Pages

Showing posts with label VPN. Show all posts
Showing posts with label VPN. Show all posts

Monday, 14 May 2012

Cisco ASA 5500 Site to Site VPN (From CLI)


Cisco ASA 5500 Site to Site VPN (From CLI)
Do the same from ASDM
 
Problem
You want a secure IPSEC VPN between two sites.
Solution
Note: There have been a number of changes both in NAT and IKE on the Cisco ASA that mean commands will vary depending on the OS that the firewall is running, make sure you know what version your firewall is running (either by looking and the running config or issue a "sho ver" command).
Note 2: Cisco introduced IKE version 2 with ASA 8.4(x) This assumes we are configurug a tunnel using IKE version 1. (For version 2, both ends need to be running version 8.4(x) or greater).
Before you start - you need to ask yourself "Do I already have any IPSEC VPN's configured on this firewall?" Because if its not already been done, you need to enable ISAKMP on the outside interface. To ascertain whether yours is on, or off, issue a "show run crypto " command and check the results, if you do NOT see "crypto isakmp enable outside" or "crypto ikev1 enable outside" then you need to issue that command.
Firewall Running an OS of 8.4(x) or newer
PetesASA# show run crypto
crypto ikev1 enable outside << Mines already enabled and its IKE version1
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
PetesASA#
Firewall Running an OS Earlier than 8.4(x)
PetesASA# show run crypto
crypto isakmp enable outside << Mines already enabled.
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
PetesASA#
1. Im going to create access control lists next, one to tell the ASA what is "Interesting traffic", that's traffic that it needs to encrypt. If you are running an ASA older than version 8.3(x) you will need to create a second access list to STOP the ASA performing NAT on the traffic that travels over the VPN.
Warning: (ASA Version 8.3 or older): If you already have NAT excluded traffic on the firewall (for other VPN's) this will BREAK THEM - to see if you do, issue a "show run nat" command, if you already have a nat (inside) 0 access-list {name} entry, then use that {name} NOT the one in my example.
So below I'm saying "Don't NAT Traffic from the network behind the ASA (10.254.254.0) that's going to network behind the VPN device at the other end of the tunnel (172.16.254.0).
Firewall Running an OS of 8.3(x) or newer
PetesASA(config)#object network Site-A-SN
PetesASA(config-network-object)#subnet 10.254.254.0 255.255.255.0
PetesASA(config)#object network Site-B-SN
PetesASA(config-network-object)#subnet 172.16.254.0 255.255.255.0
PetesASA(config)#access-list VPN-INTERESTING-TRAFFIC line 1 extended permit ip object Site-A-SN object Site-B-SN
PetesASA(config)#nat (inside,outside) source static Site-A-SN Site-A-SN destination static Site-B-SN Site-B-SN
Firewall Running an OS Earlier than 8.3(x)
PetesASA(config)#
PetesASA(config)# access-list VPN-INTERESTING-TRAFFIC line 1 extended permit ip 10.254.254.0 255.255.255.0 172.16.254.0 255.255.255.0
PetesASA(config)# access-list NO-NAT-TRAFFIC line 1 extended permit ip 10.254.254.0 255.255.255.0 172.16.254.0 255.255.255.0
PetesASA(config)# nat (inside) 0 access-list NO-NAT-TRAFFIC
PetesASA(config)#
2. Now I'm going to create a "Tunnel Group" to tell the firewall its a site to site VPN tunnel "l2l", and create a shared secret that will need to be entered at the OTHER end of the site to site VPN Tunnel. I also set a keep alive value.
NoteEnsure the Tunnel Group Name is the IP address of the firewall/device that the other end of the VPN Tunnel is terminating on.
PetesASA(config)#
PetesASA(config)# tunnel-group 123.123.123.123 type ipsec-l2l
PetesASA(config)# tunnel-group 123.123.123.123 ipsec-attributes
PetesASA(config-tunnel-ipsec)# pre-shared-key 1234567890
PetesASA(config-tunnel-ipsec)# isakmp keepalive threshold 10 retry 2
PetesASA(config-tunnel-ipsec)# exit
PetesASA(config)#
3. Now we need to create a policy that will setup how "Phase 1" of the VPN tunnel will be established, we have already put in a shared secret, this policy will make sure we use it, it also sets the encryption type (3DES), the hashing algorithm (SHA) and the Level of PFS (Group 2). Finally it sets the timeout before phase 1 needs to be re-established. It sets the timeout value to 86400 seconds (That's 1440 Minutes - or 24 hours if your still confused :)
Firewall Running an OS of 8.4(x) or newer
PetesASA(config)# crypto ikev1 policy 10
PetesASA(config-ikev1-policy)#authentication pre-share
PetesASA(config-ikev1-policy)#hash sha
PetesASA(config-ikev1-policy)#group 2 
PetesASA(config-ikev1-policy)#lifetime 86400
Firewall Running an OS Earlier than 8.4(x)
PetesASA(config)#
PetesASA(config)# crypto isakmp policy 10 authen pre-share
PetesASA(config)# crypto isakmp policy 10 encrypt 3des
PetesASA(config)# crypto isakmp policy 10 hash sha
PetesASA(config)# crypto isakmp policy 10 group 2
PetesASA(config)# crypto isakmp policy 10 lifetime 86400
PetesASA(config)#
4. We stated above that we are going to use 3DES and SHA so we need a "Transform Set" that matches.
Firewall Running an OS of 8.4(x) or newer
PetesASA(config)#
PetesASA(config)# crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
PetesASA(config)#
Firewall Running an OS Earlier than 8.4(x)
PetesASA(config)#
PetesASA(config)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
PetesASA(config)#
4. Finally we need to create a "Cryptomap" to handle "Phase 2" of the VPN Tunnel, that also will use 3DES and SHA and PFS. And last od all we apply that Cryptomap to the outside interface.
Firewall Running an OS of 8.4(x) or newer
PetesASA(config)#
PetesASA(config)# crypto map outside_map 1 match address VPN-INTERESTING-TRAFFIC
PetesASA(config)# crypto map outside_map 1 set pfs group2
PetesASA(config)# crypto map outside_map 1 set peer 123.123.123.123
PetesASA(config)# crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
PetesASA(config)# crypto map outside_map interface outside
PetesASA(config)#
Firewall Running an OS Earlier than 8.4(x)
PetesASA(config)#
PetesASA(config)# crypto map outside_map 1 match address VPN-INTERESTING-TRAFFIC
PetesASA(config)# crypto map outside_map 1 set pfs group2
PetesASA(config)# crypto map outside_map 1 set peer 123.123.123.123
PetesASA(config)# crypto map outside_map 1 set transform-set ESP-3DES-SHA
PetesASA(config)# crypto map outside_map interface outside
PetesASA(config)#
5. Don't forget to save your hard work with a "write mem" command.
PetesASA(config)#
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425
8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#
6. Simply configure the other end as a "Mirror Image" of this one.
Posted by at No comments:
Labels: ,

Cisco ASA IKEv1 and IKEv2 Support for IPSEC



IETF proposed an updated Internet Key Exchange (IKE) protocol, called IKEv2, which is used to simplify and improve the legacy IKE protocol (IKEv1). Cisco ASA introduced support for IPSEC IKEv2 in software version 8.4(1) and later. In this ASA version, IKEv2 was added to support IPsec IKEv2 connections for AnyConnect and LAN-to-LAN VPN implementations. Of course, legacy IKEv1 is still supported and is widely used in almost all VPN configurations up to now.
In this article I will show the differences between the commands used in ASA versions prior to 8.4(1) with commands used in versions 8.4(1) and later.
ASA version prior to 8.4(1)
Let’s start with a basic IPSEC Lan-to-Lan VPN configuration for ASA versions prior to 8.4(1). Note that the following are just a part of the commands required for successful Lan-to-Lan VPN. The following are the commands which have some differences with the commands used in version 8.4(1) and later.
crypto ipsec transform-set espSHA3DESproto esp-3des esp-sha-hmac
crypto map IPSEC 10 match address VPN-TO-REMOTE
crypto map IPSEC 10 set pfs
crypto map IPSEC 10 set peer 100.100.100.2
crypto map IPSEC 10 set transform-set espSHA3DESproto
crypto map IPSEC interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 100.100.100.2 type ipsec-l2l
tunnel-group 100.100.100.2 ipsec-attributes
pre-shared-key *****
ASA version 8.4(1) and later
Now let’s see how the IPSEC Lan-to-Lan VPN commands are changed in ASA version 8.4(1) and later. In red color you see the commands which are changed:
crypto ipsec ikev1 transform-set espSHA3DESproto esp-3des esp-sha-hmac
crypto map IPSEC 10 match address VPN-TO-REMOTE
crypto map IPSEC 10 set pfs
crypto map IPSEC 10 set peer 100.100.100.2
crypto map IPSEC 10 set ikev1 transform-set espSHA3DESproto
crypto map IPSEC interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 100.100.100.2 type ipsec-l2l
tunnel-group 100.100.100.2 ipsec-attributes
ikev1 pre-shared-key *****
The Table below shows a site by site comparison of commands for even older ASA versions. The leftmost column shows commands for ASA versions lower than 7.2(1). The middle column shows the commands in versions higher than 7.2(1) and lower than 8.4(1). The right column shows the commands from 8.4(1) and higher.
Table with Cisco ASA versions and command differences regarding Site-to-Site IPSEC VPN commands:

ASA version < 7.2(1)
7.2(1)<ASA version<8.4(1)
ASA version  > 8.4(1)
isakmp policy [policy #]crypto isakmp policy [policy #]crypto ikev1 policy [policy #]
isakmp enable [interface-name]crypto isakmp enable [interface-name]crypto ikev1 enable [interface-name]
isakmp identity addresscrypto isakmp identity addresscrypto isakmp identity address
crypto ipsec transform-setcrypto ipsec transform-setcrypto ipsec ikev1 transform-set
tunnel-group nameipsec-attributes
  pre-shared-key xxxxxxx		tunnel-group name ipsec-attributes
  pre-shared-key xxxxxxx		tunnel-group name ipsec-attributes
  ikev1 pre-shared-key xxxxxxx

Posted by at No comments:
Labels:

Tuesday, 8 May 2012

Allow VPN Clients Internet Access without Split Tunneling


Allow VPN Clients Internet Access without Split Tunneling



This quck question and answer comes from a recent forum thread at networking-forum.com.  I especially like how texanmutt tried sending traffic to the proxy server.  This very clearly illustrates the idea of same-security-traffic permit intra-interface.
Question: I have setup remote access VPN on an ASA 5505. The remote access works good, but when I try to browse web pages with the remote client, it times out. But if I map the remote client web browser to the proxy server behind the ASA, it works just fine. I am guessing this might be some kind NAT issue.
Read on for the answer.
Answer: It’s a NAT issue and an ASA behavior issue. The success with the proxy makes sense, too.
By default, the ASA does not allow traffic to enter and exit the same interface of the security appliance. Since the clients are on the outside and the Internet is on the outside, client traffic is not allowed to flow that way by default. When you send the client traffic to the proxy first, the source of the traffic is changed to the proxy and now the flow is allowed from inside to outside.
You can change this behavior with the same-security-traffic command:
same-security-traffic permit intra-interface
Once you’ve allowed traffic to flow in and out of the same interface, you still need to NAT the traffic of your VPN clients just like you do your internal clients. Don’t forget that they are coming from the outside:
global (outside) 1 interface
nat (outside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
Posted by at No comments:
Labels:
Subscribe to: Comments (Atom)