A site-to-site VPN tunnel between two Cisco ASAs (Adaptive Security Appliances) provides an encrypted connection between private networks over a public network such as the internet.
Basic steps for VPN configuration:
1. Define the ISAKMP policy, for example:
- Authentication
- Hash
- Encryption
- Group
2. Establish the IPsec transform set, for example:
- esp-des
- esp-md5-hmac
- esp-aes
- esp-sha-hmac
3. Configure the crypto access list:
- Defines the interesting traffic (the traffic to be protected by the tunnel)
4. Configure the crypto map:
- References the previously defined parameters (access list, transform set and peer address)
5. Apply the crypto map to the outside interface:
- Protects the traffic leaving that interface that matches the access list
Configuration of ASA on Site A
First, define the IKE policy on ASA Site A:
ASA-A(config)#crypto isakmp policy 10
!(10 is the ISAKMP policy number)
ASA-A(config-isakmp)#encryption des
!(use DES encryption)
ASA-A(config-isakmp)#hash md5
!(use MD5 for hashing)
ASA-A(config-isakmp)#authentication pre-share
!(use pre-shared key authentication)
ASA-A(config-isakmp)#group 2
!(use Diffie-Hellman group 2)
ASA-A(config-isakmp)#exit
!(exit from crypto isakmp mode)
Second, create the pre-shared key (password) on ASA Site A:
ASA-A(config)#crypto isakmp key office address 20.1.1.20
!(here the key is "office" and 20.1.1.20 is the address of ASA-B)
Third, create an access list that defines only the interesting traffic:
ASA-A(config)#access-list 100 permit ip host 20.1.1.10 host 20.1.1.20
!(100 is the access-list number, 20.1.1.10 the source address and 20.1.1.20 the destination address)
Fourth, create the transform set for encryption and hashing, then the crypto map that ties the pieces together:
ASA-A(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac
!(here the encryption type is DES and the hashing technique is MD5-HMAC)
ASA-A(config)#crypto map imap 10 ipsec-isakmp
!(crypto map name imap, sequence number 10)
ASA-A(config)#crypto map imap 10 match address 100
!(apply the access list)
ASA-A(config)#crypto map imap 10 set transform-set ts2
!(apply the transform set)
ASA-A(config)#crypto map imap 10 set peer 20.1.1.20
!(set the remote peer address)
Fifth, apply the crypto map to the outside interface of ASA Site A and enable ISAKMP there:
ASA-A(config)#crypto map imap interface outside
!(apply the crypto map on the outside interface)
ASA-A(config)#crypto isakmp enable outside
!(enable ISAKMP on the outside interface)
Configuration of ASA on Site B
First, define the IKE policy on ASA Site B:
ASA-B(config)#crypto isakmp policy 10
!(10 is the ISAKMP policy number)
ASA-B(config-isakmp)#encryption des
!(use DES encryption)
ASA-B(config-isakmp)#hash md5
!(use MD5 for hashing)
ASA-B(config-isakmp)#authentication pre-share
!(use pre-shared key authentication)
ASA-B(config-isakmp)#group 2
!(use Diffie-Hellman group 2)
ASA-B(config-isakmp)#exit
!(exit from crypto isakmp mode)
Second, create the pre-shared key (password) on ASA Site B:
ASA-B(config)#crypto isakmp key office address 20.1.1.10
!(here the key is "office" and 20.1.1.10 is the address of ASA-A)
Third, create an access list that defines only the interesting traffic:
ASA-B(config)#access-list 100 permit ip host 20.1.1.20 host 20.1.1.10
!(100 is the access-list number, 20.1.1.20 the source address and 20.1.1.10 the destination address)
Fourth, create the transform set for encryption and hashing, then the crypto map that ties the pieces together:
ASA-B(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac
!(here the encryption type is DES and the hashing technique is MD5-HMAC)
ASA-B(config)#crypto map imap 10 ipsec-isakmp
!(crypto map name imap, sequence number 10)
ASA-B(config)#crypto map imap 10 match address 100
!(apply the access list)
ASA-B(config)#crypto map imap 10 set transform-set ts2
!(apply the transform set)
ASA-B(config)#crypto map imap 10 set peer 20.1.1.10
!(set the remote peer address)
Fifth, apply the crypto map to the outside interface of ASA Site B and enable ISAKMP there:
ASA-B(config)#crypto map imap interface outside
!(apply the crypto map on the outside interface)
ASA-B(config)#crypto isakmp enable outside
!(enable ISAKMP on the outside interface)
Now, to verify the secure tunnel, ping the remote site from ASA-B (the traffic must match the access list so that it triggers the tunnel):
ASA-B(config)#ping 20.1.1.10
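The consistency check below is an added example and is not part of the original post. It is a small Python script whose names, LEGACY table and embedded transcripts are this example's own (the transcripts copy the commands shown above for both sites). It parses each peer's CLI transcript, confirms that the parameters the crypto map ties together are mirrored between Site A and Site B (ISAKMP policy, pre-shared key, key address versus crypto-map peer, interesting-traffic access list, transform set, and the interface the map and ISAKMP are enabled on), and flags the legacy algorithms the tutorial uses (DES, MD5, DH group 2).

```python
"""Consistency and algorithm-strength check for a pair of ASA site-to-site VPN configs."""
import re

# Matches one transcript line such as "ASA-A(config-isakmp)#hash md5":
# group 1 = configuration mode, group 2 = the command typed after the prompt.
PROMPT = re.compile(r"^[^\s(]+\((config[^)]*)\)#\s*(.*)$")

# Algorithms that are deprecated for IPsec today; labels are this example's own wording.
LEGACY = {
    "encryption": {"des": "DES (56-bit key)", "3des": "3DES"},
    "hash": {"md5": "MD5"},
    "group": {"1": "DH group 1 (768-bit)", "2": "DH group 2 (1024-bit)"},
    "transform": {"esp-des": "ESP-DES", "esp-3des": "ESP-3DES", "esp-md5-hmac": "ESP-MD5-HMAC"},
}


def parse_side(text):
    """Extract the tunnel parameters from one peer's CLI transcript."""
    side = {"policy": {}, "acl": {}, "transform_sets": {}, "map": {}, "isakmp_if": None}
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue                      # '!' comment lines and prose carry no config
        mode, cmd = m.group(1), m.group(2).split()
        if not cmd:
            continue
        if mode == "config-isakmp" and cmd[0] in ("encryption", "hash", "authentication", "group"):
            side["policy"][cmd[0]] = cmd[1]
        elif cmd[:3] == ["crypto", "isakmp", "key"]:
            side["psk"], side["psk_peer"] = cmd[3], cmd[5]
        elif cmd[0] == "access-list" and cmd[2:4] == ["permit", "ip"]:
            side["acl"][cmd[1]] = (cmd[5], cmd[7])        # (source host, destination host)
        elif cmd[:3] == ["crypto", "ipsec", "transform-set"]:
            side["transform_sets"][cmd[3]] = tuple(cmd[4:])
        elif cmd[:2] == ["crypto", "map"] and len(cmd) > 4 and cmd[3] == "interface":
            side["map"]["interface"] = cmd[4]
        elif cmd[:2] == ["crypto", "map"] and cmd[4:6] == ["match", "address"]:
            side["map"]["acl"] = cmd[6]
        elif cmd[:2] == ["crypto", "map"] and cmd[4:6] == ["set", "transform-set"]:
            side["map"]["transform"] = cmd[6]
        elif cmd[:2] == ["crypto", "map"] and cmd[4:6] == ["set", "peer"]:
            side["map"]["peer"] = cmd[6]
        elif cmd[:3] == ["crypto", "isakmp", "enable"]:
            side["isakmp_if"] = cmd[3]
    return side


def check_pair(a, b):
    """Return (errors, warnings): errors prevent the tunnel, warnings are weak algorithms."""
    errors, warnings = [], []
    for attr in ("encryption", "hash", "authentication", "group"):
        if a["policy"].get(attr) != b["policy"].get(attr):
            errors.append(f"ISAKMP {attr} differs: {a['policy'].get(attr)} vs {b['policy'].get(attr)}")
    if a.get("psk") != b.get("psk"):
        errors.append("pre-shared keys differ")
    for side in (a, b):
        m = side["map"]
        if side.get("psk_peer") != m.get("peer"):
            errors.append(f"key address {side.get('psk_peer')} != crypto map peer {m.get('peer')}")
        if m.get("acl") not in side["acl"]:
            errors.append(f"crypto map references undefined access-list {m.get('acl')}")
        if m.get("transform") not in side["transform_sets"]:
            errors.append(f"crypto map references undefined transform-set {m.get('transform')}")
        if m.get("interface") is None or m.get("interface") != side["isakmp_if"]:
            errors.append("crypto map interface and 'crypto isakmp enable' interface must match")
    # The interesting-traffic ACLs must mirror each other: A's src/dst is B's dst/src.
    acl_a = a["acl"].get(a["map"].get("acl"))
    acl_b = b["acl"].get(b["map"].get("acl"))
    if acl_a and acl_b and acl_a != (acl_b[1], acl_b[0]):
        errors.append(f"access lists are not mirrored: {acl_a} vs {acl_b}")
    ts_a = a["transform_sets"].get(a["map"].get("transform"))
    ts_b = b["transform_sets"].get(b["map"].get("transform"))
    if ts_a != ts_b:
        errors.append(f"transform sets differ: {ts_a} vs {ts_b}")
    for attr in ("encryption", "hash", "group"):
        v = a["policy"].get(attr)
        if v in LEGACY[attr]:
            warnings.append(f"ISAKMP {attr} {v} ({LEGACY[attr][v]}) is deprecated")
    for t in ts_a or ():
        if t in LEGACY["transform"]:
            warnings.append(f"transform {t} ({LEGACY['transform'][t]}) is deprecated")
    return errors, warnings


def audit(text_a, text_b):
    """Parse both transcripts and compare them."""
    return check_pair(parse_side(text_a), parse_side(text_b))


# Constructed transcripts: the tutorial's commands for Site A and Site B.
SITE_A = """
ASA-A(config)#crypto isakmp policy 10
ASA-A(config-isakmp)#encryption des
ASA-A(config-isakmp)#hash md5
ASA-A(config-isakmp)#authentication pre-share
ASA-A(config-isakmp)#group 2
ASA-A(config-isakmp)#exit
ASA-A(config)#crypto isakmp key office address 20.1.1.20
ASA-A(config)#access-list 100 permit ip host 20.1.1.10 host 20.1.1.20
ASA-A(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac
ASA-A(config)#crypto map imap 10 ipsec-isakmp
ASA-A(config)# crypto map imap 10 match address 100
ASA-A(config)# crypto map imap 10 set transform-set ts2
ASA-A(config)# crypto map imap 10 set peer 20.1.1.20
ASA-A(config)# crypto map imap interface outside
ASA-A(config)# crypto isakmp enable outside
"""
SITE_B = SITE_A.replace("ASA-A", "ASA-B").replace("address 20.1.1.20", "address 20.1.1.10") \
    .replace("host 20.1.1.10 host 20.1.1.20", "host 20.1.1.20 host 20.1.1.10") \
    .replace("set peer 20.1.1.20", "set peer 20.1.1.10")

if __name__ == "__main__":
    errs, warns = audit(SITE_A, SITE_B)
    print("errors:", errs or "none")
    for w in warns:
        print("warning:", w)
```

Run it on the two transcripts before pushing the configuration; with the tutorial's values it reports no errors and five deprecation warnings. On the appliances themselves, `show crypto isakmp sa` and `show crypto ipsec sa` confirm whether the phase 1 and phase 2 security associations came up after the ping.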