Optional Commands
Deployment Scenarios
The ASA VPN solution can be deployed in many different ways. In this section, we cover two design scenarios for ease of understanding:
- Single site-to-site tunnel configuration using NAT-T
- Fully meshed topology with RRI
Note
The design scenarios discussed in this section should be used solely to reinforce learning. They should be used for reference purposes only.
Single Site-to-Site Tunnel Configuration Using NAT-T
Figure 15-4 shows a network topology of SecureMe in which it has deployed two Cisco ASAsone at the hub site in Chicago and the other at its London location. However, the London ASA is connected to the Internet using a broadband connection that is set up to perform PAT for the traffic passing through it. Because the PAT device does not allow passing the non-TCP and non-UDP traffic, the security Cisco ASA are set up for NAT-T. During the ISAKMP negotiations, the security Cisco ASA will detect that a PAT device exists between them, therefore forcing the traffic to be encapsulated into UDP port 4500. These security Cisco ASA are set up to send NAT-T keepalives every 20 seconds to keep the connection entries active.
Figure 15-4. SecureMe Network Using NAT-T
Example 15-28 shows the relevant configuration of both Cisco ASAs configured for NAT-T.
Example 15-28. Full Configuration of the Chicago and London ASAs
Chicago ASA: Chicago# show run ! outside interface configuration interface GigabitEthernet0/0 nameif outside security-level 0 ip address 209.165.200.225 255.255.255.224 ! inside interface configuration interface GigabitEthernet0/1 nameif inside security-level 100 ip address 192.168.10.1 255.255.255.0 ! hostname Chicago ! Encryption Access-list to encrypt the traffic from 192.168.10/24 to 192.168.30.0/24 access-list encrypt_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0 ! Access-list to bypass address translation from 192.168.10/24 to 192.168.30.0/24 access-list nonat_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0 ! NAT entry to bypass address translation from 192.168.10/24 to 192.168.30.0/24 nat (inside) 0 access-list nonat_acl route outside 0.0.0.0 0.0.0.0 209.165.200.226 ! sysopt to bypass traffic filters sysopt connection permit-ipsec ! Transform set to specify encryption and hashing algorithm crypto ipsec transform-set myset esp-3aes-256 esp-sha-hmac ! Crypto map configuration crypto map IPSec_map 10 match address encrypt_acl crypto map IPSec_map 10 set peer 209.165.201.1 crypto map IPSec_map 10 set transform-set myset crypto map IPSec_map interface outside ! isakmp configuration isakmp enable outside isakmp policy 1 authentication pre-share isakmp policy 1 encryption aes-256 isakmp policy 1 hash sha isakmp policy 1 group 2 isakmp policy 1 lifetime 86400 ! NAT-T configuration isakmp nat-traversal 20 ! L2L tunnel-group configuration tunnel-group 209.165.201.1 type ipsec-l2l tunnel-group 209.165.201.1 ipsec-attributes pre-shared-key cisco123 ____________________________________________________________________________ London ASA: London# show run ! outside interface configuration. The outside address is translated to 209.165.201.1 by PAT interface GigabitEthernet0/0 nameif outside security-level 0 ip address 10.10.1.1 255.255.255.0 ! inside interface configuration interface GigabitEthernet0/1 nameif inside security-level 100 ip address 192.168.30.1 255.255.255.0 ! hostname London ! Encryption Access-list to encrypt the traffic from 192.168.30/24 to 192.168.10.0/24 access-list encrypt_acl extended permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0 ! Access-list to bypass address translation from 192.168.30/24 to 192.168.10.0/24 access-list nonat_acl extended permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0 ! NAT entry to bypass address translation from 192.168.30/24 to 192.168.10.0/24 nat (inside) 0 access-list nonat_acl route outside 0.0.0.0 0.0.0.0 10.10.1.2 1 ! sysopt to bypass traffic filters sysopt connection permit-ipsec ! Transform set to specify encryption and hashing algorithm crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac ! Crypto map configuration crypto map IPSec_map 1 match address encrypt_acl crypto map IPSec_map 1 set peer 209.165.200.225 crypto map IPSec_map 1 set transform-set myset crypto map IPSec_map interface outside ! isakmp configuration isakmp enable outside isakmp policy 1 authentication pre-share isakmp policy 1 encryption aes-256 isakmp policy 1 hash sha isakmp policy 1 group 2 isakmp policy 1 lifetime 86400 ! NAT-T configuration isakmp nat-traversal 20 ! L2L tunnel-group configuration tunnel-group 209.165.200.225 type ipsec-l2l tunnel-group 209.165.200.225 ipsec-attributes pre-shared-key cisco123
Fully Meshed Topology with RRI
SecureMe is planning to add a new site, Paris, into its existing network. Figure 15-5 shows the new network topology. SecureMe wants to have a fully meshed topology so that each site will have two IPSec tunnels going to the respective IPSec peers. It also wants to use RRI to distribute remote network information into the local network of Chicago using OSPF.
Figure 15-5. SecureMe Network Using RRI in a Fully Meshed VPN
Example 15-29 shows the relevant configuration of all the Cisco ASA devices set up in a fully meshed IPSec network. There are two crypto map instancesone for each peer configured on the security Cisco ASA.
Example 15-29. Full Configuration of the Chicago, London, and Paris ASAs
Chicago ASA: Chicago# show run ! outside interface configuration interface GigabitEthernet0/0 nameif outside security-level 0 ip address 209.165.200.225 255.255.255.0 ! inside interface configuration interface GigabitEthernet0/1 nameif inside security-level 100 ip address 192.168.10.1 255.255.255.0 hostname Chicago ! Encryption Access-list to encrypt the traffic from Chicago to London access-list london_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0 ! Encryption Access-list to encrypt the traffic from Chicago to Paris access-list paris_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.40.0 255.255.255.0 ! Access-list to bypass address translation from Chicago to other locations access-list nonat_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0 access-list nonat_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.40.0 255.255.255.0 ! NAT entry to bypass address translation from Chicago to other locations nat (inside) 0 access-list nonat_acl ! OSPF configuration for reverse-route injection router ospf 10 network 192.168.10.0 255.255.255.0 area 0 log-adj-changes redistribute static subnets ! route outside 0.0.0.0 0.0.0.0 209.165.200.226 1 ! sysopt to bypass traffic filters sysopt connection permit-ipsec ! Transform set to specify encryption and hashing algorithm crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac ! Crypto map configuration for London crypto map IPSec_map 1 match address london_acl crypto map IPSec_map 1 set peer 209.165.201.1 crypto map IPSec_map 1 set transform-set myset ! Crypto map configuration to enable RRI for London crypto map IPSec_map 1 set reverse-route ! Crypto map configuration for Paris crypto map IPSec_map 2 match address paris_acl crypto map IPSec_map 2 set peer 209.165.202.129 crypto map IPSec_map 2 set transform-set myset ! Crypto map configuration to enable RRI for Paris crypto map IPSec_map 2 set reverse-route crypto map IPSec_map interface outside ! isakmp configuration isakmp enable outside isakmp policy 1 authentication pre-share isakmp policy 1 encryption aes-256 isakmp policy 1 hash sha isakmp policy 1 group 2 isakmp policy 1 lifetime 86400 ! L2L tunnel-group configuration for London tunnel-group 209.165.201.1 type ipsec-l2l tunnel-group 209.165.201.1 ipsec-attributes pre-shared-key cisco123 ! L2L tunnel-group configuration for Paris tunnel-group 209.165.202.129 type ipsec-l2l tunnel-group 209.165.202.129 ipsec-attributes pre-shared-key cisco123 London ASA: London# show run ! outside interface configuration interface GigabitEthernet0/0 nameif outside security-level 0 ip address 209.165.201.1 255.255.255.0 ! inside interface configuration interface GigabitEthernet0/1 nameif inside security-level 100 ip address 192.168.30.1 255.255.0.0 ! hostname London ! Encryption Access-list to encrypt the traffic from London to Chicago access-list chicago_acl extended permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0 ! Encryption Access-list to encrypt the traffic from London to Paris access-list paris_acl extended permit ip 192.168.30.0 255.255.255.0 192.168.40.0 255.255.255.0 ! ! Access-list to bypass address translation from London to other locations access-list nonat_acl extended permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list nonat_acl extended permit ip 192.168.30.0 255.255.255.0 192.168.40.0 255.255.255.0 ! NAT entry to bypass address translation from London to other locations nat (inside) 0 access-list nonat_acl route outside 0.0.0.0 0.0.0.0 209.165.201.2 ! sysopt to bypass traffic filters sysopt connection permit-ipsec ! Transform set to specify encryption and hashing algorithm crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac ! Crypto map configuration for Chicago crypto map IPSec_map 1 match address chicago_acl crypto map IPSec_map 1 set peer 209.165.200.225 crypto map IPSec_map 1 set transform-set myset ! L2L tunnel-group configuration for Paris crypto map IPSec_map 2 match address paris_acl crypto map IPSec_map 2 set peer 209.165.202.129 crypto map IPSec_map 2 set transform-set myset crypto map IPSec_map interface outside ! isakmp configuration isakmp enable outside isakmp policy 1 authentication pre-share isakmp policy 1 encryption aes-256 isakmp policy 1 hash sha isakmp policy 1 group 2 isakmp policy 1 lifetime 86400 ! L2L tunnel-group configuration for Chicago tunnel-group 209.165.200.225 type ipsec-l2l tunnel-group 209.165.200.225 ipsec-attributes pre-shared-key cisco123 ! L2L tunnel-group configuration for Paris tunnel-group 209.165.202.129 type ipsec-l2l tunnel-group 209.165.202.129 ipsec-attributes pre-shared-key cisco123 ____________________________________________________________________________Paris ASA: Paris# show run ! outside interface configuration interface GigabitEthernet0/0 nameif outside security-level 0 ip address 209.165.202.129 255.255.255.0 ! ! inside interface configuration interface GigabitEthernet0/1 nameif inside security-level 100 ip address 192.168.40.1 255.255.255.0 hostname Paris ! Encryption Access-list to encrypt the traffic from Paris to Chicago access-list chicago_acl extended permit ip 192.168.40.0 255.255.255.0 192.168.10.0 255.255.255.0 ! Encryption Access-list to encrypt the traffic from Paris to London access-list london_acl extended permit ip 192.168.40.0 255.255.255.0 192.168.30.0 255.255.255.0 ! Access-list to bypass address translation from Paris to other locations access-list nonat_acl extended permit ip 192.168.40.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list nonat_acl extended permit ip 192.168.40.0 255.255.255.0 192.168.30.0 255.255.255.0 ! NAT entry to bypass address translation from Paris to other locations nat (inside) 0 access-list nonat_acl route outside 0.0.0.0 0.0.0.0 209.165.202.130 1 ! sysopt to bypass traffic filters sysopt connection permit-ipsec ! Transform set to specify encryption and hashing algorithm crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac ! Crypto map configuration for Chicago crypto map IPSec_map 1 match address chicago_acl crypto map IPSec_map 1 set peer 209.165.200.225 crypto map IPSec_map 1 set transform-set myset ! Crypto map configuration for London crypto map IPSec_map 2 match address london_acl crypto map IPSec_map 2 set peer 209.165.201.1 crypto map IPSec_map 2 set transform-set myset crypto map IPSec_map interface outside ! isakmp configuration isakmp enable outside isakmp policy 1 authentication pre-share isakmp policy 1 encryption aes-256 isakmp policy 1 hash sha isakmp policy 1 group 2 isakmp policy 1 lifetime 86400 ! L2L tunnel-group configuration for Chicago tunnel-group 209.165.200.225 type ipsec-l2l tunnel-group 209.165.200.225 ipsec-attributes pre-shared-key cisco123 ! L2L tunnel-group configuration for Chicago tunnel-group 209.165.201.1 type ipsec-l2l tunnel-group 209.165.201.1 ipsec-attributes pre-shared-key cisco123
Part I: Product Overview
Introduction to Network Security
- Introduction to Network Security
- Firewall Technologies
- Intrusion Detection and Prevention Technologies
- Network-Based Attacks
- Virtual Private Networks
- Summary
Product History
- Product History
- Cisco Firewall Products
- Cisco IDS Products
- Cisco VPN Products
- Cisco ASA All-in-One Solution
- Summary
Hardware Overview
Part II: Firewall Solution
Initial Setup and System Maintenance
- Initial Setup and System Maintenance
- Accessing the Cisco ASA Appliances
- Managing Licenses
- Initial Setup
- IP Version 6
- Setting Up the System Clock
- Configuration Management
- Remote System Management
- System Maintenance
- System Monitoring
- Summary
Network Access Control
- Network Access Control
- Packet Filtering
- Advanced ACL Features
- Content and URL Filtering
- Deployment Scenarios Using ACLs
- Monitoring Network Access Control
- Understanding Address Translation
- DNS Doctoring
- Monitoring Address Translations
- Summary
IP Routing
Authentication, Authorization, and Accounting (AAA)
- Authentication, Authorization, and Accounting (AAA)
- AAA Protocols and Services Supported by Cisco ASA
- Defining an Authentication Server
- Configuring Authentication of Administrative Sessions
- Authenticating Firewall Sessions (Cut-Through Proxy Feature)
- Configuring Authorization
- Configuring Accounting
- Deployment Scenarios
- Troubleshooting AAA
- Summary
Application Inspection
- Application Inspection
- Enabling Application Inspection Using the Modular Policy Framework
- Selective Inspection
- Computer Telephony Interface Quick Buffer Encoding Inspection
- Domain Name System
- Extended Simple Mail Transfer Protocol
- File Transfer Protocol
- General Packet Radio Service Tunneling Protocol
- H.323
- HTTP
- ICMP
- ILS
- MGCP
- NetBIOS
- PPTP
- Sun RPC
- RSH
- RTSP
- SIP
- Skinny
- SNMP
- SQL*Net
- TFTP
- XDMCP
- Deployment Scenarios
- Summary
Security Contexts
- Security Contexts
- Architectural Overview
- Configuration of Security Contexts
- Deployment Scenarios
- Monitoring and Troubleshooting the Security Contexts
- Summary
Transparent Firewalls
- Transparent Firewalls
- Architectural Overview
- Transparent Firewalls and VPNs
- Configuration of Transparent Firewall
- Deployment Scenarios
- Monitoring and Troubleshooting the Transparent Firewall
- Summary
Failover and Redundancy
- Failover and Redundancy
- Architectural Overview
- Failover Configuration
- Deployment Scenarios
- Monitoring and Troubleshooting Failovers
- Summary
Quality of Service
- Quality of Service
- Architectural Overview
- Configuring Quality of Service
- QoS Deployment Scenarios
- Monitoring QoS
- Summary
Part III: Intrusion Prevention System (IPS) Solution
Intrusion Prevention System Integration
- Intrusion Prevention System Integration
- Adaptive Inspection Prevention Security Services Module Overview (AIP-SSM)
- Directing Traffic to the AIP-SSM
- AIP-SSM Module Software Recovery
- Additional IPS Features
- Summary
Configuring and Troubleshooting Cisco IPS Software via CLI
- Configuring and Troubleshooting Cisco IPS Software via CLI
- Cisco IPS Software Architecture
- Introduction to the CIPS 5.x Command-Line Interface
- User Administration
- AIP-SSM Maintenance
- Advanced Features and Configuration
- Summary
Part IV: Virtual Private Network (VPN) Solution
Site-to-Site IPSec VPNs
- Site-to-Site IPSec VPNs
- Preconfiguration Checklist
- Configuration Steps
- Advanced Features
- Optional Commands
- Deployment Scenarios
- Monitoring and Troubleshooting Site-to-Site IPSec VPNs
- Summary
Remote Access VPN
- Remote Access VPN
- Cisco IPSec Remote Access VPN Solution
- Advanced Cisco IPSec VPN Features
- Deployment Scenarios of Cisco IPSec VPN
- Monitoring and Troubleshooting Cisco Remote Access VPN
- Cisco WebVPN Solution
- Advanced WebVPN Features
- Deployment Scenarios of WebVPN
- Monitoring and Troubleshooting WebVPN
- Summary
Public Key Infrastructure (PKI)
- Public Key Infrastructure (PKI)
- Introduction to PKI
- Enrolling the Cisco ASA to a CA Using SCEP
- Manual (Cut-and-Paste) Enrollment
- Configuring CRL Options
- Configuring IPSec Site-to-Site Tunnels Using Certificates
- Configuring the Cisco ASA to Accept Remote-Access VPN Clients Using Certificates
- Troubleshooting PKI
- Summary
Part V: Adaptive Security Device Manager
Introduction to ASDM
- Introduction to ASDM
- Setting Up ASDM
- Initial Setup
- Functional Screens
- Interface Management
- System Clock
- Configuration Management
- Remote System Management
- System Maintenance
- System Monitoring
- Summary
Firewall Management Using ASDM
- Firewall Management Using ASDM
- Access Control Lists
- Address Translation
- Routing Protocols
- AAA
- Application Inspection
- Security Contexts
- Transparent Firewalls
- Failover
- QoS
- Summary
IPS Management Using ASDM
- IPS Management Using ASDM
- Accessing the IPS Device Management Console from ASDM
- Configuring Basic AIP-SSM Settings
- Advanced IPS Configuration and Monitoring Using ASDM
- Summary
VPN Management Using ASDM
- VPN Management Using ASDM
- Site-to-Site VPN Setup Using Preshared Keys
- Site-to-Site VPN Setup Using PKI
- Cisco Remote-Access IPSec VPN Setup
- WebVPN
- VPN Monitoring
- Summary
Case Studies
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
EAN: 2147483647
EAN: 2147483647
Year: 2006
Pages: 231
Pages: 231
Authors: Omar Santos, Jazib Frahim
