Simple Networking

Configuring VPN on Cisco ASA

16.10.2015

This material follows up on the topic covered in Configuring VPN between two Cisco routers, but gets an article of its own, since it deals specifically with configuring Cisco ASA devices.

The task is again to connect a main office and a branch office through a VPN, but this time the main office runs a Cisco ASA 5510 firewall instead of a Cisco 2800 router.

At our disposal we have:
Cisco ASA 5510 firewall in the main office

  • Users are inside LAN 192.168.10.0 /24
  • External static IP address is 1.1.1.2 /30
  • ISP gateway is 1.1.1.1 /30

Router Cisco 881 at the branch office

  • Users are inside LAN 192.168.20.0 /24
  • External static IP address is 2.2.2.2 /30
  • ISP gateway 2.2.2.1 /30

Configuring VPN on Cisco ASA

The process of configuring the Cisco 881 router is described in the “second universal method” section of the article Configuring VPN between two Cisco routers, so here we focus only on configuring the Cisco ASA firewall. The firewall is assumed to already have the basic settings from the article Cisco ASA. The Basics. Internet access: it is reachable for remote administration and the office LAN can reach the Internet.

Step 0

If your ASA IOS version is older than 8.3 (check the current version with the “sh ver” command), turn off the nat-control option to simplify the configuration:

FW-DELTACONFIG-1(config)#
no nat-control

Step 1. Interface configuration check

First, let’s check that our firewall has correctly configured outside and inside interfaces. Since we are working on a Cisco ASA 5510 (as opposed to a 5505), this configuration differs slightly from the one in the initial article: the IP addresses and other parameters are assigned directly to the physical interfaces Ethernet0 and Ethernet1 instead of to a virtual VLAN interface.

The outside interface:
FW-DELTACONFIG (config)#
interface Ethernet 0
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.252
no shut

The inside interface for the internal LAN:
FW-DELTACONFIG (config)#
interface Ethernet 1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
no shut


Step 2. Define the encryption parameters

Here we configure the encryption parameters for the VPN tunnel between the main office and the branch location and enable IKE (ISAKMP) on the outside interface. These parameters must be identical to the ones used on the Cisco 881 router at the remote site:
For IOS version less than 9.0
FW-DELTACONFIG-1(config)#
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp enable outside

For IOS version greater than 9.0
FW-DELTACONFIG-1(config)#
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 enable outside

Step 3. Define the “interesting traffic” that should be encrypted and sent into the tunnel

Create an access list named ACL_CRYPTO_DO that defines the traffic to be encrypted and sent into the VPN tunnel; Cisco calls this “interesting traffic”. Packets that do not match the list are not sent into the VPN.

FW-DELTACONFIG-1(config)#
access-list ACL_CRYPTO_DO extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

Step 4. Create the encryption policy

Create the encryption policy, also known as a “crypto map”, which references the rules and encryption parameters created in steps 2 and 3:
For IOS version less than 9.0
FW-DELTACONFIG-1(config)#
crypto map SECMAP 1 match address ACL_CRYPTO_DO
crypto map SECMAP 1 set peer 2.2.2.2
crypto map SECMAP 1 set transform-set ESP-3DES-SHA

Apply the created policy to the outside interface:
FW-DELTACONFIG-1(config)#
crypto map SECMAP interface outside

Create the encryption key that is exchanged between peers:
FW-DELTACONFIG-1(config)#
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key XXXXX

Instead of XXXXX enter the key you wish to use for the VPN with the remote peer. It must be identical on the Cisco ASA in the main office and on the Cisco 881 at the branch office. I recommend making it complex: no less than 50 characters, using digits, letters and special characters.

The same configuration for IOS version greater than 9.0:
FW-DELTACONFIG-1(config)#
crypto map SECMAP 1 match address ACL_CRYPTO_DO
crypto map SECMAP 1 set peer 2.2.2.2
crypto map SECMAP 1 set ikev1 transform-set ESP-3DES-SHA
crypto map SECMAP interface outside

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
ikev1 pre-shared-key XXXXX
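As an added check (example code written for this article, not the firewall's own tooling), the following Python script cross-references the Step 2–4 objects in a saved ASA configuration: the ACL and transform-set named by each crypto map entry, whether the map is bound to the outside interface, and whether the peer's tunnel-group carries a pre-shared key meeting the 50-character recommendation. The sample configuration is constructed and deliberately omits the interface binding, the omission that Step 7 singles out.

```python
import re
# Constructed sample, not from the article: its 9.x Step 2-4 commands (IKE policy
# sub-commands omitted) with the "crypto map SECMAP interface outside" line left out.
ASA_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ikev1 enable outside
access-list ACL_CRYPTO_DO extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto map SECMAP 1 match address ACL_CRYPTO_DO
crypto map SECMAP 1 set peer 2.2.2.2
crypto map SECMAP 1 set ikev1 transform-set ESP-3DES-SHA
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key XXXXX
"""
# One crypto map entry line: name, sequence, which reference it sets, and the value.
MAP_RE = r"crypto map (\S+) (\d+) (match address|set peer|set (?:ikev1 )?transform-set) (\S+)$"

def audit_l2l(config, iface="outside", min_psk_len=50):
    """Cross-check the crypto map wiring; returns a list of problems (empty means OK)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    has = lambda pat: any(re.match(pat, l) for l in lines)
    entries, psks, group = {}, {}, None
    for raw in config.splitlines():
        l = raw.strip()
        m = re.match(MAP_RE, l)
        if m:  # remember what each crypto map entry references
            key = {"match address": "acl", "set peer": "peer"}.get(m[3], "ts")
            entries.setdefault((m[1], m[2]), {})[key] = m[4]
        m = re.match(r"tunnel-group (\S+) ipsec-attributes$", l)
        group = m[1] if m else (group if raw.startswith(" ") else None)
        m = re.match(r"(?:ikev1 )?pre-shared-key (\S+)$", l)
        if m and group:  # indented sub-command of the current tunnel-group
            psks[group] = m[1]
    problems = [] if has(rf"crypto (isakmp|ikev1) enable {iface}$") else [f"IKE is not enabled on {iface}"]
    if not entries:
        problems.append("no crypto map entries found")
    for (name, seq), e in entries.items():
        acl, peer, ts = e.get("acl"), e.get("peer"), e.get("ts")
        checks = [
            (not (acl and peer and ts), f"crypto map {name} {seq} lacks match address, peer or transform-set"),
            (acl and not has(rf"access-list {acl} extended permit "), f"crypto ACL {acl} has no permit entry"),
            (ts and not has(rf"crypto ipsec (ikev1 )?transform-set {ts} "), f"transform-set {ts} is not defined"),
            (not has(rf"crypto map {name} interface {iface}$"), f"crypto map {name} is not applied to {iface}"),
            (peer and not has(rf"tunnel-group {re.escape(peer)} type ipsec-l2l$"), f"tunnel-group {peer} type ipsec-l2l is missing"),
            (peer and peer not in psks, f"no pre-shared key configured for peer {peer}"),
            (peer in psks and len(psks[peer]) < min_psk_len, f"pre-shared key for {peer} is shorter than {min_psk_len} characters"),
        ]
        problems += [msg for bad, msg in checks if bad]
    return problems
```

Run it against a copy of the running configuration before testing the tunnel; an empty list means every object the crypto map depends on is present.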

Step 5. Routing

Add a static route to the branch LAN through the outside interface and the gateway provided by the ISP (1.1.1.1):
FW-DELTACONFIG-1(config)#
route outside 192.168.20.0 255.255.255.0 1.1.1.1

Step 6. Avoiding unnecessary translation (NO-NAT)

If the Cisco ASA also provides user access to the Internet (dynamic NAT translates internal addresses to the outside address), you need to exempt from translation the packets that should go through the tunnel to the private IP networks. To do so, add these lines:

For IOS version 8.3 and later
object-group network NET_PRIVATE_IP
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
nat (any,any) source static any any destination static NET_PRIVATE_IP NET_PRIVATE_IP no-proxy-arp description NO-NAT

For IOS version before 8.3
access-list NO-NAT extended permit ip any 10.0.0.0 255.0.0.0
access-list NO-NAT extended permit ip any 192.168.0.0 255.255.0.0
access-list NO-NAT extended permit ip any 172.16.0.0 255.240.0.0
nat (inside) 0 access-list NO-NAT

Without this exemption the tunnel will be established, but packets will not pass through it.

Step 7. Check the VPN tunnel

After creating the mirror configuration on the branch office’s Cisco 881, the next step is to check whether the VPN tunnel works by sending a ping from a workstation in the main office to a workstation at the branch office.

You can check the tunnel with the following commands:

  • Check the active VPN connections with the “show crypto isakmp sa” command

FW-DELTACONFIG-1# sh cry isa sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 2.2.2.2
Type    : L2L             Role    : responder
Rekey   : no              State   : MM_ACTIVE

Any state except (!) MM_ACTIVE means that the VPN is not working. If the tunnel takes more than a minute to establish, check all the configured encryption parameters and make sure they are identical on both VPN peers.
If this command produces no output at all, you are probably missing part of the configuration, for example you did not apply the crypto map to the outside interface.

Important!
Please note that the VPN tunnel does not come up when there is no traffic to be encrypted between two devices.

  • The “show crypto ipsec sa” command gives you the number of packets transmitted and received inside the VPN tunnel. This is the key command for troubleshooting a connection. The information is available only (!) once the tunnel has been established; otherwise the output is empty.

FW-DELTACONFIG-1# sh cry ips sa
interface: outside
/... output cut .../
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.255/0/0)
current_peer: 2.2.2.2
    #pkts encaps: 4748, #pkts encrypt: 4748, #pkts digest: 4748
      #pkts decaps: 4432, #pkts decrypt: 4432, #pkts verify: 4432
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4748, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
/... output cut .../

The line containing “pkts encaps” shows how many packets were encrypted and sent towards the remote office.
The line containing “pkts decaps” shows how many packets were received and decrypted.

  • The “clear crypto isakmp sa” command resets all current VPN tunnels and forces them to re-initialize. The command “clear crypto ipsec sa peer 2.2.2.2” clears the IPsec SAs for that peer, which also resets the counters of transmitted and received packets.
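The checks above can be automated against saved command output. The following Python example, added here and not part of the original article, parses constructed “show crypto isakmp sa” and “show crypto ipsec sa” samples and applies the article's decision rules: no IKE SA at all, a state other than MM_ACTIVE, or an encaps counter that rises while decaps stays at zero.

```python
import re

# Constructed sample outputs shaped like the article's Step 7 listings (not real
# captures): phase 1 is MM_ACTIVE, but the IPsec SA shows packets sent and none received.
ISAKMP_OUT = """\
Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
1   IKE Peer: 2.2.2.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""
IPSEC_OUT = """\
interface: outside
    local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
    current_peer: 2.2.2.2
      #pkts encaps: 4748, #pkts encrypt: 4748, #pkts digest: 4748
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

def isakmp_state(output, peer):
    """IKE state for `peer` from 'show crypto isakmp sa', or None when it has no SA."""
    block = re.search(rf"IKE Peer: {re.escape(peer)}\s(.*?)(?=\n\d+\s+IKE Peer:|\Z)", output, re.S)
    m = block and re.search(r"State\s*:\s*(\S+)", block[1])
    return m[1] if m else None

def ipsec_counters(output, peer):
    """(encaps, decaps) from 'show crypto ipsec sa' for `peer`, or None without an IPsec SA."""
    block = re.search(rf"current_peer: {re.escape(peer)}\s(.*?)(?=\n\s*current_peer:|\Z)", output, re.S)
    found = dict(re.findall(r"#pkts (encaps|decaps): (\d+)", block[1])) if block else {}
    return (int(found["encaps"]), int(found["decaps"])) if len(found) == 2 else None

def diagnose(isakmp_out, ipsec_out, peer):
    """Map both outputs onto the article's troubleshooting rules."""
    state = isakmp_state(isakmp_out, peer)
    if state is None:
        return "no IKE SA: check that the crypto map is applied to outside and that interesting traffic exists"
    if state != "MM_ACTIVE":
        return f"IKE state {state}: make sure the phase-1 parameters and pre-shared key are identical on both peers"
    counters = ipsec_counters(ipsec_out, peer)
    if counters is None:
        return "phase 1 up but no IPsec SA: compare the crypto ACL and transform-set with the remote peer"
    encaps, decaps = counters
    if encaps and not decaps:
        return "one-way: packets encrypted but none received, check the NO-NAT exemption and routing on both sides"
    if not encaps:
        return "nothing encrypted: check the route to the branch LAN and the NO-NAT exemption"
    return "tunnel passing traffic in both directions"
```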

Important!

Don’t forget to save the changes you made to the configuration with the “write” or “copy run start” commands. Otherwise you will lose all changes after the next reload.
FW-DELTACONFIG-1#write
Building configuration...
[OK]

This article was written by Alexey Yurchenko