Deployment Scenarios

The ASA VPN solution can be deployed in many different ways. For ease of understanding, this section covers two design scenarios:

  • Single site-to-site tunnel configuration using NAT-T
  • Fully meshed topology with RRI

Note

The design scenarios discussed in this section are intended to reinforce learning and should be used for reference purposes only. In particular, the pre-shared key cisco123 that appears in the examples is a placeholder; a production deployment should use a long, randomly generated key that is unique to each peer.

 

Single Site-to-Site Tunnel Configuration Using NAT-T

Figure 15-4 shows a network topology of SecureMe in which it has deployed two Cisco ASAs: one at the hub site in Chicago and the other at its London location. The London ASA is connected to the Internet through a broadband connection that performs PAT on the traffic passing through it. Because a PAT device translates on TCP and UDP port numbers, it cannot forward ESP (IP protocol 50), which carries no ports; the two ASAs are therefore set up for NAT-T. During the ISAKMP negotiation, the ASAs exchange NAT-D payloads and detect that a PAT device exists between them, so both ISAKMP and the IPSec traffic are then encapsulated in UDP port 4500. The ASAs are also configured to send NAT-T keepalives every 20 seconds so that the PAT device's translation entry for UDP port 4500 stays active.
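The detection described above can be followed step by step. The following Python script is an added example, not code from the book or from Cisco: it computes the NAT-D payloads of RFC 3947 for the Chicago and London addresses of this scenario, shows how Chicago concludes that London sits behind PAT, and demultiplexes UDP port 4500 datagrams into keepalives, ISAKMP (non-ESP marker) and UDP-encapsulated ESP as RFC 3948 specifies. The ISAKMP cookies, the PAT'ed source port and the packet bytes are constructed values; function names such as detect_nat and classify_udp4500 are this example's own.

```python
"""NAT detection during ISAKMP (RFC 3947 NAT-D payloads) and UDP/4500 demultiplexing (RFC 3948).

Added example, not code from the book. Cookies, the PAT'ed source port and the
payload bytes are constructed; the addresses are those of Example 15-28 and the
hash is SHA-1, matching 'isakmp policy 1 hash sha'.
"""
import hashlib
import ipaddress
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixes IKE inside UDP/4500 (RFC 3948 section 2.2)
NAT_KEEPALIVE = b"\xff"               # one-octet keepalive (RFC 3948 section 4)
KEEPALIVE_INTERVAL = 20               # seconds, as configured by 'isakmp nat-traversal 20'


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """Body of a NAT-D payload: HASH(CKY-I | CKY-R | IP | Port) (RFC 3947 section 3.2)."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def detect_nat(cky_i, cky_r, my_ip, my_port, peer_nat_d, seen_src_ip, seen_src_port):
    """Compare the peer's NAT-D payloads with what we actually observed on the wire.

    peer_nat_d[0] is the peer's hash of the address it sent to (ours); the rest are hashes
    of the peer's own candidate addresses. Returns (peer_behind_nat, we_are_behind_nat).
    """
    we_are_behind_nat = nat_d_hash(cky_i, cky_r, my_ip, my_port) != peer_nat_d[0]
    observed = nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port)
    peer_behind_nat = observed not in peer_nat_d[1:]
    return peer_behind_nat, we_are_behind_nat


def classify_udp4500(payload):
    """Demultiplex a UDP/4500 datagram: keepalive, IKE (non-ESP marker) or UDP-encapsulated ESP."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if payload[:4] == NON_ESP_MARKER and len(payload) > 4:
        return "ike"
    if len(payload) >= 8:  # ESP header (SPI, sequence); SPI 0 is reserved, so ESP never looks like the marker
        return "esp"
    return "invalid"


def encap_esp(spi, seq, esp_body):
    """UDP-encapsulated ESP: the ESP header follows the UDP header directly (RFC 3948 section 2.1)."""
    return struct.pack("!II", spi, seq) + esp_body


def encap_ike(ike_message):
    """IKE on UDP/4500 is prefixed with the four-byte non-ESP marker so the receiver can tell it from ESP."""
    return NON_ESP_MARKER + ike_message


def simulate_chicago_london():
    """Walk the detection of Example 15-28: London (10.10.1.1) reaches Chicago through a PAT device."""
    cky_i, cky_r = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")  # constructed cookies
    london_ip, london_port = "10.10.1.1", 500          # what London believes its own address is
    chicago_ip, chicago_port = "209.165.200.225", 500  # Chicago's outside address
    pat_ip, pat_port = "209.165.201.1", 31337          # source Chicago observes after PAT (port constructed)
    # London (initiator) sends the NAT-D for Chicago's address first, then one for its own address.
    london_nat_d = [nat_d_hash(cky_i, cky_r, chicago_ip, chicago_port),
                    nat_d_hash(cky_i, cky_r, london_ip, london_port)]
    peer_nat, self_nat = detect_nat(cky_i, cky_r, chicago_ip, chicago_port, london_nat_d, pat_ip, pat_port)
    return {"london_behind_nat": peer_nat, "chicago_behind_nat": self_nat, "use_udp_4500": peer_nat or self_nat}


if __name__ == "__main__":
    print(simulate_chicago_london())
    for pkt in (NAT_KEEPALIVE, encap_ike(b"\x01" * 28), encap_esp(0x1234ABCD, 1, b"\x00" * 16)):
        print(len(pkt), classify_udp4500(pkt))
```

The hash of the PAT'ed source address and port never matches the NAT-D that London computed over its private address 10.10.1.1, which is exactly how Chicago learns that a translator sits in the path; the same comparison in the other direction shows that Chicago itself is not translated. Once a NAT is detected, everything moves to UDP 4500, where the receiver only needs the first bytes of the datagram to tell a keepalive, an ISAKMP message and an ESP packet apart.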

Figure 15-4. SecureMe Network Using NAT-T

Example 15-28 shows the relevant configuration of both Cisco ASAs configured for NAT-T.

Example 15-28. Full Configuration of the Chicago and London ASAs

 Chicago ASA:

Chicago# show run

! outside interface configuration

interface GigabitEthernet0/0

 nameif outside

 security-level 0

 ip address 209.165.200.225 255.255.255.224

! inside interface configuration

interface GigabitEthernet0/1

 nameif inside

 security-level 100

 ip address 192.168.10.1 255.255.255.0

!

hostname Chicago

! Encryption access-list to encrypt the traffic from 192.168.10.0/24 to 192.168.30.0/24

access-list encrypt_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0

! Access-list to bypass address translation from 192.168.10.0/24 to 192.168.30.0/24

access-list nonat_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0

! NAT entry to bypass address translation from 192.168.10.0/24 to 192.168.30.0/24

nat (inside) 0 access-list nonat_acl

route outside 0.0.0.0 0.0.0.0 209.165.200.226

! sysopt to bypass traffic filters

sysopt connection permit-ipsec

! Transform set to specify encryption and hashing algorithm

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac

! Crypto map configuration

crypto map IPSec_map 10 match address encrypt_acl

crypto map IPSec_map 10 set peer 209.165.201.1

crypto map IPSec_map 10 set transform-set myset

crypto map IPSec_map interface outside

! isakmp configuration

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption aes-256

isakmp policy 1 hash sha

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

! NAT-T configuration

isakmp nat-traversal 20

! L2L tunnel-group configuration

tunnel-group 209.165.201.1 type ipsec-l2l

tunnel-group 209.165.201.1 ipsec-attributes

 pre-shared-key cisco123

____________________________________________________________________________

 London ASA:

London# show run

! outside interface configuration. The outside address is translated to 209.165.201.1 by PAT

interface GigabitEthernet0/0

 nameif outside

 security-level 0

 ip address 10.10.1.1 255.255.255.0

! inside interface configuration

interface GigabitEthernet0/1

 nameif inside

 security-level 100

 ip address 192.168.30.1 255.255.255.0

!

hostname London

! Encryption access-list to encrypt the traffic from 192.168.30.0/24 to 192.168.10.0/24

access-list encrypt_acl extended permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0

! Access-list to bypass address translation from 192.168.30.0/24 to 192.168.10.0/24

access-list nonat_acl extended permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0

! NAT entry to bypass address translation from 192.168.30.0/24 to 192.168.10.0/24

nat (inside) 0 access-list nonat_acl

route outside 0.0.0.0 0.0.0.0 10.10.1.2 1

! sysopt to bypass traffic filters

sysopt connection permit-ipsec

! Transform set to specify encryption and hashing algorithm

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac

! Crypto map configuration

crypto map IPSec_map 1 match address encrypt_acl

crypto map IPSec_map 1 set peer 209.165.200.225

crypto map IPSec_map 1 set transform-set myset

crypto map IPSec_map interface outside

! isakmp configuration

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption aes-256

isakmp policy 1 hash sha

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

! NAT-T configuration

isakmp nat-traversal 20

! L2L tunnel-group configuration

tunnel-group 209.165.200.225 type ipsec-l2l

tunnel-group 209.165.200.225 ipsec-attributes

 pre-shared-key cisco123

 

Fully Meshed Topology with RRI

SecureMe is planning to add a new site, Paris, into its existing network. Figure 15-5 shows the new network topology. SecureMe wants to have a fully meshed topology so that each site will have two IPSec tunnels going to the respective IPSec peers. It also wants to use RRI to distribute remote network information into the local network of Chicago using OSPF.

Figure 15-5. SecureMe Network Using RRI in a Fully Meshed VPN

Example 15-29 shows the relevant configuration of all the Cisco ASA devices set up in a fully meshed IPSec network. Each ASA carries two crypto map instances, one for each peer. Only the Chicago ASA enables RRI (set reverse-route on both crypto map entries), so the London and Paris networks are installed as static routes on Chicago and redistributed into OSPF with redistribute static subnets.

Example 15-29. Full Configuration of the Chicago, London, and Paris ASAs

 Chicago ASA:

Chicago# show run

! outside interface configuration

interface GigabitEthernet0/0

 nameif outside

 security-level 0

 ip address 209.165.200.225 255.255.255.0

! inside interface configuration

interface GigabitEthernet0/1

 nameif inside

 security-level 100

 ip address 192.168.10.1 255.255.255.0

hostname Chicago

! Encryption Access-list to encrypt the traffic from Chicago to London

access-list london_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0

! Encryption Access-list to encrypt the traffic from Chicago to Paris

access-list paris_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.40.0 255.255.255.0

! Access-list to bypass address translation from Chicago to other locations

access-list nonat_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0

access-list nonat_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.40.0 255.255.255.0

! NAT entry to bypass address translation from Chicago to other locations

nat (inside) 0 access-list nonat_acl

! OSPF configuration for reverse-route injection

router ospf 10

 network 192.168.10.0 255.255.255.0 area 0

 log-adj-changes

 redistribute static subnets

!

route outside 0.0.0.0 0.0.0.0 209.165.200.226 1

! sysopt to bypass traffic filters

sysopt connection permit-ipsec

! Transform set to specify encryption and hashing algorithm

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac

! Crypto map configuration for London

crypto map IPSec_map 1 match address london_acl

crypto map IPSec_map 1 set peer 209.165.201.1

crypto map IPSec_map 1 set transform-set myset

! Crypto map configuration to enable RRI for London

crypto map IPSec_map 1 set reverse-route

! Crypto map configuration for Paris

crypto map IPSec_map 2 match address paris_acl

crypto map IPSec_map 2 set peer 209.165.202.129

crypto map IPSec_map 2 set transform-set myset

! Crypto map configuration to enable RRI for Paris

crypto map IPSec_map 2 set reverse-route

crypto map IPSec_map interface outside

! isakmp configuration

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption aes-256

isakmp policy 1 hash sha

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

! L2L tunnel-group configuration for London

tunnel-group 209.165.201.1 type ipsec-l2l

tunnel-group 209.165.201.1 ipsec-attributes

 pre-shared-key cisco123

! L2L tunnel-group configuration for Paris

tunnel-group 209.165.202.129 type ipsec-l2l

tunnel-group 209.165.202.129 ipsec-attributes

 pre-shared-key cisco123

 London ASA:

London# show run

! outside interface configuration

interface GigabitEthernet0/0

 nameif outside

 security-level 0

 ip address 209.165.201.1 255.255.255.0

! inside interface configuration

interface GigabitEthernet0/1

 nameif inside

 security-level 100

 ip address 192.168.30.1 255.255.255.0

!

hostname London

! Encryption Access-list to encrypt the traffic from London to Chicago

access-list chicago_acl extended permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0

! Encryption Access-list to encrypt the traffic from London to Paris

access-list paris_acl extended permit ip 192.168.30.0 255.255.255.0 192.168.40.0 255.255.255.0

!

! Access-list to bypass address translation from London to other locations

access-list nonat_acl extended permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list nonat_acl extended permit ip 192.168.30.0 255.255.255.0 192.168.40.0 255.255.255.0

! NAT entry to bypass address translation from London to other locations

nat (inside) 0 access-list nonat_acl

route outside 0.0.0.0 0.0.0.0 209.165.201.2

! sysopt to bypass traffic filters

sysopt connection permit-ipsec

! Transform set to specify encryption and hashing algorithm

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac

! Crypto map configuration for Chicago

crypto map IPSec_map 1 match address chicago_acl

crypto map IPSec_map 1 set peer 209.165.200.225

crypto map IPSec_map 1 set transform-set myset

! Crypto map configuration for Paris

crypto map IPSec_map 2 match address paris_acl

crypto map IPSec_map 2 set peer 209.165.202.129

crypto map IPSec_map 2 set transform-set myset

crypto map IPSec_map interface outside

! isakmp configuration

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption aes-256

isakmp policy 1 hash sha

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

! L2L tunnel-group configuration for Chicago

tunnel-group 209.165.200.225 type ipsec-l2l

tunnel-group 209.165.200.225 ipsec-attributes

 pre-shared-key cisco123

! L2L tunnel-group configuration for Paris

tunnel-group 209.165.202.129 type ipsec-l2l

tunnel-group 209.165.202.129 ipsec-attributes

 pre-shared-key cisco123

____________________________________________________________________________ 

 Paris ASA:

Paris# show run

! outside interface configuration

interface GigabitEthernet0/0

 nameif outside

 security-level 0

 ip address 209.165.202.129 255.255.255.0

!

! inside interface configuration

interface GigabitEthernet0/1

 nameif inside

 security-level 100

 ip address 192.168.40.1 255.255.255.0

hostname Paris

! Encryption Access-list to encrypt the traffic from Paris to Chicago

access-list chicago_acl extended permit ip 192.168.40.0 255.255.255.0 192.168.10.0 255.255.255.0

! Encryption Access-list to encrypt the traffic from Paris to London

access-list london_acl extended permit ip 192.168.40.0 255.255.255.0 192.168.30.0 255.255.255.0

! Access-list to bypass address translation from Paris to other locations

access-list nonat_acl extended permit ip 192.168.40.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list nonat_acl extended permit ip 192.168.40.0 255.255.255.0 192.168.30.0 255.255.255.0

! NAT entry to bypass address translation from Paris to other locations

nat (inside) 0 access-list nonat_acl

route outside 0.0.0.0 0.0.0.0 209.165.202.130 1

! sysopt to bypass traffic filters

sysopt connection permit-ipsec

! Transform set to specify encryption and hashing algorithm

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac

! Crypto map configuration for Chicago

crypto map IPSec_map 1 match address chicago_acl

crypto map IPSec_map 1 set peer 209.165.200.225

crypto map IPSec_map 1 set transform-set myset

! Crypto map configuration for London

crypto map IPSec_map 2 match address london_acl

crypto map IPSec_map 2 set peer 209.165.201.1

crypto map IPSec_map 2 set transform-set myset

crypto map IPSec_map interface outside

! isakmp configuration

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption aes-256

isakmp policy 1 hash sha

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

! L2L tunnel-group configuration for Chicago

tunnel-group 209.165.200.225 type ipsec-l2l

tunnel-group 209.165.200.225 ipsec-attributes

 pre-shared-key cisco123

! L2L tunnel-group configuration for London

tunnel-group 209.165.201.1 type ipsec-l2l

tunnel-group 209.165.201.1 ipsec-attributes

 pre-shared-key cisco123
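A fully meshed deployment fails quietly when one side's crypto ACL stops being the mirror image of its peer's, when a peer address has no tunnel-group, or when the nat 0 exemption does not cover everything the crypto map protects. The following Python script is an added example, not code from the book or from Cisco: it parses the L2L-relevant lines of each ASA's configuration and checks those properties for every crypto map entry, and reports which peers a device injects routes for through RRI. The site_config template, the per-site parameters and the deliberately broken Paris copy are constructed from Example 15-29; names such as parse_asa, check_mesh and rri_peers are this example's own.

```python
"""Consistency checker for a mesh of ASA site-to-site (L2L) crypto maps.

Added example, not code from the book. parse_asa() reads only the lines that matter to an
L2L tunnel; check_mesh() verifies, for every crypto map entry, a mirror-image crypto ACL on
the peer, a tunnel-group for the peer address, a defined transform set and nat 0 exemption
of the protected traffic. site_config() emits those lines from constructed site parameters.
"""
from ipaddress import ip_network


def parse_asa(text):
    cfg = {"outside": None, "acl": {}, "maps": {}, "tsets": set(), "tgroups": set(), "nonat": None}
    nameif = None
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif == "outside":
            cfg["outside"] = t[2]
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            # access-list NAME extended permit ip SRC SMASK DST DMASK -> (src, dst) networks
            cfg["acl"].setdefault(t[1], set()).add(
                (ip_network(f"{t[5]}/{t[6]}", strict=False), ip_network(f"{t[7]}/{t[8]}", strict=False)))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"].add(t[3])
        elif t[:2] == ["crypto", "map"] and len(t) >= 6 and t[3].isdigit():
            m = cfg["maps"].setdefault((t[2], int(t[3])), {"rri": False})
            if t[4:6] == ["match", "address"]:
                m["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                m["peer"] = t[6]
            elif t[4:6] == ["set", "transform-set"]:
                m["tset"] = t[6]
            elif t[4:6] == ["set", "reverse-route"]:
                m["rri"] = True
        elif t[0] == "tunnel-group" and t[2:4] == ["type", "ipsec-l2l"]:
            cfg["tgroups"].add(t[1])
        elif t[:3] == ["nat", "(inside)", "0"]:
            cfg["nonat"] = t[4]
    return cfg


def check_mesh(configs):
    """configs: {hostname: config text}. Returns a list of findings; an empty list means consistent."""
    parsed = {h: parse_asa(c) for h, c in configs.items()}
    by_outside = {c["outside"]: h for h, c in parsed.items()}
    findings = []
    for host, cfg in parsed.items():
        nonat = cfg["acl"].get(cfg["nonat"], set())
        for (name, seq), m in sorted(cfg["maps"].items()):
            tag = f"{host} {name} {seq}"
            peer, local = m.get("peer"), cfg["acl"].get(m.get("acl"), set())
            if m.get("tset") not in cfg["tsets"]:
                findings.append(f"{tag}: transform set {m.get('tset')} is not defined")
            if peer not in cfg["tgroups"]:
                findings.append(f"{tag}: no ipsec-l2l tunnel-group for peer {peer}")
            if not local <= nonat:
                findings.append(f"{tag}: nat 0 ACL does not exempt all of the protected traffic")
            other = by_outside.get(peer)
            if other is None:
                findings.append(f"{tag}: peer {peer} is not one of the checked devices")
                continue
            remote = set()  # everything the peer protects towards us, across all of its map entries
            for rm in parsed[other]["maps"].values():
                if rm.get("peer") == cfg["outside"]:
                    remote |= parsed[other]["acl"].get(rm.get("acl"), set())
            if {(dst, src) for src, dst in local} != remote:
                findings.append(f"{tag}: crypto ACL is not the mirror image of {other}'s ACL")
    return findings


def rri_peers(config_text):
    """Peers whose protected networks this device injects as static routes (set reverse-route)."""
    cfg = parse_asa(config_text)
    return sorted(m["peer"] for m in cfg["maps"].values() if m["rri"])


def site_config(outside, inside_net, peers, rri=False):
    """Template for one site's L2L lines. peers: {peer_outside_ip: (acl_name, 'net mask')}."""
    lines = ["interface GigabitEthernet0/0", " nameif outside", f" ip address {outside} 255.255.255.0"]
    lines += [f"access-list {acl} extended permit ip {inside_net} {net}" for acl, net in peers.values()]
    lines += [f"access-list nonat_acl extended permit ip {inside_net} {net}" for _, net in peers.values()]
    lines += ["nat (inside) 0 access-list nonat_acl", "crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac"]
    for seq, (peer, (acl, _)) in enumerate(peers.items(), start=1):
        lines += [f"crypto map IPSec_map {seq} match address {acl}", f"crypto map IPSec_map {seq} set peer {peer}",
                  f"crypto map IPSec_map {seq} set transform-set myset"]
        lines += [f"crypto map IPSec_map {seq} set reverse-route"] if rri else []
        lines.append(f"tunnel-group {peer} type ipsec-l2l")
    return "\n".join(lines + ["crypto map IPSec_map interface outside"])


# Per-site parameters taken from Example 15-29; only Chicago enables RRI.
OUTSIDE = {"Chicago": "209.165.200.225", "London": "209.165.201.1", "Paris": "209.165.202.129"}
INSIDE = {"Chicago": "192.168.10.0 255.255.255.0", "London": "192.168.30.0 255.255.255.0",
          "Paris": "192.168.40.0 255.255.255.0"}


def mesh_configs():
    return {h: site_config(OUTSIDE[h], INSIDE[h], {OUTSIDE[p]: (f"{p.lower()}_acl", INSIDE[p]) for p in OUTSIDE if p != h},
                           rri=(h == "Chicago")) for h in OUTSIDE}


if __name__ == "__main__":
    good = mesh_configs()
    print("findings:", check_mesh(good), "Chicago RRI peers:", rri_peers(good["Chicago"]))
    # Constructed fault: Paris's crypto ACL for London gets a /16 mask, so it no longer mirrors London's.
    bad = dict(good, Paris=good["Paris"].replace("192.168.30.0 255.255.255.0", "192.168.30.0 255.255.0.0", 1))
    for finding in check_mesh(bad):
        print(finding)
```

Run against the three sites as configured, the checker returns no findings and reports both peers as RRI peers of Chicago only. With the Paris mask widened to /16, it flags the London entry for Paris and the Paris entry for London as no longer mirror images, and additionally notes that Paris's nat 0 ACL no longer exempts the wider range; that is the kind of mismatch that makes Phase 2 fail on one direction of a mesh while the other tunnels keep working.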


Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
Year: 2006
Pages: 231
