Cisco Labs – Network Security (11) – RAS VPN using HW client (network and client modes)+ pre-shared keys on ASA


Introduction

During my university studies I was writing a diploma thesis in the field of redundant and reliable networking. Its purpose was to create lab examples for students so they can test basic settings for VPN, IPS and others. These tasks were created for Virtlab (a virtual lab with physical Cisco routers); however, the configuration is valid and tested on physical Cisco routers as well.

Each task in the series will have its own post with a brief description of the task and its schema. The complete task can be downloaded from My OneDrive.

NS2 – Module 6 – 6.4.2 ASA task definition

RAS VPN using HW client (network and client modes)+ pre-shared keys on ASA

Goal

  • A remote access VPN tunnel will be established on an ASA 5505 using a pre-shared key.
  • Router3 only passes traffic between the site routers; it simulates the Internet.
  • Only traffic between LAN 1 and LAN 2 will be encrypted.
  • Use the OSPF routing protocol and static routes.
  • a/ the client will be set to client mode (NAT).
  • b/ the client will be set to network-extension mode.
  • Do not forget that this task works only on the ASA 5505: the ASA 5510 and higher cannot act as EzVPN hardware clients.

Required time

2 hours

Theoretical background

A short theoretical background for solving this task will be added here. In client mode (a/) the ASA 5505 client receives one address from the server's pool and translates its inside hosts behind it, so the server side sees only that address; in network-extension mode (b/) the client's inside subnet (10.0.1.0/24 in this task) is reachable from the server's LAN without translation.

Topology

NS2-6.4.2_ASA_topology1_VIRTLAB

Configuration

PC2

ifconfig INT8 10.0.0.100 netmask 255.255.255.0
route add default gw 10.0.0.1 dev INT8

EzServer – EzVPN server

This configuration is the same for both client modes.

1) interface settings + routes

EzServer(config)# interface INT4
EzServer(config-if)# switchport mode access
EzServer(config-if)# switchport access vlan 10
EzServer(config-if)# no shutdown
EzServer(config-if)# interface vlan 10
EzServer(config-if)# ip address 10.0.0.1 255.255.255.0
EzServer(config-if)# nameif inside
EzServer(config-if)# no shutdown

EzServer(config)# interface INT3
EzServer(config-if)# switchport mode access
EzServer(config-if)# switchport access vlan 20
EzServer(config-if)# no shutdown
EzServer(config-if)# interface vlan 20
EzServer(config-if)# ip address 172.16.0.1 255.255.255.0
EzServer(config-if)# nameif outside
EzServer(config-if)# no shutdown

EzServer(config)# route outside 172.16.1.0 255.255.255.0 172.16.0.2
EzServer(config)# access-list OUTSIDEIN permit ip any host 172.16.0.1			;note: defined here but not applied with access-group in this task
EzServer(config)# access-list CRYPTED permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
EzServer(config)# nat (inside) 0 access-list CRYPTED						;NAT exemption: traffic matching CRYPTED is not translated and is sent through the tunnel
EzServer(config)# nat (inside) 1 0 0
EzServer(config)# global (outside) 1 interface

2)EzVPN server configuration

EzServer(config)# username EZVPNUSER password cisco						;local user for the EzVPN (Xauth) login
EzServer(config)# isakmp enable outside								;permit ISAKMP on the outside interface
EzServer(config)# isakmp identity address							;use the interface IP address as ISAKMP identity
EzServer(config)# isakmp policy 10								;ISAKMP (phase 1) policy
EzServer(config-isakmp-policy)# authentication pre-share					;authentication by pre-shared key
EzServer(config-isakmp-policy)# encryption 3des							;lab setting: 3DES and DH group 2 are deprecated, prefer AES and group 14 or higher where the ASA software supports them
EzServer(config-isakmp-policy)# hash sha
EzServer(config-isakmp-policy)# group 2
EzServer(config-isakmp-policy)# lifetime 1000							;phase 1 SA lifetime in seconds

EzServer(config)# group-policy TUNNELPOLICYADDED internal
EzServer(config)# group-policy TUNNELPOLICYADDED attributes
EzServer(config-group-policy)# nem enable							;allow network-extension mode for this group
EzServer(config-group-policy)# password-storage enable						;allow the hardware client to store its Xauth username/password (needed for vpnclient username ... password ...)

EzServer(config)# ip local pool VPNADDRESSPOOL 10.0.0.10-10.0.0.20				;address pool for clients; note it lies inside the inside subnet 10.0.0.0/24, which is why CRYPTED matches 10.0.0.0/24 to 10.0.0.0/24
EzServer(config)# tunnel-group EZVPNGROUP type IPSec_RA						;define tunnel group type
EzServer(config)# tunnel-group EZVPNGROUP general-attributes					;define tunnel group attributes
EzServer(config-tunnel-general)# address-pool VPNADDRESSPOOL
EzServer(config-tunnel-general)# default-group-policy TUNNELPOLICYADDED
EzServer(config-tunnel-general)# tunnel-group EZVPNGROUP ipsec-attributes
EzServer(config-tunnel-ipsec)# pre-shared-key EZVPNKLIC

EzServer(config)# crypto ipsec transform-set REMOTEVPNTRSET esp-3des esp-sha-hmac
EzServer(config)# crypto dynamic-map DYNAMICMAP 10 set transform-set REMOTEVPNTRSET
EzServer(config)# crypto map CLIENTMAP 20 ipsec-isakmp dynamic DYNAMICMAP
EzServer(config)# crypto map CLIENTMAP interface outside					;apply configuration on interface
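As an added example (not part of the original lab and not a Cisco tool), the following Python script audits the crypto-relevant lines of the EzServer configuration above: it parses the isakmp policy, the transform set and the access lists, and reports the 3DES encryption, DH group 2 and ESP 3DES used here, plus the OUTSIDEIN access list that is defined but never applied. The weak-algorithm thresholds and the HARDENED_CONFIG variant are this editor's assumptions; which replacement algorithms (aes-256, DH group 14) are actually available depends on the ASA software version.

```python
import re

# The crypto-relevant lines of the EzServer configuration from this task,
# embedded here so the check runs offline (no ASA needed).
EZSERVER_CONFIG = """\
access-list OUTSIDEIN permit ip any host 172.16.0.1
access-list CRYPTED permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list CRYPTED
isakmp enable outside
isakmp identity address
isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 1000
crypto ipsec transform-set REMOTEVPNTRSET esp-3des esp-sha-hmac
crypto dynamic-map DYNAMICMAP 10 set transform-set REMOTEVPNTRSET
crypto map CLIENTMAP 20 ipsec-isakmp dynamic DYNAMICMAP
crypto map CLIENTMAP interface outside
"""

# A hardened variant (assumption by this editor; availability of aes-256 and
# DH group 14 depends on the ASA software version).
HARDENED_CONFIG = """\
isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec transform-set STRONGSET esp-aes-256 esp-sha-hmac
"""

# Editor's thresholds: DES/3DES, MD5 and small DH groups are what a modern
# review rejects. HMAC-SHA1 is kept (still acceptable for integrity), although
# SHA-2 should be preferred where the platform offers it.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_isakmp_policies(config):
    """Return {policy number: {attribute: value}} for every 'isakmp policy' block."""
    policies, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"isakmp policy (\d+)\s*$", raw)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif current is not None and raw.startswith(" "):
            key, _, value = raw.strip().partition(" ")
            current[key] = value
        else:
            current = None          # any non-indented line ends the policy block
    return policies


def parse_transform_sets(config):
    """Return {transform-set name: [esp algorithms]}."""
    return {
        m.group(1): m.group(2).split()
        for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M)
    }


def unapplied_acls(config):
    """ACL names defined but referenced by neither access-group, nat ... access-list
    nor a crypto map 'match address' (dead config or a forgotten access-group)."""
    defined = set(re.findall(r"^access-list (\S+) ", config, re.M))
    used = set(re.findall(r"^access-group (\S+) ", config, re.M))
    used |= set(re.findall(r"^nat \(\S+\) \d+ access-list (\S+)", config, re.M))
    used |= set(re.findall(r"match address (\S+)", config))
    return sorted(defined - used)


def audit(config):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for num, p in parse_isakmp_policies(config).items():
        if p.get("encryption") in WEAK_ENCRYPTION:
            findings.append(f"isakmp policy {num}: encryption {p['encryption']} is weak (use AES)")
        if p.get("hash") in WEAK_HASH:
            findings.append(f"isakmp policy {num}: hash {p['hash']} is broken (use SHA)")
        if p.get("group") in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {num}: DH group {p['group']} is too small (use 14 or higher)")
    for name, algs in parse_transform_sets(config).items():
        for alg in algs:
            if alg in WEAK_ESP:
                findings.append(f"transform-set {name}: {alg} is weak (use esp-aes-256)")
    for acl in unapplied_acls(config):
        findings.append(f"access-list {acl} is defined but never applied")
    return findings


if __name__ == "__main__":
    for finding in audit(EZSERVER_CONFIG) or ["no findings"]:
        print(finding)
    print("hardened:", audit(HARDENED_CONFIG) or "no findings")
```

Run it against `show running-config` saved to a file to get the same checks on a real box; the parser only needs the policy block, transform-set, access-list, access-group and nat lines.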

Router3 – internet

This configuration is the same for both client modes.

Router3(config)#interface INT5
Router3(conf-if)#ip address 172.16.1.2 255.255.255.0
Router3(conf-if)#no shutdown

Router3(config)#interface INT6
Router3(conf-if)#ip address 172.16.0.2 255.255.255.0
Router3(conf-if)#no shutdown

Router3(config)#router ospf 1
Router3(rout)#network 172.16.1.0 0.0.0.255 area 0
Router3(rout)#network 172.16.0.0 0.0.0.255 area 0

a/ Client mode configuration

PC1

ifconfig INT7 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT7

EzClient – EzVPN Client

1) interface settings and static routes

ciscoasa(config)# hostname EzClient
EzClient(config)# domain-name test
EzClient(config)# interface INT1
EzClient(config-if)# switchport mode access
EzClient(config-if)# switchport access vlan 10
EzClient(config-if)# no shutdown
EzClient(config-if)# interface vlan 10
EzClient(config-if)# ip address 192.168.0.1 255.255.255.0
EzClient(config-if)# nameif inside
EzClient(config-if)# no shutdown

EzClient(config)# interface INT2
EzClient(config-if)# switchport mode access
EzClient(config-if)# switchport access vlan 20
EzClient(config-if)# no shutdown
EzClient(config-if)# interface vlan 20
EzClient(config-if)# ip address 172.16.1.1 255.255.255.0
EzClient(config-if)# nameif outside
EzClient(config-if)# no shutdown

EzClient(config)# nat (inside) 1 0 0								;define nat translations
EzClient(config)# global (outside) 1 interface
EzClient(config)# route outside 10.0.0.0 255.255.255.0 172.16.1.2
EzClient(config)# route outside 172.16.0.0 255.255.255.0 172.16.1.2
EzClient(config)# access-list outsidein permit icmp any host 172.16.1.1
EzClient(config)# access-list outsidein permit ip any host 172.16.1.1			;this line already covers ICMP, so the previous one is redundant
EzClient(config)# access-group outsidein in interface outside					;apply the access list to the interface

2) client settings

EzClient(config)# sysopt connection permit-vpn							;let decrypted VPN traffic bypass the interface access lists
EzClient(config)# vpnclient server 172.16.0.1							;EzVPN server address
EzClient(config)# vpnclient mode client								;client mode (inside hosts are translated behind the pool address)
EzClient(config)# vpnclient vpngroup EZVPNGROUP password EZVPNKLIC				;tunnel group name and its pre-shared key
EzClient(config)# vpnclient username EZVPNUSER password cisco					;Xauth username and password
EzClient(config)# vpnclient enable								;turn on the EzVPN client

Now perform the function test and then continue to part b/.

b/ Network extension mode configuration

PC1

ifconfig INT7 10.0.1.100 netmask 255.255.255.0
route add default gw 10.0.1.1 dev INT7

Router2 – EzVPN Client

The configuration does not work. Its experimental text can be found in the preconfigured file.

Function test

It is the same for both parts.

Use debug crypto ipsec and debug crypto isakmp to troubleshoot problems with VPN tunnel setup.

F1) Turn on debugging

Ezserver#debug crypto ipsec								 ;second phase debugging
Ezserver#debug crypto isakmp								 ;first phase debugging
Ezserver#logging console debugging							 ;debug messages to console

F2) Check the IKE/IPsec server and client configuration

EZServer#sh crypto isakmp policy							 ;show isakmp policy configuration
EZServer#sh crypto dynamic-map								 ;show dynamic map configuration
EZServer#sh crypto map									 ;crypto map configuration
EZClient#sh run

F3) Initialize the tunnel

PC1>ping 10.0.0.100					 				;initialize the tunnel by pinging the remote host

NS2-6.4.2_ASA_DIA3-1

F4) Test the initialized tunnel

Check that the client has an address leased from the pool and that IPsec is active.

EZServer#sh ip local pool VPNADDRESSPOOL

NS2-6.4.2_ASA_DIA4-1

EZClient#sh nat

NS2-6.4.2_ASA_DIA4-2

EZClient#sh crypto isakmp sa

NS2-6.4.2_ASA_DIA4-3

Show crypto IPsec statistics.

Ezserver#sh crypto ipsec sa

NS2-6.4.2_ASA_DIA4-4

F5) Delete the tunnel, then repeat step F3) to initialize it again

First delete the tunnel on the client:

EZClient(config-if)#shutdown								 ;shut down the outside interface (interface vlan 20)
EZClient#clear crypto ipsec sa
EZClient#clear crypto isakmp sa
EZServer#clear crypto ipsec sa
EZServer#clear crypto isakmp sa
EZServer#clear crypto session
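The checks in F4) are usually done by eye. As an added example, not from the original post, the following Python script parses the output of show crypto isakmp sa and show crypto ipsec sa (server side) and decides whether phase 1 and phase 2 are up and whether traffic actually flows in both directions, which is the question the counters answer. The sample output is constructed by this editor in the format of those two commands; it is not captured from the lab (the page shows those screens only as images), and the peer address 172.16.1.1, the username and the counter values are assumed.

```python
import re

# Constructed sample output modelled on the ASA 'show crypto isakmp sa' and
# 'show crypto ipsec sa' formats; NOT captured from the lab, values assumed.
ISAKMP_SA_OUTPUT = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.16.1.1
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
"""

IPSEC_SA_OUTPUT = """\
interface: outside
    Crypto map tag: DYNAMICMAP, seq num: 10, local addr: 172.16.0.1

      local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.10/255.255.255.255/0/0)
      current_peer: 172.16.1.1, username: EZVPNUSER
      dynamic allocated peer ip: 10.0.0.10

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.0.1, remote crypto endpt.: 172.16.1.1
"""


def parse_isakmp_sa(text):
    """Phase 1: one dict per IKE peer (state AM_ACTIVE/MM_ACTIVE means established)."""
    pattern = r"IKE Peer:\s*(\S+).*?Role\s*:\s*(\S+).*?State\s*:\s*(\S+)"
    return [
        {"peer": m.group(1), "role": m.group(2), "state": m.group(3)}
        for m in re.finditer(pattern, text, re.S)
    ]


def _field(chunk, regex, cast=str):
    m = re.search(regex, chunk)
    return cast(m.group(1)) if m else None


def parse_ipsec_sa(text):
    """Phase 2: one dict per crypto-map entry with proxy identities and packet counters."""
    sas = []
    for chunk in re.split(r"(?=Crypto map tag:)", text)[1:]:
        sas.append({
            "peer": _field(chunk, r"current_peer:\s*([\d.]+)"),
            "local_ident": _field(chunk, r"local ident \(addr/mask/prot/port\): \(([^)]+)\)"),
            "remote_ident": _field(chunk, r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)"),
            "encaps": _field(chunk, r"#pkts encaps:\s*(\d+)", int) or 0,
            "decaps": _field(chunk, r"#pkts decaps:\s*(\d+)", int) or 0,
        })
    return sas


def tunnel_health(isakmp_text, ipsec_text, peer):
    """Return (ok, reasons) for the tunnel to `peer`; reasons point at the usual cause."""
    reasons = []
    p1 = [s for s in parse_isakmp_sa(isakmp_text) if s["peer"] == peer]
    if not p1:
        reasons.append(f"no IKE SA with {peer}: phase 1 never completed (check PSK, group name, isakmp enable)")
    elif not p1[0]["state"].endswith("_ACTIVE"):
        reasons.append(f"IKE SA with {peer} stuck in state {p1[0]['state']}")
    p2 = [s for s in parse_ipsec_sa(ipsec_text) if s["peer"] == peer]
    if not p2:
        reasons.append(f"no IPsec SA with {peer}: phase 2 failed (check transform-set / crypto map)")
    for sa in p2:
        if sa["encaps"] == 0 and sa["decaps"] == 0:
            reasons.append("IPsec SA is up but idle: nothing matched the CRYPTED ACL / nat 0 exemption")
        elif sa["decaps"] == 0:
            reasons.append("only encapsulating: no return traffic, check routes and NAT on the client side")
        elif sa["encaps"] == 0:
            reasons.append("only decapsulating: replies are not entering the tunnel, check nat 0 and routes here")
    return not reasons, reasons


if __name__ == "__main__":
    ok, reasons = tunnel_health(ISAKMP_SA_OUTPUT, IPSEC_SA_OUTPUT, "172.16.1.1")
    print("tunnel up" if ok else "problems: " + "; ".join(reasons))
```

To use it on a real ASA, paste the two show outputs into files and pass their contents to tunnel_health; run it twice around a ping from PC1 and the encaps/decaps counters should both increase.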

Optional tasks

  • Create an access list on Router3 that permits only the needed traffic.
  • Add one more router to the topology and create another tunnel to it.