static routes + NAT:
ASA1(config)#domain-name test ;set the domain name
ASA1(config)#interface INT1 ;on the interface set the following
ASA1(conf-if)#switchport mode access ;set the switch port to access mode
ASA1(conf-if)#switchport access vlan 10 ;assign it to vlan 10
ASA1(conf-if)#no shutdown ;turn on the switch port
ASA1(config)#interface vlan 10 ;on the vlan interface set the following
ASA1(conf-if)#ip address 192.168.0.1 255.255.255.0 ;set the ip address and mask
ASA1(conf-if)#nameif inside ;name the interface; the security level is set by default
ASA1(conf-if)#no shutdown
ASA1(config)#interface INT2 ;on the interface set the following
ASA1(conf-if)#switchport mode access
ASA1(conf-if)#switchport access vlan 20
ASA1(conf-if)#no shutdown
ASA1(config)#interface vlan 20
ASA1(conf-if)#ip address 172.16.1.1 255.255.255.0
ASA1(conf-if)#nameif outside
ASA1(conf-if)#no shutdown
ASA1(config)#access-list CRYPTOACL permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0 ;access list defining which traffic will be encrypted
ASA1(config)#access-list outsidein permit icmp any host 172.16.1.1 ;access list permitting icmp traffic for testing
ASA1(config)#access-group outsidein in interface outside ;apply the access list to the interface
ASA1(config)#route outside 10.0.0.0 255.255.255.0 172.16.1.2 ;static routes instead of a dynamic routing protocol
ASA1(config)#route outside 172.16.0.0 255.255.255.0 172.16.1.2
ASA1(config)#nat (inside) 1 0 0 ;nat all traffic
ASA1(config)#global (outside) 1 interface ;using PAT on the outside interface address
ASA1(config)#nat (inside) 0 access-list CRYPTOACL ;do not translate addresses of traffic that is to be encrypted
Router2(config)#interface INT3
Router2(conf-if)#ip address 172.16.0.1 255.255.255.0
Router2(conf-if)#no shutdown
Router2(conf-if)#exit
Router2(config)#interface INT4
Router2(conf-if)#ip address 10.0.0.1 255.255.255.0
Router2(conf-if)#no shutdown
Router2(conf-if)#exit
Router2(config)#ip route 172.16.1.0 255.255.255.0 172.16.0.2
Router2(config)#ip route 192.168.0.0 255.255.255.0 172.16.0.2
Router3(config)#interface INT5
Router3(conf-if)#ip address 172.16.1.2 255.255.255.0
Router3(conf-if)#no shutdown
Router3(config)#interface INT6
Router3(conf-if)#ip address 172.16.0.2 255.255.255.0
Router3(conf-if)#no shutdown
Router3(config)#ip route 192.168.0.0 255.255.255.0 172.16.1.1
Router3(config)#ip route 10.0.0.0 255.255.255.0 172.16.0.1
2a) VPN tunnel settings, phase 1 IKE/ISAKMP:
The policy must be the same on both ends of the tunnel (the priority may differ).
ASA1(config)#sysopt connection permit-vpn ;let decrypted VPN traffic bypass the interface access lists. Otherwise an access list must be defined
ASA1(config)#isakmp policy 10 ;create a policy section
ASA1(isakmp)#authentication pre-share ;authenticate using pre-shared keys
ASA1(isakmp)#group 2 ;Diffie-Hellman group 2
ASA1(isakmp)#hash sha ;hashing algorithm
ASA1(isakmp)#encryption 3des ;encryption algorithm
Router2(config)#crypto isakmp policy 10
Router2(isakmp)#encryption 3des
Router2(isakmp)#hash sha
Router2(isakmp)#group 2
Router2(isakmp)#authentication pre-share
Router2(isakmp)#lifetime 200
2b) VPN tunnel settings, phase 2 IPsec:
ASA1(config)#isakmp identity address ;use the IP address as the ISAKMP identity sent to the peer
ASA1(config)#tunnel-group 172.16.0.1 type ipsec-l2l ;set the peer address and tunnel type (use ? to get more options)
ASA1(config)#tunnel-group 172.16.0.1 ipsec-attributes ;set the tunneling protocol attributes
ASA1(config)#pre-shared-key Cisco ;define the pre-shared key
ASA1(config)#isakmp enable outside ;enable isakmp on the outside interface
ASA1(config)#crypto ipsec transform-set TRSETASA1 esp-md5-hmac esp-des ;define a transform set - an acceptable combination of security protocols and algorithms
ASA1(config)#crypto map CRMAPASA1 10 match address CRYPTOACL ;the crypto map entry protects the traffic matched by the access list defined above
ASA1(config)#crypto map CRMAPASA1 10 set peer 172.16.0.1 ;remote peer setting
ASA1(config)#crypto map CRMAPASA1 10 set transform-set TRSETASA1 ;apply the transform set in the map entry
ASA1(config)#crypto map CRMAPASA1 interface outside ;apply the crypto map to the interface
Apply the analogous settings to the other side of the tunnel.
Router2(config)#crypto ipsec transform-set TRSETR2 esp-md5-hmac esp-des
Router2(config)#access-list 122 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
Router2(config)#crypto isakmp key Cisco address 172.16.1.1
Router2(config)#crypto map LOKALNIMAPAR2 10 ipsec-isakmp
Router2(cr-m)#set peer 172.16.1.1
Router2(cr-m)#match address 122
Router2(cr-m)#set transform-set TRSETR2
Router2(config)#interface INT3
Router2(conf-if)#crypto map LOKALNIMAPAR2
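Points 2a and 2b require the phase 1 policy, the transform set and the crypto access lists to agree on both ends (the IOS wildcard ACL must mirror the ASA netmask ACL with source and destination swapped). The following added example, not part of the lab handout, reads both peers' crypto stanzas from constructed text copied from the configuration above and reports every mismatch before the tunnel is brought up:

```python
import ipaddress
# Constructed sample: the lab's ASA1 and Router2 crypto stanzas, abridged.
ASA1_CFG = """isakmp policy 10
 authentication pre-share
 group 2
 hash sha
 encryption 3des
crypto ipsec transform-set TRSETASA1 esp-md5-hmac esp-des
access-list CRYPTOACL permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0"""
R2_CFG = """crypto isakmp policy 10
 encryption 3des
 hash sha
 group 2
 authentication pre-share
 lifetime 200
crypto ipsec transform-set TRSETR2 esp-md5-hmac esp-des
access-list 122 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255"""
PHASE1_KEYS = ("authentication", "encryption", "hash", "group")

def _net(addr, mask, wildcard):
    # IOS ACLs use wildcard bits (inverse mask); ASA ACLs use a normal netmask
    if wildcard:
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.ip_network(f"{addr}/{mask}")

def parse_peer(cfg, wildcard):
    # Returns (phase-1 attributes, transform-set algorithms, crypto ACL as (src, dst) networks)
    phase1, transforms, acl = {}, set(), []
    for w in (l.split() for l in cfg.splitlines() if l.strip()):   # skip blank lines
        if w[0] in PHASE1_KEYS:                                     # isakmp policy submode
            phase1[w[0]] = w[1]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            transforms = set(w[4:])
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            acl.append((_net(w[4], w[5], wildcard), _net(w[6], w[7], wildcard)))
    return phase1, transforms, acl

def check_tunnel(asa_cfg, ios_cfg):
    # Returns a list of mismatches; an empty list means both ends agree
    a_p1, a_ts, a_acl = parse_peer(asa_cfg, wildcard=False)
    r_p1, r_ts, r_acl = parse_peer(ios_cfg, wildcard=True)
    problems = [f"phase 1 {k}: ASA={a_p1.get(k)} IOS={r_p1.get(k)}"
                for k in PHASE1_KEYS if a_p1.get(k) != r_p1.get(k)]
    if a_ts != r_ts:
        problems.append(f"transform set: ASA={sorted(a_ts)} IOS={sorted(r_ts)}")
    # the IOS crypto ACL must mirror the ASA one (source and destination swapped)
    if sorted((d, s) for s, d in r_acl) != sorted(a_acl):
        problems.append("crypto ACLs are not mirror images")
    return problems
```

The ISAKMP lifetime is deliberately not compared: the peers negotiate the shorter value, so the ASA default and Router2's lifetime 200 are compatible.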
3) Access list on Router3 to permit only the needed traffic:
Router3(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.0.1 ;permit the encrypted tunnel traffic (ESP)
Router3(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.0.1 eq isakmp ;permit IKE/ISAKMP negotiation (UDP port 500)
Router3(config)#interface INT5
Router3(conf-if)#ip access-group 101 in ;apply the access list to the interface
Function test
F1) Check the IKE/IPsec ASA configuration
Diagnostics for this task were already performed in exercises 4.4.7 and 4.5.5a. Please use the same procedure.
ASA1#sh crypto isakmp sa ;display the phase 1 (ISAKMP) security associations
ASA1#sh crypto ipsec sa ;display the phase 2 security associations with sent/received packet statistics
A ping from LAN 1 to LAN 2 should initialize the VPN tunnel, and hosts on LAN 2 should be reachable.
F2) Clear the tunnels
ASA1#clear crypto isakmp sa ;clear the phase 1 (ISAKMP) security associations
ASA1#clear crypto ipsec sa ;clear the existing IPsec tunnels
Optional tasks
- Define more transform sets so that one acceptable to the other side of the tunnel can be selected.
- Define different encryption and hashing algorithms – see point 2a.
- Add one more router (ASA) to the topology and create another tunnel to it.
Two or more tunnels to different locations and peers:
This is accomplished by adding:
- A new policy section with the needed settings.
- A new access list.
- A new or existing transform set, added to the new crypto map entry.