Cisco Labs – Network Security (14) – ASA as transparent firewall

Introduction

During my university studies I was working on a diploma thesis in the field of redundant and reliable networking. Its purpose was to create lab examples for students, so they can test basic settings for VPN, IPS and others. These tasks were created for Virtlab (a virtual lab with physical Cisco routers); however, the configuration is valid and tested on physical Cisco routers as well.

Each task in the series will have its own post with a brief description of the task and its schema. The complete task can be downloaded from My Onedrive.

NS2 – Modul2 8.3.3 ASA task definition

ASA as transparent firewall

Goal

  • Configure the ASA as a transparent firewall.
  • Generate test traffic through HTTP, FTP and ICMP.
  • Apply an access list and recheck the configuration.
  • Do not forget to clear the configuration before you start.

Required time

2 hours

Theoretical background

A short theoretical background for solving this task will be provided here.

Topology

NS2-8.3.3_ASA_topology1_VIRTLAB

Configuration

PC1

ifconfig int3 10.0.0.100 netmask 255.255.255.0        ;set IP address (10.0.0.100 is the address pinged from SERVER in the function test)
route add default gw 10.0.0.1 dev int3                ;set default gateway

SERVER

R19@ostrava(config)#hostname SERVER
SERVER(config)#interface INT4
SERVER(config-if)#ip address 10.0.0.254 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config)#aaa new-model                                  ;define authentication policy
SERVER(config)#aaa authentication login telnet local          ;method list "telnet" authenticates against the local database
SERVER(config)#username cisco password cisco                  ;authenticate with this username and password
SERVER(config)#enable password cisco                          ;set enable password for privileged mode
SERVER(config)#ip http server                                 ;enable HTTP server
SERVER(config)#ftp-server enable                              ;enable FTP server
SERVER(config)#ftp-server topdir FLASH:/                      ;set top directory for FTP server
SERVER(config)#line vty 0 4                                   ;enable telnet connections
SERVER(config-line)#login authentication telnet               ;apply the "telnet" method list, otherwise the list defined above is never used

ASA

1) Firewall settings

ciscoasa(config)# hostname ASA1
ASA1(config)# firewall transparent                            ;set up the firewall in transparent (layer 2) mode
ASA1(config)# interface INT1
ASA1(config-if)# nameif outside                               ;security level 0 is assigned automatically
ASA1(config-if)# no shutdown
ASA1(config)# interface INT2
ASA1(config-if)# nameif inside                                ;security level 100 is assigned automatically
ASA1(config-if)# no shutdown
ASA1(config)# ip address 10.0.0.253 255.255.255.0             ;management IP address of the firewall (transparent mode uses one address for the whole device)
ASA1(config)# debug icmp trace                                ;turn on debugging for ICMP traffic through the firewall

Check connectivity as described in the Function test before applying the access lists.

2) Apply access lists

ASA1(config)# access-list FWRULEIN permit icmp any any            ;allow ping
ASA1(config)# access-list FWRULEIN permit tcp any any eq www      ;allow HTTP
ASA1(config)# access-list FWRULEIN permit tcp any any eq ftp      ;allow FTP control channel (TCP 21)
ASA1(config)# access-list FWRULEIN permit tcp any any eq ftp-data ;allow FTP data channel (TCP 20); FTP does not use UDP

ASA1(config)# access-group FWRULEIN in interface outside          ;apply inbound on outside; everything not listed hits the implicit deny
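As an added example (not part of the original lab), the following Python script parses ASA extended ACL lines in the form used above and evaluates the function-test flows against FWRULEIN with the ASA's first-match semantics and implicit deny at the end. It models only the first packet arriving inbound on outside (no stateful return traffic, no FTP inspection); it assumes PC1 is 10.0.0.100 and the server 10.0.0.254, as in the function test, and its address parser also accepts the `host A` and `NET MASK` forms used by the VPN labs' ACLs on this page.

```python
"""Evaluate ASA-style extended ACL entries against sample flows.

Added example, not part of the original lab. Models only the first packet
inbound on 'outside' (no stateful return traffic, no FTP inspection).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port names accepted after 'eq' (subset of the names the ASA understands).
PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "ftp-data": 20, "telnet": 23}

# Constructed copy of the FWRULEIN list applied to 'outside' above, with the
# FTP entries on TCP (FTP control and data channels are TCP, not UDP).
FWRULEIN = """
ASA1(config)# access-list FWRULEIN permit icmp any any        ;allow ping
ASA1(config)# access-list FWRULEIN permit tcp any any eq www  ;HTTP
ASA1(config)# access-list FWRULEIN permit tcp any any eq ftp  ;FTP control
ASA1(config)# access-list FWRULEIN permit tcp any any eq ftp-data
"""

# Constructed copy of the NET MASK style entry used by the VPN labs on this page.
CRYPTED = "access-list CRYPTED permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0"


@dataclass
class Ace:
    """One access control entry."""
    action: str                       # 'permit' or 'deny'
    proto: str                        # 'ip', 'icmp', 'tcp' or 'udp'
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None       # destination port from 'eq'; None = any port


def _parse_addr(tokens, i):
    """Consume an address spec (any | host A | NET MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA extended ACLs use a real subnet mask, not an IOS wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Return {acl_name: [Ace, ...]} from 'access-list NAME permit|deny ...' lines.

    CLI prompts ('ASA1(config)# ') and ';' comments are stripped first.
    """
    acls = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[-1].strip()
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            port = tokens[i + 1]
            # An unknown port name raises KeyError rather than silently matching any port.
            dport = int(port) if port.isdigit() else PORT_NAMES[port]
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
    return acls


def evaluate(aces, proto, src, dst, dport=None):
    """First matching entry wins; an ASA ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def function_test():
    """Verdicts for the F2 flows from PC1 (outside) to the server (inside)."""
    aces = parse_acl(FWRULEIN)["FWRULEIN"]
    pc1, server = "10.0.0.100", "10.0.0.254"
    return {
        "ping":   evaluate(aces, "icmp", pc1, server),
        "http":   evaluate(aces, "tcp", pc1, server, 80),
        "ftp":    evaluate(aces, "tcp", pc1, server, 21),
        "telnet": evaluate(aces, "tcp", pc1, server, 23),   # not listed: implicit deny
        "dns":    evaluate(aces, "udp", pc1, server, 53),   # no UDP entry at all
    }


if __name__ == "__main__":
    for flow, verdict in function_test().items():
        print(f"{flow:7s} -> {verdict}")
```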

Function test

The pictures are taken from the text web browser lynx. You can get similar results from a graphical web browser on Linux and Windows.

F1) Before access lists

outside -> inside

ASA1(config)# debug icmp trace            ;turn on debugging for ICMP
PC1#ping 10.0.0.253                       ;ping the firewall management address
PC1#ping 10.0.0.254                       ;ping the server
PC1#lynx http://10.0.0.254                ;initiate an HTTP connection to the server; this traffic is permitted by default
PC1#lynx ftp://10.0.0.254                 ;initiate an FTP connection to the server

The pictures show the results of these commands.

NS2-8.3.3_ASA_DIA1-1

NS2-8.3.3_ASA_DIA1-2

inside -> outside

SERVER#ping 10.0.0.100										;ping PC1 from server

The picture shows the result of this command.

NS2-8.3.3_ASA_DIA1-3

F2) After access lists application

outside -> inside

PC1#ping 10.0.0.253                       ;ping the firewall management address
PC1#ping 10.0.0.254                       ;ping the server
PC1#lynx http://10.0.0.254                ;initiate an HTTP connection to the server
PC1#lynx ftp://10.0.0.254                 ;initiate an FTP connection to the server

The pictures show the results of these commands.

NS2-8.3.3_ASA_DIA2-1

NS2-8.3.3_ASA_DIA2-2

inside -> outside

SERVER#ping 10.0.0.100										;ping PC1 from server

The picture shows the result of this command.

NS2-8.3.3_ASA_DIA2-3

Optional tasks

  • Try to configure different access lists, denying and permitting different types of traffic.

Cisco Labs – Network Security (13) – Easy VPN server on ASA, SW client – physical lab

Introduction


NS2 – Modul2 6.7.1 ASA task definition

Easy VPN server on ASA, SW client

Goal

  • Configure a WebVPN server on the ASA.
  • Initialize the tunnel.
  • Generate a test connection through HTTP.
  • Use the AnyConnect client in the advanced task.
  • Do not forget to clear the configuration before you start.

Required time

2 hours

Theoretical background

A short theoretical background for solving this task will be provided here.

Topology

NS2-6.7.1_ASA_topology1_PHYSICAL

Configuration

PC1

ifconfig INT4 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT4

SERVER

R19@ostrava(config)#hostname SERVER
SERVER(config)#interface INT3
SERVER(config-if)#ip address 10.0.0.254 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config)#aaa new-model                                  ;define authentication policy
SERVER(config)#aaa authentication login telnet local          ;method list "telnet" authenticates against the local database
SERVER(config)#username cisco password cisco                  ;authenticate with this username and password
SERVER(config)#enable password cisco                          ;set enable password for privileged mode
SERVER(config)#ip http server                                 ;enable HTTP server
SERVER(config)#ftp-server enable                              ;enable FTP server
SERVER(config)#ftp-server topdir FLASH:/                      ;set top directory for FTP server
SERVER(config)#line vty 0 4                                   ;enable telnet connections
SERVER(config-line)#login authentication telnet               ;apply the "telnet" method list, otherwise the list defined above is never used

ASA

1) Interface settings, Access lists

ciscoasa(config)# hostname ASA-GATE
ASA-GATE(config)# domain-name test
ASA-GATE(config)# interface INT1
ASA-GATE(config-if)# ip address 192.168.0.1 255.255.255.0
ASA-GATE(config-if)# nameif outside
ASA-GATE(config-if)# no shutdown

ASA-GATE(config)# interface INT2
ASA-GATE(config-if)# ip address 10.0.0.1 255.255.255.0
ASA-GATE(config-if)# nameif inside
ASA-GATE(config-if)# no shutdown

2) WebVPN configuration

ASA-GATE(config)# ip local pool VPNADDRESSPOOL 10.0.0.10-10.0.0.20            ;set IP pool for WebVPN clients
ASA-GATE(config)# route inside 0.0.0.0 0.0.0.0 10.0.0.100 1                   ;set default route
ASA-GATE(config)# webvpn                                                      ;configure the WebVPN service
ASA-GATE(config-webvpn)# port-forward PORTFORWARD 2023 10.0.0.100 telnet      ;configure port forwarding for the thin Java client
ASA-GATE(config-webvpn)# port-forward PORTFORWARD 2024 10.0.0.100 ftp
ASA-GATE(config-webvpn)# enable outside                                       ;select the interface on which WebVPN will be available

ASA-GATE(config)# group-policy MYPOLICY internal                              ;configure WebVPN policy
ASA-GATE(config)# group-policy MYPOLICY attributes
ASA-GATE(config-group-policy)# webvpn
ASA-GATE(config-group-webvpn)# port-forward auto-start PORTFORWARD            ;start port forwarding automatically
ASA-GATE(config-group-webvpn)# default-domain value test.vsb

ASA-GATE(config)# username VPNUSER password cisco                             ;configure the WebVPN user
ASA-GATE(config)# username VPNUSER attributes
ASA-GATE(config-username)# vpn-group-policy MYPOLICY                          ;bind the policy to the user as well, so it applies even if the login lands in the default tunnel group
ASA-GATE(config)# tunnel-group WEBVPNGROUP type remote-access
ASA-GATE(config)# tunnel-group WEBVPNGROUP general-attributes
ASA-GATE(config-tunnel-general)# address-pool VPNADDRESSPOOL
ASA-GATE(config-tunnel-general)# default-group-policy MYPOLICY

Function test

F1) Turn on debugging

ASA-GATE(config)# debug crypto isakmp
ASA-GATE(config)# debug crypto engine
ASA-GATE(config)# debug crypto ipsec
ASA-GATE(config)# logging console debugging

F2) Generate test connection

Open a web browser and type https://192.168.0.1 into its address bar.

Enter the username and password on the logon screen.

See the picture.

NS2-6.7.1_ASA_DIA1-1

Enter a web address into the HTTPS session and you will see its default web page; my example shows a Linux Debian web page.

NS2-6.7.1_ASA_DIA1-2

Check that the number of SSL-encrypted packets is increasing by issuing this command:

ASA-GATE#sh crypto protocol statistics ssl

NS2-6.7.1_ASA_DIA1-3

And finally, check the VPN sessions.

ASA-GATE(config)# sh vpn-sessiondb webvpn

F5) Delete tunnel and reinitialize new one

The tunnel can be closed by pressing the logout link in your web browser.

Optional tasks

  • Configure the AnyConnect client part of the configuration.

Cisco Labs – Network Security (12) – Easy VPN server on ASA, SW client

Introduction


NS2 – Modul2 6.5.9b ASA task definition

Easy VPN server on ASA, SW client

Goal

  • Configure an Easy VPN server on the ASA.
  • Initialize the tunnel.
  • Generate a test connection through HTTP, FTP and ICMP.
  • Use the text VPN client, or the Cisco VPN client if you have a GUI available on your system.
  • Do not forget to clear the configuration before you start.

Required time

2 hours

Theoretical background

A short theoretical background for solving this task will be provided here.

Topology

NS2-6.5.9b_ASA_topology1_VIRTLAB

Configuration

PC1

ifconfig INT4 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT4          ;the route must use the same interface that carries the address

SERVER

R19@ostrava(config)#hostname SERVER
SERVER(config)#interface INT3
SERVER(config-if)#ip address 10.0.0.254 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config)#aaa new-model                                  ;define authentication policy
SERVER(config)#aaa authentication login telnet local          ;method list "telnet" authenticates against the local database
SERVER(config)#username cisco password cisco                  ;authenticate with this username and password
SERVER(config)#enable password cisco                          ;set enable password for privileged mode
SERVER(config)#ip http server                                 ;enable HTTP server
SERVER(config)#ftp-server enable                              ;enable FTP server
SERVER(config)#ftp-server topdir FLASH:/                      ;set top directory for FTP server
SERVER(config)#line vty 0 4                                   ;enable telnet connections
SERVER(config-line)#login authentication telnet               ;apply the "telnet" method list, otherwise the list defined above is never used

ASA

1) Interface settings, Access lists

ciscoasa(config)# hostname ASA-GATE
ASA-GATE(config)# domain-name test
ASA-GATE(config)# interface INT1
ASA-GATE(config-if)# switchport mode access
ASA-GATE(config-if)# switchport access vlan 10
ASA-GATE(config-if)# no shutdown
ASA-GATE(config-if)# interface vlan 10
ASA-GATE(config-if)# ip address 192.168.0.1 255.255.255.0
ASA-GATE(config-if)# nameif outside
ASA-GATE(config-if)# no shutdown

ASA-GATE(config)# interface INT2
ASA-GATE(config-if)# switchport mode access
ASA-GATE(config-if)# switchport access vlan 20
ASA-GATE(config-if)# no shutdown
ASA-GATE(config-if)# interface vlan 20
ASA-GATE(config-if)# ip address 10.0.0.1 255.255.255.0
ASA-GATE(config-if)# nameif inside
ASA-GATE(config-if)# no shutdown

ASA-GATE(config)# access-list OUTSIDEIN permit ip any host 192.168.0.1                                ;allow traffic to the outside interface itself (the VPN endpoint)
ASA-GATE(config)# access-list CRYPTED permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0         ;define which traffic will not be translated
ASA-GATE(config)# nat (inside) 0 access-list CRYPTED                                                  ;do not translate traffic matched by access list CRYPTED (it goes through the tunnel)
ASA-GATE(config)# nat (inside) 1 0 0                                                                  ;everything else from inside is translated
ASA-GATE(config)# global (outside) 1 interface                                                        ;to the outside interface address (PAT)
ASA-GATE(config)# access-group OUTSIDEIN in interface outside

ASA-GATE(config)# username VPNUSERNAME password cisco                                                 ;username and password defined for the VPN connection

2) IPsec and ISAKMP configuration

ASA-GATE(config)# ip local pool VPNADDRESSPOOL 10.0.0.10-10.0.0.20                    ;IP pool for hosts connected through the RAS VPN

ASA-GATE(config)# isakmp enable outside                                               ;permit ISAKMP on the outside interface; without it phase 1 never starts
ASA-GATE(config)# isakmp policy 10                                                    ;IKE phase 1 policy (same parameters as the EzVPN lab)
ASA-GATE(config-isakmp-policy)# authentication pre-share
ASA-GATE(config-isakmp-policy)# encryption 3des
ASA-GATE(config-isakmp-policy)# hash sha
ASA-GATE(config-isakmp-policy)# group 2

ASA-GATE(config)# tunnel-group VPNGROUP type IPSec_RA                                 ;create a tunnel group for the RAS connection
ASA-GATE(config)# tunnel-group VPNGROUP general-attributes                            ;and define its attributes
ASA-GATE(config-tunnel-general)# address-pool VPNADDRESSPOOL                          ;attach the IP pool
ASA-GATE(config-tunnel-general)# tunnel-group VPNGROUP ipsec-attributes               ;and define the IPsec attributes
ASA-GATE(config-tunnel-ipsec)# pre-shared-key cisco

ASA-GATE(config)# crypto ipsec transform-set REMOTEVPNTRSET esp-3des esp-sha-hmac     ;define IKE phase 2 parameters
ASA-GATE(config)# crypto dynamic-map DYNAMICMAP 10 set transform-set REMOTEVPNTRSET
ASA-GATE(config)# crypto map CLIENTMAP 20 ipsec-isakmp dynamic DYNAMICMAP

3) Applying the crypto map to the interface

ASA-GATE(config)# crypto map CLIENTMAP interface outside

Function test

F1) Turn on debugging

ASA-GATE(config)# debug crypto isakmp
ASA-GATE(config)# debug crypto engine
ASA-GATE(config)# debug crypto ipsec
ASA-GATE(config)# logging console debugging

F2) Generate test connection

F2a) on Unix based PC

Open a terminal and then generate ICMP traffic using ping.

PC1#ping 10.0.0.100

The picture shows the result of this command.

NS2-6.5.9b_ASA_DIA2-1

F2b) on Windows based PC

Go to Start -> Run -> type cmd.exe, then generate ICMP traffic using ping.

PC1#ping 10.0.0.100

The picture shows the result of this command.

NS2-6.5.9b_ASA_DIA2-2

F3) Initialize tunnel

F3a) on Unix – text vpn client

PC1#vpnc                                  ;run the text VPN client
- insert the gateway, i.e. the IP address of the VPN concentrator -> 192.168.0.1
- insert the VPN group to which you want to connect -> VPNGROUP
- insert its pre-shared key -> cisco
- insert the username and password according to your defined group policy -> VPNUSERNAME/cisco

The picture shows the result on the PC.

NS2-6.5.9b_ASA_DIA3-1

The picture shows the result of the ifconfig tun0 command.

NS2-6.5.9b_ASA_DIA3-2

F3b) on Windows – GUI Cisco VPN client

PC1#run the Cisco VPN client from its shortcut
- connection entries -> new -> fill in:
- name -> TEST
- description -> where the tunnel is created
- host, i.e. the IP address of the VPN concentrator -> 192.168.0.1
- insert the VPN group to which you want to connect -> VPNGROUP
- insert its pre-shared key -> cisco (password and confirm password)
- go to the main screen, select the connection entry and insert the username and password VPNUSERNAME/cisco when prompted.

The picture shows the configuration window and the main window of the Windows client.

NS2-6.5.9b_ASA_DIA3-4

The picture shows the result of the tunnel initialisation on the ASA.

NS2-6.5.9b_ASA_DIA3-3

ASA-GATE(config)#show vpn-sessiondb remote

The picture shows the tunnel sessions on the ASA.

NS2-6.5.9b_ASA_DIA3-5

F4) Generate test connection

F4a) on Unix – text web browser

PC1#lynx ftp://10.0.0.100                 ;connect to the server via FTP
PC1#lynx http://10.0.0.100                ;connect to the server via HTTP - works only with Java enabled
PC1#ping 10.0.0.100                       ;ICMP test

The picture shows the result on the PC.

NS2-6.5.9b_ASA_DIA4-1

F4b) on Windows – graphic web browser

Open a web browser and enter the following text into the address bar:

http://10.0.0.100									;establish http connection to the server
ftp://10.0.0.100									;establish ftp connection to the server

The picture shows the result on the PC.

NS2-6.5.9b_ASA_DIA4-2

Open a command line and run ftp, then follow the result picture for the command line reference.

ftp                                       ;command line tool to start an FTP connection

The picture shows the result on the PC (ftp).

NS2-6.5.9b_ASA_DIA4-3

F5) Delete tunnel and reinitialize new one

ASA-GATE(config)#clear crypto isakmp sa
ASA-GATE(config)#clear crypto ipsec sa

The picture shows the result on the ASA.

NS2-6.5.9b_ASA_DIA5-1

F5a) on Unix based PC – text

PC1#pkill vpnc										;kill vpnc process

F5b) on Windows based PC

Open the VPN client and press the disconnect button.

Optional tasks

  • Try to configure different policies and VPN groups, for example:

ASA-GATE(config)# ip local pool VPNADDRESSPOOL2 10.0.0.21-10.0.0.30                   ;IP pool for hosts connected through RAS VPN group 2

ASA-GATE(config)# tunnel-group VPNGROUP2 type IPSec_RA                                ;another tunnel group for the optional task
ASA-GATE(config)# tunnel-group VPNGROUP2 general-attributes
ASA-GATE(config-tunnel-general)# address-pool VPNADDRESSPOOL2
ASA-GATE(config-tunnel-general)# tunnel-group VPNGROUP2 ipsec-attributes
ASA-GATE(config-tunnel-ipsec)# pre-shared-key cisco2

ASA-GATE(config)# group-policy TUNNELPOLICYADDED internal                             ;create an internal policy
ASA-GATE(config)# group-policy TUNNELPOLICYADDED attributes                           ;and define its attributes
ASA-GATE(config-group-policy)# wins-server value 10.0.0.200                           ;WINS server IP address
ASA-GATE(config-group-policy)# dns-server value 10.0.0.201                            ;DNS server IP address
ASA-GATE(config-group-policy)# default-domain value testdomain.vsb                    ;domain name

ASA-GATE(config)# tunnel-group VPNGROUP2 general-attributes                           ;connect the policy with the tunnel group
ASA-GATE(config-tunnel-general)# default-group-policy TUNNELPOLICYADDED               ;the policy name is specified here

To test this task, connect to VPNGROUP2 and use ipconfig -all on Windows. It will also show the DNS server and WINS server records for the tunnel interface.

NS2-6.5.9b_ASA_DIA6-3

On Linux, look at the file /etc/resolv.conf. It will show the DNS server record.

NS2-6.5.9b_ASA_DIA6-1

NS2-6.5.9b_ASA_DIA6-2

Cisco Labs – Network Security (11) – RAS VPN using HW client (network and client modes)+ pre-shared keys on ASA

Introduction


NS2 – Modul6 6.4.2 ASA task definition

RAS VPN using HW client (network and client modes)+ pre-shared keys on ASA

Goal

  • A remote access VPN tunnel will be established on an ASA 5505 using a pre-shared key.
  • Router3 will only pass traffic between the site routers. It simulates the Internet.
  • Only traffic between LAN 1 and LAN 2 will be encrypted.
  • Use the OSPF routing protocol and static routes.
  • a/ the client will be set to client mode (NAT).
  • b/ the client will be set to network-extension mode.
  • Do not forget that this task works only on an ASA 5505; the ASA 5510 and higher cannot work as EzVPN clients.

Required time

2 hours

Theoretical background

A short theoretical background for solving this task will be provided here.

Topology

NS2-6.4.2_ASA_topology1_VIRTLAB

Configuration

PC2

ifconfig INT8 10.0.0.100 netmask 255.255.255.0
route add default gw 10.0.0.1 dev INT8

EzServer – EzVPN server

This configuration is the same for both client modes.

1) interface settings + routes

EzServer(config)# interface INT4
EzServer(config-if)# switchport mode access
EzServer(config-if)# switchport access vlan 10
EzServer(config-if)# no shutdown
EzServer(config-if)# interface vlan 10
EzServer(config-if)# ip address 10.0.0.1 255.255.255.0
EzServer(config-if)# nameif inside
EzServer(config-if)# no shutdown

EzServer(config)# interface INT3
EzServer(config-if)# switchport mode access
EzServer(config-if)# switchport access vlan 20
EzServer(config-if)# no shutdown
EzServer(config-if)# interface vlan 20
EzServer(config-if)# ip address 172.16.0.1 255.255.255.0
EzServer(config-if)# nameif outside
EzServer(config-if)# no shutdown

EzServer(config)# route outside 172.16.1.0 255.255.255.0 172.16.0.2                          ;static route to the client's outside network
EzServer(config)# access-list OUTSIDEIN permit ip any host 172.16.0.1                        ;allow traffic to the outside interface itself (the VPN endpoint)
EzServer(config)# access-list CRYPTED permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
EzServer(config)# nat (inside) 0 access-list CRYPTED                                         ;exempt this traffic from NAT; it is encrypted and sent through the tunnel instead
EzServer(config)# nat (inside) 1 0 0
EzServer(config)# global (outside) 1 interface

2)EzVPN server configuration

EzServer(config)# username EZVPNUSER password cisco                ;set username for the EzVPN connection
EzServer(config)# isakmp enable outside                            ;permit ISAKMP communication on the outside interface
EzServer(config)# isakmp identity address                          ;identify this peer by its IP address
EzServer(config)# isakmp policy 10                                 ;ISAKMP (IKE phase 1) policy
EzServer(config-isakmp-policy)# authentication pre-share           ;authenticate with a pre-shared key
EzServer(config-isakmp-policy)# encryption 3des
EzServer(config-isakmp-policy)# hash sha
EzServer(config-isakmp-policy)# group 2
EzServer(config-isakmp-policy)# lifetime 1000

EzServer(config)# group-policy TUNNELPOLICYADDED internal
EzServer(config)# group-policy TUNNELPOLICYADDED attributes
EzServer(config-group-policy)# nem enable							;enable network extension mode
EzServer(config-group-policy)# password-storage enable						;enable password storage for NEM

EzServer(config)# ip local pool VPNADDRESSPOOL 10.0.0.10-10.0.0.20				;set address pool for VPN clients
EzServer(config)# tunnel-group EZVPNGROUP type IPSec_RA						;define tunnel group type
EzServer(config)# tunnel-group EZVPNGROUP general-attributes					;define tunnel group attributes
EzServer(config-tunnel-general)# address-pool VPNADDRESSPOOL
EzServer(config-tunnel-general)# default-group-policy TUNNELPOLICYADDED
EzServer(config-tunnel-general)# tunnel-group EZVPNGROUP ipsec-attributes
EzServer(config-tunnel-ipsec)# pre-shared-key EZVPNKLIC

EzServer(config)# crypto ipsec transform-set REMOTEVPNTRSET esp-3des esp-sha-hmac
EzServer(config)# crypto dynamic-map DYNAMICMAP 10 set transform-set REMOTEVPNTRSET
EzServer(config)# crypto map CLIENTMAP 20 ipsec-isakmp dynamic DYNAMICMAP
EzServer(config)# crypto map CLIENTMAP interface outside					;apply configuration on interface

Router3 – internet

This configuration is the same for both client modes.

Router3(config)#interface INT5
Router3(config-if)#ip address 172.16.1.2 255.255.255.0
Router3(config-if)#no shutdown

Router3(config)#interface INT6
Router3(config-if)#ip address 172.16.0.2 255.255.255.0
Router3(config-if)#no shutdown

Router3(config)#router ospf 1
Router3(config-router)#network 172.16.1.0 0.0.0.255 area 0
Router3(config-router)#network 172.16.0.0 0.0.0.255 area 0

a/ Client mode configuration

PC1

ifconfig INT7 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT7

EzClient – EzVPN Client

1) interface settings, static routes

ciscoasa(config)# hostname EzClient
EzClient(config)# domain-name test
EzClient(config)# interface INT1
EzClient(config-if)# switchport mode access
EzClient(config-if)# switchport access vlan 10
EzClient(config-if)# no shutdown
EzClient(config-if)# interface vlan 10
EzClient(config-if)# ip address 192.168.0.1 255.255.255.0
EzClient(config-if)# nameif inside
EzClient(config-if)# no shutdown

EzClient(config)# interface INT2
EzClient(config-if)# switchport mode access
EzClient(config-if)# switchport access vlan 20
EzClient(config-if)# no shutdown
EzClient(config-if)# interface vlan 20
EzClient(config-if)# ip address 172.16.1.1 255.255.255.0
EzClient(config-if)# nameif outside
EzClient(config-if)# no shutdown

EzClient(config)# nat (inside) 1 0 0                                   ;define NAT translations
EzClient(config)# global (outside) 1 interface
EzClient(config)# route outside 10.0.0.0 255.255.255.0 172.16.1.2      ;static routes towards the server site via Router3
EzClient(config)# route outside 172.16.0.0 255.255.255.0 172.16.1.2
EzClient(config)# access-list outsidein permit icmp any host 172.16.1.1
EzClient(config)# access-list outsidein permit ip any host 172.16.1.1
EzClient(config)# access-group outsidein in interface outside          ;apply the access list to the interface

2) client settings

EzClient(config)# sysopt connection permit-vpn                                  ;let decrypted VPN traffic bypass interface access lists
EzClient(config)# vpnclient server 172.16.0.1                                   ;set the EzVPN server address
EzClient(config)# vpnclient mode client                                         ;client mode: inside hosts are NATted to the pool address
EzClient(config)# vpnclient vpngroup EZVPNGROUP password EZVPNKLIC              ;set the EzVPN group and key
EzClient(config)# vpnclient username EZVPNUSER password cisco                   ;set the EzVPN user and password
EzClient(config)# vpnclient enable                                              ;turn on the EzVPN client

Now run the function test, then continue with part b/.

b/ Network extension mode configuration

PC1

ifconfig INT7 10.0.1.100 netmask 255.255.255.0
route add default gw 10.0.1.1 dev INT7

Router2 – EzVPN Client

This configuration does not work. Its experimental text can be found in the preconfigured file.

Function test

It is the same for both parts.

Use debug crypto ipsec and debug crypto isakmp to troubleshoot problems with the VPN tunnel configuration.

F1) Turn on debugging

EzServer#debug crypto ipsec               ;phase 2 debugging
EzServer#debug crypto isakmp              ;phase 1 debugging
EzServer#logging console debugging        ;send debug messages to the console

F2) Check the IKE/IPsec server and client configuration

EzServer#sh crypto isakmp policy          ;show ISAKMP policy configuration
EzServer#sh crypto dynamic-map            ;show dynamic map configuration
EzServer#sh crypto map                    ;show crypto map configuration
EzClient#sh run

F3) Initialize the tunnel

PC1>ping 10.0.0.100                       ;initialize the tunnel by pinging the remote host

NS2-6.4.2_ASA_DIA3-1

F4) Test the initialized tunnel

Check whether the client has an address leased from the pool and whether IPsec is active.

EzServer#sh ip local pool VPNADDRESSPOOL

NS2-6.4.2_ASA_DIA4-1

EzClient#sh nat

NS2-6.4.2_ASA_DIA4-2

EzClient#sh crypto isakmp sa

NS2-6.4.2_ASA_DIA4-3

Show the IPsec security associations and their statistics.

EzServer#sh crypto ipsec sa

NS2-6.4.2_ASA_DIA4-4

F5) Delete the tunnel, then repeat step F3) to initialize the tunnel again

First delete the tunnel on the client:

EzClient(config)#interface vlan 20
EzClient(config-if)#shutdown              ;shut down the outside interface
EzClient#clear crypto ipsec sa
EzClient#clear crypto isakmp sa
EzServer#clear crypto ipsec sa
EzServer#clear crypto isakmp sa
EzServer#clear crypto session
EzClient(config-if)#no shutdown           ;bring the outside interface back up before repeating step F3)

Optional tasks

  • Create an access list on Router3 which permits only the needed traffic.
  • Add one more router to the topology and create another tunnel to it.

Cisco Labs – Network Security (10) – RAS VPN using HW client (network and client modes)+ pre-shared keys on Router

NS2 – Modul6 6.4.1 IOS task definition

RAS VPN using HW client (network and client modes)+ pre-shared keys on Router

Goal

  • A remote access VPN tunnel will be established on an IOS router using a pre-shared key.
  • Router3 will only pass traffic between the site routers. It simulates the Internet.
  • Only traffic between LAN 1 and LAN 2 will be encrypted.
  • Use the OSPF routing protocol.
  • a/ the client will be set to client mode (NAT).
  • b/ the client will be set to network-extension mode.
  • Do not forget to have the configuration erased before starting, and check that the IOS supports the needed features.

Required time

2 hours

Theoretical background

A short theoretical background for solving this task will be provided here.

Topology

NS2-6.4.1_IOS_topology1_VIRTLAB

Configuration

PC2

ifconfig INT8 10.0.0.100 netmask 255.255.255.0
route add default gw 10.0.0.1 dev INT8

Router2 – EzVPN server

This configuration is the same for both client modes.

1) interface settings + OSPF

R19@ostrava(config)#hostname EZServer
EZServer(config)#interface INT4
EZServer(config-if)#ip address 10.0.0.1 255.255.255.0
EZServer(config-if)#no shutdown

EZServer(config)#interface INT3
EZServer(config-if)#duplex half								 ;setting for Virtlab compatibility
EZServer(config-if)#ip address 172.16.0.1 255.255.255.0         
EZServer(config-if)#no shutdown

EZServer(config)#router ospf 1
EZServer(config-router)#network 172.16.0.0 0.0.0.255 area 0
EZServer(config-router)#network 10.0.0.0 0.0.0.255 area 0

2) AAA settings

EZServer(config)#aaa new-model                                        ;define the AAA authentication model
EZServer(config)#aaa authentication login VPNLIST local               ;use the local database for authentication (Xauth)
EZServer(config)#aaa authorization network VPNLIST local              ;use the local database for authorisation (group attributes)
EZServer(config)#username EZVPNUSER password cisco                    ;define username and password

3) EzVPN server configuration

EZServer(config)#ip local pool EZVPNPOOL 10.0.0.10 10.0.0.20				;local pool for ezvpn client computers

EZServer(config)#crypto isakmp policy 10						;first phase policy definition
EZServer(config-isakmp)#encryption 3des
EZServer(config-isakmp)#authentication pre-share
EZServer(config-isakmp)#group 2

EZServer(config)#crypto isakmp keepalive 10 10						;tunnel keepalive setting

EZServer(config)#crypto isakmp client configuration group EZVPNGROUP     ;client configuration group - these settings will be pushed to the client
EZServer(config-isakmp-group)#key EZVPNKLIC                              ;this key must also be configured on the client appliance
EZServer(config-isakmp-group)#pool EZVPNPOOL                             ;attach the named pool
EZServer(config-isakmp-group)#save-password                              ;this option must be present for the client auto-connect mode

EZServer(config)#crypto ipsec transform-set EZVPNTRSET esp-3des esp-sha-hmac   ;define the transform set

EZServer(config)#crypto dynamic-map DYNAMIC 1                            ;define a dynamic crypto map
EZServer(config-crypto-map)#set transform-set EZVPNTRSET                 ;transform set used by this map
EZServer(config-crypto-map)#reverse-route remote-peer 172.16.1.1         ;inject a route for traffic from the peer

EZServer(config)#crypto map EZVPNMAP client authentication list VPNLIST  ;connect the crypto map with the AAA settings
EZServer(config)#crypto map EZVPNMAP isakmp authorization list VPNLIST
EZServer(config)#crypto map EZVPNMAP 3 ipsec-isakmp dynamic DYNAMIC      ;connect with the named dynamic crypto map
EZServer(config)#crypto map EZVPNMAP client configuration address respond ;hand out IP addresses to clients that request them

4) Applying point 3) to the interface

EZServer(config)#interface INT3
EZServer(config-if)#crypto map EZVPNMAP							;apply crypto map to an interface

Router3 – internet

This configuration is the same for both client modes.

Router3(config)#interface INT5
Router3(config-if)#ip address 172.16.1.2 255.255.255.0
Router3(config-if)#no shutdown

Router3(config)#interface INT6
Router3(config-if)#ip address 172.16.0.2 255.255.255.0
Router3(config-if)#no shutdown

Router3(config)#router ospf 1
Router3(config-router)#network 172.16.1.0 0.0.0.255 area 0
Router3(config-router)#network 172.16.0.0 0.0.0.255 area 0

a/ Client mode configuration

PC1

ifconfig INT7 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT7

Router2 – EzVPN Client

1) interface settings + OSPF

R18@ostrava(config)#hostname EZClient
EZClient(config)#interface INT1
EZClient(config-if)#ip address 192.168.0.1 255.255.255.0
EZClient(config-if)#no shutdown

EZClient(config)#interface INT2
EZClient(config-if)#ip address 172.16.1.1 255.255.255.0
EZClient(config-if)#duplex half								;setting for Virtlab compatibility
EZClient(config-if)#no shutdown

EZClient(config)#router ospf 1								;set routing protocol
EZClient(config-router)#network 172.16.1.0 0.0.0.255 area 0				;set routed network

2) client settings

EZClient(config)#crypto ipsec client ezvpn VPN                 ;configure a named EzVPN client profile
EZClient(config-crypto-ezvpn)#group EZVPNGROUP key EZVPNKLIC   ;server group and key definition
EZClient(config-crypto-ezvpn)#local-address INT2               ;source the tunnel from the address of the selected interface
EZClient(config-crypto-ezvpn)#mode client                      ;define client mode
EZClient(config-crypto-ezvpn)#peer 172.16.0.1                  ;set the remote peer
EZClient(config-crypto-ezvpn)#connect manual                   ;connection is started manually

3) applying to interface

EZClient(config)#interface INT1
EZClient(config-if)#crypto ipsec client ezvpn VPN inside       ;apply the EzVPN profile to the inside interface

EZClient(config)#interface INT2
EZClient(config-if)#crypto ipsec client ezvpn VPN outside      ;apply the EzVPN profile to the outside interface; a new virtual interface will be created, to which all inside traffic is NATted

Now run the function test and then continue either with part b/ or with point 4) of part a/.

4) configure client for auto connection mode

To let the client connect automatically, you MUST connect manually the first time and provide the xauth credentials as in function test point F3).

EZClient(config-router)#crypto ipsec client ezvpn VPN
EZClient(config-crypto-ezvpn)#connect auto						;client auto connection setting

b/ Network extension mode configuration

PC1

ifconfig INT7 10.0.1.100 netmask 255.255.255.0
route add default gw 10.0.1.1 dev INT7

Router2 – EzVPN Client

1) interface settings + OSPF

R18@ostrava(config)#hostname EZClient
EZClient(config)#interface INT1
EZClient(config-if)#ip address 10.0.1.1 255.255.255.0					;set network-extension mode - fully routable address with LAN2
EZClient(config-if)#no shutdown

EZClient(config)#interface INT2
EZClient(config-if)#ip address 172.16.1.1 255.255.255.0
EZClient(config-if)#duplex half								;setting for Virtlab compatibility
EZClient(config-if)#no shutdown		

EZClient(config)#router ospf 1
EZClient(config-router)#network 172.16.1.0 0.0.0.255 area 0

2) client settings

EZClient(config-router)#crypto ipsec client ezvpn VPN
EZClient(config-crypto-ezvpn)#group EZVPNGROUP key EZVPNKLIC
EZClient(config-crypto-ezvpn)#local-address INT2
EZClient(config-crypto-ezvpn)#mode network-extension					;set network-extension mode
EZClient(config-crypto-ezvpn)#peer 172.16.0.1
EZClient(config-crypto-ezvpn)#connect auto
EZClient(config-crypto-ezvpn)#username EZVPNUSER password cisco

3) applying to interface

EZClient(config)#interface INT1
EZClient(config-if)#crypto ipsec client ezvpn VPN inside 

EZClient(config)#interface INT2
EZClient(config-if)#crypto ipsec client ezvpn VPN outside

Function test

It is the same for both parts.

Use debug crypto ipsec and debug crypto isakmp to troubleshoot VPN tunnel configuration.

F1)Turn on debug

EZServer#debug crypto ipsec								 ;second phase debugging
EZServer#debug crypto isakmp								 ;first phase debugging
EZServer#debug crypto engine								 ;whole crypto engine debugging

F2)check IKE/IPSEC server and client configuration

EZServer#sh crypto isakmp policy							 ;show isakmp policy configuration
EZServer#sh crypto dynamic-map								 ;show dynamic map configuration
EZServer#sh crypto map									 ;crypto map configuration
EZClient#sh run

F3)initialize tunnel

EZClient#crypto ipsec client ezvpn connect						 ;connect tunnel (privileged EXEC)
EZClient#crypto ipsec client ezvpn xauth						 ;insert user credentials

NS2-6.4.1_IOS_DIA3-1

Server retransmits xauth requests.

NS2-6.4.1_IOS_DIA3-2

Before the xauth credentials are provided, you can check the tunnel status as shown in the picture.

NS2-6.4.1_IOS_DIA3-3

After the xauth request is answered, the interface is up and the line protocol is up.

NS2-6.4.1_IOS_DIA3-4

F4)Test initialized tunnel

Check that the client has an address leased from the pool and that IPsec is active.

EZServer#sh ip local pool

NS2-6.4.1_IOS_DIA4-1

EZClient#sh crypto ipsec client ezvpn

NS2-6.4.1_IOS_DIA4-2

Use the ping command to test traffic from LAN1 to LAN2 (PC1 to PC2).

If PC2 responds, the tunnel works. You can check functionality further using the sh crypto ? commands in router privileged mode.

PC1#ping 10.0.0.100

NS2-6.4.1_IOS_DIA5-1

NAT statistics for EzVPN client mode can be displayed with the following command:

EZClient# sh ip nat transactions

NS2-6.4.1_IOS_DIA5-2

F5)delete tunnel and then repeat steps F3) to initialize tunnel again

First delete tunnel on client

EZClient(config-if)#shutdown								 ;shutdown outside interface
EZClient#clear crypto session								 ;clear sessions
EZServer#clear crypto session
EZServer#clear crypto ipsec client ezvpn

Optional tasks

  • Create access list on Router3 which permits only needed traffic.
  • Make client in client mode connecting automatically point a/ – part 4.
  • Make client in network extension mode connecting manually point b/ – part 4.
  • Add one more router to topology and create another tunnel to this router.

Cisco Labs – Network Security (9) – Easy VPN server on Router, SW client

Introduction

During my university studies I was doing a diploma thesis in the field of Redundant and reliable networking. The purpose of it was to create LAB examples for students, so they can test basic settings for VPN, IPS and others. These tasks are created for Virtlab (Virtual lab with physical Cisco routers), however the configuration is valid and tested on physical Cisco routers as well.

Each task in the series will have its separate post with a brief description of the task and schema. The complete task can be downloaded from My Onedrive

NS2 – Modul2 6.2.12a IOS task definition

Easy VPN server on Router, SW client

Goal

  • Configure VPN client and VPN concentrator on IOS router.
  • Initialize tunnel.
  • Generate a test connection thru HTTP, FTP and ICMP.
  • Do not forget to clear configuration before start.

Required time

2 hours

Theoretical background

Here will be short theoretical background for solving this task.

Topology

NS2-6.2.12a_IOS_topology1_VIRTLAB

Configuration

PC1

ifconfig INT3 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT3

SERVER

R19@ostrava(config)#hostname SERVER
SERVER(config)#interface INT4
SERVER(config-if)#ip address 10.0.0.254 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config)#aaa new-model									;define authentication policy
SERVER(config)#aaa authentication login telnet local  						;authenticate locally
SERVER(config)#username cisco password cisco							;authenticate by this username and password                
SERVER(config)#enable password cisco								;set enable password for privileged mode
SERVER(config)#ip http server									;enable HTTP server
SERVER(config)#ftp-server enable								;enable FTP server
SERVER(config)#ftp-server topdir FLASH:/							;set top directory for FTP server
SERVER(config)#line vty 0 4									;enable telnet connections
SERVER(config-line)#login authentication telnet						;use the 'telnet' authentication list defined above

Router

1) Interface settings, Access lists, group policy

R18@ostrava(config)#hostname GATE
GATE(config)#interface INT1
GATE(config-if)#ip address 192.168.0.1 255.255.255.0
GATE(config-if)#no shutdown

GATE(config)#interface INT2
GATE(config-if)#ip address 10.0.0.1 255.255.255.0
GATE(config-if)#no shutdown

GATE(config)#access-list 101 permit ip any host 192.168.0.1					;permit traffic only to interface on which tunnel will communicate 

GATE(config)#aaa new-model									;enable local policy lookup
GATE(config)#aaa authentication login VPNAUTHEN local						;enable local user authentication
GATE(config)#aaa authorization network VPNAUTHOR local						;set aaa authorisation at login
GATE(config)#username USERNAME password cisco							;we will use this credentials to secure tunnel connection

2)IPSEC and ISAKMP configuration

GATE(config)#ip local pool VPNADDRESSPOOL 10.0.0.10 10.0.0.20					;connected client will get address from this pool
GATE(config)#crypto isakmp policy 10								;IKE first phase security parameters definition starts here
GATE(config-isakmp)#encryption 3des
GATE(config-isakmp)#hash sha
GATE(config-isakmp)#authentication pre-share
GATE(config-isakmp)#group 2

GATE(config)#crypto isakmp client configuration group VPNGROUP					;specify that we create policy for RAS
GATE(config-isakmp-group)#key VPNKLIC								;and pre-shared key for this policy
GATE(config-isakmp-group)#pool VPNADDRESSPOOL							;local pool
GATE(config-isakmp-group)#domain test								;and domain name specification  

GATE(config)#crypto ipsec transform-set REMOTEVPNTRSET esp-3des esp-md5-hmac			;specify transform set for RAS connection

GATE(config)#crypto dynamic-map DYNAMICMAP 10							;create dynamic crypto map    
GATE(config-crypto-map)#set transform-set REMOTEVPNTRSET                      
GATE(config-crypto-map)#reverse-route                                       		  	;enable reverse routing for RAS connection        

GATE(config)#crypto map CLIENTMAP client configuration address respond				;define behavior of client ip address resolving
GATE(config)#crypto map CLIENTMAP isakmp authorization list VPNAUTHOR				;group policy authorization def.
GATE(config)#crypto map CLIENTMAP client authentication list VPNAUTHEN				;group policy authentication def.
GATE(config)#crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNAMICMAP				;assign dynamic crypto map to static

3)Applying Crypto map and access list to interface

GATE(config)#interface INT1
GATE(config-if)#crypto map CLIENTMAP                                          			;apply static crypto map to interface  
GATE(config-if)#ip access-group 101 in                                        			;apply access list to interface

Function test

F1) Turn on debugging

GATE#debug crypto isakmp									;IKE first phase debug
GATE#debug crypto engine									;crypto engine debug
GATE#debug crypto ipsec										;IKE second phase debug
GATE#debug aaa authentication								;group policy debugs
GATE#debug aaa authorization

F2) Generate test connection

F2a) on Unix based PC

Run Terminal and then generate ICMP traffic using ping syntax.

PC1#ping 10.0.0.100

Picture shows result of this command.

NS2-6.2.12a_IOS_DIA2-1

F2b) on Windows based PC

Browse Start -> Run -> type cmd.exe and then generate ICMP traffic using the ping syntax.

PC1#ping 10.0.0.100

Picture shows result of this command.

NS2-6.2.12a_IOS_DIA2-2

F3) Initialize tunnel

F3a) on Unix – text vpn client

PC1#vpnc											;run text vpn 
- insert gateway - IP address of VPN concentrator -> 192.168.0.1
- insert VPN group to which you want to connect -> VPNGROUP
- insert its pre-shared key -> cisco
- insert username and password according to your defined group policy -> VPNUSERNAME/cisco

Picture shows result on PC.

NS2-6.2.12a_IOS_DIA3-1

Picture shows ifconfig tun0 command result.

NS2-6.2.12a_IOS_DIA3-4

F3b) on Windows – GUI Cisco VPN client

PC1#run cisco VPN client from shortcut
- connection entries -> new -> fill in:
- name -> TEST
- description -> where it creates tunnel
- host - IP address of VPN concentrator -> 192.168.0.1
- insert VPN group to which you want to connect -> VPNGROUP
- insert its pre-shared key -> cisco (password and confirm password)
- go to main screen, select connection entry and insert username and password VPNUSERNAME/cisco when prompted.

Picture shows configuration window and main window on windows client.

NS2-6.2.12a_IOS_DIA3-3

Picture shows result of tunnel initialisation on Router.

NS2-6.2.12a_IOS_DIA3-2

GATE(config)#show vpn-sessiondb remote

Picture shows result of tunnel sessions on Router.

NS2-6.2.12a_IOS_DIA3-5

F4) generate test connection

F4a) on Unix – text web browser

PC1#lynx ftp://10.0.0.100								;connect via ftp to the server
PC1#lynx http://10.0.0.100								;connect via http to the server - will work with enabled Java only
PC1#ping 10.0.0.100									;ICMP test

Picture shows result on PC.

NS2-6.2.12a_IOS_DIA4-1

F4b) on Windows – graphic web browser

Open web browser and insert following text to address bar

http://10.0.0.100									;establish http connection to the server
ftp://10.0.0.100									;establish ftp connection to the server

Picture shows result on PC (http).

NS2-6.2.12a_IOS_DIA4-2

Open the command line and run ftp, then follow the result picture for command line reference

ftp											;command line to start ftp connection

Picture shows result on PC (ftp).

NS2-6.2.12a_IOS_DIA4-3

F5) Delete tunnel and reinitialize new one

GATE#clear crypto session
GATE#clear crypto isakmp

Picture shows result on GATE router.

NS2-6.2.12a_IOS_DIA5-1

F5a) on Unix based PC – text

PC1#pkill vpnc										;kill vpnc process

NS2-6.2.12a_IOS_DIA5-2

F5b) on Windows based PC

Open VPN client and press disconnect button.

Optional tasks

  • Try to configure different policies and VPN groups

Cisco Labs – Network Security (8) – Site to site VPN using CA on ASA

Introduction

During my university studies I was doing a diploma thesis in the field of Redundant and reliable networking. The purpose of it was to create LAB examples for students, so they can test basic settings for VPN, IPS and others. These tasks are created for Virtlab (Virtual lab with physical Cisco routers), however the configuration is valid and tested on physical Cisco routers as well.

Each task in the series will have its separate post with a brief description of the task and schema. The complete task can be downloaded from My Onedrive

NS2 – Modul5 5.3.2 ASA task definition

Site to site VPN using CA on ASA

Goal

  • Certification authority will be running on Router3 which will also pass only needed traffic.
  • Site to site VPN tunnel using Certification authority will be initialized on ASA.
  • Only traffic from LAN 1 and LAN 2 will be encrypted.
  • Use OSPF routing protocol.
  • Clear and reinitialize VPN tunnel.
  • Do not forget to have configuration erased before startup.

Required time

3 hours

Theoretical background

Here will be short theoretical background for solving this task.

Topology

NS2-5.3.2_ASA_topology1_VIRTLAB

Configuration

PC1

ifconfig INT7 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT7

PC2

ifconfig INT8 10.0.0.100 netmask 255.255.255.0
route add default gw 10.0.0.1 dev INT8

ASA, CA router

First of all, the certification authority and the NTP server must be running.

1) NTP + Clock + hostnames + domain:

NTP server.

router#clock set 0:00:00 9 MAR 2008							;set clock and date
router(config)#hostname CA-Router3							;set hostname
CA-Router3(config)#ntp master								;set this router as NTP server
CA-Router3(config)#ip domain-name test							;set domain name

NTP clients.

ciscoasa(config)# hostname ASA1
ASA1(config)# ntp server 172.16.1.2
ASA1(config)# domain-name test
ciscoasa(config)# hostname ASA2
ASA2(config)# ntp server 172.16.1.2
ASA2(config)# domain-name test

2) interface settings, static routes

CA-Router3(config)#interface INT5				
CA-Router3(conf-if)#ip address 172.16.1.2 255.255.255.0
CA-Router3(conf-if)#no shutdown

CA-Router3(config)#interface INT6
CA-Router3(conf-if)#ip address 172.16.0.2 255.255.255.0
CA-Router3(conf-if)#no shutdown

CA-Router3(config)#router ospf 1
CA-Router3(rout)#network 172.16.1.0 0.0.0.255 area 0
CA-Router3(rout)#network 172.16.0.0 0.0.0.255 area 0

ASA1(config)# interface INT1
ASA1(config-if)# switchport mode access
ASA1(config-if)# switchport access vlan 10
ASA1(config-if)# no shutdown
ASA1(config-if)# interface vlan 10
ASA1(config-if)# ip address 192.168.0.1 255.255.255.0
ASA1(config-if)# nameif inside
ASA1(config-if)# no shutdown
 
ASA1(config)# interface INT2
ASA1(config-if)# switchport mode access
ASA1(config-if)# switchport access vlan 20
ASA1(config-if)# no shutdown
ASA1(config-if)# interface vlan 20
ASA1(config-if)# ip address 172.16.1.1 255.255.255.0
ASA1(config-if)# nameif outside
ASA1(config-if)# no shutdown
 
ASA1(config)# access-list outsidein permit udp any host 172.16.1.1 eq ntp				;permit NTP communication with NTP server
ASA1(config)# access-list outsidein permit icmp any host 172.16.1.1
ASA1(config)# access-list CRYPTOACL permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0		;define traffic to be encrypted 

ASA1(config)# access-group outsidein in interface outside
ASA1(config)# nat (inside) 1 0 0									;translate all traffic to outside ip pool
ASA1(config)# global (outside) 1 interface								;PAT
ASA1(config)# nat (inside) 0 access-list CRYPTOACL							;this traffic will not be translated but passed thru tunnel
ASA1(config)# route outside 10.0.0.0 255.255.255.0 172.16.1.2						;static route instead of OSPF
ASA1(config)# route outside 172.16.0.0 255.255.255.0 172.16.1.2						;static route instead of OSPF

ASA2(config)# interface INT4
ASA2(config-if)# switchport mode access
ASA2(config-if)# switchport access vlan 10
ASA2(config-if)# no shutdown
ASA2(config-if)# interface vlan 10
ASA2(config-if)# ip address 10.0.0.1 255.255.255.0
ASA2(config-if)# nameif inside
ASA2(config-if)# no shutdown

ASA2(config)# interface INT3
ASA2(config-if)# switchport mode access
ASA2(config-if)# switchport access vlan 20
ASA2(config-if)# no shutdown
ASA2(config-if)# interface vlan 20
ASA2(config-if)# ip address 172.16.0.1 255.255.255.0
ASA2(config-if)# nameif outside
ASA2(config-if)# no shutdown

ASA2(config)# access-list outsidein permit udp any host 172.16.0.1 eq ntp
ASA2(config)# access-list outsidein permit icmp any host 172.16.0.1
ASA2(config)# access-list CRYPTOACL permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0

ASA2(config)# access-group outsidein in interface outside						
ASA2(config)# nat (inside) 1 0 0
ASA2(config)# global (outside) 1 interface
ASA2(config)# nat (inside) 0 access-list CRYPTOACL
ASA2(config)# route outside 192.168.0.0 255.255.255.0 172.16.0.2
ASA2(config)# route outside 172.16.1.0 255.255.255.0 172.16.0.2

3) Access list on Router3 to enable only needed traffic:

CA-Router3(config)#access-list 101 permit ospf any any
CA-Router3(config)#access-list 101 permit icmp any 172.16.0.0 0.0.0.255				;IOS ACLs use wildcard masks, not subnet masks
CA-Router3(config)#access-list 101 permit icmp any 172.16.1.0 0.0.0.255
CA-Router3(config)#access-list 101 permit tcp any host 172.16.1.2 eq www
CA-Router3(config)#access-list 101 permit udp any host 172.16.1.2 eq ntp
CA-Router3(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.0.1
CA-Router3(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.0.1 eq isakmp

CA-Router3(config)#access-list 102 permit ospf any any
CA-Router3(config)#access-list 102 permit icmp any 172.16.0.0 0.0.0.255
CA-Router3(config)#access-list 102 permit icmp any 172.16.1.0 0.0.0.255
CA-Router3(config)#access-list 102 permit tcp any host 172.16.1.2 eq www
CA-Router3(config)#access-list 102 permit udp any host 172.16.1.2 eq ntp
CA-Router3(config)#access-list 102 permit esp host 172.16.0.1 host 172.16.1.1
CA-Router3(config)#access-list 102 permit udp host 172.16.0.1 host 172.16.1.1 eq isakmp

CA-Router3(config)#interface INT5
CA-Router3(conf-if)#ip access-group 101 in
CA-Router3(config)#interface INT6
CA-Router3(conf-if)#ip access-group 102 in
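As an added example (not part of the lab page and not Cisco tooling), the following Python models first-match evaluation of the IOS access lists used in these labs: CA-Router3's ACL 101 above and GATE's ACL 101 from the Easy VPN server lab. The ACE lines are the page's, written with the wildcard mask an IOS ACL needs for a /24 (0.0.0.255; IOS reads a subnet mask such as 255.255.255.0 as a wildcard, which the last function demonstrates). The flow names, the port-name table and the sample flows are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example, not from the lab page: a first-match evaluator for IOS-style
# extended ACLs. Masks follow IOS wildcard semantics (a 1 bit means "don't
# care"); 'host X' is X with wildcard 0.0.0.0; an unmatched flow hits the
# implicit deny at the end of every IOS ACL.

PORT_NAMES = {"www": 80, "ntp": 123, "isakmp": 500, "telnet": 23}  # subset used here


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any" | "host A.B.C.D" | "A.B.C.D W.W.W.W"
    dst: str
    dport: Optional[int] = None  # destination port for tcp/udp; None = any


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _take_addr(tokens: List[str]) -> str:
    """Consume one address spec (any | host X | X W) from the front of tokens."""
    if tokens[0] == "any":
        return tokens.pop(0)
    return tokens.pop(0) + " " + tokens.pop(0)


def parse_ace(line: str) -> Ace:
    """Parse the ACE grammar the lab uses, e.g. 'permit tcp any host 172.16.1.2 eq www'."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src = _take_addr(tokens)
    dst = _take_addr(tokens)
    dport = None
    if tokens and tokens[0] == "eq":
        port = tokens[1]
        dport = int(port) if port.isdigit() else PORT_NAMES[port]
    return Ace(action, proto, src, dst, dport)


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    base, wild = spec.split()
    if base == "host":
        base, wild = wild, "0.0.0.0"
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))  # bits that must be equal
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def evaluate(acl: List[Ace], flow: Flow) -> str:
    """First matching entry wins; the ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace.proto not in ("ip", flow.proto):
            continue
        if not (_addr_matches(ace.src, flow.src) and _addr_matches(ace.dst, flow.dst)):
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action
    return "deny"


# CA-Router3 ACL 101 (inbound on INT5, the ASA1 side) with proper IOS wildcards.
CA_ROUTER3_ACL_101 = [parse_ace(l) for l in """
permit ospf any any
permit icmp any 172.16.0.0 0.0.0.255
permit icmp any 172.16.1.0 0.0.0.255
permit tcp any host 172.16.1.2 eq www
permit udp any host 172.16.1.2 eq ntp
permit esp host 172.16.1.1 host 172.16.0.1
permit udp host 172.16.1.1 host 172.16.0.1 eq isakmp
""".splitlines() if l.strip()]

# GATE ACL 101 from the Easy VPN server lab: only traffic addressed to the
# concentrator's own interface is accepted in clear on INT1.
GATE_ACL_101 = [parse_ace("permit ip any host 192.168.0.1")]

# The ICMP entry written with a subnet mask instead of a wildcard (a common slip).
SUBNET_MASK_AS_WILDCARD = [parse_ace("permit icmp any 172.16.0.0 255.255.255.0")]


def ca_router3_decisions() -> dict:
    """Constructed flows through Router3; only tunnel, SCEP, NTP and OSPF traffic pass."""
    flows = {
        "esp peer to peer": Flow("esp", "172.16.1.1", "172.16.0.1"),
        "isakmp peer to peer": Flow("udp", "172.16.1.1", "172.16.0.1", 500),
        "scep enrollment to CA": Flow("tcp", "172.16.1.1", "172.16.1.2", 80),
        "ntp to CA": Flow("udp", "172.16.1.1", "172.16.1.2", 123),
        "telnet to CA": Flow("tcp", "172.16.1.1", "172.16.1.2", 23),
        "esp from non-peer": Flow("esp", "172.16.1.5", "172.16.0.1"),
        "cleartext LAN1 to LAN2": Flow("icmp", "192.168.0.100", "10.0.0.100"),
    }
    return {name: evaluate(CA_ROUTER3_ACL_101, f) for name, f in flows.items()}


def gate_decisions() -> dict:
    """On GATE only IKE/ESP to 192.168.0.1 is accepted; a ping past it is dropped."""
    return {
        "isakmp to concentrator": evaluate(GATE_ACL_101, Flow("udp", "192.168.0.100", "192.168.0.1", 500)),
        "ping past concentrator": evaluate(GATE_ACL_101, Flow("icmp", "192.168.0.100", "10.0.0.100")),
    }


def wildcard_pitfall() -> tuple:
    """With 255.255.255.0 read as a wildcard only the last octet is compared."""
    return (evaluate(SUBNET_MASK_AS_WILDCARD, Flow("icmp", "172.16.1.1", "172.16.0.1")),
            evaluate(SUBNET_MASK_AS_WILDCARD, Flow("icmp", "172.16.1.1", "10.9.8.0")))
```

Run ca_router3_decisions() to see that cleartext traffic between LAN1 and LAN2 is dropped by Router3; in the lab it only gets through because the ASAs carry it inside ESP between the two peer addresses, which is exactly what the two host-to-host entries permit.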

4) CA server + CA requests

CA-Router3(config)#crypto key generate rsa general-keys label KEYPLABEL exportable			;generate exportable RSA keys for CA. (recommended 1024 bits key)
													;If this command could not be inserted. CA is not supported by router 
CA-Router3(config)#crypto key export rsa KEYPLABEL pem url nvram: 3des KEYPHESLO			;export CA private and public key to NVRAM
													;requires to add filenames if not confirmed default name
CA-Router3(config)#ip http server									;enable http server (certificates are requested thru http)
CA-Router3(config)#crypto pki server CASERVER								;create CA instance on a router
CA-Router3(cs-server)#issuer-name CN=Issuername,C=country						;set up parameters for CA certificate (comma-separated DN)
CA-Router3(cs-server)#lifetime ca-certificate 20							;lifetime in days for CA certificate
CA-Router3(cs-server)#lifetime certificate 20								;lifetime in days for client certificate
CA-Router3(cs-server)#cdp-url http://cdp-list-url-address. 						;link to web with CRL list
CA-Router3(cs-server)#grant auto									;reply and grant enrollment request automatically
CA-Router3(cs-server)#no shutdown									;turn on CA
													;you must insert password to protect CA private key after this line

Before continuing with the configuration, turn on debugging so that the certificate requests are visible; this is described in the Function test section.

ASA1(config)# sysopt connection permit-vpn								;permit VPN traffic to pass firewall 

ASA1(config)# crypto key generate rsa modulus 512							;generate RSA keys for encryption purpose
ASA1(config)# crypto ca trustpoint CASERVER								;define Trustpoint and its parameters, links CA for SCEP
ASA1(config-ca-trustpoint)# enrollment url http://172.16.1.2:80						;url thru which certificates will be enrolled
ASA1(config-ca-trustpoint)# enrollment retry count 20							;number of retries of failed enrollment
ASA1(config-ca-trustpoint)# crl optional								;revocation check is optional   
ASA1(config-ca-trustpoint)# revocation-check crl none							;revocation turned off
ASA1(config-ca-trustpoint)# debug crypto ca								;debugging turned on, communication with CA will be visible
ASA1(config)# crypto ca authenticate CASERVER								;get and authenticate CA certificate - you must manually check public fingerprint
ASA1(config)# crypto ca enroll CASERVER									;receive client certificate thru enrollment url. In this exercise
													;certificate will be granted automatically on CA

ASA2(config)# sysopt connection permit-vpn 

ASA2(config)# crypto key generate rsa modulus 512
ASA2(config)# crypto ca trustpoint CASERVER
ASA2(config-ca-trustpoint)# enrollment url http://172.16.1.2:80
ASA2(config-ca-trustpoint)# enrollment retry count 20
ASA2(config-ca-trustpoint)# crl optional
ASA2(config-ca-trustpoint)# revocation-check crl none
ASA2(config-ca-trustpoint)# debug crypto ca
ASA2(config)# crypto ca authenticate CASERVER
ASA2(config)# crypto ca enroll CASERVER

5a) VPN tunnel settings phase 1 IKE/ISAKMP:

The policy must be the same on both ends of the tunnel (the priority number can differ).

ASA1(config)# isakmp enable outside									;enable isakmp negotiation on outside interface
ASA1(config)# isakmp policy 10 
ASA1(config-isakmp-policy)# authentication rsa-sig 							;define authentication thru RSA keys
ASA1(config-isakmp-policy)# group 2
ASA1(config-isakmp-policy)# hash sha
ASA1(config-isakmp-policy)# encryption 3des

ASA2(config)# isakmp enable outside
ASA2(config)# isakmp policy 10 
ASA2(config-isakmp-policy)# authentication rsa-sig
ASA2(config-isakmp-policy)# group 2
ASA2(config-isakmp-policy)# hash sha
ASA2(config-isakmp-policy)# encryption 3des

5b) VPN tunnel settings phase 2 IPSEC

ASA1(config)# tunnel-group 172.16.0.1 type ipsec-l2l							;define site to site VPN tunnel mode
ASA1(config)# tunnel-group 172.16.0.1 ipsec-attributes							;define its second phase attributes
ASA1(config-tunnel-ipsec)# peer-id-validate cert							;client will be identified thru its certificate
ASA1(config-tunnel-ipsec)# chain									;specify CA chain will be used to authenticate peer
ASA1(config-tunnel-ipsec)# trust-point CASERVER								;define which CA will validate certificates
ASA1(config)# crypto ipsec transform-set TRSETASA1 esp-md5-hmac esp-des 
ASA1(config)# crypto map CRMAPASA1 10 match address CRYPTOACL
ASA1(config)# crypto map CRMAPASA1 10 set peer 172.16.0.1
ASA1(config)# crypto map CRMAPASA1 10 set trustpoint CASERVER						;define which CA will be used in this crypto map section
ASA1(config)# crypto map CRMAPASA1 10 set transform-set TRSETASA1
ASA1(config)# crypto map CRMAPASA1 interface outside

Apply analogical settings to other side of the tunnel.

ASA2(config)# tunnel-group 172.16.1.1 type ipsec-l2l
ASA2(config)# tunnel-group 172.16.1.1 ipsec-attributes
ASA2(config-tunnel-ipsec)# peer-id-validate cert
ASA2(config-tunnel-ipsec)# chain
ASA2(config-tunnel-ipsec)# trust-point CASERVER
ASA2(config)# crypto ipsec transform-set TRSETASA2 esp-md5-hmac esp-des
ASA2(config)# crypto map CRMAPASA2 10 match address CRYPTOACL
ASA2(config)# crypto map CRMAPASA2 10 set peer 172.16.1.1
ASA2(config)# crypto map CRMAPASA2 10 set trustpoint CASERVER
ASA2(config)# crypto map CRMAPASA2 10 set transform-set TRSETASA2
ASA2(config)# crypto map CRMAPASA2 interface outside
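To make the phase 1 and phase 2 matching rules from 5a) and 5b) concrete, here is an added Python model (not from the lab page and not Cisco's implementation) of how the two ASAs agree on an ISAKMP policy and a transform set: the initiator offers its policies in priority order and the responder accepts the first one whose attributes match one of its own exactly, whatever the priority numbers are; transform sets match when they contain the same transforms. The policy and transform-set values are the lab's; the extra policies used to show a mismatch are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not from the lab page: a simplified model of IKEv1 phase 1
# policy selection and IPsec phase 2 transform-set matching between two ASAs.


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    encryption: str
    hash_alg: str
    authentication: str
    group: int

    def attributes(self) -> tuple:
        # Priority is local only; it is not part of what the peers compare.
        return (self.encryption, self.hash_alg, self.authentication, self.group)


def negotiate_phase1(initiator: List[IsakmpPolicy],
                     responder: List[IsakmpPolicy]) -> Optional[Tuple[int, int]]:
    """Return (initiator_priority, responder_priority) of the agreed policy, or None."""
    for ipol in sorted(initiator, key=lambda p: p.priority):
        for rpol in sorted(responder, key=lambda p: p.priority):
            if ipol.attributes() == rpol.attributes():
                return (ipol.priority, rpol.priority)
    return None


def negotiate_phase2(initiator_sets: Dict[str, tuple],
                     responder_sets: Dict[str, tuple]) -> Optional[Tuple[str, str]]:
    """Transform sets match when they hold the same transforms; order does not matter."""
    for name_i, tr_i in initiator_sets.items():
        for name_r, tr_r in responder_sets.items():
            if set(tr_i) == set(tr_r):
                return (name_i, name_r)
    return None


# Values from the lab: isakmp policy 10 and the esp-md5-hmac/esp-des transform sets.
ASA1_POLICIES = [IsakmpPolicy(10, "3des", "sha", "rsa-sig", 2)]
ASA1_TRANSFORMS = {"TRSETASA1": ("esp-md5-hmac", "esp-des")}
ASA2_POLICIES = [IsakmpPolicy(10, "3des", "sha", "rsa-sig", 2)]
ASA2_TRANSFORMS = {"TRSETASA2": ("esp-des", "esp-md5-hmac")}


def lab_negotiation() -> dict:
    """Both phases succeed with the page's configuration."""
    return {
        "phase1": negotiate_phase1(ASA1_POLICIES, ASA2_POLICIES),
        "phase2": negotiate_phase2(ASA1_TRANSFORMS, ASA2_TRANSFORMS),
    }


def reordered_responder() -> Optional[Tuple[int, int]]:
    """Constructed: ASA2 has an extra policy 5; the lab policy still matches as its number 20."""
    asa2 = [IsakmpPolicy(5, "aes", "sha", "pre-share", 5),
            IsakmpPolicy(20, "3des", "sha", "rsa-sig", 2)]
    return negotiate_phase1(ASA1_POLICIES, asa2)


def hash_mismatch() -> Optional[Tuple[int, int]]:
    """Constructed: same priority, different hash; phase 1 fails and no tunnel comes up."""
    asa2 = [IsakmpPolicy(10, "3des", "md5", "rsa-sig", 2)]
    return negotiate_phase1(ASA1_POLICIES, asa2)
```

When debug crypto isakmp shows the negotiation stalling at phase 1, compare the attribute tuples on both sides as this model does; a differing priority number is harmless, a differing hash, group, encryption or authentication method is not.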

Function test

F1)Turn on debug

On CA to see enrollment requests and key exchanges

CA-Router3#debug crypto pki server
CA-Router3#debug crypto pki validation
CA-Router3#debug crypto pki messages 

Pictures show the result of these commands.

NS2-5.3.2_ASA_DIA1-1

NS2-5.3.2_ASA_DIA1-2

On ASA to see tunnel status and CA client status

ASA1#debug crypto ca transactions									;CA client (SCEP) debugging on ASA
ASA1#debug crypto ipsec
ASA1#debug crypto isakmp
ASA1#debug crypto ?											;show other debug possibilities

F2)initialize tunnel

Ping from LAN 1 to LAN 2 should initialize VPN tunnel and hosts on LAN2 should be accessible.

Use ping 10.0.0.100. Take a look at the DST and SRC addresses; they depend on which side initiated the tunnel.

F3)Check statuses

CA

CA-Router3#sh crypto ca trustpoint status								;show CA hash keys
CA-Router3#sh crypto ca certificate NAME verbose							;show CA certificate
CA-Router3#dir NVRAM:											;sh key pair files in NVRAM

Picture shows exported key pair.

NS2-5.3.2_ASA_DIA2-1

ASA

ASA1#sh crypto ca certificates										;display CA certificate on ASA

Picture shows CA certificate.

NS2-5.3.2_ASA_DIA2-2

check IKE/IPSEC ASA configuration

ASA1#sh crypto isakmp policy										;display first part of tunnel configuration. 
ASA1#sh crypto ipsec sa											;display send/receive packet statistics

And show ipsec and isakmp statuses.

ASA1#sh crypto isakmp sa
ASA1#sh crypto ipsec sa

Picture shows first phase – IKE.

NS2-5.3.2_ASA_DIA4-1

Picture shows second phase – IPSEC.

NS2-5.3.2_ASA_DIA4-2

F5)delete tunnel

ASA1#clear crypto isakmp										;clear tunnel initialisation configuration
ASA1#clear crypto sa											;clear existing tunnels
ASA1#clear crypto session										;clear existing tunnels

Picture shows deleted tunnel.

NS2-5.3.2_ASA_DIA5-1

F6)reinitialize tunnel from other side

Use ping 192.168.0.100. Take a look at the DST and SRC addresses; they depend on which side initiated the tunnel.

Optional tasks

Access list and certificates:

delete client certificates and RSA keys and request new ones

ASA1(config)# crypto key zeroize rsa								;delete existing RSA keys
ASA1(config)# crypto key generate rsa 
ASA1(config)# no crypto ca trustpoint CASERVER							;remove trustpoint configuration

then follow point 4 to reconfigure the CA and obtain new certificates

Two or more tunnels to different locations and peers:

This will be accomplished by adding:

  • New policy section with definition of needed settings.
  • New access list to define which traffic has to be encrypted.
  • New or existing transform set must be added to new crypto map section.