Cisco Labs – Network Security (8) – Site to site VPN using CA on ASA


Introduction

During my university studies I was doing a diploma thesis in the field of redundant and reliable networking. The purpose of it was to create LAB examples for students, so they can test basic settings for VPN, IPS and others. These tasks are created for Virtlab (a virtual lab with physical Cisco routers); however, the configuration is valid and tested on physical Cisco routers as well.

Each task in the series will have its own post with a brief description of the task and a schema. The complete task can be downloaded from My Onedrive.

NS2 – Module 5, 5.3.2 ASA task definition

Site to site VPN using CA on ASA

Goal

  • The certification authority will run on Router3, which will also pass only the needed traffic.
  • A site-to-site VPN tunnel authenticated through the certification authority will be initialized on the ASAs.
  • Only traffic between LAN 1 and LAN 2 will be encrypted.
  • Use the OSPF routing protocol.
  • Clear and reinitialize the VPN tunnel.
  • Do not forget to have the configuration erased before startup.

Required time

3 hours

Theoretical background

A short theoretical background for solving this task will be placed here.

Topology

NS2-5.3.2_ASA_topology1_VIRTLAB

Configuration

PC1

ifconfig INT7 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT7

PC2

ifconfig INT8 10.0.0.100 netmask 255.255.255.0
route add default gw 10.0.0.1 dev INT8

ASA, CA router

First of all, the certification authority and the NTP server must be running. Certificate validity periods are checked against the device clock, so the ASAs must have the correct time before they authenticate the CA and enroll.

1) NTP, clock, hostnames and domain:

NTP server.

router#clock set 0:00:00 9 MAR 2008							;set clock and date
router(config)#hostname CA-Router3							;set hostname
CA-Router3(config)#ntp master								;set this router as NTP server
CA-Router3(config)#ip domain-name test							;set domain name

NTP clients.

ciscoasa(config)# hostname ASA1
ASA1(config)# ntp server 172.16.1.2
ASA1(config)# domain-name test
ciscoasa(config)# hostname ASA2
ASA2(config)# ntp server 172.16.1.2
ASA2(config)# domain-name test

2) Interface settings and static routes

CA-Router3(config)#interface INT5
CA-Router3(config-if)#ip address 172.16.1.2 255.255.255.0
CA-Router3(config-if)#no shutdown

CA-Router3(config)#interface INT6
CA-Router3(config-if)#ip address 172.16.0.2 255.255.255.0
CA-Router3(config-if)#no shutdown

CA-Router3(config)#router ospf 1
CA-Router3(config-router)#network 172.16.1.0 0.0.0.255 area 0
CA-Router3(config-router)#network 172.16.0.0 0.0.0.255 area 0

ASA1(config)# interface INT1
ASA1(config-if)# switchport mode access
ASA1(config-if)# switchport access vlan 10
ASA1(config-if)# no shutdown
ASA1(config-if)# interface vlan 10
ASA1(config-if)# ip address 192.168.0.1 255.255.255.0
ASA1(config-if)# nameif inside
ASA1(config-if)# no shutdown
 
ASA1(config)# interface INT2
ASA1(config-if)# switchport mode access
ASA1(config-if)# switchport access vlan 20
ASA1(config-if)# no shutdown
ASA1(config-if)# interface vlan 20
ASA1(config-if)# ip address 172.16.1.1 255.255.255.0
ASA1(config-if)# nameif outside
ASA1(config-if)# no shutdown
 
ASA1(config)# access-list outsidein permit udp any host 172.16.1.1 eq ntp				;permit NTP communication with NTP server
ASA1(config)# access-list outsidein permit icmp any host 172.16.1.1
ASA1(config)# access-list CRYPTOACL permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0		;define traffic to be encrypted 

ASA1(config)# access-group outsidein in interface outside
ASA1(config)# nat (inside) 1 0 0									;translate all traffic to outside ip pool
ASA1(config)# global (outside) 1 interface								;PAT
ASA1(config)# nat (inside) 0 access-list CRYPTOACL							;this traffic will not be translated but passed thru tunnel
ASA1(config)# route outside 10.0.0.0 255.255.255.0 172.16.1.2						;static route instead of OSPF
ASA1(config)# route outside 172.16.0.0 255.255.255.0 172.16.1.2						;static route instead of OSPF
ASA2(config)# interface INT4
ASA2(config-if)# switchport mode access
ASA2(config-if)# switchport access vlan 10
ASA2(config-if)# no shutdown
ASA2(config-if)# interface vlan 10
ASA2(config-if)# ip address 10.0.0.1 255.255.255.0
ASA2(config-if)# nameif inside
ASA2(config-if)# no shutdown

ASA2(config)# interface INT3
ASA2(config-if)# switchport mode access
ASA2(config-if)# switchport access vlan 20
ASA2(config-if)# no shutdown
ASA2(config-if)# interface vlan 20
ASA2(config-if)# ip address 172.16.0.1 255.255.255.0
ASA2(config-if)# nameif outside
ASA2(config-if)# no shutdown

ASA2(config)# access-list outsidein permit udp any host 172.16.0.1 eq ntp
ASA2(config)# access-list outsidein permit icmp any host 172.16.0.1
ASA2(config)# access-list CRYPTOACL permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0

ASA2(config)# access-group outsidein in interface outside						
ASA2(config)# nat (inside) 1 0 0
ASA2(config)# global (outside) 1 interface
ASA2(config)# nat (inside) 0 access-list CRYPTOACL
ASA2(config)# route outside 192.168.0.0 255.255.255.0 172.16.0.2
ASA2(config)# route outside 172.16.1.0 255.255.255.0 172.16.0.2

3) Access lists on Router3 to permit only the needed traffic:

CA-Router3(config)#access-list 101 permit ospf any any                                  ;ACL 101 filters what arrives from ASA1; IOS ACLs use wildcard masks, not subnet masks
CA-Router3(config)#access-list 101 permit icmp any 172.16.0.0 0.0.0.255
CA-Router3(config)#access-list 101 permit icmp any 172.16.1.0 0.0.0.255
CA-Router3(config)#access-list 101 permit tcp any host 172.16.1.2 eq www                 ;SCEP enrollment to the CA over HTTP
CA-Router3(config)#access-list 101 permit udp any host 172.16.1.2 eq ntp                 ;NTP to the CA router
CA-Router3(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.0.1            ;IPsec traffic between the two ASA outside interfaces
CA-Router3(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.0.1 eq isakmp  ;IKE negotiation (UDP 500); anything else hits the implicit deny

CA-Router3(config)#access-list 102 permit ospf any any                                  ;ACL 102 filters what arrives from ASA2
CA-Router3(config)#access-list 102 permit icmp any 172.16.0.0 0.0.0.255
CA-Router3(config)#access-list 102 permit icmp any 172.16.1.0 0.0.0.255
CA-Router3(config)#access-list 102 permit tcp any host 172.16.1.2 eq www
CA-Router3(config)#access-list 102 permit udp any host 172.16.1.2 eq ntp
CA-Router3(config)#access-list 102 permit esp host 172.16.0.1 host 172.16.1.1
CA-Router3(config)#access-list 102 permit udp host 172.16.0.1 host 172.16.1.1 eq isakmp

CA-Router3(config)#interface INT5
CA-Router3(config-if)#ip access-group 101 in
CA-Router3(config)#interface INT6
CA-Router3(config-if)#ip access-group 102 in
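To check what Router3 actually lets through, here is an added example (my code, not part of the original lab) that evaluates the flows this task depends on (SCEP, NTP, IKE and ESP) against ACL 101 using IOS wildcard-mask semantics; the ACL text is taken from the task, the port-name table and flows are constructed.

```python
import ipaddress
# Added example, not from the original lab: a minimal evaluator for the IOS extended
# ACL on CA-Router3.  IOS uses *wildcard* masks (a 0 bit must match, a 1 bit is
# "don't care"); the ASA access-lists on this page use subnet masks instead.
PORTS = {"www": 80, "ntp": 123, "isakmp": 500}   # the service names used in the lab

def wildcard_match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF                        # bits that must be equal
    return a & care == b & care

def parse_ios_ace(line):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>]'; src/dst are 'any', 'host A' or 'A WILDCARD'."""
    tok, addrs = line.split(), []
    pos = 2
    while len(addrs) < 2:
        if tok[pos] == "any":
            addrs.append(("0.0.0.0", "255.255.255.255"))
            pos += 1
        elif tok[pos] == "host":
            addrs.append((tok[pos + 1], "0.0.0.0"))
            pos += 2
        else:
            addrs.append((tok[pos], tok[pos + 1]))
            pos += 2
    port = int(PORTS.get(tok[pos + 1], tok[pos + 1])) if pos < len(tok) and tok[pos] == "eq" else None
    return {"action": tok[0], "proto": tok[1], "src": addrs[0], "dst": addrs[1], "dport": port}

def acl_permits(acl, proto, src, dst, dport=None):
    """First-match evaluation, ending with the implicit deny of every IOS ACL."""
    for ace in acl:
        if ace["proto"] not in (proto, "ip"):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"] == "permit"
    return False

# ACL 101, applied inbound on INT5 (the interface facing ASA1), with wildcard masks.
ACL101 = [parse_ios_ace(l) for l in """
permit ospf any any
permit icmp any 172.16.0.0 0.0.0.255
permit icmp any 172.16.1.0 0.0.0.255
permit tcp any host 172.16.1.2 eq www
permit udp any host 172.16.1.2 eq ntp
permit esp host 172.16.1.1 host 172.16.0.1
permit udp host 172.16.1.1 host 172.16.0.1 eq isakmp
""".strip().splitlines()]
```

Note that a subnet mask written where IOS expects a wildcard (172.16.0.0 255.255.255.0) only matches addresses whose last octet is 0, which is why the ICMP entries use 0.0.0.255.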

4) CA server + CA requests

CA-Router3(config)#crypto key generate rsa general-keys label KEYPLABEL exportable   ;generate an exportable RSA key pair for the CA (1024 bits recommended for this lab)
                                                                                      ;if this command is not accepted, the IOS image does not support the CA server
CA-Router3(config)#crypto key export rsa KEYPLABEL pem url nvram: 3des KEYPHESLO      ;export the CA private and public key to NVRAM; KEYPHESLO is the export passphrase
                                                                                      ;IOS asks for file names unless you accept the default ones
CA-Router3(config)#ip http server                                                     ;enable the HTTP server (certificates are requested through SCEP over HTTP)
CA-Router3(config)#crypto pki server CASERVER                                         ;create the CA instance on the router
CA-Router3(cs-server)#issuer-name CN=Issuername, C=country                            ;set up the subject of the CA certificate (placeholder values)
CA-Router3(cs-server)#lifetime ca-certificate 20                                      ;lifetime in days of the CA certificate
CA-Router3(cs-server)#lifetime certificate 20                                         ;lifetime in days of client certificates
CA-Router3(cs-server)#cdp-url http://cdp-list-url-address                             ;link to the web location of the CRL (placeholder URL)
CA-Router3(cs-server)#grant auto                                                      ;answer and grant enrollment requests automatically (fine for the lab; in production review requests manually)
CA-Router3(cs-server)#no shutdown                                                     ;turn on the CA
                                                                                      ;after this command you must enter a password that protects the CA private key

Before continuing with the configuration, turn on debugging so that the certificate requests are visible; this is described in the Function test section.

ASA1(config)# sysopt connection permit-vpn                        ;let decrypted VPN traffic bypass the interface access lists

ASA1(config)# crypto key generate rsa modulus 512                 ;generate the RSA key pair for the ASA certificate (512 bits keeps the lab quick; far too weak for production, where 2048 is the minimum)
ASA1(config)# crypto ca trustpoint CASERVER                       ;define the trustpoint and its parameters; it links the CA for SCEP
ASA1(config-ca-trustpoint)# enrollment url http://172.16.1.2:80   ;URL through which certificates are enrolled
ASA1(config-ca-trustpoint)# enrollment retry count 20             ;number of retries of a failed enrollment
ASA1(config-ca-trustpoint)# crl optional                          ;revocation check is optional (older syntax; newer ASA releases use revocation-check instead)
ASA1(config-ca-trustpoint)# revocation-check crl none             ;try the CRL first, fall back to no revocation check if it is unavailable
ASA1(config-ca-trustpoint)# debug crypto ca                       ;debugging turned on, communication with the CA will be visible
ASA1(config)# crypto ca authenticate CASERVER                     ;fetch and authenticate the CA certificate; compare the displayed fingerprint with the one shown on the CA before accepting it
ASA1(config)# crypto ca enroll CASERVER                           ;request the client certificate through the enrollment URL; in this exercise
                                                                  ;the certificate is granted automatically by the CA

ASA2(config)# sysopt connection permit-vpn 

ASA2(config)# crypto key generate rsa modulus 512
ASA2(config)# crypto ca trustpoint CASERVER
ASA2(config-ca-trustpoint)# enrollment url http://172.16.1.2:80
ASA2(config-ca-trustpoint)# enrollment retry count 20
ASA2(config-ca-trustpoint)# crl optional
ASA2(config-ca-trustpoint)# revocation-check crl none
ASA2(config-ca-trustpoint)# debug crypto ca
ASA2(config)# crypto ca authenticate CASERVER
ASA2(config)# crypto ca enroll CASERVER

5a) VPN tunnel settings phase 1 IKE/ISAKMP:

The policy must be the same on both ends of the tunnel (the priority number may differ).

ASA1(config)# isakmp enable outside									;enable isakmp negotiation on outside interface
ASA1(config)# isakmp policy 10 
ASA1(config-isakmp-policy)# authentication rsa-sig 							;define authentication thru RSA keys
ASA1(config-isakmp-policy)# group 2
ASA1(config-isakmp-policy)# hash sha
ASA1(config-isakmp-policy)# encryption 3des
ASA2(config)# isakmp enable outside
ASA2(config)# isakmp policy 10 
ASA2(config-isakmp-policy)# authentication rsa-sig
ASA2(config-isakmp-policy)# group 2
ASA2(config-isakmp-policy)# hash sha
ASA2(config-isakmp-policy)# encryption 3des

5b) VPN tunnel settings phase 2 IPSEC

ASA1(config)# tunnel-group 172.16.0.1 type ipsec-l2l              ;define a site-to-site (LAN-to-LAN) tunnel group named after the peer address
ASA1(config)# tunnel-group 172.16.0.1 ipsec-attributes            ;define its IPsec attributes
ASA1(config-tunnel-ipsec)# peer-id-validate cert                  ;the peer will be identified through its certificate
ASA1(config-tunnel-ipsec)# chain                                  ;send the whole certificate chain to the peer
ASA1(config-tunnel-ipsec)# trust-point CASERVER                   ;define which CA validates the certificates
ASA1(config)# crypto ipsec transform-set TRSETASA1 esp-md5-hmac esp-des   ;ESP with DES encryption and MD5 integrity (lab only; both algorithms are obsolete)
ASA1(config)# crypto map CRMAPASA1 10 match address CRYPTOACL
ASA1(config)# crypto map CRMAPASA1 10 set peer 172.16.0.1
ASA1(config)# crypto map CRMAPASA1 10 set trustpoint CASERVER     ;define which CA is used in this crypto map entry
ASA1(config)# crypto map CRMAPASA1 10 set transform-set TRSETASA1
ASA1(config)# crypto map CRMAPASA1 interface outside

Apply the analogous settings to the other side of the tunnel.

ASA2(config)# tunnel-group 172.16.1.1 type ipsec-l2l
ASA2(config)# tunnel-group 172.16.1.1 ipsec-attributes
ASA2(config-tunnel-ipsec)# peer-id-validate cert
ASA2(config-tunnel-ipsec)# chain
ASA2(config-tunnel-ipsec)# trust-point CASERVER
ASA2(config)# crypto ipsec transform-set TRSETASA2 esp-md5-hmac esp-des
ASA2(config)# crypto map CRMAPASA2 10 match address CRYPTOACL
ASA2(config)# crypto map CRMAPASA2 10 set peer 172.16.1.1
ASA2(config)# crypto map CRMAPASA2 10 set trustpoint CASERVER
ASA2(config)# crypto map CRMAPASA2 10 set transform-set TRSETASA2
ASA2(config)# crypto map CRMAPASA2 interface outside
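As an added cross-check (my code, not from the original lab), the script below compares the peer-sensitive lines of the two ASA configurations above and reports the mismatches that most often keep a LAN-to-LAN tunnel down; the two excerpts are constructed from the commands on this page and contain only those lines.

```python
# Added example, not from the original lab: compare the tunnel-relevant facts of
# ASA1 and ASA2.  Excerpts are constructed from the commands on this page.
ASA1 = """access-list CRYPTOACL permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
authentication rsa-sig
group 2
hash sha
encryption 3des
tunnel-group 172.16.0.1 type ipsec-l2l
crypto ipsec transform-set TRSETASA1 esp-md5-hmac esp-des
crypto map CRMAPASA1 10 set peer 172.16.0.1"""
ASA2 = """access-list CRYPTOACL permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
authentication rsa-sig
group 2
hash sha
encryption 3des
tunnel-group 172.16.1.1 type ipsec-l2l
crypto ipsec transform-set TRSETASA2 esp-md5-hmac esp-des
crypto map CRMAPASA2 10 set peer 172.16.1.1"""

def parse_vpn(cfg):
    """Extract the facts that must agree between the two tunnel endpoints."""
    f = {"isakmp": {}}
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[:2] == ["access-list", "CRYPTOACL"]:
            f["acl"] = tuple(t[4:8])              # src, src-mask, dst, dst-mask
        elif t[2:3] == ["transform-set"]:
            f["transform"] = frozenset(t[4:])     # transform order does not matter
        elif t[0] in ("authentication", "group", "hash", "encryption"):
            f["isakmp"][t[0]] = t[1]              # ISAKMP (phase 1) policy attributes
        elif t[0] == "tunnel-group":
            f["tunnel_group"] = t[1]
        elif "peer" in t:
            f["peer"] = t[-1]
    return f

def check_pair(cfg_a, cfg_b):
    """Return mismatch descriptions; an empty list means the pair is consistent."""
    a, b = parse_vpn(cfg_a), parse_vpn(cfg_b)
    src, src_mask, dst, dst_mask = a["acl"]
    issues = []
    if b["acl"] != (dst, dst_mask, src, src_mask):  # crypto ACLs must mirror each other
        issues.append("crypto ACLs are not mirror images of each other")
    if a["transform"] != b["transform"]:
        issues.append("transform sets differ")
    if a["isakmp"] != b["isakmp"]:
        issues.append("ISAKMP policy attributes differ")
    if a["tunnel_group"] != a["peer"] or b["tunnel_group"] != b["peer"]:
        issues.append("tunnel-group name does not match the crypto map peer")
    return issues
```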

Function test

F1) Turn on debugging

On the CA, to see enrollment requests and key exchanges:

CA-Router3#debug crypto pki server
CA-Router3#debug crypto pki validation
CA-Router3#debug crypto pki messages 

The pictures show the result of these commands.

NS2-5.3.2_ASA_DIA1-1

NS2-5.3.2_ASA_DIA1-2

On the ASA, to see the tunnel status and the CA client status:

ASA1#debug crypto ca transactions                                 ;enrollment and certificate validation messages
ASA1#debug crypto ipsec
ASA1#debug crypto isakmp
ASA1#debug crypto ?											;show other debug possibilities

F2) Initialize the tunnel

A ping from LAN 1 to LAN 2 should initialize the VPN tunnel, and the hosts on LAN 2 should then be accessible.

Use ping 10.0.0.100 from PC1. Look at the DST and SRC addresses in the debug output; they depend on the side from which the tunnel was initialized.

F3) Check statuses

CA

CA-Router3#sh crypto pki trustpoints status                       ;show trustpoint state and certificate fingerprints
CA-Router3#sh crypto pki certificates NAME verbose                ;show the CA certificate (the CA server's own trustpoint is named after it, CASERVER)
CA-Router3#dir nvram:                                             ;show the exported key pair files in NVRAM

The picture shows the exported key pair.

NS2-5.3.2_ASA_DIA2-1

ASA

ASA1#sh crypto ca certificates										;display CA certificate on ASA

The picture shows the CA certificate.

NS2-5.3.2_ASA_DIA2-2

Check the IKE/IPsec ASA configuration:

ASA1#sh crypto isakmp policy                                      ;display the phase 1 part of the tunnel configuration
ASA1#sh crypto ipsec sa                                           ;display send/receive packet statistics

And show the IPsec and ISAKMP statuses:

ASA1#sh crypto isakmp sa
ASA1#sh crypto ipsec sa

The picture shows the first phase (IKE).

NS2-5.3.2_ASA_DIA4-1

The picture shows the second phase (IPsec).

NS2-5.3.2_ASA_DIA4-2

F5) Delete the tunnel

ASA1#clear crypto isakmp sa                                       ;tear down the phase 1 (IKE) security associations
ASA1#clear crypto ipsec sa                                        ;tear down the phase 2 (IPsec) security associations, i.e. the existing tunnels

The picture shows the deleted tunnel.

NS2-5.3.2_ASA_DIA5-1

F6) Reinitialize the tunnel from the other side

Use ping 192.168.0.100 from PC2. Look at the DST and SRC addresses in the debug output; they depend on the side from which the tunnel was initialized.

Optional tasks

Access lists and certificates:

Delete the client certificates and RSA keys and request new ones:

ASA1(config)# crypto key zeroize rsa                              ;delete the RSA key pair (the certificates that depend on it become unusable)
ASA1(config)# crypto key generate rsa
ASA1(config)# no crypto ca trustpoint CASERVER                    ;remove the trustpoint configuration

Then follow point 4 to reconfigure the trustpoint, authenticate the CA again and obtain new certificates.

Two or more tunnels to different locations and peers:

This will be accomplished by adding:

  • A new policy section with the definition of the needed settings.
  • A new access list to define which traffic has to be encrypted.
  • A new or existing transform set added to a new crypto map entry for the new peer.