Site2siteVPN
5/12/2018 Site2siteVPN - slidepdf.com
http://slidepdf.com/reader/full/site2sitevpn 1/30
http://forum.saigonctt.com.vn/showthread.php?157-H%E1%BB%8Fi-v%E1%BB%81-VPN-tren-FTTH-d%E1%BB%B1a-tr%EAn-thi%E1%BA%BFt-b%E1%BB%8B-Cisco.
http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b3d511.shtml
Following is a turnkey solution for a site-to-site IPSec based VPN between a Cisco ASA5505
running version 7.3(4) on one end (Site A) and a Cisco router 2621 running IOS version 12.3
on the other end (Site B).
This scenario was tested in the lab with a router placed between the ASA and the 2621 end router in order to better simulate the Internet. This "middle" WAN router is optional, but it adds realism to the lab.
The IP addresses used in this lab are private for the two sites behind the ASA and the router, and public on the WAN (Internet) side. Adjust the following configurations to your own IP addressing scheme as your needs require.
SITE A
  Cisco ASA 5505, Version 7.3(4)
  Enc. Domain: 192.168.9.0/24
  Interface E0 IP: 172.100.99.65/29
  Interface E1 IP: 192.168.9.254/24
  Test PC: 192.168.9.22, 192.168.9.50

Internet (simulated)
  WAN Router Cisco 2611 (in between ASA and End Router)
  E0/0: 172.100.99.70/29 (ASA's Gateway)
  E0/1: 172.77.200.193/28 (Router's Gateway)

SITE B
  Cisco 2621, IOS Version 12.3
  Enc. Domain: 192.168.50.0/24
  IP: 172.77.200.206/28, 192.168.50.1/24
  Test PC: 192.168.50.23, 192.168…

Network Diagram
IPSec Tunnel Parameters
- Pre-shared key: Cisco123
- Encryption: 3des
- Hash: md5
- Group: 2
- Lifetime: 86400
Site A: Cisco ASA5505 Configuration

TechCity-ASA5505# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname TechCity-ASA5505
domain-name cgngroup.com
enable password [--removed--] encrypted
passwd [--removed--] encrypted
names
!
interface Vlan1
 description Most Secure Inside LAN Connection
 nameif inside
 security-level 100
 ip address 192.168.9.254 255.255.255.0
!
interface Vlan2
 description Outside WAN Connection
 nameif outside
 security-level 0
 ip address 172.100.99.65 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name cgngroup.com
access-list ACL_INBOUND remark --- allow return traffic back for ICMP from inside ---
access-list ACL_INBOUND extended permit icmp any any unreachable
access-list ACL_INBOUND extended permit icmp any any echo-reply
access-list ACL_INBOUND extended permit icmp any any time-exceeded
access-list ACL_INBOUND extended permit icmp any any source-quench
access-list ACL_ENCRYPTION remark --- Link to Cisco 2621 TechCity_Lab_C2621 ---
access-list ACL_ENCRYPTION extended permit ip 192.168.9.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list ACL_NONAT remark --- NO NAT ACL ---
access-list ACL_NONAT extended permit ip 192.168.9.0 255.255.255.0 192.168.50.0 255.255.255.0
pager lines 60
logging enable
logging timestamp
logging buffer-size 16384
logging asdm informational
logging device-id ipaddress outside
mtu inside 1500
mtu outside 1454
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list ACL_NONAT
nat (inside) 1 192.168.9.0 255.255.255.0
access-group ACL_INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 172.100.99.70 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.9.0 255.255.255.0 inside
crypto ipsec transform-set labset esp-3des esp-md5-hmac
crypto ipsec df-bit clear-df outside
crypto map labmap 1 match address ACL_ENCRYPTION
crypto map labmap 1 set pfs
crypto map labmap 1 set peer 172.77.200.206
crypto map labmap 1 set transform-set labset
crypto map labmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
client-update enable
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.9.0 255.255.255.0 inside
ssh timeout 25
console timeout 25
management-access inside
username cris password [--removed--] encrypted privilege 15
username Admin password [--removed--] encrypted privilege 15
tunnel-group 172.77.200.206 type ipsec-l2l
tunnel-group 172.77.200.206 ipsec-attributes
 pre-shared-key Cisco123
!
prompt hostname context
Cryptochecksum:[--removed--]
: end
TechCity-ASA5505#
Site B: Cisco 2621 Router Configuration

TechCity_Lab_C2621#sh run
Building configuration...

Current configuration : 2110 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname TechCity_Lab_C2621
!
boot-start-marker
boot-end-marker
!
enable secret [--removed--]
enable password [--removed--]
!
aaa new-model
aaa authentication login default local
aaa session-id common
ip subnet-zero
ip cef
!
no ip domain lookup
ip domain name cgngroup.com
ip audit po max-events 100
!
username cris privilege 15 secret [--removed--]
username Admin privilege 15 secret [--removed--]
!
ip ssh time-out 5
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Cisco123 address 172.100.99.65
!
crypto ipsec transform-set labset esp-3des esp-md5-hmac
!
crypto map labmap 1 ipsec-isakmp
 description --- Link to the ASA TechCity-ASA5505 ---
 set peer 172.100.99.65
 set security-association lifetime seconds 86400
 set transform-set labset
 set pfs group2
 match address 101
!
interface FastEthernet0/0
 description LAN Connection Interface to SITE B
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description WAN Connection Interface
 ip address 172.77.200.206 255.255.255.240
 ip nat outside
 crypto map labmap
!
ip nat inside source route-map nonat interface FastEthernet0/1 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 172.77.200.193
!
access-list 100 remark --- NO NAT ACL ---
access-list 100 deny ip 192.168.50.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 100 permit ip 192.168.50.0 0.0.0.255 any
access-list 101 remark --- Link to the Cisco 2621 TechCity-ASA5505 ---
access-list 101 permit ip 192.168.50.0 0.0.0.255 192.168.9.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 100
!
line con 0
 session-timeout 3600
 exec-timeout 60 0
 password [--removed--]
line aux 0
line vty 0 4
 session-timeout 60
 exec-timeout 3600 0
 password [--removed--]
 transport input all
!
!
end

TechCity_Lab_C2621#
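A tunnel between an ASA and an IOS router only comes up when both ends agree on every parameter listed above: the ISAKMP policy (encryption, hash, authentication, DH group, lifetime), the pre-shared key, the transform set, the PFS group, and crypto ACLs that are exact mirror images of each other (the ASA uses subnet masks, IOS uses wildcard masks, which is the usual place for a typo). The script below is an added example, not part of the original document: it parses the crypto-relevant lines of the two configurations shown above (embedded here as constructed excerpts) and reports every mismatch it finds. The platform defaults it relies on are assumptions stated in the comments: a bare `set pfs` means group2 on the ASA and group1 on IOS, and the ISAKMP lifetime defaults to 86400 seconds on both.

```python
import ipaddress

# Constructed excerpts of the Site A (ASA) and Site B (IOS) configurations shown
# above, reduced to the lines that define the tunnel (sample input, not the
# project's files).
ASA_CONFIG = """crypto ipsec transform-set labset esp-3des esp-md5-hmac
crypto map labmap 1 match address ACL_ENCRYPTION
crypto map labmap 1 set pfs
crypto map labmap 1 set peer 172.77.200.206
crypto map labmap 1 set transform-set labset
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
access-list ACL_ENCRYPTION extended permit ip 192.168.9.0 255.255.255.0 192.168.50.0 255.255.255.0
tunnel-group 172.77.200.206 ipsec-attributes
 pre-shared-key Cisco123
"""
IOS_CONFIG = """crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Cisco123 address 172.100.99.65
crypto ipsec transform-set labset esp-3des esp-md5-hmac
crypto map labmap 1 ipsec-isakmp
 set peer 172.100.99.65
 set security-association lifetime seconds 86400
 set transform-set labset
 set pfs group2
 match address 101
access-list 101 permit ip 192.168.50.0 0.0.0.255 192.168.9.0 0.0.0.255
"""

def _blocks(config):
    """Yield (top-level line, [indented child lines]) pairs of a Cisco-style config."""
    header, kids = None, []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            kids.append(raw.strip())
        else:
            if header is not None:
                yield header, kids
            header, kids = raw.strip(), []
    if header is not None:
        yield header, kids

def _net(addr, mask):
    # ipaddress accepts both a netmask (255.255.255.0) and a Cisco wildcard (0.0.0.255)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config, platform):
    """Extract the tunnel parameters from an ASA 7.x or IOS 12.x running-config excerpt."""
    p = {"p1": {"lifetime": "86400"}, "acls": {}, "tsets": {}}  # assumed IKE default on both
    for header, kids in _blocks(config):
        w = header.split()
        if header.startswith("crypto isakmp policy"):
            for k in kids:
                key, val = k.split(None, 1)
                p["p1"]["encryption" if key == "encr" else key] = val  # IOS abbreviates to 'encr'
        elif header.startswith("crypto ipsec transform-set"):
            p["tsets"][w[3]] = frozenset(w[4:])
        elif header.startswith("crypto map"):
            # ASA keeps one 'crypto map NAME SEQ <setting>' per line; IOS nests the settings
            for s in [w[4:]] if platform == "asa" else [k.split() for k in kids]:
                if s[:2] == ["set", "peer"]:
                    p["peer"] = s[2]
                elif s[:2] == ["set", "transform-set"]:
                    p["tset"] = s[2]
                elif s[:2] == ["match", "address"]:
                    p["acl"] = s[2]
                elif s[:2] == ["set", "pfs"]:  # assumed defaults: group2 on ASA, group1 on IOS
                    p["pfs"] = s[2] if len(s) > 2 else ("group2" if platform == "asa" else "group1")
        elif header.startswith("access-list") and "permit ip" in header:
            i = w.index("ip") + 1  # ASA: SRC MASK DST MASK, IOS: SRC WILD DST WILD
            p["acls"].setdefault(w[1], []).append((_net(w[i], w[i + 1]), _net(w[i + 2], w[i + 3])))
        elif header.startswith("tunnel-group") and w[2] == "ipsec-attributes":  # ASA PSK
            p["auth_peer"] = w[1]
            p["psk"] = next(k.split()[1] for k in kids if k.startswith("pre-shared-key"))
        elif header.startswith("crypto isakmp key"):  # IOS PSK
            p["psk"], p["auth_peer"] = w[3], w[5]
    p["transform"] = p["tsets"][p["tset"]]
    p["crypto_acl"] = p["acls"][p["acl"]]
    return p

def compare(asa, ios):
    """Return mismatch descriptions; an empty list means both ends agree."""
    f = []
    for key in ("authentication", "encryption", "hash", "group", "lifetime"):
        if asa["p1"].get(key) != ios["p1"].get(key):
            f.append(f"phase1 {key}: ASA={asa['p1'].get(key)} IOS={ios['p1'].get(key)}")
    if asa["psk"] != ios["psk"]:
        f.append("pre-shared keys differ")
    for name, side in (("ASA", asa), ("IOS", ios)):
        if side["peer"] != side["auth_peer"]:  # crypto map peer must have a PSK entry
            f.append(f"{name}: crypto map peer {side['peer']} has no key entry ({side['auth_peer']})")
    if asa["transform"] != ios["transform"]:
        f.append(f"transform sets differ: {sorted(asa['transform'])} vs {sorted(ios['transform'])}")
    if asa.get("pfs") != ios.get("pfs"):
        f.append(f"PFS: ASA={asa.get('pfs')} IOS={ios.get('pfs')}")
    if set(asa["crypto_acl"]) != {(d, s) for s, d in ios["crypto_acl"]}:
        f.append("crypto ACLs are not mirror images")
    return f

if __name__ == "__main__":
    print(compare(parse(ASA_CONFIG, "asa"), parse(IOS_CONFIG, "ios")) or "configurations agree")
```

Run against the two excerpts the script reports no findings; change one side's hash or one octet of a crypto ACL and the corresponding line is reported, which is the check worth running before reaching for debug crypto isakmp.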
The "Middle" Cisco 2611 WAN Router Configuration

TechCity_Lab_C2611WAN# sh run
Building configuration...

Current configuration : 899 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname TechCity_Lab_C2611WAN
!
username cris password [--removed--]
!
ip subnet-zero
no ip finger
no ip domain-lookup
ip domain-name cgngroup.com
!
interface Ethernet0/0
 description Connected to the Cisco ASA5505 Outside Interface
 ip address 172.100.99.70 255.255.255.248
 ip accounting output-packets
!
interface Ethernet0/1
 description Connected to the Cisco 2621 F0/1 Interface
 ip address 172.77.200.193 255.255.255.240
 ip accounting output-packets
!
ip classless
no ip http server
!
line con 0
 session-timeout 60
 exec-timeout 60 0
 password [--removed--]
 login
 transport input none
line aux 0
line vty 0 4
 session-timeout 60
 exec-timeout 60 0
 password [--removed--]
 login
!
no scheduler allocate
end

TechCity_Lab_C2611WAN#
Various investigative commands related to VPN

ASA troubleshooting commands:
  sh crypto isakmp sa
  sh isakmp sa
  sh crypto ipsec sa
  sh ipsec sa peer 172.77.200.206
  sh crypto protocol statistics ipsec
  sh access-list [acl_name]
  debug crypto isakmp
  debug crypto ipsec

Router troubleshooting commands:
  sh crypto isakmp sa
  sh crypto ipsec sa
  sh crypto engine connections active
  sh access-list [acl_name]
  debug crypto isakmp
  debug crypto ipsec
  debug crypto engine
From the SITE A test PC we generate traffic that matches the crypto ACL, so that the tunnel is negotiated:

C:\> ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix . :
   IPv4 Address. . . . . . . . . . . : 192.168.9.22
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.9.1

C:\>
C:\> ping 192.168.50.23

Pinging 192.168.50.23 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.50.23: bytes=32 time=6ms TTL=254

Ping statistics for 192.168.50.23:
    Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
Approximate round trip times in milli-seconds:
    Minimum = 6ms, Maximum = 6ms, Average = 6ms

C:\>
C:\> ping 192.168.50.23

Pinging 192.168.50.23 with 32 bytes of data:
Reply from 192.168.50.23: bytes=32 time=5ms TTL=254
Reply from 192.168.50.23: bytes=32 time=5ms TTL=254
Reply from 192.168.50.23: bytes=32 time=5ms TTL=254
Reply from 192.168.50.23: bytes=32 time=5ms TTL=254

Ping statistics for 192.168.50.23:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 5ms, Maximum = 5ms, Average = 5ms

C:\>

The first three requests time out because the first packet that matches the crypto ACL triggers IKE phase 1 and phase 2 negotiation; once the security associations exist, the fourth reply arrives and the second ping succeeds in full.
On Site B we test connectivity from the Test PC behind the 2621:

C:\> ipconfig

Windows IP Configuration

Wireless LAN adapter Wireless Network Connection:
   Connection-specific DNS Suffix . :
   IPv4 Address. . . . . . . . . . . : 192.168.50.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.50.1

C:\> ping 192.168.9.50

Pinging 192.168.9.50 with 32 bytes of data:
Reply from 192.168.9.50: bytes=32 time=6ms TTL=31
Reply from 192.168.9.50: bytes=32 time=6ms TTL=31
Reply from 192.168.9.50: bytes=32 time=6ms TTL=31
Reply from 192.168.9.50: bytes=32 time=6ms TTL=31

Ping statistics for 192.168.9.50:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 6ms, Maximum = 6ms, Average = 6ms

C:\>
Troubleshooting SITE A, Cisco ASA5505:
Capture before and immediately after issuing the ping commands:
TechCity-ASA5505# sh crypto isakmp sa

There are no isakmp sas

TechCity-ASA5505# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.77.200.206
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
TechCity-ASA5505#
TechCity-ASA5505# sh crypto ipsec sa
interface: outside
    Crypto map tag: labmap, seq num: 1, local addr: 172.100.99.65

      access-list ACL_ENCRYPTION permit ip 192.168.9.0 255.255.255.0 192.168.50.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
      current_peer: 172.77.200.206

      #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 6, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.100.99.65, remote crypto endpt.: 172.77.200.206

      path mtu 1454, ipsec overhead 58, media mtu 1500
      current outbound spi: 2899FC7D

    inbound esp sas:
      spi: 0x972BD6B8 (2536232632)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 1, crypto-map: labmap
         sa timing: remaining key lifetime (kB/sec): (4274999/28501)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x2899FC7D (681180285)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 1, crypto-map: labmap
         sa timing: remaining key lifetime (kB/sec): (4274999/28501)
         IV size: 8 bytes
         replay detection support: Y
TechCity-ASA5505# sh crypto protocol statistics ipsec
[IPsec statistics]
   Encrypt packet requests: 6
   Encapsulate packet requests: 6
   Decrypt packet requests: 5
   Decapsulate packet requests: 5
   HMAC calculation requests: 11
   SA creation requests: 2
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0
TechCity-ASA5505#
TechCity-ASA5505# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list ACL_INBOUND; 4 elements
access-list ACL_INBOUND line 1 extended permit icmp any any unreachable (hitcnt=0) 0x8a00bb1d
access-list ACL_INBOUND line 2 extended permit icmp any any echo-reply (hitcnt=2) 0xbd068d3d
access-list ACL_INBOUND line 3 extended permit icmp any any time-exceeded (hitcnt=0) 0x1487340b
access-list ACL_INBOUND line 4 extended permit icmp any any source-quench (hitcnt=0) 0xe202f87b
access-list ACL_ENCRYPTION; 1 elements
access-list ACL_ENCRYPTION line 1 remark --- Link to Cisco 2621 TechCity_Lab_C2621 ---
access-list ACL_ENCRYPTION line 2 extended permit ip 192.168.9.0 255.255.255.0 192.168.50.0 255.255.255.0 (hitcnt=5) 0x0b6bc5e7
access-list ACL_NONAT; 1 elements
access-list ACL_NONAT line 1 remark --- NO NAT ACL ---
access-list ACL_NONAT line 2 extended permit ip 192.168.9.0 255.255.255.0 192.168.50.0 255.255.255.0 (hitcnt=0) 0x5c3c3d90
TechCity-ASA5505#
TechCity-ASA5505# sh ipsec sa peer 172.77.200.206
peer address: 172.77.200.206
    Crypto map tag: labmap, seq num: 1, local addr: 172.100.99.65

      access-list ACL_ENCRYPTION permit ip 192.168.9.0 255.255.255.0 192.168.50.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
      current_peer: 172.77.200.206

      #pkts encaps: 51, #pkts encrypt: 51, #pkts digest: 51
      #pkts decaps: 50, #pkts decrypt: 50, #pkts verify: 50
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 51, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.100.99.65, remote crypto endpt.: 172.77.200.206

      path mtu 1454, ipsec overhead 58, media mtu 1500
      current outbound spi: 2899FC7D

    inbound esp sas:
      spi: 0x972BD6B8 (2536232632)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 1, crypto-map: labmap
         sa timing: remaining key lifetime (kB/sec): (4274995/28137)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x2899FC7D (681180285)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 1, crypto-map: labmap
         sa timing: remaining key lifetime (kB/sec): (4274995/28137)
         IV size: 8 bytes
         replay detection support: Y

TechCity-ASA5505# sh isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
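The two `sh crypto ipsec sa` captures above are read by comparing a handful of fields: the encaps/decaps counters (both rising means traffic flows both ways; encaps rising with decaps stuck at zero is the classic one-way tunnel caused by a NAT-exemption or crypto-ACL problem on the far side), the send/recv error counters, the presence of both an inbound and an outbound ESP SA, the replay-detection flag and the remaining SA lifetime. The script below is an added example, not part of the original document: it parses a constructed excerpt of the output shown above and returns the findings an operator would act on. It also flags esp-3des and esp-md5-hmac as legacy transforms, which is this example's own check and not something the original document discusses.

```python
import re

# Transforms that current guidance treats as legacy; this list is the example's own.
LEGACY_TRANSFORMS = {"esp-3des", "esp-des", "esp-md5-hmac", "esp-null"}

# Constructed excerpt of the ASA 'sh crypto ipsec sa' output shown above (sample input).
SAMPLE = """\
interface: outside
    Crypto map tag: labmap, seq num: 1, local addr: 172.100.99.65
      local ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
      current_peer: 172.77.200.206
      #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #send errors: 0, #recv errors: 0
    inbound esp sas:
      spi: 0x972BD6B8 (2536232632)
         transform: esp-3des esp-md5-hmac none
         sa timing: remaining key lifetime (kB/sec): (4274999/28501)
         replay detection support: Y
    outbound esp sas:
      spi: 0x2899FC7D (681180285)
         transform: esp-3des esp-md5-hmac none
         sa timing: remaining key lifetime (kB/sec): (4274999/28501)
         replay detection support: Y
"""

def parse_ipsec_sa(text):
    """Pull the packet counters and the per-direction ESP SA details out of the output."""
    counters = {name: int(val)
                for name, val in re.findall(r"#(pkts \w+|send errors|recv errors): (\d+)", text)}
    sas = []
    # Each direction runs from its 'esp sas:' header to the next header or end of text.
    for m in re.finditer(r"(inbound|outbound) esp sas:(.*?)(?=\n\s*(?:inbound|outbound) esp sas:|\Z)",
                         text, re.S):
        body = m.group(2)
        spi = re.search(r"spi: (0x[0-9A-Fa-f]+)", body)
        if not spi:
            continue  # header present but no SA negotiated in this direction
        transform = re.search(r"transform: (.+)", body)
        life = re.search(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)", body)
        replay = re.search(r"replay detection support: (\w)", body)
        sas.append({
            "direction": m.group(1),
            "spi": spi.group(1),
            "transform": transform.group(1).split() if transform else [],
            "kb_left": int(life.group(1)) if life else None,
            "sec_left": int(life.group(2)) if life else None,
            "replay": bool(replay) and replay.group(1) == "Y",
        })
    peer = re.search(r"current_peer: (\S+)", text)
    return {"peer": peer.group(1) if peer else None, "counters": counters, "sas": sas}

def assess(sa_info, min_sec_left=600):
    """Return the findings an operator would act on; an empty list means the SA looks healthy."""
    findings = []
    c = sa_info["counters"]
    encaps, decaps = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
    if encaps and not decaps:
        findings.append(f"one-way traffic: {encaps} packets encapsulated but none decapsulated")
    if c.get("send errors", 0) or c.get("recv errors", 0):
        findings.append(f"errors: send={c.get('send errors', 0)} recv={c.get('recv errors', 0)}")
    present = {sa["direction"] for sa in sa_info["sas"]}
    for direction in ("inbound", "outbound"):
        if direction not in present:
            findings.append(f"no {direction} ESP SA: phase 2 did not complete")
    legacy = sorted({t for sa in sa_info["sas"] for t in sa["transform"] if t in LEGACY_TRANSFORMS})
    if legacy:
        findings.append("legacy transforms in use: " + ", ".join(legacy))
    for sa in sa_info["sas"]:
        if not sa["replay"]:
            findings.append(f"replay detection off on {sa['direction']} SA {sa['spi']}")
        if sa["sec_left"] is not None and sa["sec_left"] < min_sec_left:
            findings.append(f"{sa['direction']} SA {sa['spi']} rekeys in {sa['sec_left']}s")
    return findings

if __name__ == "__main__":
    for finding in assess(parse_ipsec_sa(SAMPLE)) or ["SA healthy"]:
        print(finding)
```

On the excerpt above the only finding is the legacy-transform note; setting `#pkts decaps` to 0 in the sample makes the one-way-traffic finding appear first, which is the symptom the SITE B test and the ACL hit counts in the original capture are there to rule out.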
1   IKE Peer: 172.77.200.206
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
TechCity-ASA5505#
TechCity-ASA5505# debug crypto isakmp
TechCity-ASA5505# conf t
TechCity-ASA5505(config)# logging console debug
TechCity-ASA5505(config)#
May 05 2011 13:43:36 172.100.99.65 : %ASA-5-111008: User 'enable_15' executed the 'logging console debug' command.
May 05 2011 13:43:37 172.100.99.65 : %ASA-7-710005: UDP request discarded from 192.168.9.22/59483 to inside:255.255.255.255/34447
May 05 2011 13:43:39 172.100.99.65 : %ASA-7-710005: UDP request discarded from 0.0.0.0/68 to inside:255.255.255.255/67
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-609001: Built local-host outside:192.168.50.23
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-609002: Teardown local-host outside:192.168.50.23 duration 0:00:00
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
May 05 2011 13:43:40 172.100.99.65 : %ASA-5-713041: IP = 172.77.200.206, IKE Initiator: New Phase 1, Intf inside, IKE Peer 172.77.200.206 local Proxy Address 192.168.9.0, remote Proxy Address 192.168.50.0, Crypto map (labmap)
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715046: IP = 172.77.200.206, constructing ISAKMP SA payload
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715046: IP = 172.77.200.206, constructing Fragmentation VID + extended capabilities payload
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-609001: Built local-host NP Identity Ifc:172.100.99.65
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-609001: Built local-host outside:172.77.200.206
May 05 2011 13:43:40 172.100.99.65 : %ASA-6-302015: Built outbound UDP connection 175 for outside:172.77.200.206/500 (172.77.200.206/500) to NP Identity Ifc:172.100.99.65/500 (172.100.99.65/500)
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 84
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715047: IP = 172.77.200.206, processing SA payload
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-713906: IP = 172.77.200.206, Oakley proposal is acceptable
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715046: IP = 172.77.200.206, constructing ke payload
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715046: IP = 172.77.200.206, constructing nonce payload
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715046: IP = 172.77.200.206, constructing Cisco Unity VID payload
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715046: IP = 172.77.200.206, constructing xauth V6 VID payload
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715048: IP = 172.77.200.206, Send IOS VID
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715038: IP = 172.77.200.206, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715046: IP = 172.77.200.206, constructing VID payload
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715048: IP = 172.77.200.206, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715047: IP = 172.77.200.206, processing ke payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715047: IP = 172.77.200.206, processing ISA_KE payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715047: IP = 172.77.200.206, processing nonce payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715047: IP = 172.77.200.206, processing VID payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715049: IP = 172.77.200.206, Received Cisco Unity client VID
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715047: IP = 172.77.200.206, processing VID payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715049: IP = 172.77.200.206, Received DPD VID
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715047: IP = 172.77.200.206, processing VID payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715038: IP = 172.77.200.206, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 0000077f)
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715047: IP = 172.77.200.206, processing VID payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715049: IP = 172.77.200.206, Received xauth V6 VID
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-713906: IP = 172.77.200.206, Connection landed on tunnel_group 172.77.200.206
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-713906: Group = 172.77.200.206, IP = 172.77.200.206, Generating keys for Initiator...
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715046: Group = 172.77.200.206, IP = 172.77.200.206, constructing ID payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715046: Group = 172.77.200.206, IP = 172.77.200.206, constructing hash payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715076: Group = 172.77.200.206, IP = 172.77.200.206, Computing hash for ISAKMP
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715034: IP = 172.77.200.206, Constructing IOS keep alive payload: proposal=32767/32767 sec.
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715046: Group = 172.77.200.206, IP = 172.77.200.206, constructing dpd vid payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
May 05 2011 13:43:42 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
May 05 2011 13:43:42 172.100.99.65 : %ASA-7-715047: Group = 172.77.200.206, IP = 172.77.200.206, processing ID payload
May 05 2011 13:43:42 172.100.99.65 : %ASA-7-714011: Group = 172.77.200.206, IP = 172.77.200.206, ID_IPV4_ADDR ID received 172.77.200.206
May 05 2011 13:43:42 172.100.99.65 : %ASA-7-715047: Group = 172.77.200.206, IP = 172.77.200.206, processing hash payload
May 05 2011 13:43:42 172.100.99.65 : %ASA-7-715076: Group = 172.77.200.206, IP = 172.77.200.206, Computing hash for ISAKMP
May 05 2011 13:43:42 172.100.99.65 : %ASA-7-713906: IP = 172.77.200.206, Connection landed on tunnel_group 172.77.200.206
May 05 2011 13:43:43 172.100.99.65 : %ASA-4-713903: Group = 172.77.200.206, IP = 172.77.200.206, Freeing previously allocated memory for authorization-dn-attributes
May 05 2011 13:43:43 172.100.99.65 : %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 172.77.200.206
May 05 2011 13:43:43 172.100.99.65 : %ASA-7-713906: Group = 172.77.200.206, IP = 172.77.200.206, Oakley begin quick mode
May 05 2011 13:43:43 172.100.99.65 : %ASA-7-714002: Group = 172.77.200.206, IP = 172.77.200.206, IKE Initiator starting QM: msg id = d2a3e6cb
May 05 2011 13:43:43 172.100.99.65 : %ASA-3-713119: Group = 172.77.200.206, IP = 172.77.200.206, PHASE 1 COMPLETED
May 05 2011 13:43:43 172.100.99.65 : %ASA-7-713121: IP = 172.77.200.206, Keep-alive type for this connection: DPD
May 05 2011 13:43:43 172.100.99.65 : %ASA-7-715080: Group = 172.77.200.206, IP = 172.77.200.206, Starting P1 rekey timer: 82080 seconds.
May 05 2011 13:43:44 172.100.99.65 : %ASA-7-715006: Group = 172.77.200.206, IP = 172.77.200.206, IKE got SPI from key engine: SPI = 0x4cc39f88
May 05 2011 13:43:44 172.100.99.65 : %ASA-7-713906: Group = 172.77.200.206, IP = 172.77.200.206, oakley constucting quick mode
May 05 2011 13:43:44 172.100.99.65 : %ASA-7-715046: Group = 172.77.200.206, IP = 172.77.200.206, constructing blank hash payload
May 05 2011 13:43:44 172.100.99.65 : %ASA-7-715046: Group = 172.77.200.206, IP = 172.77.200.206, constructing IPSec SA payload
May 05 2011 13:43:44 172.100.99.65 : %ASA-7-715046: Group = 172.77.200.206, IP = 172.77.200.206, constructing IPSec nonce payload
May 05 2011 13:43:44 172.100.99.65 : %ASA-7-715046: Group = 172.77.200.206, IP = 172.77.200.206, constructing pfs ke payload
May 05 2011 13:43:44 172.100.99.65 : %ASA-7-715001: Group = 172.77.200.206, IP = 172.77.200.206, constructing proxy ID
May 05 2011 13:43:44 172.100.99.65 : %ASA-7-713906: Group = 172.77.200.206, IP = 172.77.200.206, Transmitting Proxy Id: Local subnet: 192.168.9.0 mask 255.255.255.0 Protocol 0 Port 0 Remote subnet: 192.168.50.0 Mask 255.255.255.0 Protocol 0 Port 0
May 05 2011 13:43:45 172.100.99.65 : %ASA-7-714007: Group = 172.77.200.206, IP = 172.77.200.206, IKE Initiator sending Initial Contact
May 05 2011 13:43:45 172.100.99.65 : %ASA-7-715046: Group = 172.77.200.206, IP = 172.77.200.206, constructing qm hash payload
May 05 2011 13:43:45 172.100.99.65 : %ASA-7-714004: Group = 172.77.200.206, IP = 172.77.200.206, IKE Initiator sending 1st QM pkt: msg id = d2a3e6cb
May 05 2011 13:43:45 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE SENDING Message (msgid=d2a3e6cb) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 328
TechCity-ASA5505(config)# no logging console debug
TechCity-ASA5505(config)# exit
TechCity-ASA5505# undebug all
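Reading a `debug crypto isakmp` capture like the one above comes down to a few milestones: message 713041 marks the start of phase 1, the six main-mode messages (713236 with msgid=0) alternate SENDING and RECEIVED, "Oakley proposal is acceptable" confirms the ISAKMP policy matched, 713119 marks PHASE 1 COMPLETED, and the first 713236 with a non-zero msgid is the start of quick mode. Where the exchange stops tells you where to look. The script below is an added example, not part of the original document: it parses a constructed excerpt of the syslog lines above, extracts those milestones and gives a one-line verdict. The mapping from a stalled stage to a likely cause in `diagnose` is this example's own rule of thumb, not a statement from the original document.

```python
import re
from datetime import datetime

# Constructed excerpt of the ASA syslog debug shown above (sample input).
LOG = """\
May 05 2011 13:43:40 172.100.99.65 : %ASA-5-713041: IP = 172.77.200.206, IKE Initiator: New Phase 1, Intf inside, IKE Peer 172.77.200.206 local Proxy Address 192.168.9.0, remote Proxy Address 192.168.50.0, Crypto map (labmap)
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) +NONE (0) total length : 84
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-713906: IP = 172.77.200.206, Oakley proposal is acceptable
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
May 05 2011 13:43:42 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
May 05 2011 13:43:43 172.100.99.65 : %ASA-3-713119: Group = 172.77.200.206, IP = 172.77.200.206, PHASE 1 COMPLETED
May 05 2011 13:43:45 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE SENDING Message (msgid=d2a3e6cb) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 328
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : "
                     r"%ASA-(?P<sev>\d)-(?P<msgid>\d+): (?P<text>.*)$")
DECODE_RE = re.compile(r"IKE_DECODE (SENDING|RECEIVED) Message \(msgid=([0-9a-f]+)\) "
                       r"with payloads : (.+?) total length : (\d+)")

def parse_ike_log(log):
    """Turn syslog lines into event dicts; IKE_DECODE lines also carry direction and payload names."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        peer = re.search(r"IP = (\S+?),", m["text"])
        ev = {"time": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
              "msgid": int(m["msgid"]), "peer": peer.group(1) if peer else None, "text": m["text"]}
        d = DECODE_RE.search(m["text"])
        if d:
            ev["direction"], ev["exchange_id"], ev["length"] = d.group(1), d.group(2), int(d.group(4))
            # "HDR + SA (1) + VENDOR (13)" -> ["HDR", "SA", "VENDOR"]
            ev["payloads"] = [re.sub(r"\s*\(\d+\)", "", p).strip() for p in d.group(3).split("+")]
        events.append(ev)
    return events

def summarize(events):
    """Reduce the event stream to the milestones an operator checks when a tunnel will not come up."""
    start = next((e["time"] for e in events if e["msgid"] == 713041), None)
    done = next((e["time"] for e in events if e["msgid"] == 713119), None)
    main_mode = [e for e in events if e.get("exchange_id") == "0"]
    return {
        "peer": next((e["peer"] for e in events if e["peer"]), None),
        "proposal_accepted": any("proposal is acceptable" in e["text"] for e in events),
        "main_mode_messages": len(main_mode),
        "phase1_seconds": (done - start).total_seconds() if start and done else None,
        "quick_mode_started": any(e.get("exchange_id") not in (None, "0") for e in events),
    }

def diagnose(log):
    """One-line verdict; the stage-to-cause mapping is this example's rule of thumb."""
    s = summarize(parse_ike_log(log))
    if not s["proposal_accepted"]:
        return "no acceptable ISAKMP proposal: compare 'crypto isakmp policy' on both peers"
    if s["phase1_seconds"] is None:
        return (f"main mode stalled after {s['main_mode_messages']} of 6 messages: "
                "check UDP/500 reachability and the pre-shared key")
    if not s["quick_mode_started"]:
        return "phase 1 up but quick mode never started: check crypto ACL and NAT exemption"
    return f"phase 1 completed in {s['phase1_seconds']:.0f}s; quick mode started"

if __name__ == "__main__":
    print(diagnose(LOG))
```

On the full excerpt the verdict is that phase 1 completed in 3 seconds and quick mode started, which matches the MM_ACTIVE state in the `sh isakmp sa` capture; feeding it only the first four lines yields a main-mode stall after two messages, the picture you get when the peer stops answering.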
Troubleshooting SITE B, Cisco 2621:
TechCity_Lab_C2621# sh crypto isakmp sa dst src state conn-id slot
TechCity_Lab_C2621# debug crypto isakmp Crypto ISAKMP debugging is on TechCity_Lab_C2621# 00:06:00: ISAKMP (0:0): received packet from 172.100.99.65 dport 500 sport500 Global (N) NEW SA 00:06:00: ISAKMP: Created a peer struct for 172.100.99.65, peer port 500
00:06:00: ISAKMP: Locking peer struct 0x830314A4, IKE refcount 1 forResponding to new initiation 00:06:00: ISAKMP: local port 500, remote port 500 00:06:00: ISAKMP: insert sa successfully sa = 82FE5814 00:06:00: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH 00:06:00: ISAKMP (0:1): Old State = IKE_READY New State = IKE_R_MM1 00:06:00: ISAKMP (0:1): processing SA payload. message ID = 0 00:06:00: ISAKMP (0:1): processing vendor id payload 00:06:00: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch 00:06:00: ISAKMP: Looking for a matching key for 172.100.99.65 in default :success 00:06:00: ISAKMP (0:1): found peer pre-shared key matching 172.100.99.65 00:06:00: ISAKMP (0:1) local preshared key found
00:06:00: ISAKMP : Scanning profiles for xauth ... 00:06:00: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy 00:06:00: ISAKMP: default group 2 00:06:00: ISAKMP: encryption 3DES-CBC 00:06:00: ISAKMP: hash MD5 00:06:00: ISAKMP: auth pre-share 00:06:00: ISAKMP: life type in seconds 00:06:00: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80 00:06:00: ISAKMP (0:1): atts are acceptable. Next payload is 0
5/12/2018 Site2siteVPN - slidepdf.com
http://slidepdf.com/reader/full/site2sitevpn 15/30
00:06:01: ISAKMP (0:1): processing vendor id payload 00:06:01: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch 00:06:01: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE 00:06:01: ISAKMP (0:1): Old State = IKE_R_MM1 New State = IKE_R_MM1 00:06:01: ISAKMP (0:1): sending packet to 172.100.99.65 my_port 500 peer_port500 (R) MM_SA_SETUP 00:06:01: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE 00:06:01: ISAKMP (0:1): Old State = IKE_R_MM1 New State = IKE_R_MM2 00:06:01: ISAKMP (0:1): received packet from 172.100.99.65 dport 500 sport500 Global (R) MM_SA_SETUP 00:06:01: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH 00:06:01: ISAKMP (0:1): Old State = IKE_R_MM2 New State = IKE_R_MM3 00:06:01: ISAKMP (0:1): processing KE payload. message ID = 0 00:06:01: ISAKMP (0:1): processing NONCE payload. message ID = 0 00:06:01: ISAKMP: Looking for a matching key for 172.100.99.65 in default :success 00:06:01: ISAKMP (0:1): found peer pre-shared key matching 172.100.99.65 00:06:01: ISAKMP (0:1): SKEYID state generated 00:06:01: ISAKMP (0:1): processing vendor id payload 00:06:01: ISAKMP (0:1): vendor ID is Unity
00:06:01: ISAKMP (0:1): processing vendor id payload 00:06:01: ISAKMP (0:1): vendor ID seems Unity/DPD but major 211 mismatch 00:06:01: ISAKMP (0:1): vendor ID is XAUTH 00:06:01: ISAKMP (0:1): processing vendor id payload 00:06:01: ISAKMP (0:1): speaking to another IOS box! 00:06:01: ISAKMP (0:1): processing vendor id payload 00:06:01: ISAKMP (0:1:): vendor ID seems Unity/DPD but hash mismatch 00:06:01: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE 00:06:01: ISAKMP (0:1): Old State = IKE_R_MM3 New State = IKE_R_MM3 00:06:01: ISAKMP (0:1): sending packet to 172.100.99.65 my_port 500 peer_port500 (R) MM_KEY_EXCH 00:06:01: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE 00:06:01: ISAKMP (0:1): Old State = IKE_R_MM3 New State = IKE_R_MM4
00:06:01: ISAKMP (0:1): received packet from 172.100.99.65 dport 500 sport500 Global (R) MM_KEY_EXCH 00:06:01: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH 00:06:01: ISAKMP (0:1): Old State = IKE_R_MM4 New State = IKE_R_MM5 00:06:01: ISAKMP (0:1): processing ID payload. message ID = 0 00:06:01: ISAKMP (0:1): ID payload next-payload : 8 type : 1 address : 172.100.99.65
protocol : 17 port : 500 length : 12 00:06:01: ISAKMP (0:1): peer matches *none* of the profiles 00:06:01: ISAKMP (0:1): processing HASH payload. message ID = 0
00:06:01: ISAKMP:received payload type 17 00:06:01: ISAKMP (0:1): processing vendor id payload 00:06:01: ISAKMP (0:1): vendor ID is DPD 00:06:01: ISAKMP (0:1): SA authentication status: authenticated 00:06:01: ISAKMP (0:1): SA has been authenticated with 172.100.99.65 00:06:01: ISAKMP (0:1): peer matches *none* of the profiles 00:06:01: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE 00:06:01: ISAKMP (0:1): Old State = IKE_R_MM5 New State = IKE_R_MM5 00:06:01: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
5/12/2018 Site2siteVPN - slidepdf.com
http://slidepdf.com/reader/full/site2sitevpn 16/30
00:06:01: ISAKMP (0:1): ID payload
        next-payload : 8
        type         : 1
        address      : 172.77.200.206
        protocol     : 17
        port         : 500
        length       : 12
00:06:01: ISAKMP (1): Total payload length: 12
00:06:01: ISAKMP (0:1): sending packet to 172.100.99.65 my_port 500 peer_port 500 (R) MM_KEY_EXCH
00:06:01: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:06:01: ISAKMP (0:1): Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
00:06:01: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
00:06:01: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
00:06:01: ISAKMP (0:1): received packet from 172.100.99.65 dport 500 sport 500 Global (R) QM_IDLE
00:06:01: ISAKMP: set new node -1712801892 to QM_IDLE
00:06:01: ISAKMP (0:1): processing HASH payload. message ID = -1712801892
00:06:01: ISAKMP (0:1): processing SA payload. message ID = -1712801892
00:06:01: ISAKMP (0:1): Checking IPSec proposal 1
00:06:01: ISAKMP: transform 1, ESP_3DES
00:06:01: ISAKMP:   attributes in transform:
00:06:01: ISAKMP:      SA life type in seconds
00:06:01: ISAKMP:      SA life duration (basic) of 28800
00:06:01: ISAKMP:      SA life type in kilobytes
00:06:01: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
00:06:01: ISAKMP:      encaps is 1 (Tunnel)
00:06:01: ISAKMP:      authenticator is HMAC-MD5
00:06:01: ISAKMP:      group is 2
00:06:01: ISAKMP (0:1): atts are acceptable.
00:06:01: ISAKMP (0:1): processing NONCE payload. message ID = -1712801892
00:06:01: ISAKMP (0:1): processing KE payload. message ID = -1712801892
00:06:01: ISAKMP (0:1): processing ID payload. message ID = -1712801892
00:06:01: ISAKMP (0:1): processing ID payload. message ID = -1712801892
00:06:01: ISAKMP (0:1): processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = -1712801892, sa = 82FE5814
00:06:01: ISAKMP (0:1): SA authentication status: authenticated
00:06:01: ISAKMP (0:1): Process initial contact, bring down existing phase 1 and 2 SA's with local 172.77.200.206 remote 172.100.99.65 remote port 500
00:06:01: ISAKMP (0:1): asking for 1 spis from ipsec
00:06:01: ISAKMP (0:1): Node -1712801892, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:06:01: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
00:06:01: ISAKMP: received ke message (2/1)
00:06:02: ISAKMP: Locking peer struct 0x830314A4, IPSEC refcount 1 for for stuff_ke
00:06:02: ISAKMP (0:1): Creating IPSec SAs
00:06:02:         inbound SA from 172.100.99.65 to 172.77.200.206 (f/i)  0/ 0 (proxy 192.168.9.0 to 192.168.50.0)
00:06:02:         has spi 0x2899FC7D and conn_id 2000 and flags 23
00:06:02:         lifetime of 28800 seconds
00:06:02:         lifetime of 4608000 kilobytes
00:06:02:         has client flags 0x0
00:06:02:         outbound SA from 172.77.200.206 to 172.100.99.65 (f/i) 0/ 0 (proxy 192.168.50.0 to 192.168.9.0 )
00:06:02:         has spi -1758734664 and conn_id 2001 and flags 2B
00:06:02:         lifetime of 28800 seconds
00:06:02:         lifetime of 4608000 kilobytes
00:06:02:         has client flags 0x0
00:06:02: ISAKMP (0:1): sending packet to 172.100.99.65 my_port 500 peer_port 500 (R) QM_IDLE
00:06:02: ISAKMP (0:1): Node -1712801892, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
00:06:02: ISAKMP (0:1): Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
00:06:02: ISAKMP (0:1): received packet from 172.100.99.65 dport 500 sport 500 Global (R) QM_IDLE
00:06:02: ISAKMP: set new node -894521910 to QM_IDLE
00:06:02: ISAKMP (0:1): processing HASH payload. message ID = -894521910
00:06:02: ISAKMP (0:1): processing NOTIFY unknown protocol 1 spi 0, message ID = -894521910, sa = 82FE5814
00:06:02: ISAKMP (0:1): deleting node -894521910 error FALSE reason "informational (in) state 1"
00:06:02: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
00:06:02: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
00:06:02: ISAKMP (0:1): received packet from 172.100.99.65 dport 500 sport 500 Global (R) QM_IDLE
00:06:02: ISAKMP (0:1): deleting node -1712801892 error FALSE reason "quick mode done (await)"
00:06:02: ISAKMP (0:1): Node -1712801892, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:06:02: ISAKMP (0:1): Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
TechCity_Lab_C2621#
TechCity_Lab_C2621# sh crypto isakmp sa
dst             src             state          conn-id slot
172.77.200.206  172.100.99.65   QM_IDLE              1    0

TechCity_Lab_C2621# undebug all
All possible debugging has been turned off
TechCity_Lab_C2621# sh crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: labmap, local addr. 172.77.200.206

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
   current_peer: 172.100.99.65:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest 5
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify 6
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.77.200.206, remote crypto endpt.: 172.100.99.65
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 972BD6B8

     inbound esp sas:
      spi: 0x2899FC7D(681180285)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: labmap
        sa timing: remaining key lifetime (k/sec): (4500618/28629)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x972BD6B8(2536232632)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: labmap
        sa timing: remaining key lifetime (k/sec): (4500618/28627)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
TechCity_Lab_C2621#

TechCity_Lab_C2621# sh crypto engine connections active

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 FastEthernet0/1      172.77.200.206  set    HMAC_MD5+3DES_56_C        0        0
2000 FastEthernet0/1      172.77.200.206  set    HMAC_MD5+3DES_56_C        0        6
2001 FastEthernet0/1      172.77.200.206  set    HMAC_MD5+3DES_56_C        5        0

TechCity_Lab_C2621# sh access-lists
Extended IP access list 100
    10 deny ip 192.168.50.0 0.0.0.255 192.168.9.0 0.0.0.255 (5 matches)
    20 permit ip 192.168.50.0 0.0.0.255 any
Extended IP access list 101
    10 permit ip 192.168.50.0 0.0.0.255 192.168.9.0 0.0.0.255 (11 matches)
TechCity_Lab_C2621#
Verify the "middle" WAN router

Note that only packets between the public IP addresses (the VPN peers) are "seen"; the private 192.168.9.0/24 and 192.168.50.0/24 addresses never appear on the WAN because they are carried inside ESP:

TechCity_Lab_C2611WAN# sh ip accounting
   Source           Destination              Packets               Bytes
 172.100.99.65     172.77.200.206               236               32788
 172.77.200.206    172.100.99.65                227               29996

Accounting data age is 01:19
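A point that is easy to miss when reading the output above: the debug prints the outbound SPI as a signed 32-bit decimal (-1758734664) while "sh crypto ipsec sa" prints the same SPI as hex (0x972BD6B8), so a naive grep from one into the other never matches. The following is an added example, not part of the original lab notes, that normalises both forms, pulls the SPIs, peer and encaps/decaps counters out of the two outputs and reports a mismatch or one-way traffic. The two excerpts are trimmed copies of the router output shown above.

```python
"""Reconcile the SAs seen in 'debug crypto isakmp' with those in 'show crypto ipsec sa'.

Added example; this is not part of the original lab notes. IOS prints the
outbound SPI in the debug as a signed 32-bit decimal (-1758734664) and in the
show output as hex (0x972BD6B8). The helpers normalise both forms, extract
SPIs, peer and counters, and report a mismatch or one-way traffic.
"""
import re

# Trimmed copies of the router output above.
DEBUG_EXCERPT = """\
00:06:02: inbound SA from 172.100.99.65 to 172.77.200.206 (f/i) 0/ 0 (proxy 192.168.9.0 to 192.168.50.0)
00:06:02: has spi 0x2899FC7D and conn_id 2000 and flags 23
00:06:02: outbound SA from 172.77.200.206 to 172.100.99.65 (f/i) 0/ 0 (proxy 192.168.50.0 to 192.168.9.0 )
00:06:02: has spi -1758734664 and conn_id 2001 and flags 2B
"""

SHOW_EXCERPT = """\
interface: FastEthernet0/1
   current_peer: 172.100.99.65:500
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest 5
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify 6
     current outbound spi: 972BD6B8
     inbound esp sas:
      spi: 0x2899FC7D(681180285)
        transform: esp-3des esp-md5-hmac ,
     inbound ah sas:
     outbound esp sas:
      spi: 0x972BD6B8(2536232632)
        transform: esp-3des esp-md5-hmac ,
"""


def spi_to_unsigned(text):
    """Normalise an SPI written as hex (0x...) or as a signed decimal to an unsigned 32-bit int."""
    text = text.strip()
    value = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    return value & 0xFFFFFFFF          # two's complement wrap for the negative decimal form


def parse_debug_spis(debug):
    """Return {'inbound': spi, 'outbound': spi} from the 'Creating IPSec SAs' debug lines."""
    spis, direction = {}, None
    for line in debug.splitlines():
        m = re.search(r"\b(inbound|outbound) SA from", line)
        if m:
            direction = m.group(1)
            continue
        m = re.search(r"has spi (\S+) and conn_id", line)
        if m and direction:
            spis[direction] = spi_to_unsigned(m.group(1))
            direction = None
    return spis


def parse_show_ipsec_sa(show):
    """Extract peer, per-direction ESP SPIs, transforms and encaps/decaps counters."""
    result, section = {"spis": {}, "transforms": set()}, None
    for line in show.splitlines():
        if "esp sas" in line:                       # 'inbound esp sas:' / 'outbound esp sas:'
            section = "inbound" if "inbound" in line else "outbound"
        elif " ah sas" in line or " pcp sas" in line:
            section = None
        if m := re.search(r"current_peer:?\s+(\d+\.\d+\.\d+\.\d+)", line):
            result["peer"] = m.group(1)
        if m := re.search(r"#pkts encaps:\s*(\d+)", line):
            result["encaps"] = int(m.group(1))
        if m := re.search(r"#pkts decaps:\s*(\d+)", line):
            result["decaps"] = int(m.group(1))
        if section and (m := re.search(r"^\s*spi:\s*(0x[0-9A-Fa-f]+)", line)):
            result["spis"][section] = spi_to_unsigned(m.group(1))
        if m := re.search(r"transform:\s*((?:esp-\S+\s*)+)", line):
            result["transforms"].add(m.group(1).strip())
    return result


def _hex(value):
    return f"{value:#010x}" if value is not None else "missing"


def reconcile(debug, show):
    """List discrepancies between negotiated and installed SAs; an empty list means they agree."""
    negotiated, installed = parse_debug_spis(debug), parse_show_ipsec_sa(show)
    problems = []
    for direction in ("inbound", "outbound"):
        if negotiated.get(direction) != installed["spis"].get(direction):
            problems.append(f"{direction} SPI mismatch: debug {_hex(negotiated.get(direction))} "
                            f"vs show {_hex(installed['spis'].get(direction))}")
    if not installed.get("encaps") or not installed.get("decaps"):
        problems.append(f"one-way traffic: encaps={installed.get('encaps')} decaps={installed.get('decaps')}")
    return problems


if __name__ == "__main__":
    print(reconcile(DEBUG_EXCERPT, SHOW_EXCERPT) or "debug and show output agree")
```

The encaps/decaps check is worth keeping in any such script: a tunnel whose counters only move in one direction is the usual signature of a routing or NAT problem on the far side rather than an IKE problem.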
Site to Site VPN between Cisco ASA and Router
Wednesday, May 25th, 2011 at 5:33 pm
In this post we will configure a site-to-site IPsec VPN between a Cisco IOS router and an ASA firewall. The ASA configuration is not much different from Cisco IOS with regard to IPsec VPN, since the fundamental concepts are the same. Let's start our LAB example and we'll see how it's done.

Consider the following diagram. The first site (Remote1) is equipped with a Cisco ASA firewall (any model) and the second site (Remote2) is equipped with a Cisco router. Remember that a Cisco ASA firewall supports IPsec VPN out of the box, but a Cisco router must run an IOS image with the proper feature set (a crypto "K9" image) in order to support encrypted VPN tunnels.
Equipment used in this LAB:

- ASA 5510 Cisco Adaptive Security Appliance Software Version 8.0(3)
- Cisco Router 2801 C2801-ADVIPSERVICESK9-M Version 12.4(9)T4
Scenario:

The LAN of Remote1 must be connected to the LAN of Remote2 via a VPN tunnel. The most usual scenario is that the WAN cloud is the Internet, so secure connectivity shall be provided between the two LAN networks over the Internet.

First of all we must make sure that the outside interfaces of the ASA and the router are reachable over the WAN; each peer has to reach the other's public address before IKE can even start. Now let's start the IPsec VPN configuration.
Cisco ASA Configuration
First I started the ASA configuration.

I created an access list that matches the interesting traffic, i.e. the traffic to be encrypted. If the source is 192.168.3.0/24 and the destination is 192.168.4.0/24, the traffic is matched by the access list as "interesting traffic", encrypted, and passed through the tunnel.

ASA(config)# access-list vpn extended permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
! IKE PHASE #1
! I created a Phase 1 policy. This policy protects the key exchange.
ASA(config)# crypto isakmp policy 1
! For authentication I used pre-shared keys. This method is the most frequently used today.
ASA(config-isakmp-policy)# authentication pre-share
! For encryption I used 3des.
ASA(config-isakmp-policy)# encryption 3des
! Hashing md5.
ASA(config-isakmp-policy)# hash md5
! I used Diffie-Hellman group 2. Group 1 is the IOS default; of the groups this ASA release offers, group 5 is the strongest.
ASA(config-isakmp-policy)# group 2
! Configure the crypto key. The keys must match between the peers, otherwise Phase 1 will not complete.
ASA(config)# crypto isakmp key secretsharedkey address 192.168.2.2

NOTE: The crypto key is not displayed in the ASA configuration. The ASA converts the command above into a tunnel-group and masks the key, so the running configuration shows it as follows:
tunnel-group 192.168.2.2 ipsec-attributes
 pre-shared-key *

! Enable ISAKMP on the outside interface.
ASA(config)# crypto isakmp enable outside

! IKE PHASE #2: the IPsec tunnel is established during this phase and the traffic between the VPN peers is encrypted according to the security parameters of this phase.
! I created a transform-set, which defines how traffic between the VPN peers is encrypted and authenticated.
ASA(config)# crypto ipsec transform-set ts esp-3des esp-md5-hmac
! Apply the access list created earlier for matching the interesting traffic.
ASA(config)# crypto map vpn 10 match address vpn
! Specify the address of the Remote2 peer (its public outside interface).
ASA(config)# crypto map vpn 10 set peer 192.168.2.2
! Apply the transform-set as well.
ASA(config)# crypto map vpn 10 set transform-set ts
! Attach the crypto map to the outside interface.
ASA(config)# crypto map vpn interface outside

The ASA configuration (the VPN part of it, of course) is complete here. If the ASA also translates the inside addresses, the 192.168.3.0/24 to 192.168.4.0/24 traffic must additionally be exempted from NAT, as the later examples on this page show. Now let's start the router configuration below.
Cisco Router Configuration
ISAKMP Phase 1

! Enter crypto isakmp policy configuration mode to configure the ISAKMP policy.
Router(config)# crypto isakmp policy 10
! Turn on 3des as the encryption type.
Router(config-isakmp)# encr 3des
! I specified MD5 as the hashing type.
Router(config-isakmp)# hash md5
! I specified pre-shared key authentication.
Router(config-isakmp)# authentication pre-share
! I used Diffie-Hellman group 2. Group 1 is the default.
Router(config-isakmp)# group 2
! I defined the same peer key as on the ASA side.
Router(config)# crypto isakmp key secretsharedkey address 192.168.1.2

It is not necessary for the policy numbers to match. What matters is that the parameters of the corresponding policies match; otherwise the Phase 1 negotiation will not succeed.

! Access list for matching the interesting traffic (the mirror image of the ASA's access list).
Router(config)# ip access-list extended vpn
Router(config-ext-nacl)# permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
IKE Phase 2 (IPsec)

! Create the IPsec transform-set, which determines the hashing and encryption mechanisms that will protect the traffic in the VPN tunnel.
Router(config)# crypto ipsec transform-set ts esp-3des esp-md5-hmac
! Enter crypto map configuration mode.
Router(config)# crypto map vpn 10 ipsec-isakmp
! Specify the IP address of the peer.
Router(config-crypto-map)# set peer 192.168.1.2
! Specify the IPsec transform-set created above.
Router(config-crypto-map)# set transform-set ts
! Apply the access list created above.
Router(config-crypto-map)# match address vpn
! Apply the crypto map to the outside interface.
Router(config)# interface FastEthernet0/0
Router(config-if)# crypto map vpn

With this, the VPN configuration is complete, so let's start verification.
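Because IKEv1 matches policies by their parameters and not by their sequence numbers, and because the ASA and IOS spell the same attribute differently ("encryption" versus "encr") and leave defaults unprinted, a quick cross-check of the two sides before bringing the tunnel up saves a debug session. The following is an added example, not part of the original post: it parses the Phase 1 and Phase 2 commands of both devices as typed above (the ASA masks the key in "show run", so it works on the typed commands), finds the policy pair that agrees on encryption, hash, authentication and DH group, checks that each side's pre-shared key is bound to the same address it uses as crypto map peer, and flags the algorithms used on this page (3DES, MD5, DH group 2 here; DES and group 1 in the Cisco example further down) as unsuitable for a new tunnel. The ASA 8.0 policy defaults are an assumption taken from the ASA command reference, not from this page; the IOS defaults are the ones noted later on this page.

```python
"""Cross-check IKE Phase 1 policies, transform sets and peer bindings of an ASA and an IOS router.

Added example; not part of the original post. IKEv1 matches policies by parameters,
not sequence numbers, so both vendors' spellings are normalised before comparing.
Lifetime is left out of the match on purpose: IKEv1 negotiates the shorter value.
"""
import re

# IOS 12.4 defaults (noted later on this page) and ASA 8.0 defaults (assumption, from the
# ASA command reference). IOS prints nothing for an attribute left at its default.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}
ASA_DEFAULTS = {"encryption": "3des", "hash": "sha", "authentication": "pre-share", "group": "2", "lifetime": "86400"}

# Phase 1 / Phase 2 commands from the post above, as typed.
ASA_CFG = """\
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp key secretsharedkey address 192.168.2.2
crypto ipsec transform-set ts esp-3des esp-md5-hmac
crypto map vpn 10 set peer 192.168.2.2
crypto map vpn 10 set transform-set ts
"""
IOS_CFG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key secretsharedkey address 192.168.1.2
crypto ipsec transform-set ts esp-3des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set ts
"""
# The DES / SHA / group 1 policy from the Cisco example further down this page.
WEAK_DOC_CFG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
"""

POLICY_KEYS = {"encryption": "encryption", "encr": "encryption", "hash": "hash",
               "authentication": "authentication", "group": "group", "lifetime": "lifetime"}
MATCH_KEYS = ("encryption", "hash", "authentication", "group")


def parse_isakmp_policies(cfg, defaults):
    """Return {sequence: attributes}, filling unprinted attributes from the platform defaults."""
    policies, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            current = dict(defaults)
            policies[int(m.group(1))] = current
            continue
        parts = line.split()
        if current is not None and len(parts) == 2 and parts[0] in POLICY_KEYS:
            current[POLICY_KEYS[parts[0]]] = parts[1]
        elif line:
            current = None          # any other command ends the policy block
    return policies


def parse_transform_sets(cfg):
    """Return {name: frozenset of transforms} for every 'crypto ipsec transform-set' line."""
    return {m.group(1): frozenset(m.group(2).split())
            for m in re.finditer(r"^\s*crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)}


def parse_peer_settings(cfg):
    """Pull the pre-shared key, the address it is bound to, and the crypto map peer."""
    info = {}
    if m := re.search(r"^\s*crypto isakmp key (\S+) address (\S+)", cfg, re.M):
        info["psk"], info["key_address"] = m.group(1), m.group(2)
    if m := re.search(r"^\s*(?:crypto map \S+ \d+ )?set peer (\S+)", cfg, re.M):
        info["peer"] = m.group(1)
    return info


def find_matching_policies(side_a, side_b):
    """Pairs of policy numbers whose parameters agree; the numbers themselves need not match."""
    return [(na, nb) for na, pa in sorted(side_a.items()) for nb, pb in sorted(side_b.items())
            if all(pa[k] == pb[k] for k in MATCH_KEYS)]


def weak_algorithms(policy, transform_sets):
    """Warnings for algorithms that are deprecated or broken."""
    warnings = []
    if policy["encryption"] in ("des", "3des"):
        warnings.append(f"phase 1 encryption {policy['encryption']} is deprecated; use aes-256")
    if policy["hash"] == "md5":
        warnings.append("phase 1 hash md5 is deprecated; use sha")
    if policy["group"] in ("1", "2"):
        warnings.append(f"DH group {policy['group']} is too small; use group 14 or higher")
    for name, transforms in transform_sets.items():
        if bad := sorted(t for t in transforms if t in ("esp-des", "esp-3des", "esp-md5-hmac")):
            warnings.append(f"transform-set {name} uses {' '.join(bad)}")
    return warnings


def check_pair(asa_cfg, ios_cfg):
    """Report whether the two sides can complete Phase 1 and Phase 2, and what is weak about them."""
    asa_pol, ios_pol = parse_isakmp_policies(asa_cfg, ASA_DEFAULTS), parse_isakmp_policies(ios_cfg, IOS_DEFAULTS)
    asa_ts, ios_ts = parse_transform_sets(asa_cfg), parse_transform_sets(ios_cfg)
    asa_peer, ios_peer = parse_peer_settings(asa_cfg), parse_peer_settings(ios_cfg)
    problems, matches = [], find_matching_policies(asa_pol, ios_pol)
    if not matches:
        problems.append("no ISAKMP policy agrees on encryption/hash/authentication/group")
    if not set(asa_ts.values()) & set(ios_ts.values()):
        problems.append("no transform-set in common")
    for side, info in (("ASA", asa_peer), ("router", ios_peer)):
        if info.get("key_address") != info.get("peer"):
            problems.append(f"{side}: key bound to {info.get('key_address')} but crypto map peer is {info.get('peer')}")
    if asa_peer.get("psk") != ios_peer.get("psk"):
        problems.append("pre-shared keys differ")
    warnings = [w for na, _ in matches for w in weak_algorithms(asa_pol[na], asa_ts)]
    return {"policy_matches": matches, "problems": problems, "warnings": warnings}
```

Run check_pair(ASA_CFG, IOS_CFG) and the report shows ASA policy 1 matching router policy 10 with no problems, plus three warnings about 3DES, MD5 and group 2. Changing a single attribute on one side (for instance "hash sha" on the router) empties the match list, which is exactly the condition the Phase 1 debug would later report as no acceptable proposal.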
! The output below shows that ISAKMP Phase 1 is active, which means that the Phase 1 negotiation completed successfully.

ASA# show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.2.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Router# show crypto isakmp sa
dst             src             state          conn-id slot
192.168.1.2     192.168.2.2     MM_ACTIVE            1    0
! Checking Phase 2. Here we see that IPsec is working and the interesting traffic flows through the VPN tunnel.

ASA# show crypto ipsec sa
interface: outside
    Crypto map tag: vpn, seq num: 10, local addr: 192.168.1.2

      access-list vpn permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
      current_peer: 192.168.2.2
      #pkts encaps: 344, #pkts encrypt: 344, #pkts digest: 344
      #pkts decaps: 344, #pkts decrypt: 344, #pkts verify: 344
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 344, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

Router# show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: vpn, local addr 192.168.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 192.168.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 344, #pkts encrypt: 344, #pkts digest: 344
    #pkts decaps: 344, #pkts decrypt: 344, #pkts verify: 344
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

The VPN tunnel is established and working.
ASA Site-to-Site IPsec VPN
Today I would like to write about the simplest ASA configuration for a site-to-site IPsec VPN. I'm going to post a configuration example along with comments on each particular command.
!--- Configure the outside interface.
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!--- Configure the inside interface.
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!--- Output suppressed
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list 100 extended permit ip any any
!--- Lab-only: applied inbound on the outside interface below, this permits all inbound traffic.
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
!--- This access list (inside_nat0_outbound) is used
!--- with the nat zero command. This prevents traffic which
!--- matches the access list from undergoing network address translation (NAT).
!--- The traffic specified by this ACL is traffic that is to be encrypted and
!--- sent across the VPN tunnel. This ACL is intentionally
!--- the same as (outside_1_cryptomap).
!--- Two separate access lists should always be used in this configuration.
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
!--- This access list (outside_1_cryptomap) is used
!--- with the crypto map outside_map
!--- to determine which traffic should be encrypted and sent
!--- across the tunnel.
!--- This ACL is intentionally the same as (inside_nat0_outbound).
!--- Two separate access lists should always be used in this configuration.
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!--- NAT 0 prevents NAT for networks specified in
!--- the ACL inside_nat0_outbound.
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 dmz
no snmp-server location
no snmp-server contact
!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.
!--- DES is kept as in the original example; it is obsolete and a new tunnel should use AES.
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
!--- Define the transform set for Phase 2.
crypto map outside_map 1 match address outside_1_cryptomap
!--- Define which traffic should be sent to the IPsec peer.
crypto map outside_map 1 set peer 172.17.1.1
!--- Sets the IPsec peer.
crypto map outside_map 1 set transform-set ESP-DES-SHA
!--- Sets the IPsec transform set "ESP-DES-SHA"
!--- to be used with the crypto map entry "outside_map".
crypto map outside_map interface outside
!--- Specifies the interface to be used with
!--- the settings defined in this configuration.
!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses isakmp policy 10.
!--- The configuration commands here define the Phase
!--- 1 policy parameters that are used.
!--- DES and DH group 1 are likewise kept from the original example and are obsolete.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
tunnel-group 172.17.1.1 type ipsec-l2l
!--- In order to create and manage the database of connection-specific
!--- records for ipsec-l2l (IPsec LAN-to-LAN) tunnels, use the command
!--- tunnel-group in global configuration mode.
!--- For L2L connections the name of the tunnel group MUST be the IP
!--- address of the IPsec peer.
tunnel-group 172.17.1.1 ipsec-attributes
 pre-shared-key *
!--- Enter the pre-shared-key in order to configure the
!--- authentication method.
Site to site VPN tunnel between ASA and Router
May 2nd, 2010
Using the above network diagram, the scripts below can be applied to the two devices to build a site-to-site VPN tunnel. The firewall on the left is a Cisco ASA and the device on the right is a Cisco router. The router needs an IOS image that supports VPNs. You can test this by typing 'crypto ?' and checking whether the commands needed to build the tunnel are available.

After applying the config below, the device at 192.168.11.2 should be able to access 172.16.22.2 and vice versa.
BLUE ASA
!^^^^^^^ ISAKMP (Phase 1) ^^^^^^^!
! The policy number is arbitrary. The parameters inside the policy
! must match with the other side in order for Phase 1 to complete.
! Lower policy numbers will likely be used before higher ones.
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
! Enable ISAKMP on the outside interface
crypto isakmp enable OUTSIDE
! Define the pre-shared-key
tunnel-group 22.22.22.22 type ipsec-l2l
tunnel-group 22.22.22.22 ipsec-attributes
pre-shared-key sekretk3y
!^^^^^^^ IPSEC (Phase 2) ^^^^^^^!
! Define the interesting traffic in the ACL
access-list ACL-RED-VPN permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
! Create a crypto map entry that defines the tunnel
crypto map MAP-OUTSIDE 20 set peer 22.22.22.22
! The ACL must be the exact mirror image of the other side's ACL
crypto map MAP-OUTSIDE 20 match address ACL-RED-VPN
! The transform set must match the other side's identically
crypto map MAP-OUTSIDE 20 set transform-set ESP-AES128-SHA
! Optional: a 10000 KB data lifetime forces a rekey after roughly 10 MB of traffic; the peers negotiate the lower of their two values
crypto map MAP-OUTSIDE 20 set security-association lifetime kilobytes 10000
! Apply crypto map to an interface
crypto map MAP-OUTSIDE interface OUTSIDE
!^^^^^^^Routes and No-NATS ^^^^^^^!
! Point the destination network out the outside interface with a next hop as the default gateway.
route OUTSIDE 172.16.22.0 255.255.255.0 11.11.11.1
! Make sure that the VPN traffic is NOT NAT'd
access-list ACL-INSIDE-NONAT extended permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
nat (INSIDE) 0 access-list ACL-INSIDE-NONAT
RED ROUTER WITH CRYPTO SUPPORT
!^^^^^^^ ISAKMP (Phase 1) ^^^^^^^!
! Note: the default isakmp settings on a router are Encr: DES, Hash: SHA, DH: Group 1
! If these default values are used, they will not show up under 'show run'
crypto isakmp policy 5
encr aes
hash sha
authentication pre-share
group 2
crypto isakmp key sekretk3y address 11.11.11.11
!^^^^^^^ IPSEC (Phase 2) ^^^^^^^!
! Define the interesting traffic in the ACL
ip access-list extended ACL-VPN
permit ip 172.16.22.0 0.0.0.255 192.168.11.0 0.0.0.255
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto map VPN-TUNNEL 1 ipsec-isakmp
set peer 11.11.11.11
set transform-set AES-SHA
match address ACL-VPN
interface Fa0/0
crypto map VPN-TUNNEL
ip nat outside
interface Vlan2
ip nat inside
!^^^^^^^ Routes and No-NATS ^^^^^^^!
! Point the destination network out the outside interface with a next hop as the default gateway.
ip route 192.168.11.0 255.255.255.0 22.22.22.1
! Make sure that the VPN traffic is NOT NAT'd
ip access-list extended ACL-NAT
deny ip 172.16.22.0 0.0.0.255 192.168.11.0 0.0.0.255
permit ip any any
ip nat inside source list ACL-NAT interface Fa0/0 overload
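Two comments in the configuration above carry the failure modes people actually hit: the crypto ACL on the router must be the exact mirror image of the ASA's, and the VPN traffic must be excluded from NAT. The following is an added example, not part of the original post, that checks the first mechanically (the ASA writes subnet masks, the router wildcard masks, so both are normalised to networks before comparing with source and destination swapped) and models the second: on IOS an inside-to-outside packet is translated by "ip nat inside source" before the crypto map is consulted, so without the "deny" entry in ACL-NAT the packet leaves with the router's public address, no longer matches ACL-VPN, and is forwarded in the clear. The addresses are those of the BLUE ASA and RED router above; the ASA's "nat (INSIDE) 0 access-list" exists for the same reason on its side.

```python
"""Mirror-check the two crypto ACLs and walk a packet through the router's NAT-then-crypto order.

Added example; not part of the original post. The ASA ACL uses subnet masks and the
router ACL wildcard masks; both are normalised to ip_network objects. The packet walk
follows the IOS order of operations for inside-to-outside traffic: NAT first, then the
crypto map match.
"""
import ipaddress

# ACL entries from the BLUE ASA / RED router configuration above.
ASA_CRYPTO_ACL = "access-list ACL-RED-VPN extended permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0"
IOS_CRYPTO_ACL = "permit ip 172.16.22.0 0.0.0.255 192.168.11.0 0.0.0.255"
IOS_NAT_ACL = ["deny ip 172.16.22.0 0.0.0.255 192.168.11.0 0.0.0.255", "permit ip any any"]
IOS_NAT_ACL_WITHOUT_EXEMPTION = ["permit ip any any"]      # the same ACL with the deny forgotten
ROUTER_OUTSIDE_IP = "22.22.22.22"                          # Fa0/0, the 'ip nat outside' interface


def _take_address(tokens):
    """Consume one ACE address ('any', 'host A', or 'A MASK') and return ((addr, mask), rest)."""
    if tokens[0] == "any":
        return ("any", None), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], None), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def _network(addr, mask, wildcard):
    """Turn an ACE address into an ip_network; wildcard masks are inverted into subnet masks."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if mask is None:
        return ipaddress.ip_network(f"{addr}/32")
    if wildcard:
        mask = str(ipaddress.ip_address(~int(ipaddress.ip_address(mask)) & 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_ace(line, wildcard):
    """Parse 'permit|deny ip SRC DST' in ASA (mask) or IOS (wildcard) form."""
    tokens = line.split()
    if tokens[0] == "access-list":           # ASA: access-list NAME [extended] permit ...
        tokens = tokens[3:] if tokens[2] == "extended" else tokens[2:]
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = _take_address(rest)
    dst, rest = _take_address(rest)
    return action, proto, _network(*src, wildcard), _network(*dst, wildcard)


def acls_mirror(asa_line, ios_line):
    """True when the router's ACE is the ASA's ACE with source and destination swapped."""
    a_action, a_proto, a_src, a_dst = parse_ace(asa_line, wildcard=False)
    r_action, r_proto, r_src, r_dst = parse_ace(ios_line, wildcard=True)
    return (a_action, a_proto, a_src, a_dst) == (r_action, r_proto, r_dst, r_src)


def first_match(acl_lines, src, dst, wildcard=True):
    """Action of the first matching ACE, or the implicit 'deny' when nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_lines:
        action, _proto, src_net, dst_net = parse_ace(line, wildcard)
        if s in src_net and d in dst_net:
            return action
    return "deny"


def router_forward(src, dst, nat_acl, crypto_acl, outside_ip):
    """Inside-to-outside packet on IOS: NAT is applied first, the crypto map is matched second."""
    # 'ip nat inside source list ACL-NAT interface Fa0/0 overload': a 'permit' in ACL-NAT
    # means translate; a 'deny' means leave the packet untouched (it is not a drop).
    if first_match(nat_acl, src, dst) == "permit":
        src = outside_ip
    encrypted = first_match([crypto_acl], src, dst) == "permit"
    return {"source_on_wire": src, "encrypted": encrypted}


if __name__ == "__main__":
    print("ACLs mirror:", acls_mirror(ASA_CRYPTO_ACL, IOS_CRYPTO_ACL))
    for name, acl in (("with exemption", IOS_NAT_ACL), ("without exemption", IOS_NAT_ACL_WITHOUT_EXEMPTION)):
        print(name, router_forward("172.16.22.2", "192.168.11.2", acl, IOS_CRYPTO_ACL, ROUTER_OUTSIDE_IP))
```

The "without exemption" case is the one to remember when a tunnel shows Phase 1 and Phase 2 up but the encaps counter never moves: the interesting traffic exists, it is simply being translated out of the crypto ACL before the crypto map ever sees it. Internet-bound traffic from 172.16.22.0/24 is still translated in both cases, so the deny entry costs nothing.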