
Tuesday, 31 January 2012

IPSEC Tunnel, NAT and Cisco ASA 8.4

Back on my Cisco ASA, I now needed to work out how to build an IPSEC tunnel to a customer and then make sure that traffic to that subnet is not subject to the dynamic PAT I have for my inside network.

Setting up a site-to-site IPSEC VPN on the ASA is different to using an IOS router, for example; the concepts remain the same, but the order and the way you do it differ.

First I define two network objects: one for my network and one for the remote network.

object network Remote

object network CSCM

Next comes a series of crypto commands for the IPSEC tunnel:

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

There are several other transform sets that can be created but for brevity I have only included the ones that I am using.

access-list acl-crypto-remote extended permit ip object CSCM object Remote

This is an ACL to match the traffic from my network to the remote network.

crypto map crypto-map-remote 1 match address acl-crypto-remote

This will match the interesting traffic from my network to the remote network and assign this to the crypto map.

crypto map crypto-map-remote 1 set peer 195.xx.xx.xx

Set the peer address for the remote network WAN IP.

crypto map crypto-map-remote 1 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-MD5

This enables the crypto map to use the transform sets we defined earlier.

crypto map crypto-map-remote interface Internet

Similar to IOS, here we add the crypto map to the Internet interface so that matching traffic is encapsulated.

crypto ikev1 enable Internet
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

This sets the IKE Policy for the tunnel on the Internet Interface with the correct Phase 1 settings for our remote site.

group-policy GroupPolicy_195.xx.xx.xx internal
group-policy GroupPolicy_195.xx.xx.xx attributes
 vpn-tunnel-protocol ikev1

Here we set up a group policy for the VPN settings; it specifies that the policy is internal and that the tunnel protocol is IKE version 1.

tunnel-group 195.xx.xx.xx type ipsec-l2l
tunnel-group 195.xx.xx.xx general-attributes
 default-group-policy GroupPolicy_195.xx.xx.xx
tunnel-group 195.xx.xx.xx ipsec-attributes
 ikev1 pre-shared-key ******

Finally we define this as an IPSEC site-to-site tunnel (ipsec-l2l), then assign the group policy we created to this tunnel along with the pre-shared key we are using.
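The introduction mentions keeping the tunnel traffic out of the dynamic PAT, but the post does not show that part. The following is an added example (not the author's configuration) of the ASA 8.3+ identity NAT that does it; it assumes the inside interface is named "inside", that the CSCM and Remote objects carry the subnets defined above, and that the existing PAT rule has the form shown in the first block.

```text
! Existing dynamic PAT for the inside network (assumed form; "inside" is an
! assumed interface name, "Internet" is the outside interface from the post).
object network CSCM
 nat (inside,Internet) dynamic interface

! Identity (twice) NAT: traffic from CSCM to Remote keeps its real addresses,
! so it matches acl-crypto-remote and goes into the tunnel instead of being
! PATed to the Internet interface address. Twice NAT (section 1) is evaluated
! before object NAT (section 2), so this rule wins regardless of entry order.
! no-proxy-arp and route-lookup exist from 8.4(2); omit them on older images.
nat (inside,Internet) source static CSCM CSCM destination static Remote Remote no-proxy-arp route-lookup

! Verify which NAT rule the tunnel traffic hits (addresses are placeholders):
! packet-tracer input inside tcp <local-host> 1025 <remote-host> 80
! show nat detail
```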

Troubleshooting this can be tricky, so I recommend the following commands to help:

show crypto ipsec sa
show crypto ikev1 sa
show logging

You can get a really good log view with the ASDM for this type of configuration; in my opinion it beats the SSH or console view.
