Security: Site-to-site vpn with ASA5505 and 2651XM

Verify connectivity before setting up vpn

2651-3#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

ciscoasa(config)# ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASA configuration step by step

Step 1: Classify the traffic which you want to protect under ipsec tunnel

ciscoasa(config)# access-list 100 permit ip any any

Step 2: Defining phase 1 (isakmp) policy.

ciscoasa(config)# crypto isakmp policy 1
ciscoasa(config-isakmp-policy)# hash sha
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# group 5
ciscoasa(config-isakmp-policy)# encry aes
ciscoasa(config-isakmp-policy)# lifetime 86400
ciscoasa(config-isakmp-policy)# exit

Step 3: Decide the preshare key to be used.

ciscoasa(config)# tunnel-group 192.168.1.1 type ipsec-l2l
ciscoasa(config)# tunnel-group 192.168.1.1 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key cisco
ciscoasa(config-tunnel-ipsec)# exit

Step 4:Defining transform set for ipsec tunnel.

ciscoasa(config)# crypto ipsec transform-set myset esp-sha-hmac esp-aes

Step 5:Define crypto map for ipsec tunnel.

ciscoasa(config)# crypto map mymap 1 match address 100
ciscoasa(config)# crypto map mymap 1 set peer 192.168.1.1
ciscoasa(config)# crypto map mymap 1 set transform-set myset

Step 6:Applying crypto map on interface.

ciscoasa(config)# crypto map mymap interface inside

Step 7:Remember to enable isakmp on desired interface.

ciscoasa(config)# isakmp enable inside

Router vpn configuration step by step

Step 1:Determine the traffic that needs to be protected.

2651-3(config)#access-list 100 permit ip any any

Step 2:Define the isakmp policy.

2651-3(config)#crypto isakmp policy 1
2651-3(config-isakmp)#hash sha
2651-3(config-isakmp)#group 5
2651-3(config-isakmp)#encryption aes 128
2651-3(config-isakmp)#lifetime 86400
2651-3(config-isakmp)#authentication pre-share
2651-3(config-isakmp)#exit

Step 3:Define pre-share key for isakmp tunnel negotiation.

2651-3(config)#crypto isakmp key 0 cisco address 192.168.1.2 255.255.255.252

Step 4:Define the transform set.

2651-3(config)#crypto ipsec transform-set myset esp-sha-hmac esp-aes 128
2651-3(cfg-crypto-trans)#exit

Step 5:Defining crypto map.

2651-3(config)#crypto map mymap 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
2651-3(config-crypto-map)#match address 100
2651-3(config-crypto-map)#set peer 192.168.1.2
2651-3(config-crypto-map)#set transform-set myset
2651-3(config-crypto-map)#exit

Step 6:Apply crypto map on interface.

2651-3(config)#int fa0/1

2651-3(config-if)#crypto map mymap
2651-3(config-if)#
*Sep 19 14:39:22.695: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Test the tunnel

ciscoasa(config)# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms

ciscoasa(config)# sh crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.1.1
Type    : L2L             Role    : initiator
Rekey   : no              State   : MM_ACTIVE

2651-3#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2651-3#sh crypto sess
Crypto session current status

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 192.168.1.2 port 500
IKE SA: local 192.168.1.1/500 remote 192.168.1.2/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map

Advertisements
This entry was posted in ASA/PIX, Security and tagged , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s