Introduction
During my university studies I was doing a diploma thesis in the field of redundant and reliable networking. The purpose of it was to create lab examples for students, so they can test basic settings for VPN, IPS and others. These tasks are created for Virtlab (a virtual lab with physical Cisco routers); however, the configuration is valid and tested on physical Cisco routers as well.
Each task in the series has its own post with a brief description of the task and its schema. The complete task can be downloaded from my OneDrive.
NS2 – Modul2 8.3.3 ASA task definition
ASA as transparent firewall
Goal
- Configure ASA as a transparent firewall.
- Generate a test message through HTTP, FTP and ICMP.
- Apply an access list and recheck the configuration.
- Do not forget to clear the configuration before you start.
Required time
2 hours
Theoretical background
A short theoretical background for solving this task will be provided here.
Configuration
PC1
ifconfig int3 10.0.0.2 netmask 255.255.255.0 ;set IP address
route add default gw 10.0.0.1 dev int3 ;set default gw
SERVER
R19@ostrava(config)#hostname SERVER
SERVER(config)#interface INT4
SERVER(config-if)#ip address 10.0.0.254 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config)#aaa new-model ;define authentication policy
SERVER(config)#aaa authentication login telnet local ;authenticate locally
SERVER(config)#username cisco password cisco ;authenticate by this username and password
SERVER(config)#enable password cisco ;set enable password for privileged mode
SERVER(config)#ip http server ;enable HTTP server
SERVER(config)#ftp-server enable ;enable FTP server
SERVER(config)#ftp-server topdir FLASH:/ ;set top directory for FTP server
SERVER(config)#line vty 0 4 ;enable telnet connections
ASA
1) Firewall settings
ciscoasa(config)# hostname ASA1
ASA1(config)# firewall transparent ;set up firewall in transparent mode
ASA1(config)# interface INT1
ASA1(config-if)# nameif outside
ASA1(config-if)# no shutdown
ASA1(config)# interface INT2
ASA1(config-if)# nameif inside
ASA1(config-if)# no shutdown
ASA1(config)# ip address 10.0.0.253 255.255.255.0 ;set management IP address for the firewall device
ASA1(config)# debug icmp trace ;turn on debug for ICMP traffic through the firewall
Check the connection as described in the function test before applying access lists.
2) Apply access lists
ASA1(config)# access-list FWRULEIN permit icmp any any
ASA1(config)# access-list FWRULEIN permit udp any any eq 20
ASA1(config)# access-list FWRULEIN permit udp any any eq 21
ASA1(config)# access-list FWRULEIN permit tcp any any eq www
ASA1(config)# access-list FWRULEIN permit tcp any any eq ftp
ASA1(config)# access-group FWRULEIN in interface outside
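An added example (not part of the original lab) that evaluates the FWRULEIN list above the way the ASA evaluates an inbound interface ACL: first matching entry wins, and anything that matches no entry hits the implicit deny at the end. It parses the access-list lines as typed (any/host/network-mask address forms and eq port names are the only grammar it knows); the PC1 and SERVER addresses in the sample flows are taken from this lab, and stateful return traffic is outside the model.

```python
"""ASA interface-ACL evaluation for the FWRULEIN list in this lab (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Port names the ASA accepts in place of numbers (subset relevant to this lab).
PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "ftp-data": 20, "telnet": 23,
              "ssh": 22, "smtp": 25, "domain": 53}

# The lab's ACL, copied from the ASA1 configuration above (prompts stripped).
FWRULEIN = """
access-list FWRULEIN permit icmp any any
access-list FWRULEIN permit udp any any eq 20
access-list FWRULEIN permit udp any any eq 21
access-list FWRULEIN permit tcp any any eq www
access-list FWRULEIN permit tcp any any eq ftp
"""


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, protocol, source, destination, dest port."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "icmp", "tcp" or "udp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]        # destination port from "eq", None means any port


def _parse_addr(tokens: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Parse one ASA address spec at tokens[i]: any | host A.B.C.D | NET MASK."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2   # network + netmask


def _parse_port(token: str) -> int:
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]' lines."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split(";", 1)[0].split()       # drop the ;comments used on this page
        if tokens[:1] != ["access-list"]:
            continue
        i = 2
        if tokens[i] == "extended":                 # form shown by 'show running-config'
            i += 1
        action, proto = tokens[i], tokens[i + 1]
        src, i = _parse_addr(tokens, i + 2)
        dst, i = _parse_addr(tokens, i)
        dport = _parse_port(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (verdict, 1-based line of the matching entry); ("deny", None) = implicit deny."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for n, ace in enumerate(aces, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None


ACES = parse_acl(FWRULEIN)

# Constructed test flows from PC1 (outside) to SERVER (inside), as in the function test.
FLOWS = [("icmp", "10.0.0.2", "10.0.0.254", None),   # ping server
         ("tcp", "10.0.0.2", "10.0.0.254", 80),      # lynx http://10.0.0.254
         ("tcp", "10.0.0.2", "10.0.0.254", 21),      # lynx ftp://10.0.0.254 (control channel)
         ("tcp", "10.0.0.2", "10.0.0.254", 23),      # telnet: no entry, implicit deny
         ("udp", "10.0.0.2", "10.0.0.254", 21)]      # matches line 3, but FTP runs over TCP

if __name__ == "__main__":
    for proto, s, d, port in FLOWS:
        verdict, line = evaluate(ACES, proto, s, d, port)
        print(f"{proto:4} {s} -> {d}:{port or '-':<4} {verdict} (line {line or 'implicit deny'})")
```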
Function test
Pictures are taken from the text web browser lynx. You can get similar results from a graphical web browser on Linux and Windows.
F1) Before access lists
outside -> inside
ASA1(config)# debug icmp trace ;turn on debugging for ICMP
PC1#ping 10.0.0.253 ;ping firewall MGMT address
PC1#ping 10.0.0.254 ;ping server
PC1#lynx http://10.0.0.254 ;initiate HTTP connection with server - this traffic is permitted by default
PC1#lynx ftp://10.0.0.254 ;initiate FTP connection with server
Pictures show the results of these commands.
inside -> outside
SERVER#ping 10.0.0.100 ;ping PC1 from server
The picture shows the result of this command.
F2) After access lists application
outside -> inside
PC1#ping 10.0.0.253 ;ping firewall MGMT address
PC1#ping 10.0.0.254 ;ping server
PC1#lynx http://10.0.0.254 ;initiate HTTP connection with server
PC1#lynx ftp://10.0.0.254 ;initiate FTP connection with server
Pictures show the results of these commands.
inside -> outside
SERVER#ping 10.0.0.100 ;ping PC1 from server
The picture shows the result of this command.
Optional tasks
- Try to configure different types of access lists denying and permitting different types of traffic.
Cisco Labs – Network Security (13) – Easy VPN server on ASA, SW client – physical lab
NS2 – Modul2 6.7.1 ASA task definition
Easy VPN server on ASA, SW client
Goal
- Configure a WebVPN server on ASA.
- Initialize the tunnel.
- Generate a test connection through HTTP.
- Use the AnyConnect client in the advanced task.
- Do not forget to clear the configuration before you start.
Required time
2 hours
Theoretical background
A short theoretical background for solving this task will be provided here.
Configuration
PC1
ifconfig INT4 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT4
SERVER
R19@ostrava(config)#hostname SERVER
SERVER(config)#interface INT3
SERVER(config-if)#ip address 10.0.0.254 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config)#aaa new-model ;define authentication policy
SERVER(config)#aaa authentication login telnet local ;authenticate locally
SERVER(config)#username cisco password cisco ;authenticate by this username and password
SERVER(config)#enable password cisco ;set enable password for privileged mode
SERVER(config)#ip http server ;enable HTTP server
SERVER(config)#ftp-server enable ;enable FTP server
SERVER(config)#ftp-server topdir FLASH:/ ;set top directory for FTP server
SERVER(config)#line vty 0 4 ;enable telnet connections
ASA
1) Interface settings, Access lists
ciscoasa(config)# hostname ASA-GATE
ASA-GATE(config)# domain-name test
ASA-GATE(config)# interface INT1
ASA-GATE(config-if)# ip address 192.168.0.1 255.255.255.0
ASA-GATE(config-if)# nameif outside
ASA-GATE(config-if)# no shutdown
ASA-GATE(config)# interface INT2
ASA-GATE(config-if)# ip address 10.0.0.1 255.255.255.0
ASA-GATE(config-if)# nameif inside
ASA-GATE(config-if)# no shutdown
2) WebVPN configuration
ASA-GATE(config)# ip local pool VPNADDRESSPOOL 10.0.0.10-10.0.0.20 ;set IP pool for WebVPN clients
ASA-GATE(config)# route inside 0.0.0.0 0.0.0.0 10.0.0.100 1 ;set default route
ASA-GATE(config)# webvpn ;configure WebVPN service
ASA-GATE(config-webvpn)# port-forward PORTFORWARD 2023 10.0.0.100 telnet ;configure port forwarding for thin Java client
ASA-GATE(config-webvpn)# port-forward PORTFORWARD 2024 10.0.0.100 ftp
ASA-GATE(config-webvpn)# enable outside ;select interface on which WebVPN will be available
ASA-GATE(config)# group-policy MYPOLICY internal ;configure WebVPN policy
ASA-GATE(config)# group-policy MYPOLICY attributes
ASA-GATE(config-group-policy)# webvpn
ASA-GATE(config-group-webvpn)# port-forward auto-start PORTFORWARD ;enable port forwarding automatically
ASA-GATE(config-group-webvpn)# default-domain value test.vsb
ASA-GATE(config)# username VPNUSER password cisco ;configure WebVPN profile
ASA-GATE(config)# tunnel-group WEBVPNGROUP type remote-access
ASA-GATE(config)# tunnel-group WEBVPNGROUP general-attributes
ASA-GATE(config-tunnel-general)# address-pool VPNADDRESSPOOL
ASA-GATE(config-tunnel-general)# default-group-policy MYPOLICY
Function test
F1) Turn on debugging
ASA-GATE(config)# debug crypto isakmp
ASA-GATE(config)# debug crypto engine
ASA-GATE(config)# debug crypto ipsec
ASA-GATE(config)# logging console debugging
F2) Generate test connection
Open a web browser and type https://192.168.0.1 into its address bar.
Enter the username and password on the logon screen.
See the picture.
Enter a web address in the HTTPS session and you will see its default web page; my example shows the Linux Debian web page.
Check the increasing number of SSL-encrypted packets by issuing this command:
ASA-GATE#sh crypto protocol statistics ssl
Finally, check the VPN sessions:
ASA-GATE(config)# sh vpn-sessiondb webvpn
F5) Delete tunnel and reinitialize new one
The tunnel can be deleted by pressing the logout link in your web browser.
Optional tasks
- Configure Anyconnect client part of configuration.
Cisco Labs – Network Security (12) – Easy VPN server on ASA, SW client
NS2 – Modul2 6.5.9b ASA task definition
Easy VPN server on ASA, SW client
Goal
- Configure an Easy VPN server on ASA.
- Initialize the tunnel.
- Generate a test connection through HTTP, FTP and ICMP.
- Use the text VPN client, or the Cisco VPN client if you have a GUI available on your system.
- Do not forget to clear the configuration before you start.
Required time
2 hours
Theoretical background
A short theoretical background for solving this task will be provided here.
Configuration
PC1
ifconfig INT4 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT3
SERVER
R19@ostrava(config)#hostname SERVER
SERVER(config)#interface INT3
SERVER(config-if)#ip address 10.0.0.254 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config)#aaa new-model ;define authentication policy
SERVER(config)#aaa authentication login telnet local ;authenticate locally
SERVER(config)#username cisco password cisco ;authenticate by this username and password
SERVER(config)#enable password cisco ;set enable password for privileged mode
SERVER(config)#ip http server ;enable HTTP server
SERVER(config)#ftp-server enable ;enable FTP server
SERVER(config)#ftp-server topdir FLASH:/ ;set top directory for FTP server
SERVER(config)#line vty 0 4 ;enable telnet connections
ASA
1) Interface settings, Access lists
ciscoasa(config)# hostname ASA-GATE
ASA-GATE(config)# domain-name test
ASA-GATE(config)# interface INT1
ASA-GATE(config-if)# switchport mode access
ASA-GATE(config-if)# switchport access vlan 10
ASA-GATE(config-if)# no shutdown
ASA-GATE(config-if)# interface vlan 10
ASA-GATE(config-if)# ip address 192.168.0.1 255.255.255.0
ASA-GATE(config-if)# nameif outside
ASA-GATE(config-if)# no shutdown
ASA-GATE(config)# interface INT2
ASA-GATE(config-if)# switchport mode access
ASA-GATE(config-if)# switchport access vlan 20
ASA-GATE(config-if)# no shutdown
ASA-GATE(config-if)# interface vlan 20
ASA-GATE(config-if)# ip address 10.0.0.1 255.255.255.0
ASA-GATE(config-if)# nameif inside
ASA-GATE(config-if)# no shutdown
ASA-GATE(config)# access-list OUTSIDEIN permit ip any host 192.168.0.1
ASA-GATE(config)# access-list CRYPTED permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0 ;define which traffic will not be translated
ASA-GATE(config)# nat (inside) 0 access-list CRYPTED ;do not translate traffic from access list CRYPTED
ASA-GATE(config)# nat (inside) 1 0 0
ASA-GATE(config)# global (outside) 1 interface
ASA-GATE(config)# access-group OUTSIDEIN in interface outside
ASA-GATE(config)# username VPNUSERNAME password cisco ;username and password defined for VPN connection
2) IPsec and ISAKMP configuration
ASA-GATE(config)# ip local pool VPNADDRESSPOOL 10.0.0.10-10.0.0.20 ;IP pool for hosts connected through RAS VPN
ASA-GATE(config)# tunnel-group VPNGROUP type IPSec_RA ;create tunnel group for RAS connection
ASA-GATE(config)# tunnel-group VPNGROUP general-attributes ;and define its attributes
ASA-GATE(config-tunnel-general)# address-pool VPNADDRESSPOOL ;merge with IP pool
ASA-GATE(config-tunnel-general)# tunnel-group VPNGROUP ipsec-attributes ;and define second phase parameters
ASA-GATE(config-tunnel-ipsec)# pre-shared-key cisco
ASA-GATE(config)# crypto ipsec transform-set REMOTEVPNTRSET esp-3des esp-sha-hmac ;define IKE second phase parameters
ASA-GATE(config)# crypto dynamic-map DYNAMICMAP 10 set transform-set REMOTEVPNTRSET
ASA-GATE(config)# crypto map CLIENTMAP 20 ipsec-isakmp dynamic DYNAMICMAP
3) Applying crypto map and access list to interface
ASA-GATE(config)# crypto map CLIENTMAP interface outside
Function test
F1) Turn on debugging
ASA-GATE(config)# debug crypto isakmp
ASA-GATE(config)# debug crypto engine
ASA-GATE(config)# debug crypto ipsec
ASA-GATE(config)# logging console debugging
F2) Generate test connection
F2a) on Unix based PC
Run a terminal and then generate ICMP traffic with ping.
PC1#ping 10.0.0.100
The picture shows the result of this command.
F2b) on Windows based PC
Go to Start -> Run, type cmd.exe, and then generate ICMP traffic with ping.
PC1#ping 10.0.0.100
The picture shows the result of this command.
F3) Initialize tunnel
F3a) on Unix – text vpn client
PC1#vpnc ;run the text VPN client
- insert gateway - IP address of the VPN concentrator -> 192.168.0.1
- insert the VPN group to which you want to connect -> VPNGROUP
- insert its pre-shared key -> cisco
- insert username and password according to your defined group policy -> VPNUSERNAME/cisco
The picture shows the result on the PC.
The picture shows the result of the ifconfig tun0 command.
F3b) on Windows – GUI Cisco VPN client
PC1#run the Cisco VPN client from the shortcut
- connection entries -> new -> fill in:
- name -> TEST
- description -> where it creates the tunnel
- host - IP address of the VPN concentrator -> 192.168.0.1
- insert the VPN group to which you want to connect -> VPNGROUP
- insert its pre-shared key -> cisco (password and confirm password)
- go to the main screen, select the connection entry and insert username and password VPNUSERNAME/cisco when prompted.
The picture shows the configuration window and the main window of the Windows client.
The picture shows the result of tunnel initialisation on the ASA.
ASA-GATE(config)#show vpn-sessiondb remote
The picture shows the tunnel sessions on the ASA.
F4) Generate test connection
F4a) on Unix – text web browser
PC1#lynx ftp://10.0.0.100 ;connect via FTP to the server
PC1#lynx http://10.0.0.100 ;connect via HTTP to the server - will work with enabled Java only
PC1#ping 10.0.0.100 ;ICMP test
The picture shows the result on the PC.
F4b) on Windows – graphic web browser
Open a web browser and enter the following addresses in the address bar:
http://10.0.0.100 ;establish HTTP connection to the server
ftp://10.0.0.100 ;establish FTP connection to the server
The picture shows the result on the PC.
Open a command line and run ftp, then follow the result picture for command line reference.
ftp ;command line to start an FTP connection
The picture shows the result on the PC (ftp).
F5) Delete tunnel and reinitialize new one
ASA-GATE(config)#clear crypto isakmp sa
ASA-GATE(config)#clear crypto ipsec sa
The picture shows the result on the ASA.
F5a) on Unix based PC – text
PC1#pkill vpnc ;kill vpnc process
F5b) on Windows based PC
Open VPN client and press disconnect button.
Optional tasks
- Try to configure different policies and VPN groups
ASA-GATE(config)# ip local pool VPNADDRESSPOOL2 10.0.0.21-10.0.0.30 ;IP pool for hosts connected through RAS VPN group 2
ASA-GATE(config)# tunnel-group VPNGROUP2 type IPSec_RA ;another tunnel group for optional task
ASA-GATE(config)# tunnel-group VPNGROUP2 general-attributes
ASA-GATE(config-tunnel-general)# address-pool VPNADDRESSPOOL2
ASA-GATE(config-tunnel-general)# tunnel-group VPNGROUP2 ipsec-attributes
ASA-GATE(config-tunnel-ipsec)# pre-shared-key cisco2
ASA-GATE(config)# group-policy TUNNELPOLICYADDED internal ;create internal policy
ASA-GATE(config)# group-policy TUNNELPOLICYADDED attributes ;and define its attributes
ASA-GATE(config-group-policy)# wins-server value 10.0.0.200 ;WINS server IP address
ASA-GATE(config-group-policy)# dns-server value 10.0.0.201 ;DNS server IP address
ASA-GATE(config-group-policy)# default-domain value testdomain.vsb ;domain name
ASA-GATE(config)# tunnel-group VPNGROUP2 general-attributes ;connect policy with tunnel group
ASA-GATE(config-tunnel-general)# default-group-policy TUNNELPOLICYADDED ;policy name is specified here
To test this task, connect to VPNGROUP2 and use ipconfig -all on Windows. It will also show the DNS server and WINS server records for the tunnel interface.
On Linux, look at the file /etc/resolv.conf. It will show the DNS server record.
Cisco Labs – Network Security (11) – RAS VPN using HW client (network and client modes)+ pre-shared keys on ASA
NS2 – Modul6 6.4.2 ASA task definition
RAS VPN using HW client (network and client modes)+ pre-shared keys on ASA
Goal
- Remote access VPN tunnel will be established on ASA 5505 using pre-shared key.
- Router3 will only pass traffic to the site routers. It simulates the internet.
- Only traffic from LAN 1 and LAN 2 will be encrypted.
- Use OSPF routing protocol and static routes.
- a/ client will be set in client mode (NAT).
- b/ client will be set in network-extension mode.
- Do not forget that this task will work only on ASA 5505 – ASA 5510 and higher cannot work as EzVPN clients.
Required time
2 hours
Theoretical background
A short theoretical background for solving this task will be provided here.
Configuration
PC2
ifconfig INT8 10.0.0.100 netmask 255.255.255.0
route add default gw 10.0.0.1 dev INT8
EzServer – EzVPN server
This configuration is the same for both client modes.
1) interface settings + routes
EzServer(config)# interface INT4
EzServer(config-if)# switchport mode access
EzServer(config-if)# switchport access vlan 10
EzServer(config-if)# no shutdown
EzServer(config-if)# interface vlan 10
EzServer(config-if)# ip address 10.0.0.1 255.255.255.0
EzServer(config-if)# nameif inside
EzServer(config-if)# no shutdown
EzServer(config)# interface INT3
EzServer(config-if)# switchport mode access
EzServer(config-if)# switchport access vlan 20
EzServer(config-if)# no shutdown
EzServer(config-if)# interface vlan 20
EzServer(config-if)# ip address 172.16.0.1 255.255.255.0
EzServer(config-if)# nameif outside
EzServer(config-if)# no shutdown
EzServer(config)# route outside 172.16.1.0 255.255.255.0 172.16.0.2
EzServer(config)# access-list OUTSIDEIN permit ip any host 172.16.0.1
EzServer(config)# access-list CRYPTED permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
EzServer(config)# nat (inside) 0 access-list CRYPTED ;this traffic will be encrypted
EzServer(config)# nat (inside) 1 0 0
EzServer(config)# global (outside) 1 interface
2) EzVPN server configuration
EzServer(config)# username EZVPNUSER password cisco ;set username for EzVPN connection
EzServer(config)# isakmp enable outside ;permit ISAKMP communication on outside interface
EzServer(config)# isakmp identity address ;identity address
EzServer(config)# isakmp policy 10 ;isakmp policy configuration
EzServer(config-isakmp-policy)# authentication pre-share ;authenticated through pre-shared key
EzServer(config-isakmp-policy)# encryption 3des
EzServer(config-isakmp-policy)# hash sha
EzServer(config-isakmp-policy)# group 2
EzServer(config-isakmp-policy)# lifetime 1000
EzServer(config)# group-policy TUNNELPOLICYADDED internal
EzServer(config)# group-policy TUNNELPOLICYADDED attributes
EzServer(config-group-policy)# nem enable ;enable network extension mode
EzServer(config-group-policy)# password-storage enable ;enable password storage for NEM
EzServer(config)# ip local pool VPNADDRESSPOOL 10.0.0.10-10.0.0.20 ;set address pool for VPN clients
EzServer(config)# tunnel-group EZVPNGROUP type IPSec_RA ;define tunnel group type
EzServer(config)# tunnel-group EZVPNGROUP general-attributes ;define tunnel group attributes
EzServer(config-tunnel-general)# address-pool VPNADDRESSPOOL
EzServer(config-tunnel-general)# default-group-policy TUNNELPOLICYADDED
EzServer(config-tunnel-general)# tunnel-group EZVPNGROUP ipsec-attributes
EzServer(config-tunnel-ipsec)# pre-shared-key EZVPNKLIC
EzServer(config)# crypto ipsec transform-set REMOTEVPNTRSET esp-3des esp-sha-hmac
EzServer(config)# crypto dynamic-map DYNAMICMAP 10 set transform-set REMOTEVPNTRSET
EzServer(config)# crypto map CLIENTMAP 20 ipsec-isakmp dynamic DYNAMICMAP
EzServer(config)# crypto map CLIENTMAP interface outside ;apply configuration on interface
Router3 – internet
This configuration is the same for both client modes.
Router3(config)#interface INT5
Router3(conf-if)#ip address 172.16.1.2 255.255.255.0
Router3(conf-if)#no shutdown
Router3(config)#interface INT6
Router3(conf-if)#ip address 172.16.0.2 255.255.255.0
Router3(conf-if)#no shutdown
Router3(config)#router ospf 1
Router3(rout)#network 172.16.1.0 0.0.0.255 area 0
Router3(rout)#network 172.16.0.0 0.0.0.255 area 0
a/ Client mode configuration
PC1
ifconfig INT7 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT7
EzClient – EzVPN Client
1) interface settings + static routes
ciscoasa(config)# hostname EzClient
EzClient(config)# domain-name test
EzClient(config)# interface INT1
EzClient(config-if)# switchport mode access
EzClient(config-if)# switchport access vlan 10
EzClient(config-if)# no shutdown
EzClient(config-if)# interface vlan 10
EzClient(config-if)# ip address 192.168.0.1 255.255.255.0
EzClient(config-if)# nameif inside
EzClient(config-if)# no shutdown
EzClient(config)# interface INT2
EzClient(config-if)# switchport mode access
EzClient(config-if)# switchport access vlan 20
EzClient(config-if)# no shutdown
EzClient(config-if)# interface vlan 20
EzClient(config-if)# ip address 172.16.1.1 255.255.255.0
EzClient(config-if)# nameif outside
EzClient(config-if)# no shutdown
EzClient(config)# nat (inside) 1 0 0 ;define nat translations
EzClient(config)# global (outside) 1 interface
EzClient(config)# route outside 10.0.0.0 255.255.255.0 172.16.1.2
EzClient(config)# route outside 172.16.0.0 255.255.255.0 172.16.1.2
EzClient(config)# access-list outsidein permit icmp any host 172.16.1.1
EzClient(config)# access-list outsidein permit ip any host 172.16.1.1
EzClient(config)# access-group outsidein in interface outside ;apply access list to interface
2) client settings
EzClient(config)# sysopt connection permit-vpn
EzClient(config)# vpnclient server 172.16.0.1 ;set EzVPN server address
EzClient(config)# vpnclient mode client
EzClient(config)# vpnclient vpngroup EZVPNGROUP password EZVPNKLIC ;set EzVPN group and key
EzClient(config)# vpnclient username EZVPNUSER password cisco ;set EzVPN password and user
EzClient(config)# vpnclient enable ;turn on EzVPN client
Now perform the function test and continue with part b/.
b/ Network extension mode configuration
PC1
ifconfig INT7 10.0.1.100 netmask 255.255.255.0
route add default gw 10.0.1.1 dev INT7
Router2 – EzVPN Client
This configuration does not work. An experimental version of it can be found in the preconfigured file.
Function test
It is the same for both parts.
Use debug crypto ipsec and debug crypto isakmp to troubleshoot the VPN tunnel configuration.
F1) Turn on debug
Ezserver#debug crypto ipsec ;second phase debugging
Ezserver#debug crypto isakmp ;first phase debugging
Ezserver#logging console debugging ;debug messages to console
F2) Check IKE/IPsec server and client configuration
EZServer#sh crypto isakmp policy ;show isakmp policy configuration
EZServer#sh crypto dynamic-map ;show dynamic map configuration
EZServer#sh crypto map ;crypto map configuration
EZClient#sh run
F3) Initialize tunnel
PC1>ping 10.0.0.100 ;initialize tunnel by pinging remote host
F4) Test initialized tunnel
Check whether the client has an address leased from the pool and whether IPsec is active.
EZServer#sh ip local pool VPNADDRESSPOOL
EZClient#sh nat
EZClient#sh crypto isakmp sa
Show crypto ipsec statistics.
Ezserver#sh crypto ipsec sa
F5) Delete the tunnel and then repeat step F3) to initialize the tunnel again
First delete the tunnel on the client.
EZClient(config-if)#shutdown ;shutdown outside interface
EZClient#clear crypto ipsec sa
EZClient#clear crypto isakmp sa
EZServer#clear crypto ipsec sa
EZServer#clear crypto isakmp sa
EZServer#clear crypto session
Optional tasks
- Create an access list on Router3 which permits only the needed traffic.
- Add one more router to the topology and create another tunnel to this router.
Cisco Labs – Network Security (10) – RAS VPN using HW client (network and client modes)+ pre-shared keys on Router
NS2 – Modul6 6.4.1 IOS task definition
RAS VPN using HW client (network and client modes)+ pre-shared keys on Router
Goal
- Remote access VPN tunnel will be established on IOS router using pre-shared key.
- Router3 will only pass traffic to the site routers. It simulates the internet.
- Only traffic from LAN 1 and LAN 2 will be encrypted.
- Use OSPF routing protocol.
- a/ client will be set in client mode (NAT).
- b/ client will be set in network-extension mode.
- Do not forget to have configuration erased before startup and check if IOS is compatible with needed features.
Required time
2 hours
Theoretical background
A short theoretical background for solving this task will be provided here.
Configuration
PC2
ifconfig INT8 10.0.0.100 netmask 255.255.255.0
route add default gw 10.0.0.1 dev INT8
Router2 – EzVPN server
This configuration is the same for both client modes.
1) interface settings + OSPF
R19@ostrava(config)#hostname EZServer
EZServer(config)#interface INT4
EZServer(config-if)#ip address 10.0.0.1 255.255.255.0
EZServer(config-if)#no shutdown
EZServer(config)#interface INT3
EZServer(config-if)#duplex half ;setting for Virtlab compatibility
EZServer(config-if)#ip address 172.16.0.1 255.255.255.0
EZServer(config-if)#no shutdown
EZServer(config)#router ospf 1
EZServer(config-router)#network 172.16.0.0 0.0.0.255 area 0
EZServer(config-router)#network 10.0.0.0 0.0.0.255 area 0
2) aaa settings
EZServer(config-router)#aaa new-model ;define aaa authentication model
EZServer(config)#aaa authentication login VPNLIST local ;define local database for authentication
EZServer(config)#aaa authorization network VPNLIST local ;define local database for authorisation
EZServer(config)#username EZVPNUSER password cisco ;define username and password
3) EzVPN server configuration
EZServer(config)#ip local pool EZVPNPOOL 10.0.0.10 10.0.0.20 ;local pool for ezvpn client computers
EZServer(config)#crypto isakmp policy 10 ;first phase policy definition
EZServer(config-isakmp)#encryption 3des
EZServer(config-isakmp)#authentication pre-share
EZServer(config-isakmp)#group 2
EZServer(config)#crypto isakmp keepalive 10 10 ;tunnel keepalive setting
EZServer(config)#crypto isakmp client configuration group EZVPNGROUP ;client configuration group - these settings will be pushed to client
EZServer(config-isakmp-group)#key EZVPNKLIC ;this key must be configured also in client appliance
EZServer(config-isakmp-group)#pool EZVPNPOOL ;connect with named pool
EZServer(config-isakmp-group)#save-password ;this option must be present for client auto-connect mode
EZServer(config)#crypto ipsec transform-set EZVPNTRSET esp-3des esp-sha-hmac ;define transform set
EZServer(config)#crypto dynamic-map DYNAMIC 1 ;define dynamic crypto map
EZServer(config-crypto-map)#set transform-set EZVPNTRSET ;define transform set used
EZServer(config-crypto-map)#reverse-route remote-peer 172.16.1.1 ;define reverse route for traffic from peer
EZServer(config)#crypto map EZVPNMAP client authentication list VPNLIST ;connect with aaa settings
EZServer(config)#crypto map EZVPNMAP isakmp authorization list VPNLIST
EZServer(config)#crypto map EZVPNMAP 3 ipsec-isakmp dynamic DYNAMIC ;connect with dynamic named crypto map
EZServer(config)#crypto map EZVPNMAP client configuration address respond ;configure to give IP address to client
4) applying point 3) to interface
EZServer(config)#interface INT3
EZServer(config-if)#crypto map EZVPNMAP ;apply crypto map to an interface
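The following added example (not the lab's own code) models how the EzVPN server chooses an IKE phase 1 policy: it reads the isakmp policy 10 lines from the ASA EzServer configuration in task (11) and the crypto isakmp policy 10 lines from the IOS EZServer configuration above, then matches them against constructed client proposals the way the responder does, lowest policy number first. It assumes the IOS defaults (hash sha, lifetime 86400) for attributes the IOS policy does not set; the ASA policy on this page sets every attribute explicitly.

```python
"""IKEv1 phase 1 policy matching for the EzVPN server policies in this lab (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IOS defaults for an isakmp policy attribute that is not configured (assumption
# documented in the lead-in; only hash and lifetime are relied on below).
IOS_DEFAULTS: Dict[str, object] = {"encryption": "des", "hash_alg": "sha",
                                   "authentication": "rsa-sig", "group": 1,
                                   "lifetime": 86400}

# Policy lines copied from the two EzVPN server configurations on this page.
ASA_EZSERVER_POLICY = """
EzServer(config)# isakmp policy 10 ;isakmp policy configuration
EzServer(config-isakmp-policy)# authentication pre-share ;authenticated through pre-shared key
EzServer(config-isakmp-policy)# encryption 3des
EzServer(config-isakmp-policy)# hash sha
EzServer(config-isakmp-policy)# group 2
EzServer(config-isakmp-policy)# lifetime 1000
"""

IOS_EZSERVER_POLICY = """
EZServer(config)#crypto isakmp policy 10 ;first phase policy definition
EZServer(config-isakmp)#encryption 3des
EZServer(config-isakmp)#authentication pre-share
EZServer(config-isakmp)#group 2
"""


@dataclass(frozen=True)
class Proposal:
    """One phase 1 transform as offered by the initiator."""
    encryption: str
    hash_alg: str
    authentication: str
    group: int
    lifetime: int


@dataclass(frozen=True)
class IkePolicy(Proposal):
    """A configured policy: a transform plus its priority (lower number wins)."""
    priority: int = 0


def _command(line: str) -> List[str]:
    """Strip the 'host(mode)#' prompt and the ';comment' notation used on this page."""
    cmd = line.split("#", 1)[1] if "#" in line else line
    return cmd.split(";", 1)[0].split()


def parse_policies(text: str, defaults: Dict[str, object] = IOS_DEFAULTS) -> List[IkePolicy]:
    """Parse 'isakmp policy N' blocks (ASA) or 'crypto isakmp policy N' blocks (IOS)."""
    policies: List[IkePolicy] = []
    current: Optional[Dict[str, object]] = None
    for line in text.strip().splitlines():
        tokens = _command(line)
        if not tokens:
            continue
        if tokens[0] == "crypto":                   # IOS prefixes the command with 'crypto'
            tokens = tokens[1:]
        if tokens[:2] == ["isakmp", "policy"]:
            if current:
                policies.append(IkePolicy(**current))
            current = dict(defaults, priority=int(tokens[2]))
        elif current and tokens[0] in ("encryption", "hash", "authentication"):
            current["hash_alg" if tokens[0] == "hash" else tokens[0]] = tokens[1]
        elif current and tokens[0] in ("group", "lifetime"):
            current[tokens[0]] = int(tokens[1])
    if current:
        policies.append(IkePolicy(**current))
    return sorted(policies, key=lambda p: p.priority)


def mismatches(policy: IkePolicy, proposal: Proposal) -> List[str]:
    """Attributes on which a proposal differs from a policy; this is what makes
    'debug crypto isakmp' report that the attributes are not acceptable."""
    return [name for name in ("encryption", "hash_alg", "authentication", "group")
            if getattr(policy, name) != getattr(proposal, name)]


def negotiate(policies: List[IkePolicy], proposals: List[Proposal]) -> Optional[Tuple[int, int, int]]:
    """Responder side of the phase 1 SA negotiation.

    The responder walks its own policies from the lowest priority number upwards and,
    for each, checks every proposal the initiator offered; the first proposal whose
    encryption, hash, authentication and DH group all equal the policy's is accepted.
    Returns (policy priority, index of the accepted proposal, negotiated lifetime), the
    lifetime being the shorter of the two sides' values, or None when nothing matches.
    """
    for policy in policies:
        for idx, proposal in enumerate(proposals):
            if not mismatches(policy, proposal):
                return policy.priority, idx, min(policy.lifetime, proposal.lifetime)
    return None


# Constructed sample: a client that offers a stronger transform first and the lab's
# 3DES/SHA/pre-share/group 2 transform second.
CLIENT_PROPOSALS = [Proposal("aes-256", "sha", "pre-share", 5, 86400),
                    Proposal("3des", "sha", "pre-share", 2, 86400)]

ASA_POLICIES = parse_policies(ASA_EZSERVER_POLICY)
IOS_POLICIES = parse_policies(IOS_EZSERVER_POLICY)

if __name__ == "__main__":
    for name, policies in (("ASA EzServer", ASA_POLICIES), ("IOS EZServer", IOS_POLICIES)):
        print(name, policies[0])
        print("  negotiation result:", negotiate(policies, CLIENT_PROPOSALS))
        print("  why proposal 0 fails:", mismatches(policies[0], CLIENT_PROPOSALS[0]))
```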
Router3 – internet
This configuration is the same for both client modes.
Router3(config)#interface INT5
Router3(conf-if)#ip address 172.16.1.2 255.255.255.0
Router3(conf-if)#no shutdown
Router3(config)#interface INT6
Router3(conf-if)#ip address 172.16.0.2 255.255.255.0
Router3(conf-if)#no shutdown
Router3(config)#router ospf 1
Router3(rout)#network 172.16.1.0 0.0.0.255 area 0
Router3(rout)#network 172.16.0.0 0.0.0.255 area 0
a/ Client mode configuration
PC1
ifconfig INT7 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT7
Router2 – EzVPN Client
1) interface settings + OSPF
R18@ostrava(config)#hostname EZClient
EZClient(config)#interface INT1
EZClient(config-if)#ip address 192.168.0.1 255.255.255.0
EZClient(config-if)#no shutdown
EZClient(config)#interface INT2
EZClient(config-if)#ip address 172.16.1.1 255.255.255.0
EZClient(config-if)#duplex half ;setting for Virtlab compatibility
EZClient(config-if)#no shutdown
EZClient(config)#router ospf 1 ;set routing protocol
EZClient(config-router)#network 172.16.1.0 0.0.0.255 area 0 ;set routed network
2) client settings
EZClient(config-router)#crypto ipsec client ezvpn VPN ;configure named ezvpn client
EZClient(config-crypto-ezvpn)#group EZVPNGROUP key EZVPNKLIC ;server group and key definition
EZClient(config-crypto-ezvpn)#local-address INT2 ;include local lan address on selected interface
EZClient(config-crypto-ezvpn)#mode client ;define client mode
EZClient(config-crypto-ezvpn)#peer 172.16.0.1 ;set remote peer
EZClient(config-crypto-ezvpn)#connect manual ;set connection to manual
3) applying to interface
EZClient(config)#interface INT1
EZClient(config-if)#crypto ipsec client ezvpn VPN inside ;apply ezvpn inside profile to inside interface
EZClient(config)#interface INT2
EZClient(config-if)#crypto ipsec client ezvpn VPN outside ;apply ezvpn outside profile to outside interface
;new virtual interface will be created to which all inside traffic will be NATted
Now perform the function test and continue with part b/, or with point 4) of part a/.
4) configure client for auto connection mode
To let the client connect automatically you MUST connect manually the first time, providing xauth as in function test point F3).
EZClient(config-router)#crypto ipsec client ezvpn VPN
EZClient(config-crypto-ezvpn)#connect auto ;client auto connection setting
b/ Network extension mode configuration
PC1
ifconfig INT7 10.0.1.100 netmask 255.255.255.0
route add default gw 10.0.1.1 dev INT7
Router2 – EzVPN Client
1) interface settings + OSPF
R18@ostrava(config)#hostname EZClient
EZClient(config)#interface INT1
EZClient(config-if)#ip address 10.0.1.1 255.255.255.0 ;set network-extension mode - fully routable address with LAN2
EZClient(config-if)#no shutdown
EZClient(config)#interface INT2
EZClient(config-if)#ip address 172.16.1.1 255.255.255.0
EZClient(config-if)#duplex half ;setting for Virtlab compatibility
EZClient(config-if)#no shutdown
EZClient(config)#router ospf 1
EZClient(config-router)#network 172.16.1.0 0.0.0.255 area 0
2) client settings
EZClient(config-router)#crypto ipsec client ezvpn VPN
EZClient(config-crypto-ezvpn)#group EZVPNGROUP key EZVPNKLIC
EZClient(config-crypto-ezvpn)#local-address INT2
EZClient(config-crypto-ezvpn)#mode network-extension ;set network-extension mode
EZClient(config-crypto-ezvpn)#peer 172.16.0.1
EZClient(config-crypto-ezvpn)#connect auto
EZClient(config-crypto-ezvpn)#username EZVPNUSER password cisco
3) applying to interface
EZClient(config)#interface INT1
EZClient(config-if)#crypto ipsec client ezvpn VPN inside
EZClient(config)#interface INT2
EZClient(config-if)#crypto ipsec client ezvpn VPN outside
Function test
It is the same for both parts.
Use debug crypto ipsec and debug crypto isakmp to troubleshoot the VPN tunnel configuration.
F1) Turn on debug
Ezserver#debug crypto ipsec ;second phase debugging
Ezserver#debug crypto isakmp ;first phase debugging
Ezserver#debug crypto engine ;whole crypto engine debugging
F2) Check IKE/IPsec server and client configuration
EZServer#sh crypto isakmp policy ;show isakmp policy configuration
EZServer#sh crypto dynamic-map ;show dynamic map configuration
EZServer#sh crypto map ;crypto map configuration
EZClient#sh run
F3)initialize tunnel
EZClient>crypto ipsec client ezvpn connect ;connect tunnel
EZClient>crypto ipsec client ezvpn xauth ;insert user credentials
The server retransmits the xauth request until the credentials are supplied.
Before the xauth credentials are provided, you can check the tunnel status as shown in the picture.
After the xauth credentials are provided, the interface is up and the line protocol is up.
F4)Test initialized tunnel
Check if client has address leased from pool and if ipsec is active.
EZServer#sh ip local pool
EZClient#sh crypto ipsec client ezvpn
Use the ping command to test traffic from LAN1 to LAN2 (PC1 to PC2).
If PC2 responds, the tunnel works. You can check the tunnel further with the sh crypto ? commands in router privileged mode.
PC1#ping 10.0.0.100
NAT statistics for EzVPN client mode can be displayed with:
EZClient#sh ip nat translations
F5)delete tunnel and then repeat step F3) to initialize the tunnel again
First delete the tunnel on the client:
EZClient(config-if)#shutdown ;shutdown outside interface
EZClient#clear crypto session ;clear sessions
EZServer#clear crypto session
EZServer#clear crypto ipsec client ezvpn
Optional tasks
- Create access list on Router3 which permits only needed traffic.
- Make client in client mode connecting automatically point a/ – part 4.
- Make client in network extension mode connecting manually point b/ – part 4.
- Add one more router to topology and create another tunnel to this router.
Cisco Labs – Network Security (9) – Easy VPN server on Router, SW client
NS2 – Modul2 6.2.12a IOS task definition
Easy VPN server on Router, SW client
Goal
- Configure VPN client and VPN concentrator on IOS router.
- Initialize tunnel.
- Generate a test connection thru HTTP, FTP and ICMP.
- Do not forget to clear configuration before start.
Required time
2 hours
Theoretical background
Here will be short theoretical background for solving this task.
Configuration
PC1
ifconfig INT3 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT3
SERVER
R19@ostrava(config)#hostname SERVER
SERVER(config)#interface INT4
SERVER(config-if)#ip address 10.0.0.254 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config)#aaa new-model ;define authentication policy
SERVER(config)#aaa authentication login telnet local ;authenticate locally
SERVER(config)#username cisco password cisco ;authenticate by this username and password
SERVER(config)#enable password cisco ;set enable password for privileged mode
SERVER(config)#ip http server ;enable HTTP server
SERVER(config)#ftp-server enable ;enable FTP server
SERVER(config)#ftp-server topdir FLASH:/ ;set top directory for FTP server
SERVER(config)#line vty 0 4 ;enable telnet connections
Router
1) Interface settings, Access lists, group policy
R18@ostrava(config)#hostname GATE
GATE(config)#interface INT1
GATE(config-if)#ip address 192.168.0.1 255.255.255.0
GATE(config-if)#no shutdown
GATE(config)#interface INT2
GATE(config-if)#ip address 10.0.0.1 255.255.255.0
GATE(config-if)#no shutdown
GATE(config)#access-list 101 permit ip any host 192.168.0.1 ;permit only traffic addressed to the interface on which the tunnel terminates
GATE(config)#aaa new-model ;enable local policy lookup
GATE(config)#aaa authentication login VPNAUTHEN local ;enable local user authentication
GATE(config)#aaa authorization network VPNAUTHOR local ;set aaa authorisation at login
GATE(config)#username USERNAME password cisco ;these credentials are used to secure the tunnel connection
2)IPSEC and ISAKMP configuration
GATE(config)#ip local pool VPNADDRESSPOOL 10.0.0.10 10.0.0.20 ;connected clients get an address from this pool
GATE(config)#crypto isakmp policy 10 ;IKE first phase security parameters definition starts here
GATE(config-isakmp)#encryption 3des
GATE(config-isakmp)#hash sha
GATE(config-isakmp)#authentication pre-share
GATE(config-isakmp)#group 2
GATE(config)#crypto isakmp client configuration group VPNGROUP ;specify that we create a policy for remote access (RAS)
GATE(config-isakmp-group)#key VPNKLIC ;and the pre-shared key for this policy
GATE(config-isakmp-group)#pool VPNADDRESSPOOL ;local pool
GATE(config-isakmp-group)#domain test ;and domain name specification
GATE(config)#crypto ipsec transform-set REMOTEVPNTRSET esp-3des esp-md5-hmac ;specify transform set for RAS connection
GATE(config)#crypto dynamic-map DYNAMICMAP 10 ;create dynamic crypto map
GATE(config-crypto-map)#set transform-set REMOTEVPNTRSET
GATE(config-crypto-map)#reverse-route ;enable reverse route injection for RAS connections
GATE(config)#crypto map CLIENTMAP client configuration address respond ;define behavior of client IP address resolving
GATE(config)#crypto map CLIENTMAP isakmp authorization list VPNAUTHOR ;group policy authorization definition
GATE(config)#crypto map CLIENTMAP client authentication list VPNAUTHEN ;group policy authentication definition
GATE(config)#crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNAMICMAP ;assign dynamic crypto map to static
3)Applying Crypto map and access list to interface
GATE(config)#interface INT1
GATE(config-if)#crypto map CLIENTMAP ;apply static crypto map to interface
GATE(config-if)#ip access-group 101 in ;apply access list to interface
Function test
F1) Turn on debugging
GATE#debug crypto isakmp ;IKE first phase debug
GATE#debug crypto engine ;crypto engine debug
GATE#debug crypto ipsec ;IKE second phase debug
GATE#debug aaa authentication ;group policy debugs
GATE#debug aaa authorization
F2) Generate test connection
F2a) on Unix based PC
Run Terminal and then generate ICMP traffic using ping syntax.
PC1#ping 10.0.0.100
Picture shows result of this command.
F2b) on Windows based PC
browse Start -> Run -> type cmd.exe and then generate ICMP traffic using ping syntax.
PC1#ping 10.0.0.100
Picture shows result of this command.
F3) Initialize tunnel
F3a) on Unix – text vpn client
PC1#vpnc ;run the text-mode VPN client and answer its prompts:
- gateway: IP address of the VPN concentrator -> 192.168.0.1
- VPN group to connect to -> VPNGROUP
- its pre-shared key -> cisco
- username and password according to the defined group policy -> VPNUSERNAME/cisco
Picture shows result on PC.
Picture shows ifconfig tun0 command result.
F3b) on Windows – GUI Cisco VPN client
PC1#run the Cisco VPN client from its shortcut
- Connection Entries -> New -> fill in:
- name -> TEST
- description -> where the tunnel is created
- host: IP address of the VPN concentrator -> 192.168.0.1
- VPN group to connect to -> VPNGROUP
- its pre-shared key -> cisco (password and confirm password)
- go to the main screen, select the connection entry and enter username and password VPNUSERNAME/cisco when prompted.
Picture shows configuration window and main window on windows client.
Picture shows result of tunnel initialisation on Router.
GATE(config)#show vpn-sessiondb remote
Picture shows result of tunnel sessions on Router.
F4) generate test connection
F4a) on Unix – text web browser
PC1#lynx ftp://10.0.0.100 ;connect via FTP to the server
PC1#lynx http://10.0.0.100 ;connect via HTTP to the server - works only with Java enabled
PC1#ping 10.0.0.100 ;ICMP test
Picture shows result on PC.
F4b) on Windows – graphic web browser
Open web browser and insert following text to address bar
http://10.0.0.100 ;establish HTTP connection to the server
ftp://10.0.0.100 ;establish FTP connection to the server
Picture shows result on PC (http).
Open a command line and start ftp, then follow the result picture for the command line reference.
ftp ;command line to start ftp connection
Picture shows result on PC (ftp).
F5) Delete tunnel and reinitialize new one
GATE#clear crypto session
GATE#clear crypto isakmp
Picture shows result on GATE router.
F5a) on Unix based PC – text
PC1#pkill vpnc ;kill vpnc process
F5b) on Windows based PC
Open VPN client and press disconnect button.
Optional tasks
- Try to configure different policies and VPN groups
Cisco Labs – Network Security (8) – Site to site VPN using CA on ASA
NS2 – Modul5 5.3.2 ASA task definition
Site to site VPN using CA on ASA
Goal
- Certification authority will be running on Router3 which will also pass only needed traffic.
- Site to site VPN tunnel using Certification authority will be initialized on ASA.
- Only traffic from LAN 1 and LAN 2 will be encrypted.
- Use OSPF routing protocol.
- Clear and reinitialize VPN tunnel.
- Do not forget to have configuration erased before startup.
Required time
3 hours
Theoretical background
Here will be short theoretical background for solving this task.
Configuration
PC1
ifconfig INT7 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT7
PC2
ifconfig INT8 10.0.0.100 netmask 255.255.255.0
route add default gw 10.0.0.1 dev INT8
ASA, CA router
First of all certification authority and NTP server must be run.
1) NTP + Clock + hostnames + domain:
NTP server.
router#clock set 0:00:00 9 MAR 2008 ;set clock and date
router(config)#hostname CA-Router3 ;set hostname
CA-Router3(config)#ntp master ;set this router as NTP server
CA-Router3(config)#ip domain-name test ;set domain name
NTP clients.
ciscoasa(config)# hostname ASA1
ASA1(config)# ntp server 172.16.1.2
ASA1(config)# domain-name test
ASA21(config)# hostname ASA2
ASA2(config)# ntp server 172.16.1.2
ASA2(config)# domain-name test
2) interface settings static routes
CA-Router3(config)#interface INT5
CA-Router3(config-if)#ip address 172.16.1.2 255.255.255.0
CA-Router3(config-if)#no shutdown
CA-Router3(config)#interface INT6
CA-Router3(config-if)#ip address 172.16.0.2 255.255.255.0
CA-Router3(config-if)#no shutdown
CA-Router3(config)#router ospf 1
CA-Router3(config-router)#network 172.16.1.0 0.0.0.255 area 0
CA-Router3(config-router)#network 172.16.0.0 0.0.0.255 area 0
ASA1(config)# interface INT1
ASA1(config-if)# switchport mode access
ASA1(config-if)# switchport access vlan 10
ASA1(config-if)# no shutdown
ASA1(config-if)# interface vlan 10
ASA1(config-if)# ip address 192.168.0.1 255.255.255.0
ASA1(config-if)# nameif inside
ASA1(config-if)# no shutdown
ASA1(config)# interface INT2
ASA1(config-if)# switchport mode access
ASA1(config-if)# switchport access vlan 20
ASA1(config-if)# no shutdown
ASA1(config-if)# interface vlan 20
ASA1(config-if)# ip address 172.16.1.1 255.255.255.0
ASA1(config-if)# nameif outside
ASA1(config-if)# no shutdown
ASA1(config)# access-list outsidein permit udp any host 172.16.1.1 eq ntp ;permit NTP communication with NTP server
ASA1(config)# access-list outsidein permit icmp any host 172.16.1.1
ASA1(config)# access-list CRYPTOACL permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0 ;define traffic to be encrypted
ASA1(config)# access-group outsidein in interface outside
ASA1(config)# nat (inside) 1 0 0 ;translate all traffic to outside ip pool
ASA1(config)# global (outside) 1 interface ;PAT
ASA1(config)# nat (inside) 0 access-list CRYPTOACL ;this traffic will not be translated but passed thru tunnel
ASA1(config)# route outside 10.0.0.0 255.255.255.0 172.16.1.2 ;static route instead of OSPF
ASA1(config)# route outside 172.16.0.0 255.255.255.0 172.16.1.2 ;static route instead of OSPF
ASA2(config)# interface INT4
ASA2(config-if)# switchport mode access
ASA2(config-if)# switchport access vlan 10
ASA2(config-if)# no shutdown
ASA2(config-if)# interface vlan 10
ASA2(config-if)# ip address 10.0.0.1 255.255.255.0
ASA2(config-if)# nameif inside
ASA2(config-if)# no shutdown
ASA2(config)# interface INT3
ASA2(config-if)# switchport mode access
ASA2(config-if)# switchport access vlan 20
ASA2(config-if)# no shutdown
ASA2(config-if)# interface vlan 20
ASA2(config-if)# ip address 172.16.0.1 255.255.255.0
ASA2(config-if)# nameif outside
ASA2(config-if)# no shutdown
ASA2(config)# access-list outsidein permit udp any host 172.16.0.1 eq ntp
ASA2(config)# access-list outsidein permit icmp any host 172.16.0.1
ASA2(config)# access-list CRYPTOACL permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
ASA2(config)# access-group outsidein in interface outside
ASA2(config)# nat (inside) 1 0 0
ASA2(config)# global (outside) 1 interface
ASA2(config)# nat (inside) 0 access-list CRYPTOACL
ASA2(config)# route outside 192.168.0.0 255.255.255.0 172.16.0.2
ASA2(config)# route outside 172.16.1.0 255.255.255.0 172.16.0.2
3) Access list on Router3 to enable only needed traffic:
CA-Router3(config)#access-list 101 permit ospf any any
CA-Router3(config)#access-list 101 permit icmp any 172.16.0.0 0.0.0.255 ;IOS extended ACLs take wildcard masks: 0.0.0.255 matches the /24
CA-Router3(config)#access-list 101 permit icmp any 172.16.1.0 0.0.0.255
CA-Router3(config)#access-list 101 permit tcp any host 172.16.1.2 eq www
CA-Router3(config)#access-list 101 permit udp any host 172.16.1.2 eq ntp
CA-Router3(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.0.1
CA-Router3(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.0.1 eq isakmp
CA-Router3(config)#access-list 102 permit ospf any any
CA-Router3(config)#access-list 102 permit icmp any 172.16.0.0 0.0.0.255
CA-Router3(config)#access-list 102 permit icmp any 172.16.1.0 0.0.0.255
CA-Router3(config)#access-list 102 permit tcp any host 172.16.1.2 eq www
CA-Router3(config)#access-list 102 permit udp any host 172.16.1.2 eq ntp
CA-Router3(config)#access-list 102 permit esp host 172.16.0.1 host 172.16.1.1
CA-Router3(config)#access-list 102 permit udp host 172.16.0.1 host 172.16.1.1 eq isakmp
CA-Router3(config)#interface INT5
CA-Router3(config-if)#ip access-group 101 in
CA-Router3(config)#interface INT6
CA-Router3(config-if)#ip access-group 102 in
4) CA server + CA requests
CA-Router3(config)#crypto key generate rsa general-keys label KEYPLABEL exportable ;generate exportable RSA keys for the CA (1024-bit key recommended); if this command is not accepted, the IOS does not support the CA server
CA-Router3(config)#crypto key export rsa KEYPLABEL pem url nvram: 3des KEYPHESLO ;export CA private and public key to NVRAM; you are asked for filenames unless you confirm the default names
CA-Router3(config)#ip http server ;enable http server (certificates are requested thru http)
CA-Router3(config)#crypto pki server CASERVER ;create CA instance on a router
CA-Router3(cs-server)#issuer-name CN=Issuername C=country ;set up parameters for CA certificate
CA-Router3(cs-server)#lifetime ca-certificate 20 ;lifetime in days for CA certificate
CA-Router3(cs-server)#lifetime certificate 20 ;lifetime in days for client certificate
CA-Router3(cs-server)#cdp-url http://cdp-list-url-address. ;link to web with CRL list
CA-Router3(cs-server)#grant auto ;reply and grant enrollment requests automatically
CA-Router3(cs-server)#no shutdown ;turn on CA; you must enter a password to protect the CA private key after this line
Before continuing with the configuration, turn on debugging so that the certificate requests are visible (see the Function test section).
ASA1(config)# sysopt connection permit-vpn ;permit VPN traffic to pass firewall
ASA1(config)# crypto key generate rsa modulus 512 ;generate RSA keys for encryption purpose
ASA1(config)# crypto ca trustpoint CASERVER ;define Trustpoint and its parameters, links CA for SCEP
ASA1(config-ca-trustpoint)# enrollment url http://172.16.1.2:80 ;url thru which certificates will be enrolled
ASA1(config-ca-trustpoint)# enrollment retry count 20 ;number of retries of failed enrollment
ASA1(config-ca-trustpoint)# crl optional ;revocation check is optional
ASA1(config-ca-trustpoint)# revocation-check crl none ;revocation turned off
ASA1(config-ca-trustpoint)# debug crypto ca ;debugging turned on, communication with CA will be visible
ASA1(config)# crypto ca authenticate CASERVER ;get and authenticate CA certificate - you must manually check the fingerprint
ASA1(config)# crypto ca enroll CASERVER ;receive client certificate thru the enrollment url; in this exercise the certificate is granted automatically on the CA
ASA2(config)# sysopt connection permit-vpn
ASA2(config)# crypto key generate rsa modulus 512
ASA2(config)# crypto ca trustpoint CASERVER
ASA2(config-ca-trustpoint)# enrollment url http://172.16.1.2:80
ASA2(config-ca-trustpoint)# enrollment retry count 20
ASA2(config-ca-trustpoint)# crl optional
ASA2(config-ca-trustpoint)# revocation-check crl none
ASA2(config-ca-trustpoint)# debug crypto ca
ASA2(config)# crypto ca authenticate CASERVER
ASA2(config)# crypto ca enroll CASERVER
5a) VPN tunnel settings phase 1 IKE/ISAKMP:
The policy must be the same on both ends of the tunnel (the priority number may differ).
ASA1(config)# isakmp enable outside ;enable isakmp negotiation on outside interface
ASA1(config)# isakmp policy 10
ASA1(config-isakmp-policy)# authentication rsa-sig ;define authentication thru RSA signatures
ASA1(config-isakmp-policy)# group 2
ASA1(config-isakmp-policy)# hash sha
ASA1(config-isakmp-policy)# encryption 3des
ASA2(config)# isakmp enable outside
ASA2(config)# isakmp policy 10
ASA2(config-isakmp-policy)# authentication rsa-sig
ASA2(config-isakmp-policy)# group 2
ASA2(config-isakmp-policy)# hash sha
ASA2(config-isakmp-policy)# encryption 3des
5b) VPN tunnel settings phase 2 IPSEC
ASA1(config)# tunnel-group 172.16.0.1 type ipsec-l2l ;define site to site VPN tunnel mode
ASA1(config)# tunnel-group 172.16.0.1 ipsec-attributes ;define its second phase attributes
ASA1(config-tunnel-ipsec)# peer-id-validate cert ;peer will be identified thru its certificate
ASA1(config-tunnel-ipsec)# chain ;specify that the CA chain will be used to authenticate the peer
ASA1(config-tunnel-ipsec)# trust-point CASERVER ;define which CA will validate certificates
ASA1(config)# crypto ipsec transform-set TRSETASA1 esp-md5-hmac esp-des
ASA1(config)# crypto map CRMAPASA1 10 match address CRYPTOACL
ASA1(config)# crypto map CRMAPASA1 10 set peer 172.16.0.1
ASA1(config)# crypto map CRMAPASA1 10 set trustpoint CASERVER ;define which CA will be used in this crypto map section
ASA1(config)# crypto map CRMAPASA1 10 set transform-set TRSETASA1
ASA1(config)# crypto map CRMAPASA1 interface outside
Apply the analogous settings on the other side of the tunnel.
ASA2(config)# tunnel-group 172.16.1.1 type ipsec-l2l
ASA2(config)# tunnel-group 172.16.1.1 ipsec-attributes
ASA2(config-tunnel-ipsec)# peer-id-validate cert
ASA2(config-tunnel-ipsec)# chain
ASA2(config-tunnel-ipsec)# trust-point CASERVER
ASA2(config)# crypto ipsec transform-set TRSETASA2 esp-md5-hmac esp-des
ASA2(config)# crypto map CRMAPASA2 10 match address CRYPTOACL
ASA2(config)# crypto map CRMAPASA2 10 set peer 172.16.1.1
ASA2(config)# crypto map CRMAPASA2 10 set trustpoint CASERVER
ASA2(config)# crypto map CRMAPASA2 10 set transform-set TRSETASA2
ASA2(config)# crypto map CRMAPASA2 interface outside
Function test
F1)Turn on debug
On CA to see enrollment requests and key exchanges
CA-Router3#debug crypto pki server
CA-Router3#debug crypto pki validation
CA-Router3#debug crypto pki messages
Pictures show the result of these commands.
On ASA to see tunnel status and CA client status
Router1#debug crypto pki transactions
ASA1#debug crypto ipsec
ASA1#debug crypto isakmp
ASA1#debug crypto ? ;show other debug possibilities
F2)initialize tunnel
A ping from LAN 1 to LAN 2 should initialize the VPN tunnel, after which hosts on LAN2 are accessible.
Use ping 10.0.0.100. Look at the DST and SRC addresses in the debug output; which is which depends on the router from which the tunnel was initiated.
F3)Check statuses
CA
CA-Router3#sh crypto ca trustpoint status ;show CA hash keys
CA-Router3#sh crypto ca certificate NAME verbose ;show CA certificate
CA-Router3#dir NVRAM: ;show key pair files in NVRAM
Picture shows exported key pair.
ASA
ASA1#sh crypto ca certificates ;display CA certificate on ASA
Picture shows CA certificate.
Check IKE/IPSEC ASA configuration
ASA1#sh crypto isakmp policy ;display first phase of tunnel configuration
ASA1#sh crypto ipsec sa ;display send/receive packet statistics
Then show the ISAKMP and IPsec statuses.
ASA1#sh crypto isakmp sa
ASA1#sh crypto ipsec sa
Picture shows first phase – IKE.
Picture shows second phase – IPSEC.
F5)delete tunnel
ASA1#clear crypto isakmp ;clear IKE phase 1 state
ASA1#clear crypto sa ;clear existing tunnels
ASA1#clear crypto session ;clear existing tunnels
Picture shows deleted tunnel.
F6)reinitialize tunnel from other side
Use ping 192.168.0.100. Look at the DST and SRC addresses in the debug output; which is which depends on the router from which the tunnel was initiated.
Optional tasks
Access list and certificates:
Delete the client certificates and RSA keys and request new ones:
ASA1(config)# crypto key zeroize rsa ;delete the RSA key pair
ASA1(config)# crypto key generate rsa ;generate a new key pair
ASA1(config)# no crypto ca trustpoint CASERVER ;remove the trustpoint configuration and the certificates enrolled under it
Then follow point 4 to reconfigure the trustpoint and obtain new certificates.
Two or more tunnels to different locations and peers:
This will be accomplished by adding:
- New policy section with definition of needed settings.
- New access list to define which traffic have to be encrypted.
- New or existing transform set must be added to new crypto map section.
Cisco Labs – Network Security (7) – Site to site VPN using CA on Router
NS2 – Modul5 5.2.6 IOS task definition
Site to site VPN using CA on Router
Goal
- Certification authority will be running on Router3 which will also pass only needed traffic.
- Site to site VPN tunnel using Certification authority will be initialized on Router.
- Only traffic from LAN 1 and LAN 2 will be encrypted.
- Use OSPF routing protocol.
- Clear and reinitialize VPN tunnel.
- Do not forget to have configuration erased before startup and check if IOS is compatible with needed features.
Required time
3 hours
Theoretical background
Here will be short theoretical background for solving this task.
Configuration
PC1
ifconfig INT7 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT7
PC2
ifconfig INT8 10.0.0.100 netmask 255.255.255.0
route add default gw 10.0.0.1 dev INT8
Routers
First of all certification authority and NTP server must be run.
1) NTP + Clock + hostnames + domain:
NTP server.
router#clock set 0:00:00 9 MAR 2008 ;set clock and date
router(config)#hostname CA-Router3 ;set hostname
CA-Router3(config)#ntp master ;set this router as NTP server
CA-Router3(config)#ip domain-name test ;set domain name
NTP clients.
Router1(config)#ntp server 172.16.1.2 ;set NTP server to CA-Router3 ip address
Router1(config)#ip domain-name test
Router2(config)#ntp server 172.16.1.2
Router2(config)#ip domain-name test
2) interface settings + OSPF:
Router1(config)#interface INT1
Router1(config-if)#ip address 192.168.0.1 255.255.255.0
Router1(config-if)#no shutdown
Router1(config)#interface INT2
Router1(config-if)#ip address 172.16.1.1 255.255.255.0
Router1(config-if)#no shutdown
Router1(config)#router ospf 1
Router1(config-router)#network 192.168.0.0 0.0.0.255 area 0
Router1(config-router)#network 172.16.1.0 0.0.0.255 area 0 ;INT2 is in 172.16.1.0/24
Router2(config)#interface INT4
Router2(config-if)#ip address 10.0.0.1 255.255.255.0
Router2(config-if)#no shutdown
Router2(config)#interface INT3
Router2(config-if)#ip address 172.16.0.1 255.255.255.0
Router2(config-if)#no shutdown
Router2(config)#router ospf 1
Router2(config-router)#network 10.0.0.0 0.0.0.255 area 0
Router2(config-router)#network 172.16.0.0 0.0.0.255 area 0
CA-Router3(config)#interface INT5
CA-Router3(config-if)#ip address 172.16.1.2 255.255.255.0
CA-Router3(config-if)#no shutdown
CA-Router3(config)#interface INT6
CA-Router3(config-if)#ip address 172.16.0.2 255.255.255.0
CA-Router3(config-if)#no shutdown
CA-Router3(config)#router ospf 1
CA-Router3(config-router)#network 172.16.1.0 0.0.0.255 area 0
CA-Router3(config-router)#network 172.16.0.0 0.0.0.255 area 0
3) Access list on Router3 to enable only needed traffic:
CA-Router3(config)#access-list 101 permit ospf any any
CA-Router3(config)#access-list 101 permit icmp any 172.16.0.0 0.0.0.255 ;IOS extended ACLs take wildcard masks: 0.0.0.255 matches the /24
CA-Router3(config)#access-list 101 permit icmp any 172.16.1.0 0.0.0.255
CA-Router3(config)#access-list 101 permit tcp any host 172.16.1.2 eq www
CA-Router3(config)#access-list 101 permit udp any host 172.16.1.2 eq ntp
CA-Router3(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.0.1
CA-Router3(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.0.1 eq isakmp
CA-Router3(config)#access-list 102 permit ospf any any
CA-Router3(config)#access-list 102 permit icmp any 172.16.0.0 0.0.0.255
CA-Router3(config)#access-list 102 permit icmp any 172.16.1.0 0.0.0.255
CA-Router3(config)#access-list 102 permit tcp any host 172.16.1.2 eq www
CA-Router3(config)#access-list 102 permit udp any host 172.16.1.2 eq ntp
CA-Router3(config)#access-list 102 permit esp host 172.16.0.1 host 172.16.1.1
CA-Router3(config)#access-list 102 permit udp host 172.16.0.1 host 172.16.1.1 eq isakmp
CA-Router3(config)#interface INT5
CA-Router3(config-if)#ip access-group 101 in
CA-Router3(config)#interface INT6
CA-Router3(config-if)#ip access-group 102 in
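The two ACLs on Router3 are what decides whether the tunnel can come up at all: they must pass IKE (UDP 500) and ESP between the peers, SCEP enrollment (HTTP) and NTP to the CA, and nothing else. The following added example, not part of the lab, is a small evaluator for exactly the IOS extended ACL subset these lines use (and the one-line ACL 101 of the Easy VPN lab); it replays constructed packets through access-list 101 and shows which entry matched, including the implicit deny at the end. The ACL text and the sample packets are constructed from the lab, not captured from a device.

```python
"""Evaluate the CA router's inbound ACL against sample packets (added example, not lab code).
Implements just the IOS extended ACL subset the lab uses: protocols ip/icmp/ospf/esp/tcp/udp,
'any', 'host A.B.C.D', 'A.B.C.D wildcard' and an optional 'eq <port>' after the destination.
First match wins and every list ends with an implicit deny."""
PORT_NAMES = {"www": 80, "ntp": 123, "isakmp": 500, "telnet": 23, "ftp": 21}

# Constructed from the lab's access-list 101 (inbound on INT5, the Router1/ASA1 side).
# IOS wildcard masks: a set bit means "don't care", so 0.0.0.255 matches a /24.
ROUTER3_ACL = """\
access-list 101 permit ospf any any
access-list 101 permit icmp any 172.16.0.0 0.0.0.255
access-list 101 permit icmp any 172.16.1.0 0.0.0.255
access-list 101 permit tcp any host 172.16.1.2 eq www
access-list 101 permit udp any host 172.16.1.2 eq ntp
access-list 101 permit esp host 172.16.1.1 host 172.16.0.1
access-list 101 permit udp host 172.16.1.1 host 172.16.0.1 eq isakmp
"""


def _ip(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def _addr_spec(w, i):
    """Parse one address spec starting at w[i]; return ((network, wildcard), next index)."""
    if w[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if w[i] == "host":
        return (_ip(w[i + 1]), 0), i + 2
    return (_ip(w[i]), _ip(w[i + 1])), i + 2


def parse_acl(text, number):
    """Return the entries of numbered ACL `number` as (action, proto, src, dst, dport)."""
    entries = []
    for line in text.splitlines():
        w = line.split()
        if w[:2] != ["access-list", number]:
            continue
        action, proto = w[2], w[3]
        src, i = _addr_spec(w, 4)
        dst, i = _addr_spec(w, i)
        port = None
        if i < len(w) and w[i] == "eq":
            port = PORT_NAMES.get(w[i + 1]) or int(w[i + 1])
        entries.append((action, proto, src, dst, port))
    return entries


def _matches(addr, spec):
    net, wildcard = spec
    return (_ip(addr) & ~wildcard) & 0xFFFFFFFF == (net & ~wildcard) & 0xFFFFFFFF


def evaluate(entries, proto, src, dst, dport=None):
    """First-match lookup; returns (action, entry index), or ('deny', None) for the implicit deny."""
    for idx, (action, p, s, d, port) in enumerate(entries):
        if p != "ip" and p != proto:
            continue
        if not (_matches(src, s) and _matches(dst, d)):
            continue
        if port is not None and port != dport:
            continue
        return action, idx
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ROUTER3_ACL, "101")
    # constructed packets arriving on INT5 from the Router1/ASA1 side
    samples = [("esp", "172.16.1.1", "172.16.0.1", None),   # IPsec data between the peers
               ("udp", "172.16.1.1", "172.16.0.1", 500),    # IKE
               ("udp", "172.16.1.1", "172.16.0.1", 4500),   # NAT-T: not permitted by this ACL
               ("tcp", "172.16.1.1", "172.16.1.2", 80),     # SCEP enrollment to the CA
               ("udp", "172.16.1.1", "172.16.1.2", 123),    # NTP to the CA router
               ("tcp", "172.16.1.1", "172.16.0.1", 23)]     # telnet between the peers
    for proto, src, dst, port in samples:
        print(proto, src, "->", dst, port or "", evaluate(acl, proto, src, dst, port))
```

The NAT-T sample is the caveat worth remembering: this ACL permits IKE and ESP only, so if a peer ever sat behind NAT and switched to UDP encapsulation on port 4500, the tunnel would fail at Router3 without any error on the VPN endpoints themselves.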
4) CA server + CA requests:
CA-Router3(config)#crypto key generate rsa general-keys label KEYPLABEL exportable ;generate exportable RSA keys for the CA (1024-bit key recommended); if this command is not accepted, the IOS does not support the CA server
CA-Router3(config)#crypto key export rsa KEYPLABEL pem url nvram: 3des KEYPHESLO ;export CA private and public key to NVRAM; you are asked for filenames unless you confirm the default names
CA-Router3(config)#ip http server ;enable http server (certificates are requested thru http)
CA-Router3(config)#crypto pki server CASERVER ;create CA instance on a router
CA-Router3(cs-server)#issuer-name CN=Issuername C=country ;set up parameters for CA certificate
CA-Router3(cs-server)#lifetime ca-certificate 20 ;lifetime in days for CA certificate
CA-Router3(cs-server)#lifetime certificate 20 ;lifetime in days for client certificate
CA-Router3(cs-server)#cdp-url http://cdp-list-url-address. ;link to web with CRL list
CA-Router3(cs-server)#grant auto ;reply and grant enrollment requests automatically
CA-Router3(cs-server)#no shutdown ;turn on CA; you must enter a password to protect the CA private key after this line
Before continuing with the configuration, turn on debugging so that the certificate requests are visible (see the Function test section).
Router1(config)#crypto key generate rsa ;generate RSA usage keys
Router1(config)#crypto ca trustpoint CASERVER ;link to CA server for SCEP; older IOS versions use "crypto ca identity CASERVER"
Router1(ca-trustpoint)#enrollment url http://172.16.1.2 ;URL thru which certificates will be enrolled
Router1(ca-trustpoint)#revocation-check none ;the CRL link is not mandatory; use "crl optional" on some IOS versions
Router1(config)#crypto ca authenticate CASERVER ;get and authenticate CA certificate - you must manually check the fingerprint
Router1(config)#crypto ca enroll CASERVER ;get client certificate from CA after it is authenticated
*Router1(config)#crypto ca certificate query ;this optional command keeps client certificates on the CA instead of in flash
Router2(config)#crypto key generate rsa
Router2(config)#crypto ca identity CASERVER ;link to CA server for SCEP; use "crypto ca trustpoint CASERVER" on newer IOS versions
Router2(ca-trustpoint)#enrollment url http://172.16.1.2 ;URL thru which certificates will be enrolled
Router2(ca-trustpoint)#revocation-check none ;the CRL link is not mandatory; use "crl optional" on some IOS versions
Router2(config)#crypto ca authenticate CASERVER ;request CA certificate - you must manually check the fingerprint
Router2(config)#crypto ca enroll CASERVER ;request client certificate from CA
*Router2(config)#crypto ca certificate query ;this optional command keeps client certificates on the CA instead of in flash
5a) VPN tunnel settings phase 1 IKE/ISAKMP:
The policy must be the same on both ends of the tunnel (the priority number may differ).
Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encryption 3des
Router1(config-isakmp)#hash md5
Router1(config-isakmp)#group 1
Router1(config-isakmp)#authentication rsa-sig ;define authentication thru RSA signatures (using certificates)
Router1(config-isakmp)#lifetime 200
Router2(config)#crypto isakmp policy 10
Router2(config-isakmp)#encryption 3des
Router2(config-isakmp)#hash md5
Router2(config-isakmp)#group 1
Router2(config-isakmp)#authentication rsa-sig ;define authentication thru RSA signatures (using certificates)
Router2(config-isakmp)#lifetime 200
5b) VPN tunnel settings phase 2 IPSEC:
Router1(config)#crypto ipsec transform-set TRSETRouter1 esp-des esp-md5-hmac
Router1(config)#access-list 111 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255 ;traffic to be encrypted
Router1(config)#crypto map LOKALNIMAPARouter1 10 ipsec-isakmp
Router1(config-crypto-map)#match address 111
Router1(config-crypto-map)#set transform-set TRSETRouter1
Router1(config-crypto-map)#set peer 172.16.0.1
Router1(config)#interface INT2
Router1(config-if)#crypto map LOKALNIMAPARouter1
Apply the analogous settings on the other side of the tunnel (the crypto ACL is the mirror image).
Router2(config)#crypto ipsec transform-set TRSETRouter2 esp-des esp-md5-hmac
Router2(config)#access-list 111 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
Router2(config)#crypto map LOKALNIMAPARouter2 10 ipsec-isakmp
Router2(config-crypto-map)#match address 111
Router2(config-crypto-map)#set transform-set TRSETRouter2
Router2(config-crypto-map)#set peer 172.16.1.1
Router2(config)#interface INT3
Router2(config-if)#crypto map LOKALNIMAPARouter2
Function test
F1) Turn on debug
On the CA, to see enrollment requests and key exchanges:
CA-Router3#debug crypto pki server
CA-Router3#debug crypto pki validation
CA-Router3#debug crypto pki messages
Picture shows result of these commands.
On the router, to see the tunnel status and CA client status:
Router1#debug crypto pki transactions
Picture shows result of this command.
Router1#debug crypto ipsec
Router1#debug crypto isakmp
Router1#debug crypto ? ;show other debug options
Picture shows the debug output of a deleted tunnel.
F2) Initialize tunnel
A ping from LAN 1 to LAN 2 should initialize the VPN tunnel, and hosts on LAN 2 should be accessible.
Use ping 10.0.0.100. Look at the DST and SRC addresses; they depend on which router initiated the tunnel.
F3) Check statuses
CA
CA-Router3#sh crypto ca trustpoint status ;show the CA's key hashes
CA-Router3#sh crypto ca certificate NAME verbose ;show the CA certificate
Picture shows enrollment communication.
On the router, to see the tunnel status:
Router1#sh crypto ipsec sa
Router1#sh ntp stat ;show NTP connection statistics
Router1#sh crypto pubkey-chain rsa ;show public keys stored on the router
Pictures show tunnel parameters.
Picture shows NTP statistics.
Picture shows keys on router.
Check the IKE/IPsec router configuration:
Router1#sh crypto isakmp policy ;display the phase 1 (ISAKMP) policies
Router1#sh crypto ipsec sa ;display send/receive packet statistics
F4) Delete tunnel
Router1#clear crypto isakmp ;clear the phase 1 (ISAKMP) security associations
Router1#clear crypto sa ;clear the existing IPsec tunnels
F5) Reinitialize tunnel from the other side
Use ping 192.168.0.100. Look at the DST and SRC addresses; they depend on which router initiated the tunnel.
If the SPI is mismatched, refer to exercise 4.4.7, where the command crypto isakmp invalid-spi-recovery is discussed further.
Optional tasks
Delete certificates and request new ones
Delete the client certificates and RSA keys and request new ones:
Router1(config)#crypto key zeroize rsa ;delete the RSA key pair
Router1(config)#crypto key generate rsa
Router1(config)#no crypto ca trustpoint CASERVER ;remove the trustpoint configuration and its certificates
Follow point 4 to request a certificate from the CA again.
Two or more tunnels to different locations and peers:
This will be accomplished by adding:
- New policy section with definition of needed settings.
- New access list to define which traffic has to be encrypted.
- New or existing transform set must be added to new crypto map section.
Cisco Labs – Network Security (6) – Site to site VPN tunnel using pre-shared keys ASA, Router
NS2 – Modul4 4.5.5b ASA – IOS task definition
Site to site VPN tunnel using pre-shared keys ASA, Router
Goal
- A site-to-site VPN tunnel using pre-shared keys will be initialized.
- Router3 only passes traffic between the site routers; it simulates the Internet.
- Only traffic between LAN 1 and LAN 2 will be encrypted.
- Use static routes or the RIP routing protocol.
- This task demonstrates ASA-to-IOS tunneling.
- Clear and reinitialize the VPN tunnel.
- Do not forget to erase the configuration before starting, and check that the IOS version supports the needed features.
Required time
3 hours
Theoretical background
A short theoretical background for solving this task will be given here.
Configuration
PC1
ifconfig INT7 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT7
PC2
ifconfig INT8 10.0.0.100 netmask 255.255.255.0
route add default gw 10.0.0.1 dev INT8
Asa1, Router2, Router3
1) interface settings + static routes + NAT:
ASA1(config)#domain-name test ;set domain name
ASA1(config)#interface INT1 ;on interface set following
ASA1(conf-if)#switchport mode access ;set port on a switch to access mode
ASA1(conf-if)#switchport access vlan 10 ;access to vlan 10
ASA1(conf-if)#no shutdown ;turn on switchport
ASA1(config)#interface vlan 10 ;on vlan interface set following
ASA1(conf-if)#ip address 192.168.0.1 255.255.255.0 ;set ip address and mask
ASA1(conf-if)#nameif inside ;name interface; the security level is set by default
ASA1(conf-if)#no shutdown
ASA1(config)#interface INT2 ;on interface set following
ASA1(conf-if)#switchport mode access
ASA1(conf-if)#switchport access vlan 20
ASA1(conf-if)#no shutdown
ASA1(config)#interface vlan 20
ASA1(conf-if)#ip address 172.16.1.1 255.255.255.0
ASA1(conf-if)#nameif outside
ASA1(conf-if)#no shutdown
ASA1(config)#access-list CRYPTOACL permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0 ;access list to define which traffic will be encrypted
ASA1(config)#access-list outsidein permit icmp any host 172.16.1.1 ;access list to permit icmp traffic for test reasons
ASA1(config)#access-group outsidein in interface outside ;apply access list to an interface
ASA1(config)#route outside 10.0.0.0 255.255.255.0 172.16.1.2 ;static route instead of dynamic routing protocols
ASA1(config)#route outside 172.16.0.0 255.255.255.0 172.16.1.2
ASA1(config)#nat (inside) 1 0 0 ;nat all traffic
ASA1(config)#global (outside) 1 interface ;and using PAT
ASA1(config)#nat (inside) 0 access-list CRYPTOACL ;do not translate ip addresses for traffic to be encrypted
Router2(config)#interface INT3
Router2(conf-if)#ip address 172.16.0.1 255.255.255.0
Router2(conf-if)#no shutdown
Router2(conf-if)#exit
Router2(config)#interface INT4
Router2(conf-if)#ip address 10.0.0.1 255.255.255.0
Router2(conf-if)#no shutdown
Router2(conf-if)#exit
Router2(config)#ip route 172.16.1.0 255.255.255.0 172.16.0.2
Router2(config)#ip route 192.168.0.0 255.255.255.0 172.16.0.2
Router3(config)#interface INT5
Router3(conf-if)#ip address 172.16.1.2 255.255.255.0
Router3(conf-if)#no shutdown
Router3(config)#interface INT6
Router3(conf-if)#ip address 172.16.0.2 255.255.255.0
Router3(conf-if)#no shutdown
Router3(config)#ip route 192.168.0.0 255.255.255.0 172.16.1.1
Router3(config)#ip route 10.0.0.0 255.255.255.0 172.16.0.1
2a) VPN tunnel settings phase 1 IKE/ISAKMP:
The policy must be the same on both ends of the tunnel (the priority number can differ).
ASA1(config)#sysopt connection permit-vpn ;permit ipsec and isakmp traffic through the system; otherwise an access list must be defined
ASA1(config)#isakmp policy 10 ;set up policy section
ASA1(isakmp)#authentication pre-share ;authenticate using pre-shared keys
ASA1(isakmp)#group 2 ;Diffie-Hellman group 2
ASA1(isakmp)#hash sha ;hashing type
ASA1(isakmp)#encryption 3des ;encryption algorithm
Router2(config)#crypto isakmp policy 10
Router2(isakmp)#encryption 3des
Router2(isakmp)#hash sha
Router2(isakmp)#group 2
Router2(isakmp)#authentication pre-share
Router2(isakmp)#lifetime 200
2b) VPN tunnel settings phase 2 IPSEC:
ASA1(config)#isakmp identity address ;send the IP address as the IKE identity to the peer
ASA1(config)#tunnel-group 172.16.0.1 type ipsec-l2l ;set peer address and tunnel type (use ? to get more options)
ASA1(config)#tunnel-group 172.16.0.1 ipsec-attributes ;set tunneling protocol attributes
ASA1(config)#pre-shared-key Cisco ;define pre-shared key
ASA1(config)#isakmp enable outside ;enable isakmp on outside interface
ASA1(config)#crypto ipsec transform-set TRSETASA1 esp-md5-hmac esp-des ;define a transform set - an acceptable combination of security protocols and algorithms
ASA1(config)#crypto map CRMAPASA1 10 match address CRYPTOACL ;traffic matching CRYPTOACL is handled by this crypto map entry
ASA1(config)#crypto map CRMAPASA1 10 set peer 172.16.0.1 ;remote peer setting
ASA1(config)#crypto map CRMAPASA1 10 set transform-set TRSETASA1 ;apply transform set in a map section
ASA1(config)#crypto map CRMAPASA1 interface outside ;apply crypto map on interface
Apply analogous settings on the other side of the tunnel.
Router2(config)#crypto ipsec transform-set TRSETR2 esp-md5-hmac esp-des
Router2(config)#access-list 122 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
Router2(config)#crypto isakmp key Cisco address 172.16.1.1
Router2(config)#crypto map LOKALNIMAPAR2 10 ipsec-isakmp
Router2(cr-m)#set peer 172.16.1.1
Router2(cr-m)#match address 122
Router2(cr-m)#set transform-set TRSETR2
Router2(config)#interface INT3
Router2(conf-if)#crypto map LOKALNIMAPAR2
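The crypto ACLs on the two ends must be mirror images (ASA1's CRYPTOACL against Router2's access-list 122), and the ASA must exempt exactly that traffic from NAT. The following Python checker is an added example, not part of the lab; it parses the lab's prompt-prefixed lines, converts IOS wildcard masks and ASA subnet masks to a common form, and the function names and the constructed wildcard-typo case are my own.

```python
"""Check that the crypto ACLs on both tunnel ends mirror each other and that the
ASA exempts exactly that traffic from NAT. IOS numbered ACLs use wildcard masks
while ASA ACLs use subnet masks, so both are normalised to networks first.
Only explicit-mask 'permit ip' entries are handled, which is all this lab uses."""
import ipaddress
import re

ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
NAT0_RE = re.compile(r"nat \(inside\) 0 access-list (\S+)")
CRYPTO_MATCH_RE = re.compile(r"crypto map \S+ \d+ match address (\S+)")


def to_network(addr, mask, style):
    """Build an IPv4Network from an address plus a wildcard (ios) or netmask (asa)."""
    if style == "ios":
        # IOS wildcard: 0 bits are significant, so inverting it gives the subnet mask
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_crypto_acl(cli_text, style):
    """Return {acl_name: {(src_net, dst_net), ...}} from prompt-prefixed CLI lines."""
    acls = {}
    for line in cli_text.splitlines():
        m = ACL_RE.search(line.split(";")[0])      # ignore the lab's inline comments
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, set()).add(
                (to_network(src, smask, style), to_network(dst, dmask, style)))
    return acls


def mirror_problems(local, remote):
    """Entries on either end whose reversed (dst, src) pair is missing on the other."""
    return ({e for e in local if (e[1], e[0]) not in remote}
            | {e for e in remote if (e[1], e[0]) not in local})


def nat_exemption_consistent(asa_cli):
    """True when 'nat (inside) 0' references the same ACL the crypto map matches on."""
    nat_acls = set(NAT0_RE.findall(asa_cli))
    crypto_acls = set(CRYPTO_MATCH_RE.findall(asa_cli))
    return bool(nat_acls) and nat_acls == crypto_acls


# Constructed input: the relevant ASA1 lines (steps 1 and 2b) and Router2's ACL (step 2b)
ASA1_CLI = """ASA1(config)#access-list CRYPTOACL permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0 ;traffic to encrypt
ASA1(config)#nat (inside) 0 access-list CRYPTOACL ;no NAT for traffic to be encrypted
ASA1(config)#crypto map CRMAPASA1 10 match address CRYPTOACL"""
ROUTER2_CLI = "Router2(config)#access-list 122 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255"
# Constructed mistake: a wildcard typo that widens the router's source network to a /16
ROUTER2_TYPO_CLI = ROUTER2_CLI.replace("0.0.0.255 192.168.0.0", "0.0.255.255 192.168.0.0")

if __name__ == "__main__":
    asa = parse_crypto_acl(ASA1_CLI, "asa")["CRYPTOACL"]
    rtr = parse_crypto_acl(ROUTER2_CLI, "ios")["122"]
    print("mirror problems:", mirror_problems(asa, rtr))                    # set()
    print("NAT exemption consistent:", nat_exemption_consistent(ASA1_CLI))  # True
```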
3) Access list on Router3 to enable only needed traffic:
Router3(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.0.1 ;permit the encrypted tunnel traffic (ESP)
Router3(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.0.1 eq isakmp ;permit tunnel initialisation (ISAKMP, UDP 500)
Router3(config)#interface INT5
Router3(conf-if)#ip access-group 101 in ;apply access list to an interface
Function test
F1) check IKE/IPSEC ASA configuration
Diagnostics for this task are the same as in exercises 4.4.7 and 4.5.5a; use the same procedure.
ASA1#sh crypto isakmp sa ;display the phase 1 (ISAKMP) security associations
ASA1#sh crypto ipsec sa ;display send/receive packet statistics
A ping from LAN 1 to LAN 2 should initialize the VPN tunnel, and hosts on LAN 2 should be accessible.
F2) clear tunnels
ASA1#clear crypto isakmp sa ;clear the phase 1 (ISAKMP) security associations
ASA1#clear crypto ipsec sa ;clear the existing IPsec tunnels
Optional tasks
- Define more transform sets so that one matching the other side of the tunnel can be selected.
- Define different encryption and hashing algorithms – see point 2a.
- Add one more router (ASA) to the topology and create another tunnel to it.
Two or more tunnels to different locations and peers:
This will be accomplished by adding:
- New policy section with definition of needed settings.
- New access list.
- New or existing transform set must be added to new crypto map.
Cisco Labs – Network Security (5) – Site to site VPN tunnel using pre-shared keys on ASA
NS2 – Modul4 4.5.5a ASA task definition
Site to site VPN tunnel using pre-shared keys on ASA
Goal
- A site-to-site VPN tunnel using pre-shared keys will be initialized on the ASA.
- Router3 only passes traffic between the site routers; it simulates the Internet.
- Only traffic between LAN 1 and LAN 2 will be encrypted.
- Use static routes or the RIP routing protocol.
- Clear and reinitialize the VPN tunnel.
- Do not forget to erase the configuration before starting.
Required time
3 hours
Theoretical background
A short theoretical background for solving this task will be given here.
Configuration
PC1
ifconfig INT7 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT7
PC2
ifconfig INT8 10.0.0.100 netmask 255.255.255.0
route add default gw 10.0.0.1 dev INT8
Asa1, Asa2, Router3
1) interface settings + static routes + NAT:
ASA1(config)#domain-name test ;set domain name
ASA1(config)#interface INT1 ;on interface set following
ASA1(conf-if)#switchport mode access ;set port on a switch to access mode
ASA1(conf-if)#switchport access vlan 10 ;access to vlan 10
ASA1(conf-if)#no shutdown ;turn on switchport
ASA1(config)#interface vlan 10 ;on vlan interface set following
ASA1(conf-if)#ip address 192.168.0.1 255.255.255.0 ;set ip address and mask
ASA1(conf-if)#nameif inside ;name interface; the security level is set by default
ASA1(conf-if)#no shutdown
ASA1(config)#interface INT2 ;on interface set following
ASA1(conf-if)#switchport mode access
ASA1(conf-if)#switchport access vlan 20
ASA1(conf-if)#no shutdown
ASA1(config)#interface vlan 20
ASA1(conf-if)#ip address 172.16.1.1 255.255.255.0
ASA1(conf-if)#nameif outside
ASA1(conf-if)#no shutdown
ASA1(config)#access-list CRYPTOACL permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0 ;access list to define which traffic will be encrypted
ASA1(config)#access-list outsidein permit icmp any host 172.16.1.1 ;access list to permit icmp traffic for test reasons
ASA1(config)#access-group outsidein in interface outside ;apply access list to an interface
ASA1(config)#route outside 10.0.0.0 255.255.255.0 172.16.1.2 ;static route instead of dynamic routing protocols
ASA1(config)#route outside 172.16.0.0 255.255.255.0 172.16.1.2
ASA1(config)#nat (inside) 1 0 0 ;nat all traffic
ASA1(config)#global (outside) 1 interface ;and using PAT
ASA1(config)#nat (inside) 0 access-list CRYPTOACL ;do not translate ip addresses for traffic to be encrypted
ASA2(config)#domain-name test
ASA2(config)#interface INT4
ASA2(conf-if)#switchport mode access
ASA2(conf-if)#switchport access vlan 10
ASA2(conf-if)#no shutdown
ASA2(config)#interface vlan 10
ASA2(conf-if)#ip address 10.0.0.1 255.255.255.0
ASA2(conf-if)#nameif inside
ASA2(conf-if)#no shutdown
ASA2(config)#interface INT3
ASA2(conf-if)#switchport mode access
ASA2(conf-if)#switchport access vlan 20
ASA2(conf-if)#no shutdown
ASA2(config)#interface vlan 20
ASA2(conf-if)#ip address 172.16.0.1 255.255.255.0
ASA2(conf-if)#nameif outside
ASA2(conf-if)#no shutdown
ASA2(config)#access-list CRYPTOACL permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
ASA2(config)#access-list outsidein permit icmp any host 172.16.0.1 ;permit icmp to ASA2's own outside address, as on ASA1
ASA2(config)#access-group outsidein in interface outside
ASA2(config)#route outside 192.168.0.0 255.255.255.0 172.16.0.2
ASA2(config)#route outside 172.16.1.0 255.255.255.0 172.16.0.2
ASA2(config)#nat (inside) 1 0 0
ASA2(config)#global (outside) 1 interface
ASA2(config)#nat (inside) 0 access-list CRYPTOACL
Router3(config)#interface INT5
Router3(conf-if)#ip address 172.16.1.2 255.255.255.0
Router3(conf-if)#no shutdown
Router3(config)#interface INT6
Router3(conf-if)#ip address 172.16.0.2 255.255.255.0
Router3(conf-if)#no shutdown
Router3(config)#ip route 192.168.0.0 255.255.255.0 172.16.1.1
Router3(config)#ip route 10.0.0.0 255.255.255.0 172.16.0.1
2a) VPN tunnel settings phase 1 IKE/ISAKMP:
The policy must be the same on both ends of the tunnel (the priority number can differ).
ASA1(config)#sysopt connection permit-vpn ;permit ipsec and isakmp traffic through the system; otherwise an access list must be defined
ASA1(config)#isakmp policy 10 ;set up policy section
ASA1(isakmp)#authentication pre-share ;authenticate using pre-shared keys
ASA1(isakmp)#group 2 ;Diffie-Hellman group 2
ASA1(isakmp)#hash sha ;hashing type
ASA1(isakmp)#encryption 3des ;encryption algorithm
ASA2(config)#isakmp policy 10
ASA2(isakmp)#authentication pre-share
ASA2(isakmp)#group 2
ASA2(isakmp)#hash sha
ASA2(isakmp)#encryption 3des
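The rule that the phase 1 policy must agree on encryption, hash, DH group and authentication while the priority may differ (step 2a here, and the same step in the two preceding tasks) can be checked mechanically. This Python checker is an added example, not part of the lab: it parses the lab's prompt-prefixed CLI lines for IOS and ASA alike; the function names and the constructed mismatch case are my own, and the lifetime is deliberately left out of the comparison.

```python
"""Check that the IKE phase-1 (ISAKMP) policies on two tunnel ends can match.
Parses the prompt-prefixed CLI lines used in this lab (IOS and ASA share the
policy keywords) and compares every policy on one end against every policy
on the other, ignoring the priority number as the text says."""
import re

# "Router2(config)#crypto isakmp policy 10" or "ASA1(config)#isakmp policy 10"
POLICY_RE = re.compile(r"#(?:crypto )?isakmp policy (\d+)$")
ATTR_RE = re.compile(r"#(encryption|hash|group|authentication|lifetime)\s+(\S+)")
# Lifetime is deliberately not compared: the peers settle on the shorter value
MATCH_KEYS = ("encryption", "hash", "group", "authentication")


def parse_policies(cli_text):
    """Return {priority: {attribute: value}} from CLI lines, one command per line."""
    policies, current = {}, None
    for line in cli_text.splitlines():
        line = line.split(";")[0].strip()       # drop the lab's inline comments
        m = POLICY_RE.search(line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        m = ATTR_RE.search(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return policies


def matching_pairs(side_a, side_b):
    """(prio_a, prio_b) pairs whose policies agree on every negotiated attribute."""
    return [(pa, pb) for pa, a in side_a.items() for pb, b in side_b.items()
            if all(a.get(k) == b.get(k) for k in MATCH_KEYS)]


def explain_mismatch(policy_a, policy_b):
    """Attributes that differ between two single policies, as {attr: (a, b)}."""
    return {k: (policy_a.get(k), policy_b.get(k))
            for k in MATCH_KEYS if policy_a.get(k) != policy_b.get(k)}


# Constructed input: the ASA1 and Router2 policies from step 2a, one command per line
ASA1_CLI = """ASA1(config)#isakmp policy 10 ;set up policy section
ASA1(isakmp)#authentication pre-share
ASA1(isakmp)#group 2
ASA1(isakmp)#hash sha
ASA1(isakmp)#encryption 3des"""
ROUTER2_CLI = """Router2(config)#crypto isakmp policy 10
Router2(isakmp)#encryption 3des
Router2(isakmp)#hash sha
Router2(isakmp)#group 2
Router2(isakmp)#authentication pre-share
Router2(isakmp)#lifetime 200"""
# Constructed mistake: the same router policy with a different Diffie-Hellman group
ROUTER2_BAD_CLI = ROUTER2_CLI.replace("group 2", "group 1")

if __name__ == "__main__":
    asa, rtr, bad = (parse_policies(c) for c in (ASA1_CLI, ROUTER2_CLI, ROUTER2_BAD_CLI))
    print("matching pairs:", matching_pairs(asa, rtr))            # [(10, 10)]
    print("mismatch vs bad:", explain_mismatch(asa[10], bad[10]))  # {'group': ('2', '1')}
```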
2b) VPN tunnel settings phase 2 IPSEC:
ASA1(config)#isakmp identity address ;send the IP address as the IKE identity to the peer
ASA1(config)#tunnel-group 172.16.0.1 type ipsec-l2l ;set peer address and tunnel type (use ? to get more options)
ASA1(config)#tunnel-group 172.16.0.1 ipsec-attributes ;set tunneling protocol attributes
ASA1(config)#pre-shared-key Cisco ;define pre-shared key
ASA1(config)#isakmp enable outside ;enable isakmp on outside interface
ASA1(config)#crypto ipsec transform-set TRSETASA1 esp-md5-hmac esp-des ;define a transform set - an acceptable combination of security protocols and algorithms
ASA1(config)#crypto map CRMAPASA1 10 match address CRYPTOACL ;traffic matching CRYPTOACL is handled by this crypto map entry
ASA1(config)#crypto map CRMAPASA1 10 set peer 172.16.0.1 ;remote peer setting
ASA1(config)#crypto map CRMAPASA1 10 set transform-set TRSETASA1 ;apply transform set in a map section
ASA1(config)#crypto map CRMAPASA1 interface outside ;apply crypto map on interface
Apply analogous settings on the other side of the tunnel.
ASA2(config)#isakmp identity address
ASA2(config)#tunnel-group 172.16.1.1 type ipsec-l2l
ASA2(config)#tunnel-group 172.16.1.1 ipsec-attributes
ASA2(config)#pre-shared-key Cisco
ASA2(config)#isakmp enable outside ;enable isakmp on outside interface, as on ASA1
ASA2(config)#crypto ipsec transform-set TRSETASA2 esp-md5-hmac esp-des
ASA2(config)#crypto map CRMAPASA2 10 match address CRYPTOACL
ASA2(config)#crypto map CRMAPASA2 10 set peer 172.16.1.1
ASA2(config)#crypto map CRMAPASA2 10 set transform-set TRSETASA2
ASA2(config)#crypto map CRMAPASA2 interface outside
3) Access list on Router3 to enable only needed traffic:
Router3(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.0.1 ;permit the encrypted tunnel traffic (ESP)
Router3(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.0.1 eq isakmp ;permit tunnel initialisation (ISAKMP, UDP 500)
Router3(config)#interface INT5
Router3(conf-if)#ip access-group 101 in ;apply access list to an interface
Function test
Use debug crypto ipsec, debug crypto isakmp and logging console debugging to troubleshoot VPN tunnel configuration.
F1) Check the IKE/IPsec ASA configuration:
ASA1#sh crypto isakmp stat ;display phase 1 (ISAKMP) statistics
ASA1#sh crypto ipsec stat ;display send/receive packet statistics
A ping from LAN 1 to LAN 2 should initialize the VPN tunnel, and hosts on LAN 2 should be accessible.
F2) Initialize tunnel:
Use ping 10.0.0.100. Look at the DST and SRC addresses; they depend on which ASA initiated the tunnel.
ASA1#sh crypto ipsec sa
Pictures display the existing tunnel's 1st phase and 2nd phase.
F3) Delete tunnel
ASA1#clear crypto isakmp sa ;clear the phase 1 (ISAKMP) security associations
ASA1#clear crypto ipsec sa ;clear the existing IPsec tunnels
Picture displays the cleared tunnel.
Picture displays packets dropped after the SAs were cleared (debug output).
F4) Reinitialize tunnel from the other side
Use ping 192.168.0.100. Look at the DST and SRC addresses; they depend on which ASA initiated the tunnel.
Picture shows debugged traffic during tunnel initialisation.
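The "look at DST and SRC" checks above (F2/F4 here, F2/F5 of the router task, and the sh crypto isakmp sa step of the previous task) can be automated. The following Python parser is an added example, not part of the lab: it reads show crypto isakmp sa output in both the IOS row format and the ASA per-peer format and reports which side initiated and whether phase 1 completed. It assumes, as the text implies, that the IOS src column holds the initiator's address; both sample outputs are constructed.

```python
"""Parse 'show crypto isakmp sa' output from IOS and ASA and report, per SA,
which side initiated phase 1 and whether the SA is established.
Both sample outputs below are constructed for this example."""
import re

# IOS row: "dst  src  state  conn-id  status"; src is taken as the initiator's address
IOS_ROW_RE = re.compile(r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)"
                        r"\s+(?P<state>\S+)\s+(?P<conn>\d+)\s+(?P<status>\S+)")
# ASA prints one block per peer with explicit Role and State fields
ASA_PEER_RE = re.compile(r"IKE Peer:\s*(?P<peer>\d+\.\d+\.\d+\.\d+)")
ASA_ROLE_RE = re.compile(r"Role\s*:\s*(?P<role>\w+)")
ASA_STATE_RE = re.compile(r"State\s*:\s*(?P<state>\w+)")

def parse_ios(output, local_addr):
    """Return [{'peer', 'initiated_locally', 'state', 'status'}] from IOS output."""
    sas = []
    for line in output.splitlines():
        m = IOS_ROW_RE.match(line.strip())
        if not m:
            continue                       # header and blank lines
        src, dst = m.group("src"), m.group("dst")
        sas.append({"peer": dst if src == local_addr else src,
                    "initiated_locally": src == local_addr,
                    "state": m.group("state"), "status": m.group("status")})
    return sas

def parse_asa(output):
    """Return [{'peer', 'initiated_locally', 'state'}] from ASA output."""
    sas, current = [], None
    for line in output.splitlines():
        m = ASA_PEER_RE.search(line)
        if m:
            current = {"peer": m.group("peer")}
            sas.append(current)
            continue
        if current is None:
            continue                       # summary lines before the first peer
        m = ASA_ROLE_RE.search(line)
        if m:
            current["initiated_locally"] = m.group("role").lower() == "initiator"
        m = ASA_STATE_RE.search(line)
        if m:
            current["state"] = m.group("state")
    return sas

def established(sa):
    """Phase 1 is complete when IOS reports QM_IDLE or ASA reports MM_ACTIVE."""
    return sa.get("state") in ("QM_IDLE", "MM_ACTIVE")

# Constructed: what Router1 (172.16.1.1) shows after 'ping 10.0.0.100' from LAN 1
IOS_SAMPLE = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.0.1      172.16.1.1      QM_IDLE           1001 ACTIVE
"""
# Constructed: what ASA1 shows after the tunnel was brought up from the ASA2 side
ASA_SAMPLE = """   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.16.0.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""
```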
Optional tasks
- Define more transform sets so that one matching the other side of the tunnel can be selected.
- Define different encryption and hashing algorithms – see point 2a.
- Add one more router (ASA) to the topology and create another tunnel to it.
Two or more tunnels to different locations and peers:
This will be accomplished by adding:
- New policy section with definition of needed settings.
- New access list.
- New or existing transform set must be added to new crypto map.