Cisco Labs – Network Security (12) – Easy VPN server on ASA, SW client


Introduction

During my university studies I worked on a diploma thesis in the field of redundant and reliable networking. Its purpose was to create lab examples for students, so they can test basic settings for VPN, IPS and others. These tasks were created for Virtlab (a virtual lab with physical Cisco routers); however, the configuration is valid and tested on physical Cisco routers as well.

Each task in the series will have its own post with a brief description of the task and a schema. The complete task can be downloaded from My OneDrive.

NS2 – Module 2 6.5.9b ASA task definition

Easy VPN server on ASA, SW client

Goal

  • Configure Easy VPN server on ASA.
  • Initialize the tunnel.
  • Generate a test connection through HTTP, FTP and ICMP.
  • Use the text VPN client, or the Cisco VPN client if you have a GUI available on your system.
  • Do not forget to clear the configuration before you start.

Required time

2 hours

Theoretical background

A short theoretical background for solving this task will be given here.

Topology

NS2-6.5.9b_ASA_topology1_VIRTLAB

Configuration

PC1

ifconfig INT4 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT3

SERVER

R19@ostrava(config)#hostname SERVER
SERVER(config)#interface INT3
SERVER(config-if)#ip address 10.0.0.254 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config)#aaa new-model                                  ;define authentication policy
SERVER(config)#aaa authentication login telnet local          ;authenticate locally
SERVER(config)#username cisco password cisco                  ;authenticate with this username and password
SERVER(config)#enable password cisco                          ;set enable password for privileged mode
SERVER(config)#ip http server                                 ;enable HTTP server
SERVER(config)#ftp-server enable                              ;enable FTP server
SERVER(config)#ftp-server topdir FLASH:/                      ;set top directory for FTP server
SERVER(config)#line vty 0 4                                   ;enable telnet connections

ASA

1) Interface settings and access lists

ciscoasa(config)# hostname ASA-GATE
ASA-GATE(config)# domain-name test
ASA-GATE(config)# interface INT1
ASA-GATE(config-if)# switchport mode access
ASA-GATE(config-if)# switchport access vlan 10
ASA-GATE(config-if)# no shutdown
ASA-GATE(config-if)# interface vlan 10
ASA-GATE(config-if)# ip address 192.168.0.1 255.255.255.0
ASA-GATE(config-if)# nameif outside
ASA-GATE(config-if)# no shutdown

ASA-GATE(config)# interface INT2
ASA-GATE(config-if)# switchport mode access
ASA-GATE(config-if)# switchport access vlan 20
ASA-GATE(config-if)# no shutdown
ASA-GATE(config-if)# interface vlan 20
ASA-GATE(config-if)# ip address 10.0.0.1 255.255.255.0
ASA-GATE(config-if)# nameif inside
ASA-GATE(config-if)# no shutdown

ASA-GATE(config)# access-list OUTSIDEIN permit ip any host 192.168.0.1
ASA-GATE(config)# access-list CRYPTED permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0   ;define which traffic will not be translated
ASA-GATE(config)# nat (inside) 0 access-list CRYPTED                                             ;do not translate traffic matching access list CRYPTED
ASA-GATE(config)# nat (inside) 1 0 0
ASA-GATE(config)# global (outside) 1 interface
ASA-GATE(config)# access-group OUTSIDEIN in interface outside

ASA-GATE(config)# username VPNUSERNAME password cisco                                            ;username and password defined for the VPN connection

2) IPsec and ISAKMP configuration

ASA-GATE(config)# ip local pool VPNADDRESSPOOL 10.0.0.10-10.0.0.20                  ;IP pool for hosts connected through the RAS VPN

ASA-GATE(config)# tunnel-group VPNGROUP type IPSec_RA                               ;create tunnel group for RAS connections
ASA-GATE(config)# tunnel-group VPNGROUP general-attributes                          ;and define its general attributes
ASA-GATE(config-tunnel-general)# address-pool VPNADDRESSPOOL                        ;assign the IP pool to the group
ASA-GATE(config-tunnel-general)# tunnel-group VPNGROUP ipsec-attributes             ;IPsec attributes: the pre-shared key used for IKE (phase 1) authentication
ASA-GATE(config-tunnel-ipsec)# pre-shared-key cisco

ASA-GATE(config)# crypto ipsec transform-set REMOTEVPNTRSET esp-3des esp-sha-hmac   ;define IKE second phase (IPsec) parameters
ASA-GATE(config)# crypto dynamic-map DYNAMICMAP 10 set transform-set REMOTEVPNTRSET ;dynamic map, because client addresses are not known in advance
ASA-GATE(config)# crypto map CLIENTMAP 20 ipsec-isakmp dynamic DYNAMICMAP           ;reference the dynamic map from the crypto map

3) Applying the crypto map to the interface

ASA-GATE(config)# crypto map CLIENTMAP interface outside
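As an added example (not part of the original lab), a small Python check over the configuration from sections 1 to 3 that reports the points a reviewer would raise before deploying it outside a lab: the crypto map is bound to outside but no crypto isakmp enable outside or crypto isakmp policy appears in the listing, the transform set uses 3DES, and the pre-shared key and VPN user password are the lab value cisco. The sample configuration string and the weak-password shortlist are constructed here.

```python
import re

# Constructed sample: the Easy VPN commands from this lab, without prompts,
# plus the 'crypto map ... interface' line from section 3.
SAMPLE_CONFIG = """
access-list CRYPTED permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list CRYPTED
username VPNUSERNAME password cisco
ip local pool VPNADDRESSPOOL 10.0.0.10-10.0.0.20
tunnel-group VPNGROUP type IPSec_RA
tunnel-group VPNGROUP general-attributes
 address-pool VPNADDRESSPOOL
tunnel-group VPNGROUP ipsec-attributes
 pre-shared-key cisco
crypto ipsec transform-set REMOTEVPNTRSET esp-3des esp-sha-hmac
crypto dynamic-map DYNAMICMAP 10 set transform-set REMOTEVPNTRSET
crypto map CLIENTMAP 20 ipsec-isakmp dynamic DYNAMICMAP
crypto map CLIENTMAP interface outside
"""

WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
WEAK_SECRETS = {"cisco", "cisco123", "password", "admin"}  # constructed shortlist

def audit_easy_vpn(config: str) -> list[str]:
    """Return findings for an ASA Easy VPN (IKEv1 remote-access) config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # Interfaces carrying a crypto map must also have ISAKMP enabled.
    mapped = {m.group(1) for l in lines
              if (m := re.match(r"crypto map \S+ interface (\S+)", l))}
    isakmp_on = {m.group(1) for l in lines
                 if (m := re.match(r"crypto isakmp enable (\S+)", l))}
    for nameif in sorted(mapped - isakmp_on):
        findings.append(f"isakmp-not-enabled:{nameif}")
    # Phase 1 needs at least one ISAKMP policy to negotiate with.
    if not any(l.startswith("crypto isakmp policy ") for l in lines):
        findings.append("no-isakmp-policy")
    for l in lines:
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", l):
            weak = sorted(set(m.group(2).split()) & WEAK_TRANSFORMS)
            if weak:
                findings.append(f"weak-transform:{m.group(1)}:{','.join(weak)}")
        if m := re.match(r"pre-shared-key (\S+)", l):
            if m.group(1).lower() in WEAK_SECRETS or len(m.group(1)) < 12:
                findings.append("weak-psk")
        if m := re.match(r"username (\S+) password (\S+)", l):
            if m.group(2).lower() in WEAK_SECRETS:
                findings.append(f"weak-user-password:{m.group(1)}")
    # VPN traffic must be exempt from NAT or the inside hosts are unreachable.
    if not any(re.match(r"nat \(\S+\) 0 access-list \S+", l) for l in lines):
        findings.append("no-nat-exemption")
    return findings
```

Running audit_easy_vpn on a config that adds crypto isakmp enable outside, an isakmp policy, an AES transform set and non-default secrets returns an empty list.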

Function test

F1) Turn on debugging

ASA-GATE(config)# debug crypto isakmp
ASA-GATE(config)# debug crypto engine
ASA-GATE(config)# debug crypto ipsec
ASA-GATE(config)# logging console debugging

F2) Generate test connection

F2a) on Unix based PC

Run a terminal and then generate ICMP traffic using the ping command.

PC1#ping 10.0.0.100

Picture shows result of this command.

NS2-6.5.9b_ASA_DIA2-1

F2b) on Windows based PC

Browse Start -> Run, type cmd.exe and then generate ICMP traffic using the ping command.

PC1#ping 10.0.0.100

Picture shows result of this command.

NS2-6.5.9b_ASA_DIA2-2

F3) Initialize tunnel

F3a) on Unix – text vpn client

PC1#vpnc                                                      ;run the text VPN client
- insert gateway - IP address of VPN concentrator -> 192.168.0.1
- insert VPN group to which you want to connect -> VPNGROUP
- insert its pre-shared key -> cisco
- insert username and password according to your defined group policy -> VPNUSERNAME/cisco

Picture shows result on PC.

NS2-6.5.9b_ASA_DIA3-1

Picture shows ifconfig tun0 command result.

NS2-6.5.9b_ASA_DIA3-2

F3b) on Windows – GUI Cisco VPN client

PC1#run Cisco VPN client from shortcut
- connection entries -> new -> fill in:
- name -> TEST
- description -> where it creates the tunnel
- host -> IP address of VPN concentrator -> 192.168.0.1
- insert VPN group to which you want to connect -> VPNGROUP
- insert its pre-shared key -> cisco (password and confirm password)
- go to the main screen, select the connection entry and insert username and password VPNUSERNAME/cisco when prompted.

Picture shows the configuration window and main window on the Windows client.

NS2-6.5.9b_ASA_DIA3-4

Picture shows result of tunnel initialisation on ASA.

NS2-6.5.9b_ASA_DIA3-3

ASA-GATE(config)#show vpn-sessiondb remote

Picture shows result of tunnel sessions on ASA.

NS2-6.5.9b_ASA_DIA3-5

F4) Generate test connection

F4a) on Unix – text web browser

PC1#lynx ftp://10.0.0.100                                     ;connect via FTP to the server
PC1#lynx http://10.0.0.100                                    ;connect via HTTP to the server - will work with enabled Java only
PC1#ping 10.0.0.100                                           ;ICMP test

Picture shows result on PC.

NS2-6.5.9b_ASA_DIA4-1

F4b) on Windows – graphic web browser

Open a web browser and insert the following text into the address bar:

http://10.0.0.100                                             ;establish HTTP connection to the server
ftp://10.0.0.100                                              ;establish FTP connection to the server

Picture shows result on PC.

NS2-6.5.9b_ASA_DIA4-2

Open the command line and run ftp, then follow the result picture for command line reference.

ftp                                                           ;command line tool to start an FTP connection

Picture shows result on PC (ftp).

NS2-6.5.9b_ASA_DIA4-3

F5) Delete tunnel and reinitialize new one

ASA-GATE(config)#clear crypto isakmp sa
ASA-GATE(config)#clear crypto ipsec sa

Picture shows result on ASA.

NS2-6.5.9b_ASA_DIA5-1

F5a) on Unix based PC – text

PC1#pkill vpnc                                                ;kill the vpnc process

F5b) on Windows based PC

Open VPN client and press disconnect button.

Optional tasks

  • Try to configure different policies and VPN groups.

    ASA-GATE(config)# ip local pool VPNADDRESSPOOL2 10.0.0.21-10.0.0.30          ;IP pool for hosts connected through RAS VPN group 2

    ASA-GATE(config)# tunnel-group VPNGROUP2 type IPSec_RA                         ;another tunnel group for the optional task
    ASA-GATE(config)# tunnel-group VPNGROUP2 general-attributes
    ASA-GATE(config-tunnel-general)# address-pool VPNADDRESSPOOL2
    ASA-GATE(config-tunnel-general)# tunnel-group VPNGROUP2 ipsec-attributes
    ASA-GATE(config-tunnel-ipsec)# pre-shared-key cisco2

    ASA-GATE(config)# group-policy TUNNELPOLICYADDED internal                      ;create internal policy
    ASA-GATE(config)# group-policy TUNNELPOLICYADDED attributes                    ;and define its attributes
    ASA-GATE(config-group-policy)# wins-server value 10.0.0.200                    ;WINS server IP address
    ASA-GATE(config-group-policy)# dns-server value 10.0.0.201                     ;DNS server IP address
    ASA-GATE(config-group-policy)# default-domain value testdomain.vsb             ;domain name

    ASA-GATE(config)# tunnel-group VPNGROUP2 general-attributes                    ;connect the policy with the tunnel group
    ASA-GATE(config-tunnel-general)# default-group-policy TUNNELPOLICYADDED        ;policy name is specified here

    To test this task, connect to VPNGROUP2 and use ipconfig -all on Windows. It will also show the DNS server and WINS server records for the tunnel interface.

    NS2-6.5.9b_ASA_DIA6-3

    On Linux, look at the file resolv.conf. It will show the DNS server record.

    NS2-6.5.9b_ASA_DIA6-1

    NS2-6.5.9b_ASA_DIA6-2
