Friday, 6 December 2019

Configure Remote Access IPsec VPNs at Cisco ASA firewall via CLI

Configure Remote Access IPsec VPNs


This section describes how to configure remote access VPNs.


Configure Interfaces

An ASA has at least two interfaces, referred to here as outside and inside. Typically, the outside interface is connected to the public Internet, while the inside interface is connected to a private network and is protected from public access.
To begin, configure and enable two interfaces on the ASA. Then assign a name, IP address and subnet mask. Optionally, configure its security level, speed and duplex operation on the security appliance.

Procedure


Step 1
Enter interface configuration mode from global configuration mode.
interface {interface}
Example:
hostname(config)# interface ethernet0
hostname(config-if)#



Step 2
Set the IP address and subnet mask for the interface.
ip address ip_address [mask] [standby ip_address]
Example:
hostname(config)# interface ethernet0
hostname(config-if)# ip address 10.10.4.200 255.255.0.0



Step 3
Specify a name for the interface (maximum of 48 characters). You cannot change this name after you set it.
nameif name
Example:
hostname(config-if)# nameif outside
hostname(config-if)#



Step 4
Enable the interface. By default, interfaces are disabled.
no shutdown
Example:
hostname(config-if)# no shutdown
hostname(config-if)#


Configure ISAKMP Policy and Enabling ISAKMP on the Outside Interface
Procedure





Step 1
Specify the authentication method and the set of parameters to use during IKEv1 negotiation.
The priority uniquely identifies the Internet Key Exchange (IKE) policy and ranks it against other policies. Use an integer from 1 to 65,534, with 1 being the highest priority and 65,534 the lowest.
In the steps that follow, the priority is set to 1.


Step 2
Specify the encryption method to use within an IKE policy.
crypto ikev1 policy priority encryption {aes | aes-192 | aes-256 | des | 3des}
Example:
hostname(config)# crypto ikev1 policy 1 encryption 3des
hostname(config)#



Step 3
Specify the hash algorithm for an IKE policy (also called the HMAC variant).

crypto ikev1 policy priority hash {md5 | sha}
Example:
hostname(config)# crypto ikev1 policy 1 hash sha
hostname(config)#



Step 4
Specify the Diffie-Hellman group for the IKE policy—the crypto protocol that allows the IPsec client and the ASA to establish a shared secret key.
crypto ikev1 policy priority group {1 | 2 | 5}
Example:
hostname(config)# crypto ikev1 policy 1 group 2
hostname(config)#



Step 5
Specify the encryption key lifetime—the number of seconds each security association should exist before expiring.
crypto ikev1 policy priority lifetime {seconds}
The range for a finite lifetime is 120 to 2147483647 seconds. Use 0 seconds for an infinite lifetime.
Example:
hostname(config)# crypto ikev1 policy 1 lifetime 43200
hostname(config)#




Step 6
Enable ISAKMP on the interface named outside.
crypto ikev1 enable interface-name
Example:
hostname(config)# crypto ikev1 enable outside
hostname(config)#



Step 7
Save the changes to the configuration.
write memory


Configure an Address Pool
The ASA requires a method for assigning IP addresses to users. This section uses address pools as an example.
Procedure


Create an address pool with a range of IP addresses, from which the ASA assigns addresses to the clients.
ip local pool poolname first-address-last-address [mask mask]
The address mask is optional. However, you must supply the mask value when the IP addresses assigned to VPN clients belong to a non-standard network and the data could be routed incorrectly if you use the default mask. A typical example is when the IP local pool contains 10.10.10.0/255.255.255.0 addresses, since this is a Class A network by default. This could cause routing issues when the VPN client needs to access different subnets within the 10 network over different interfaces.
Example:
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
hostname(config)#


Add a User
Procedure


Create a user, password, and privilege level.
username name {nopassword | password password [mschap | encrypted | nt-encrypted]}  [privilege priv_level]
Example:
hostname(config)# username testuser password 12345678


Create an IKEv1 Transform Set or IKEv2 Proposal
This section shows how to configure a transform set (IKEv1) or proposal (IKEv2), which combines an encryption method and an authentication method.
The following steps show how to create both an IKEv1 and an IKEv2 proposal.
Procedure



Step 1
Configure an IKEv1 transform set that specifies the IPsec IKEv1 encryption and hash algorithms to be used to ensure data integrity.
crypto ipsec ikev1 transform-set transform-set-name encryption-method [authentication]
Use one of the following values for encryption:
·       esp-aes to use AES with a 128-bit key.
·       esp-aes-192 to use AES with a 192-bit key.
·       esp-aes-256 to use AES with a 256-bit key.
·       esp-des to use 56-bit DES-CBC.
·       esp-3des to use triple DES algorithm.
·       esp-null to not use encryption.
Use one of the following values for authentication:
·       esp-md5-hmac to use the MD5/HMAC-128 as the hash algorithm.
·       esp-sha-hmac to use the SHA/HMAC-160 as the hash algorithm.
·       esp-none to not use HMAC authentication.
Example:
To configure an IKEv1 transform set:
hostname(config)# crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac




Step 2
Configure an IKEv2 proposal set that specifies the IPsec IKEv2 protocol, encryption, and integrity algorithms to be used.
esp specifies the Encapsulating Security Payload (ESP) IPsec protocol (currently the only supported protocol for IPsec).
crypto ipsec ikev2 ipsec-proposal proposal_name
protocol {esp} {encryption {des | 3des | aes | aes-192 | aes-256 | null} | integrity {md5 | sha-1}}
Use one of the following values for encryption:
·       des to use 56-bit DES-CBC encryption for ESP.
·       3des (default) to use the triple DES encryption algorithm for ESP.
·       aes to use AES with a 128-bit key encryption for ESP.
·       aes-192 to use AES with a 192-bit key encryption for ESP.
·       aes-256 to use AES with a 256-bit key encryption for ESP.
·       null to not use encryption for ESP.
Use one of the following values for integrity:
·       md5 specifies the md5 algorithm for the ESP integrity protection.
·       sha-1 (default) specifies the Secure Hash Algorithm (SHA) SHA-1, defined in the U.S. Federal Information Processing Standard (FIPS), for ESP integrity protection.
To configure an IKEv2 proposal:
hostname(config)# crypto ipsec ikev2 ipsec-proposal secure_proposal
hostname(config-ipsec-proposal)# protocol esp encryption des integrity md5


Define a Tunnel Group
A tunnel group is a collection of tunnel connection policies. You configure a tunnel group to identify AAA servers, specify connection parameters, and define a default group policy. The ASA stores tunnel groups internally.
There are two default tunnel groups in the ASA system: DefaultRAGroup, which is the default remote-access tunnel group, and DefaultL2Lgroup, which is the default LAN-to-LAN tunnel group. You can change these groups, but do not delete them. The ASA uses these groups to configure default tunnel parameters for remote access and LAN-to-LAN tunnel groups when there is no specific tunnel group identified during tunnel negotiation.
Procedure




Step 1
Create an IPsec remote access tunnel-group (also called a connection profile).
tunnel-group name type type
Example:
hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)#


Step 2
Enter tunnel group general attributes mode where you can enter an authentication method.
tunnel-group name general-attributes
Example:
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-tunnel-general)#


Step 3
Specify an address pool to use for the tunnel group.
address-pool [(interface name)] address_pool1 [...address_pool6]
Example:
hostname(config-general)# address-pool testpool


Step 4
Enter tunnel group ipsec attributes mode where you can enter IPsec-specific attributes for IKEv1 connections.
tunnel-group name ipsec-attributes
Example:
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-tunnel-ipsec)#


Step 5
(Optional) Configure a pre-shared key (IKEv1 only). The key can be an alphanumeric string from 1-128 characters.
The keys for the adaptive security appliance and the client must be identical. If a Cisco VPN Client with a different preshared key size tries to connect, the client logs an error message indicating it failed to authenticate the peer.
ikev1 pre-shared-key key
Example:
hostname(config-tunnel-ipsec)# ikev1 pre-shared-key 44kkaol59636jnfx


Create a Dynamic Crypto Map
Dynamic crypto maps define policy templates in which not all the parameters are configured. This lets the ASA receive connections from peers that have unknown IP addresses, such as remote access clients.
Dynamic crypto map entries identify the transform set for the connection. You can also enable reverse routing, which lets the ASA learn routing information for connected clients, and advertise it via RIP or OSPF.
Perform the following task:
Procedure



Step 1
Create a dynamic crypto map and specify an IKEv1 transform set or IKEv2 proposal for the map.
·       For IKEv1, use this command:
crypto dynamic-map dynamic-map-name seq-num set ikev1 transform-set transform-set-name
·       For IKEv2, use this command:
crypto dynamic-map dynamic-map-name seq-num set ikev2 ipsec-proposal proposal-name
Example:
hostname(config)# crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet
hostname(config)#
hostname(config)# crypto dynamic-map dyn1 1 set ikev2 ipsec-proposal secure_proposal
hostname(config)#


Step 2
(Optional) Enable Reverse Route Injection for any connection based on this crypto map entry.
crypto dynamic-map dynamic-map-name dynamic-seq-num set reverse-route
Example:
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route
hostname(config)#


Create a Crypto Map Entry to Use the Dynamic Crypto Map
Create a crypto map entry that lets the ASA use the dynamic crypto map to set the parameters of IPsec security associations.
In the following examples for this command, the name of the crypto map is mymap, the sequence number is 1, and the name of the dynamic crypto map is dyn1, which you created in the previous section.
Procedure



Step 1
Create a crypto map entry that uses a dynamic crypto map.
crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name
Example:
hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1


Step 2
Apply the crypto map to the outside interface.
crypto map map-name interface interface-name
Example:
hostname(config)# crypto map mymap interface outside


Step 3
Save the changes to the configuration.
write memory


Configuration Examples for Remote Access IPsec VPNs
The following example shows how to configure a remote access IPsec/IKEv1 VPN:

hostname(config)# crypto ikev1 policy 10
hostname(config-ikev1-policy)# authentication pre-share
hostname(config-ikev1-policy)# encryption aes-256
hostname(config-ikev1-policy)# hash sha
hostname(config-ikev1-policy)# group 2
hostname(config)# crypto ikev1 enable outside
hostname(config)# ip local pool POOL 192.168.0.10-192.168.0.15
hostname(config)# username testuser password 12345678
hostname(config)# crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
hostname(config)# tunnel-group RAVPN type remote-access
hostname(config)# tunnel-group RAVPN general-attributes
hostname(config-general)# address-pool POOL
hostname(config)# tunnel-group RAVPN ipsec-attributes
hostname(config-ipsec)# ikev1 pre-shared-key ravpnkey
hostname(config)# crypto dynamic-map DYNMAP 1 set ikev1 transform-set AES256-SHA
hostname(config)# crypto dynamic-map DYNMAP 1 set reverse-route
hostname(config)# crypto map CMAP 1 ipsec-isakmp dynamic DYNMAP
hostname(config)# crypto map CMAP interface outside

The following example shows how to configure a remote access IPsec/IKEv2 VPN:

hostname(config)# crypto ikev2 policy 1
hostname(config-ikev2-policy)# group 2
hostname(config-ikev2-policy)# integrity sha512
hostname(config-ikev2-policy)# prf sha512
hostname(config)# crypto ikev2 enable outside
hostname(config)# ip local pool POOL 192.168.0.10-192.168.0.15
hostname(config)# username testuser password 12345678
hostname(config)# crypto ipsec ikev2 ipsec-proposal AES256-SHA512
hostname(config-ipsec-proposal)# protocol esp encryption aes-256
hostname(config-ipsec-proposal)# protocol esp integrity sha-512
hostname(config)# tunnel-group RAVPN type remote-access
hostname(config)# tunnel-group RAVPN general-attributes
hostname(config-general)# address-pool POOL
hostname(config)# tunnel-group RAVPN ipsec-attributes
hostname(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key localravpnkey
hostname(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key remoteravpnkey
hostname(config)# crypto dynamic-map DYNMAP 1 set ikev2 ipsec-proposal AES256-SHA512
hostname(config)# crypto dynamic-map DYNMAP 1 set reverse-route
hostname(config)# crypto map CMAP 1 ipsec-isakmp dynamic DYNMAP
hostname(config)# crypto map CMAP interface outside
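The audit script below is an added example, not part of the Cisco guide or of this post: it parses an ASA configuration or a pasted CLI session (both the one-line and the sub-mode forms of the policy, transform-set and proposal commands shown above) and flags the values the syntax still accepts but a defender should no longer deploy: DES/3DES and null ESP, MD5 or no HMAC, and Diffie-Hellman groups 1, 2 and 5. It assumes Python 3.8+; the sample session is constructed from this post's own example commands.

```python
import re

# Values the syntax above still accepts but a defender should not deploy: DES/3DES and
# null ESP, MD5 or no HMAC, and DH groups 1, 2, 5 (see RFC 8221 / RFC 8247).
WEAK = {  # attribute -> values that should not be deployed
    "encryption": {"des", "3des", "null"}, "hash": {"md5"}, "integrity": {"md5"}, "prf": {"md5"},
    "group": {"1", "2", "5"}, "esp": {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "esp-none"},
}
KEYWORDS = {"encryption", "hash", "integrity", "prf", "group", "authentication", "lifetime"}
PROMPT = re.compile(r"^\S*\(config[^)]*\)#\s*")        # strips "hostname(config-x)# "
POLICY = re.compile(r"crypto\s+(ikev[12])\s+policy\s+(\d+)(.*)$")
TRANSFORM = re.compile(r"crypto\s+ipsec\s+ikev1\s+transform-set\s+(\S+)\s+(.+)$")
PROPOSAL = re.compile(r"crypto\s+ipsec\s+ikev2\s+ipsec-proposal\s+(\S+)$")
PROTOCOL = re.compile(r"protocol\s+esp\s+(.+)$")

def _check_tokens(findings, obj, tokens, attr=None):
    """Walk runs like 'encryption des integrity md5'; each keyword switches attr."""
    for tok in tokens:
        if tok in KEYWORDS:
            attr = tok
        elif tok in WEAK.get(attr, ()):
            findings.append((obj, attr, tok))

def audit(config_text):
    """Return weak (object, attribute, value) triples found in an ASA config or a
    pasted CLI session; one-line and sub-mode command forms are both handled."""
    findings, context = [], None          # context = object whose sub-mode we are in
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line:
            continue
        if m := POLICY.match(line):
            context = f"{m.group(1)} policy {m.group(2)}"
            _check_tokens(findings, context, m.group(3).split())
        elif m := TRANSFORM.match(line):
            context = None
            _check_tokens(findings, f"ikev1 transform-set {m.group(1)}", m.group(2).split(), "esp")
        elif m := PROPOSAL.match(line):
            context = f"ikev2 ipsec-proposal {m.group(1)}"
        elif (m := PROTOCOL.match(line)) and context:
            _check_tokens(findings, context, m.group(1).split())
        elif line.startswith("crypto "):
            context = None                # any other crypto command leaves the sub-mode
        elif context and line.split()[0] in KEYWORDS:
            _check_tokens(findings, context, line.split())
    return findings

# Constructed session made of this post's own example commands; run audit(SAMPLE).
SAMPLE = """\
hostname(config)# crypto ikev1 policy 1 encryption 3des
hostname(config)# crypto ikev1 policy 1 hash sha
hostname(config)# crypto ikev1 policy 1 group 2
hostname(config)# crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# crypto ipsec ikev2 ipsec-proposal secure_proposal
hostname(config-ipsec-proposal)# protocol esp encryption des integrity md5
hostname(config)# crypto ikev2 policy 1
hostname(config-ikev2-policy)# group 2
hostname(config-ikev2-policy)# integrity sha512
"""
```

Run it against the output of show running-config before and after a change; an empty list means none of the deprecated values are configured.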




Tuesday, 2 April 2019

Site to Site - IPSec VPN on ASA

             

Configure Via the ASDM VPN Wizard

Complete these steps in order to set up the site-to-site VPN tunnel via the ASDM wizard:
  1. Open the ASDM and navigate to Wizards > VPN Wizards > Site-to-site VPN Wizard:

  2. Click Next once you reach the wizard home page:

  3. Configure the peer IP address. In this example, the peer IP address is set to 192.168.1.1 on Site B. If you configure the peer IP address on Site A, it must be changed to 172.16.1.1. The interface through which the remote end can be reached is also specified. Click Next once complete.

  4. Configure the local and remote networks (traffic source and destination). This image shows the configuration for Site B (the reverse applies for Site A):

  5. On the Security page, configure the pre-shared key (it must match on both of the ends). Click Next once complete.

  6. Configure the source interface for the traffic on the ASA. The ASDM automatically creates the Network Address Translation (NAT) rule based on the ASA version and pushes it with the rest of the configuration in the final step.
  7. The wizard now provides a summary of the configuration that will be pushed to the ASA. Review and verify the configuration settings, and then click Finish.

    Configure Via the CLI

    Phase 1 (IKEv1)
    Complete these steps for the Phase 1 configuration:
    1. Enter this command into the CLI in order to enable IKEv1 on the outside interface:

      crypto ikev1 enable outside
    2. Create an IKEv1 policy that defines the algorithms/methods to be used for hashing, authentication, Diffie-Hellman group, lifetime, and encryption:

      crypto ikev1 policy 1
      !The 1 in the above command refers to the policy suite priority (1 highest, 65535 lowest)
        authentication pre-share
        encryption aes
        hash sha
        group 2
        lifetime 86400
    3. Create a tunnel group under the IPsec attributes and configure the peer IP address and the tunnel pre-shared key:

      tunnel-group 192.168.1.1 type ipsec-l2l
      tunnel-group 192.168.1.1 ipsec-attributes
       ikev1 pre-shared-key cisco
      !Note the IKEv1 keyword at the beginning of the pre-shared-key command
    Phase 2 (IPsec)
    Complete these steps for the Phase 2 configuration:
    1. Create an access list that defines the traffic to be encrypted and tunneled. In this example, the traffic of interest is the traffic from the tunnel that is sourced from the 10.2.2.0 subnet to the 10.1.1.0 subnet. It can contain multiple entries if there are multiple subnets involved between the sites.

      In Versions 8.4 and later, objects or object groups can be created that serve as containers for the networks, subnets, host IP addresses, or multiple objects. Create two objects that have the local and remote subnets and use them for both the crypto Access Control List (ACL) and the NAT statements.

      object network 10.2.2.0
       subnet 10.2.2.0 255.255.255.0
      object network 10.1.1.0
       subnet 10.1.1.0 255.255.255.0
      
      access-list 100 extended permit ip object 10.2.2.0 object 10.1.1.0
    2. Configure the Transform Set (TS), which must involve the keyword IKEv1. An identical TS must be created on the remote end as well.

      crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
    3. Configure the crypto map, which contains these components:

      • The peer IP address
      • The defined access list that contains the traffic of interest
      • The TS
      • An optional Perfect Forward Secrecy (PFS) setting, which creates a new pair of Diffie-Hellman keys that are used in order to protect the data (both sides must be PFS-enabled before Phase 2 comes up)
    4. Apply the crypto map on the outside interface:

      crypto map outside_map 20 match address 100
      crypto map outside_map 20 set peer 192.168.1.1
      crypto map outside_map 20 set ikev1 transform-set myset
      crypto map outside_map 20 set pfs
      crypto map outside_map interface outside
    NAT Exemption
    Ensure that the VPN traffic is not subjected to any other NAT rule. This is the NAT rule that is used:
       
    nat (inside,outside) 1 source static 10.2.2.0 10.2.2.0 destination static 10.1.1.0 10.1.1.0 no-proxy-arp route-lookup

    If several subnets are involved on either side, group them into object-groups and reference the groups in a single identity NAT rule:

    object-group network 10.x.x.x_SOURCE
     network-object 10.4.4.0 255.255.255.0
     network-object 10.2.2.0 255.255.255.0
    
    object-group network 10.x.x.x_DESTINATION
     network-object 10.3.3.0 255.255.255.0
     network-object 10.1.1.0 255.255.255.0
    
    nat (inside,outside) 1 source static 10.x.x.x_SOURCE 10.x.x.x_SOURCE destination static 10.x.x.x_DESTINATION 10.x.x.x_DESTINATION no-proxy-arp route-lookup
    Complete Sample Configuration
    Here is the complete configuration for Site B:
    crypto ikev1 enable outside
    
    crypto ikev1 policy 10
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    
    tunnel-group 192.168.1.1 type ipsec-l2l
    tunnel-group 192.168.1.1 ipsec-attributes
     ikev1 pre-shared-key cisco
     !Note the IKEv1 keyword at the beginning of the pre-shared-key command.
    
    object network 10.2.2.0 
     subnet 10.2.2.0 255.255.255.0 
    object network 10.1.1.0
     subnet 10.1.1.0 255.255.255.0
    
    access-list 100 extended permit ip object 10.2.2.0 object 10.1.1.0
    
    crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
    
    crypto map outside_map 20 match address 100
    crypto map outside_map 20 set peer 192.168.1.1
    crypto map outside_map 20 set ikev1 transform-set myset
    crypto map outside_map 20 set pfs
    crypto map outside_map interface outside
    
    nat (inside,outside) 1 source static 10.2.2.0 10.2.2.0 destination static 10.1.1.0 10.1.1.0 no-proxy-arp route-lookup
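    The consistency check below is an added example (not Cisco's code and not part of the original post) for the Phase 2 pieces above: it parses the objects, crypto ACL, transform set, crypto map and tunnel-group of each side and reports what would keep the tunnel from coming up: crypto ACLs that are not mirror images, differing transform sets, PFS on one side only, or a crypto map peer with no matching ipsec-l2l tunnel-group. It assumes Python 3.8+ and a single crypto map entry per side; Site B is built from the sample configuration above and Site A is its constructed mirror.

```python
import ipaddress
import re

def parse_site(text):
    """Pull the Phase 2 pieces out of one ASA config (one crypto map entry assumed)."""
    objs, acls, tsets, cmap, tgroups, cur_obj = {}, {}, {}, {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            cur_obj = m.group(1)
        elif (m := re.match(r"subnet (\S+) (\S+)$", line)) and cur_obj:
            objs[cur_obj] = str(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif m := re.match(r"access-list (\S+) extended permit ip object (\S+) object (\S+)$", line):
            acls.setdefault(m.group(1), set()).add((m.group(2), m.group(3)))
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)$", line):
            tsets[m.group(1)] = frozenset(m.group(2).split())
        elif m := re.match(r"crypto map \S+ \d+ (match address|set peer|set ikev1 transform-set|set pfs)\s*(\S*)$", line):
            cmap[m.group(1)] = m.group(2)
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", line):
            tgroups.add(m.group(1))
    # Resolve object names to CIDRs so the two sides are compared on addresses, not names.
    pairs = {(objs.get(s, s), objs.get(d, d)) for s, d in acls.get(cmap.get("match address"), set())}
    return {"pairs": pairs, "tset": tsets.get(cmap.get("set ikev1 transform-set")),
            "pfs": cmap.get("set pfs"), "peer": cmap.get("set peer"), "tgroups": tgroups}

def check_pair(site_a, site_b):
    """Return the mismatches between two sites that would keep Phase 2 from coming up."""
    a, b = parse_site(site_a), parse_site(site_b)
    problems = []
    if {(d, s) for s, d in a["pairs"]} != b["pairs"]:
        problems.append("crypto ACLs are not mirror images")
    if a["tset"] is None or a["tset"] != b["tset"]:
        problems.append("transform sets differ or are not referenced by the crypto map")
    if a["pfs"] != b["pfs"]:          # None = no 'set pfs'; "" or "groupN" = enabled
        problems.append("PFS set on one side only")
    for name, site in (("A", a), ("B", b)):
        if site["peer"] not in site["tgroups"]:
            problems.append(f"site {name}: no ipsec-l2l tunnel-group for peer {site['peer']}")
    return problems

# Constructed Site B config from the steps above; Site A is its mirror (subnets
# swapped, peer set to Site B's outside address 172.16.1.1). Run check_pair(SITE_A, SITE_B).
SITE_B = """\
object network 10.2.2.0
 subnet 10.2.2.0 255.255.255.0
object network 10.1.1.0
 subnet 10.1.1.0 255.255.255.0
access-list 100 extended permit ip object 10.2.2.0 object 10.1.1.0
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
tunnel-group 192.168.1.1 type ipsec-l2l
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 192.168.1.1
crypto map outside_map 20 set ikev1 transform-set myset
crypto map outside_map 20 set pfs
"""
SITE_A = (SITE_B.replace("object 10.2.2.0 object 10.1.1.0", "object 10.1.1.0 object 10.2.2.0")
          .replace("192.168.1.1", "172.16.1.1"))
```

    Pasting the same configuration on both sides, a common copy-and-paste mistake, is reported as a crypto ACL mismatch because the source and destination are not swapped.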