Cisco VPN Lab Series:
Cisco VPN LAB 1 : Simple Easy VPN Example between Routers and Comparison with DMVPNCisco VPN LAB 2 : IPSec VPN Example Between Two ASA 8.4.2
Cisco VPN LAB 3 : EZ VPN Between ASA 8.4.2, IOS Router and EZVPN Client Software
 Protocols and standards used in IPsec protocol suite:
- ESP (Encapsulation Security Payload)
- AH (Authentication header)
- IKE (Internet Key Exchange) - IKE phase 1 is used to secure management channel and setup the vpn channel
- encryption algorithms (DES,3DES,AES)
- DH (Diffie-Hellman group)
- Hash algorithms (MD5,SH1)
- SA (Security association)
- IPSEC -IPSEC or (IKE phase 2) is used to secure the real data thats wants to be secured.
Topology
Â
Configuration:
1. ASA842-1
asa842-1(config)#Â sh run: Saved
:
ASA Version 8.4(2)
!
hostname asa842-1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 description WAN
 nameif WAN
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet1
 description LAN
 nameif LAN
 security-level 100
 ip address 11.11.11.11 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
!!!create access control lists to tell the ASA what is "Interesting traffic", that's traffic that it needs to encrypt.
!!!for no-natting traffic , new command will be something like "nat (inside,outside) source static Site-A-SN Site-A-SN destination static Site-B-SN Site-B-SN"
access-list 102 extended permit ip host 11.11.11.12 host 22.22.22.23 log
pager lines 24
logging enable
logging buffered debugging
mtu WAN 1500
mtu LAN 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route WAN 0.0.0.0 0.0.0.0 1.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
!!! IKE Phase 2 IPSEC Transform-set
crypto ipsec ikev1 transform-set myset1 esp-des esp-sha-hmacÂ
!!! create a "Cryptomap" to handle "Phase 2" of the VPN Tunnel, that also will use 3DES and SHA and PFS.
crypto map outside_map 1 match address 102
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.2 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set myset1
!!! Apply that Cryptomap to the outside interface.
crypto map outside_map interface WAN
!!! Enable IKEv1 on WAN Interface
crypto ikev1 enable WAN
!!! create a policy that will setup how "Phase 1" of the VPN tunnel will be established
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!!!create a "Tunnel Group" to tell the firewall its a site to site VPN tunnel "l2l", and create a shared secret that will need to be entered at the OTHER end of the site to site VPN Tunnel. Tunnel group name must be peer gateway's ip address.
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
 no active
 destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
 destination address email [email protected]
 destination transport-method http
 subscribe-to-alert-group diagnostic
 subscribe-to-alert-group environment
 subscribe-to-alert-group inventory periodic monthly
 subscribe-to-alert-group configuration periodic monthly
 subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:4d98c8c61ec98419f0152f3c7193373d
: end
2. ASA842-2
asa842-2(config)# sh run: Saved
:
ASA Version 8.4(2)
!
hostname asa842-2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 description WAN
 nameif WAN
 security-level 0
 ip address 1.1.1.2 255.255.255.0
!
interface GigabitEthernet1
 description LAN
 nameif LAN
 security-level 100
 ip address 22.22.22.22 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list 102 extended permit ip host 22.22.22.23 host 11.11.11.12
pager lines 24
mtu WAN 1500Â
mtu LAN 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route WAN 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set myset1 esp-des esp-sha-hmac
crypto map outside_map 1 match address 102
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set myset1
crypto map outside_map interface WAN
crypto ikev1 enable WAN
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
 no active
 destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
 destination address email [email protected]
 destination transport-method http
 subscribe-to-alert-group diagnostic
 subscribe-to-alert-group environment
 subscribe-to-alert-group inventory periodic monthly
 subscribe-to-alert-group configuration periodic monthly
 subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:688f0053e33cccccd01e3cacdf9c0fff
: end
3. Logging and Verification
asa842-1(config)# show crypto ipsec sainterface: WAN
   Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1
     access-list 102 extended permit ip host 11.11.11.12 host 22.22.22.23 log
     local ident (addr/mask/prot/port): (11.11.11.12/255.255.255.255/0/0)
     remote ident (addr/mask/prot/port): (22.22.22.23/255.255.255.255/0/0)
     current_peer: 1.1.1.2
     #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
     #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
     #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
     #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
     #send errors: 0, #recv errors: 0
     local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 1.1.1.2/0
     path mtu 1500, ipsec overhead 58, media mtu 1500
     current outbound spi: 373F0E5C
     current inbound spi : 9F4A47B4
   inbound esp sas:
     spi: 0x9F4A47B4 (2672445364)
        transform: esp-des esp-sha-hmac no compression
        in use settings ={L2L, Tunnel, PFS Group 2, }
        slot: 0, conn_id: 8192, crypto-map: outside_map
        sa timing: remaining key lifetime (kB/sec): (3914999/28791)
        IV size: 8 bytes
        replay detection support: Y
        Anti replay bitmap:
         0x00000000 0x00000003
   outbound esp sas:
     spi: 0x373F0E5C (926879324)
        transform: esp-des esp-sha-hmac no compression
        in use settings ={L2L, Tunnel, PFS Group 2, }
        slot: 0, conn_id: 8192, crypto-map: outside_map
        sa timing: remaining key lifetime (kB/sec): (3914999/28791)
        IV size: 8 bytes
        replay detection support: Y
        Anti replay bitmap:
         0x00000000 0x00000001
asa842-1(config)# sh log
Syslog logging: enabled
   Facility: 20
   Timestamp logging: disabled
   Standby logging: disabled
   Debug-trace logging: disabled
   Console logging: disabled
   Monitor logging: disabled
   Buffer logging: level debugging, 639 messages logged
   Trap logging: disabled
   Permit-hostdown logging: disabled
   History logging: disabled
   Device ID: disabled
   Mail logging: disabled
   ASDM logging: disabled
 1.1.1.2, IP = 1.1.1.2, constructing pfs ke payload
%ASA-7-715001: Group = 1.1.1.2, IP = 1.1.1.2, constructing proxy ID
%ASA-7-713906: Group = 1.1.1.2, IP = 1.1.1.2, Transmitting Proxy Id:
 Local host: 11.11.11.12 Protocol 0 Port 0
 Remote host: 22.22.22.23 Protocol 0 Port 0
%ASA-7-714007: Group = 1.1.1.2, IP = 1.1.1.2, IKE Initiator sending Initial Contact
%ASA-7-715046: Group = 1.1.1.2, IP = 1.1.1.2, constructing qm hash payload
%ASA-7-714004: Group = 1.1.1.2, IP = 1.1.1.2, IKE Initiator sending 1st QM pkt: msg id = 7dde16b5
%ASA-7-713236: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=7dde16b5) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 324
%ASA-7-713236: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=7dde16b5) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 296
%ASA-7-715047: Group = 1.1.1.2, IP = 1.1.1.2, processing hash payload
%ASA-7-715047: Group = 1.1.1.2, IP = 1.1.1.2, processing SA payload
%ASA-7-715047: Group = 1.1.1.2, IP = 1.1.1.2, processing nonce payload
%ASA-7-715047: Group = 1.1.1.2, IP = 1.1.1.2, processing ke payload
%ASA-7-713906: Group = 1.1.1.2, IP = 1.1.1.2, processing ISA_KE for PFS in phase 2
%ASA-7-715047: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
%ASA-7-714011: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR ID received
11.11.11.12
%ASA-7-715047: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
%ASA-7-714011: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR ID received
22.22.22.23
%ASA-7-713906: Group = 1.1.1.2, IP = 1.1.1.2, loading all IPSEC SAs
%ASA-7-715001: Group = 1.1.1.2, IP = 1.1.1.2, Generating Quick Mode Key!
%ASA-7-715001: Group = 1.1.1.2, IP = 1.1.1.2, Generating Quick Mode Key!
%ASA-5-713049: Group = 1.1.1.2, IP = 1.1.1.2, Security negotiation complete for LAN-to-LAN Group (1.1.1.2)Â Initiator, Inbound SPI = 0x9f4a47b4, Outbound SPI = 0x373f0e5c
%ASA-7-713906: Group = 1.1.1.2, IP = 1.1.1.2, oakley constructing final quick mode
%ASA-7-714006: Group = 1.1.1.2, IP = 1.1.1.2, IKE Initiator sending 3rd QM pkt: msg id = 7dde16b5
%ASA-7-713236: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=7dde16b5) with payloads : HDR + HASH (8) + NONE (0) total length : 76
%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x373F0E5C) between 1.1.1.1 and 1.1.1.2 (user= 1.1.1.2) has been created.
%ASA-7-715007: Group = 1.1.1.2, IP = 1.1.1.2, IKE got a KEY_ADD msg for SA: SPI = 0x373f0e5c
%ASA-7-746012: user-identity: Add IP-User mapping 1.1.1.2 - LOCAL\1.1.1.2 Succeeded - VPN user
%ASA-7-746012: user-identity: Add IP-User mapping 22.22.22.23 - LOCAL\1.1.1.2 Succeeded - VPN user
%ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x9F4A47B4) between 1.1.1.1 and 1.1.1.2 (user= 1.1.1.2) has been created.
%ASA-7-715077: Group = 1.1.1.2, IP = 1.1.1.2, Pitcher: received KEY_UPDATE, spi 0x9f4a47b4
%ASA-7-715080: Group = 1.1.1.2, IP = 1.1.1.2, Starting P2 rekey timer: 24480 seconds.
%ASA-5-713120: Group = 1.1.1.2, IP = 1.1.1.2, PHASE 2 COMPLETED (msgid=7dde16b5)
%ASA-5-752016: IKEv1 was successful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 1.
%ASA-7-752002: Tunnel Manager Removed entry. Map Tag = outside_map. Map Sequence Number = 1.
%ASA-7-609001: Built local-host LAN:11.11.11.12
%ASA-7-609001: Built local-host WAN:22.22.22.23
%ASA-6-302020: Built outbound ICMP connection for faddr 22.22.22.23/0(LOCAL\1.1.1.2) gaddr 11.11.11.12/1285 laddr 11.11.11.12/1285
%ASA-6-302020: Built inbound ICMP connection for faddr 22.22.22.23/0(LOCAL\1.1.1.2) gaddr 11.11.11.12/1285 laddr 11.11.11.12/1285
%ASA-6-302021: Teardown ICMP connection for faddr 22.22.22.23/0(LOCAL\1.1.1.2) gaddr 11.11.11.12/1285 laddr 11.11.11.12/1285
%ASA-6-302021: Teardown ICMP connection for faddr 22.22.22.23/0(LOCAL\1.1.1.2) gaddr 11.11.11.12/1285 laddr 11.11.11.12/1285
%ASA-7-609002: Teardown local-host WAN:22.22.22.23 duration 0:00:02
%ASA-7-609002: Teardown local-host LAN:11.11.11.12 duration 0:00:02
%ASA-7-111009: User 'enable_15' executed cmd: show crypto ipsec sa
No comments:
Post a Comment