Cisco VPN LAB 4 : EZ VPN Between ASA 8.4.2, IOS Router and EZVPN Client Software - NETSEC



Cybersecurity Memo

Sunday, June 22, 2014

Cisco VPN LAB 4 : EZ VPN Between ASA 8.4.2, IOS Router and EZVPN Client Software

Cisco VPN Lab Series:

Cisco VPN LAB 1 : Simple Easy VPN Example between Routers and Comparison with DMVPN
Cisco VPN LAB 2 : IPSec VPN Example Between Two ASA 8.4.2
Cisco VPN LAB 3 : EZ VPN Between ASA 8.4.2, IOS Router and EZVPN Client Software

1. Topology:

2. Configurations:

!=== start from a clean default configuration on ASA===
configure factory-default

2.1 EZ VPN Server configuration

asa242-1(config)# sh run

ASA Version 8.4(2)
hostname asa242-1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface GigabitEthernet0
 nameif Internet
 security-level 0
 ip address
interface GigabitEthernet1
 nameif Internal
 security-level 100
 ip address
ftp mode passive

!Set up a split-tunnel access-list to define the traffic that will be routed over the tunnel from the client side. This access-list is pushed to the client when the VPN tunnel is established.
access-list EZVPN_SPLIT_TUNNEL standard permit
pager lines 24
mtu Internet 1500
mtu Internal 1500

! Address pool from which the software VPN clients get an IP address
ip local pool remoteuserspool mask

icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route Internet 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

!Set up the Phase 2 (IPsec) parameters and apply them to the interface.
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
!By default the XP VPN client uses the following IPsec parameters.
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map OUTDIDE_CRYPTO 65500 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map OUTDIDE_CRYPTO 65535 set ikev1 transform-set ESP-DES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic OUTDIDE_CRYPTO
crypto map OUTSIDE_MAP interface Internet


!Set up the Phase 1 (IKEv1/ISAKMP) parameters.
crypto ikev1 enable Internet
crypto ikev1 policy 9
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400

!By default the XP VPN client uses the following IKEv1 ISAKMP parameters.
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

!Next, define a group policy for the client. All of these settings are pushed to the client when it connects to the VPN. Note the nem enable option on the last line, which turns on Network Extension Mode. The password-storage enable option allows the client to store the username and password on the device; without it you are prompted for the credentials every time the tunnel is established.

group-policy EZVPN1 internal
group-policy EZVPN1 attributes
 dns-server value

 vpn-tunnel-protocol ikev1 ikev2
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value EZVPN_SPLIT_TUNNEL
 default-domain value domain.local
 secure-unit-authentication disable
 user-authentication disable
 nem enable

!Create the username that the client will use to connect to the server. As with the software VPN client, these are the user credentials supplied for the additional (XAUTH) authentication.
username cisco password 3USUcOPFUiMCO4Jk encrypted
username EZVPN_USER password k.2ZLTNcTBoL6bHt encrypted

!Apply the group-policy settings in a tunnel-group. This is where you enter the pre-shared key for Phase 1 authentication.
tunnel-group EZVPN1 type remote-access
tunnel-group EZVPN1 general-attributes
 default-group-policy EZVPN1
tunnel-group EZVPN1 ipsec-attributes
 ikev1 pre-shared-key *****

! The tunnel-group remoteusers is used by the remote XP VPN software clients
tunnel-group remoteusers type remote-access
tunnel-group remoteusers general-attributes
 address-pool remoteuserspool
tunnel-group remoteusers ipsec-attributes
 ikev1 pre-shared-key *****


prompt hostname context
no call-home reporting anonymous
 profile CiscoTAC-1
  no active
  destination address http
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
: end

2.2 EZ VPN Client IOS Router:

R10#sh run
Building configuration...

Current configuration : 1609 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R10
security passwords min-length 1
no aaa new-model
clock timezone CET 1
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip source-route
ip cef
no ipv6 traffic interface-statistics
no ipv6 cef
multilink bundle-name authenticated
username cisco password 0 cisco
crypto isakmp key cisco123 hostname asa242-1

!--- Set the parameters to connect to the 
!--- appropriate Easy VPN group on the Easy VPN server.
crypto ipsec client ezvpn ez
 connect auto
 group EZVPN1 key cisco123
 mode network-extension
 username cisco password cisco
 xauth userid mode local

!--- Use the crypto ipsec client ezvpn <name> command on the
!--- interface that connects to the Easy VPN server
!--- in order to complete the Easy VPN.
interface Ethernet0/0
 ip address
 crypto ipsec client ezvpn ez

!--- Define the inside interfaces that will access 
!--- and can be accessed via Easy VPN.
interface Ethernet0/1
 description inside
 ip address
 crypto ipsec client ezvpn ez inside
ip forward-protocol nd
no ip http server
no ip http secure-server
line con 0
 logging synchronous
line aux 0
line vty 0 4
exception data-corruption buffer truncate

2.3 XP VPN Client Configuration:

2.4 Test

2.4.1 Ping tests between the hub and the spokes work fine.

2.4.2 Ping tests between spokes fail. The solution is in Note 3.3.

3. Notes:

3.1. The vpnclient command (Easy VPN client) only works on the ASA 5505 model; since the ASA VM emulates a 5520 or generic F1, that feature isn't available.

3.2. ESXi vSwitch configuration. Promiscuous mode was used on my ESXi ASA VM network card so it could communicate with the other VMs.

3.3. Enable Communication between Remote Sites.

With this configuration, traffic between the spokes is dropped by the firewall by default, even though traffic between the hub and the spokes works well. The spoke-to-spoke traffic enters and leaves the ASA on the same interface (Internet), which the ASA blocks unless told otherwise. On the ASA, enter the following command:

same-security-traffic permit intra-interface

This command allows traffic between the spokes to pass.
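The server configuration in section 2.1 and the spoke-to-spoke fix in Note 3.3 above are both things an operator would want to check mechanically before putting such an ASA into service. The script below is an added example, not code from the original post: it parses a constructed excerpt of the ASA config shown above, extracts the IKEv1 policies and IPsec transform-sets, flags the DES/3DES, SHA-1 and DH group 2 settings the lab uses (the defaults of the old XP client, but weak by today's standards), reports that password-storage enable keeps XAUTH credentials on the client, and reports when same-security-traffic permit intra-interface is missing, which is exactly the condition that breaks spoke-to-spoke traffic. The severity labels and the SAMPLE_CONFIG text are my own assumptions.

```python
"""Audit an ASA EZ VPN server config (as in section 2.1 above) for weak
IKEv1/IPsec settings and for the missing intra-interface permit (Note 3.3).
Added example; the config excerpt below is constructed from the page."""
import re

# Constructed excerpt of the running-config from section 2.1 (keys omitted).
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map OUTDIDE_CRYPTO 65500 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map OUTDIDE_CRYPTO 65535 set ikev1 transform-set ESP-DES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic OUTDIDE_CRYPTO
crypto map OUTSIDE_MAP interface Internet
crypto ikev1 enable Internet
crypto ikev1 policy 9
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy EZVPN1 attributes
 password-storage enable
 nem enable
"""

# Assumed weakness lists; "sha" on ASA 8.4 means SHA-1.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-null"}


def parse_ikev1_policies(config):
    """Return {policy_number: {attribute: value}} for each 'crypto ikev1 policy' block."""
    policies = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"crypto ikev1 policy (\d+)", line)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        if current is not None and line.startswith(" "):
            # Indented lines belong to the policy: "encryption des" -> {"encryption": "des"}
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any unindented line ends the block
    return policies


def parse_transform_sets(config):
    """Return {name: [transforms]} for each 'crypto ipsec ikev1 transform-set' line."""
    sets = {}
    for m in re.finditer(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$", config, re.M):
        sets[m.group(1)] = m.group(2).split()
    return sets


def audit(config):
    """Return a list of (severity, message) findings for the config."""
    findings = []
    policies = parse_ikev1_policies(config)
    for num in sorted(policies, key=int):
        attrs = policies[num]
        if attrs.get("encryption") in WEAK_ENCRYPTION:
            findings.append(("high", f"ikev1 policy {num}: weak encryption {attrs['encryption']}"))
        if attrs.get("hash") in WEAK_HASH:
            findings.append(("medium", f"ikev1 policy {num}: weak hash {attrs['hash']}"))
        if attrs.get("group") in WEAK_DH_GROUPS:
            findings.append(("medium", f"ikev1 policy {num}: weak DH group {attrs['group']}"))
    for name, transforms in parse_transform_sets(config).items():
        weak = sorted(WEAK_ESP.intersection(transforms))
        if weak:
            findings.append(("high", f"transform-set {name}: weak ESP cipher {', '.join(weak)}"))
    if re.search(r"^ password-storage enable$", config, re.M):
        findings.append(("low", "group-policy stores XAUTH credentials on the client (password-storage enable)"))
    # Spoke-to-spoke traffic enters and leaves the same interface (Note 3.3).
    if not re.search(r"^same-security-traffic permit intra-interface$", config, re.M):
        findings.append(("info", "spoke-to-spoke traffic will be dropped: "
                                 "add 'same-security-traffic permit intra-interface'"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against the output of sh run saved to a file and the intra-interface finding disappears once the command from Note 3.3 is added; the crypto findings remain until stronger IKEv1 policies and transform-sets are configured and the clients are moved off the DES/3DES defaults.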

