Tuesday, June 8, 2010

Misc 32

This topology builds on the earlier site-to-site VPN labs; this time one of the endpoints is an ASA. The configuration is similar enough that you won't need any reference if you know how to make use of the context-sensitive help. We'll begin by going through the topology in this example.


In this topology, we'll establish a site-to-site VPN between the LeftOutside router and the ASA. I'll break down the interfaces as follows:
LeftInside
f0/0 - 1.1.1.2

LeftOutside
f0/0 - 1.1.1.1
f0/1 - 2.2.2.1

ASA
e0 - Outside - 2.2.2.2
e1 - Inside - 3.3.3.1

RightInside
f0/0 - 3.3.3.2

All network masks are /24. Suppose that LeftOutside and LeftInside are the HQ, and the ASA and RightInside are the Remote Office. To protect the traffic between the two sites, we'll establish an IPsec tunnel between LeftOutside f0/1 (2.2.2.1) and ASA e0 (2.2.2.2).

For this setup I'll assume that routing is functional on both sides. We'll set up IPsec on the familiar platform first, the IOS router. On LeftOutside (the commands are written out in full here; the usual abbreviations work just as well):
! Phase 1 (ISAKMP/IKE): enable IKE and define the policy
crypto isakmp enable
crypto isakmp policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 5
 lifetime 120
! Pre-shared key for the ASA's outside address (0 = key entered in clear text)
crypto isakmp key 0 cisco address 2.2.2.2
! Phase 2 (IPsec): transform set, crypto ACL and crypto map
crypto ipsec transform-set TRANSFORM esp-aes
ip access-list extended INTERESTING
 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
crypto map MAP 1 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TRANSFORM
 match address INTERESTING
! Apply the map to the interface facing the ASA
interface FastEthernet0/1
 crypto map MAP


Note that I set the lifetime to 120. I usually set it to 60, but the lowest the ASA accepts is 120, so the router has to conform to that; the encryption, hash, authentication and DH group in the ISAKMP policy also have to match what we configure on the ASA. Now we'll set up IPsec on the ASA. The commands are almost the same, with slight variations you can iron out using the context-sensitive help. We'll begin by enabling ISAKMP on the outside interface (on the ASA it is enabled per interface rather than globally):
crypto isakmp enable Outside

Now we'll set up ISAKMP policy 1, matching the router's:
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 120


Next, since authentication is set to pre-shared key, we have to specify the key for the router's outside address. The ASA form drops the key-type keyword (the 0) that the router uses:
crypto isakmp key cisco address 2.2.2.1

Now we'll create a transform set exactly as on the IOS router (it has to match the router's):
crypto ipsec transform-set TRANSFORM esp-aes

Note that esp-aes on its own encrypts the ESP payload but does not authenticate it. Outside a lab, add esp-sha-hmac to the transform set on both sides so the tunnel also has integrity protection.

Then we make an extended access-list permitting traffic from 3.3.3.0/24 to 1.1.1.0/24. Two differences from IOS: the ASA uses subnet masks rather than wildcard masks, and this list has to be the exact mirror image of the router's INTERESTING list (source and destination swapped), or Phase 2 will not negotiate:
access-list INTERESTING extended permit ip 3.3.3.0 255.255.255.0 1.1.1.0 255.255.255.0

Finally we'll bring it together with a crypto map. On the ASA each attribute of map entry 1 is a separate top-level command rather than a line in a sub-mode:
crypto map MAP 1 set peer 2.2.2.1
crypto map MAP 1 set transform-set TRANSFORM
crypto map MAP 1 match address INTERESTING


Now we'll apply the map to the outside interface:
crypto map MAP interface Outside

The tunnel is only built on demand, so send some interesting traffic (ping 3.3.3.2 from LeftInside, for example) and then check show crypto isakmp sa and show crypto ipsec sa on both devices. The ISAKMP SA should show QM_IDLE on the router and MM_ACTIVE on the ASA, and the pkts encaps/decaps counters of the IPsec SA should increase with each ping.
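Most router-to-ASA tunnels that never come up fail on one of three things: a crypto ACL that is not the exact mirror of the other side's, a set peer that is not the far side's outside address, or ISAKMP policies that differ. Here is an added example (my own code, not from this post or from Cisco) that parses both sides' configuration and checks those three points, converting the router's wildcard masks and the ASA's subnet masks to the same network representation before comparing the INTERESTING lists. The two embedded configs are constructed from this post's commands, written out in full and trimmed to the lines the checker reads; the function names are my own.

```python
"""Added example (not from the post): cross-check an IOS router and an ASA site-to-site IPsec config
for the usual tunnel-killers: crypto ACLs that are not mirror images (IOS wildcard vs ASA subnet
masks), 'set peer' not matching the far side's outside address, and ISAKMP policies that differ.
The sample configs below are constructed, expanded from the post's abbreviated commands."""
import ipaddress
import re

IOS_CONFIG = """crypto isakmp policy 1
 encr aes
 hash sha
 authentication pre-share
 group 5
 lifetime 120
ip access-list extended INTERESTING
 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
crypto map MAP 1 ipsec-isakmp
 set peer 2.2.2.2
interface FastEthernet0/1
 ip address 2.2.2.1 255.255.255.0
 crypto map MAP
"""
ASA_CONFIG = """interface Ethernet0
 nameif Outside
 ip address 2.2.2.2 255.255.255.0
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 120
access-list INTERESTING extended permit ip 3.3.3.0 255.255.255.0 1.1.1.0 255.255.255.0
crypto map MAP 1 set peer 2.2.2.1
crypto map MAP interface Outside
"""
POLICY_KEYS = {"encr": "encryption", "auth": "authentication", "life": "lifetime"}  # IOS short forms

def stanzas(config):
    """Split a config into (header, [indented child lines]) pairs, as IOS and ASA print it."""
    out = []
    for line in filter(str.strip, config.splitlines()):
        if line[0].isspace() and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out

def isakmp_policy(config, number=1):
    """Policy parameters keyed by canonical name, e.g. {'encryption': 'aes', 'group': '5', ...}."""
    for head, body in stanzas(config):
        if head == f"crypto isakmp policy {number}":
            return {POLICY_KEYS.get(k, k): v for k, _, v in (l.partition(" ") for l in body)}
    return {}

def wildcard_to_network(addr, wildcard):
    """IOS wildcard -> network, inverting the mask explicitly: 0.0.0.255 -> /24, 0.0.0.0 -> /32.
    (ipaddress' own hostmask guessing would read a 0.0.0.0 wildcard as netmask 0.0.0.0, i.e. /0.)"""
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def crypto_acl(config, name, platform):
    """(src, dst) network pairs of the 'permit ip' entries; 'host'/'any' keywords are not handled."""
    if platform == "ios":  # entries sit indented under the named ACL and use wildcard masks
        lines = [l for h, b in stanzas(config) if h == f"ip access-list extended {name}" for l in b]
        net = wildcard_to_network
    else:  # ASA: one top-level line per entry, with ordinary subnet masks
        lines = [h.split(" extended ", 1)[1] for h, _ in stanzas(config) if h.startswith(f"access-list {name} extended ")]
        net = lambda a, m: ipaddress.ip_network(f"{a}/{m}", strict=False)
    matches = (re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)$", l) for l in lines)
    return [(net(m[1], m[2]), net(m[3], m[4])) for m in matches if m]

def interface_address(config, marker):
    """Address of the first interface whose stanza contains the exact line `marker`, else None."""
    bodies = [b for h, b in stanzas(config) if h.startswith("interface ") and marker in b]
    return next((l.split()[2] for b in bodies for l in b if l.startswith("ip address ")), None)

def map_peer(config, mapname):
    """'set peer' of the crypto map, in the ASA one-line or the IOS indented form, else None."""
    lines = [l for h, b in stanzas(config) if h.startswith(f"crypto map {mapname} ") for l in [h, *b]]
    return next((l.split()[-1] for l in lines if "set peer " in l), None)

def audit(ios, asa, mapname="MAP", acl="INTERESTING"):
    """Mismatches between the two sides as strings; an empty list means they agree."""
    findings = []
    ios_pol, asa_pol = isakmp_policy(ios), isakmp_policy(asa)
    for key in ("encryption", "hash", "authentication", "group", "lifetime"):  # 60 vs 120 s shows up here
        if ios_pol.get(key) != asa_pol.get(key):
            findings.append(f"isakmp {key}: IOS={ios_pol.get(key)} ASA={asa_pol.get(key)}")
    # Each side's 'set peer' must be the address of the far side's crypto-mapped interface.
    nameif = re.search(rf"^crypto map {mapname} interface (\S+)$", asa, re.M)
    asa_out = interface_address(asa, f"nameif {nameif[1]}") if nameif else None
    ios_out = interface_address(ios, f"crypto map {mapname}")
    for side, peer, far in (("IOS", map_peer(ios, mapname), asa_out), ("ASA", map_peer(asa, mapname), ios_out)):
        if peer != far:
            findings.append(f"{side} set peer {peer} is not the far side's outside address {far}")
    # Crypto ACLs must be exact mirror images: IOS (src, dst) == ASA (dst, src).
    ios_pairs = set(crypto_acl(ios, acl, "ios"))
    asa_pairs = {(d, s) for s, d in crypto_acl(asa, acl, "asa")}
    if not ios_pairs or ios_pairs != asa_pairs:
        findings.append(f"crypto ACLs are not mirror images: IOS={sorted(map(str, ios_pairs))}")
    return findings
```

Feed it the output of show running-config from each device; an empty list from audit() means the two sides agree, and each string in a non-empty list names one thing to fix. The wildcard masks are inverted explicitly rather than left to the hostmask guessing in Python's ipaddress module, because a wildcard of 0.0.0.0 (a single host) would otherwise be read as a 0.0.0.0 netmask. The ACL parser only understands the network/mask form used in this lab, not the host or any keywords.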
