IKEv1 IPsec VPN between 2 ASAs

As mentioned in a previous post, IPsec VPNs are used to keep data that is transmitted over a public network between geographically separated devices private and protected against tampering.

In the following topology, the client on the 192.168.10.0/24 network wants to reach the web server on the 192.168.20.0/24 network across 10.0.0.0/8, which represents the public network.


The configuration of the VPN is done in the following steps:

- Configure an ACL that identifies the traffic to be sent over the VPN (the crypto ACL; the peer's crypto ACL must be its exact mirror image)

- Configure the IKEv1 (or IKEv2) phase 1 policy

- Configure the IKEv1 (or IKEv2) phase 2 transform set

- Configure the tunnel group with the peer address and the pre-shared key

- Configure a crypto map and apply it to the outside interface

A few points to keep in mind: the phase 1 policy, the transform set and the pre-shared key must match on both peers, and the crypto ACLs must mirror each other or phase 2 fails with a proxy identity mismatch. "hash sha" in an IKEv1 policy is SHA-1 and "group 2" is 1024-bit Diffie-Hellman; both are legacy choices, so where the ASA software supports it prefer IKEv2 with SHA-256 and DH group 14 or stronger. The key "ciscokey" below is a lab value; use a long random key in production. If NAT is configured on the outside interface, the 192.168.10.0/24 to 192.168.20.0/24 traffic also needs an identity (NAT-exempt) rule so it reaches the crypto map untranslated.

ASA1: ACL configuration.
ASA1(config)#access-list L2L extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
ASA1: IKEV1 phase 1 configuration.
ASA1(config)#crypto ikev1 policy 10
ASA1(config-ikev1-policy)#authentication pre-share
ASA1(config-ikev1-policy)#encryption aes
ASA1(config-ikev1-policy)#hash sha
ASA1(config-ikev1-policy)#group 2
ASA1(config-ikev1-policy)#lifetime 8600
ASA1(config-ikev1-policy)#exit
ASA1(config)#crypto ikev1 enable outside
ASA1: IKEV1 phase 2 configuration.
ASA1(config)#crypto ipsec ikev1 transform-set DATAENC esp-aes esp-sha-hmac
ASA1: tunnel group configuration.
ASA1(config)#tunnel-group 10.2.2.254 type ipsec-l2l
ASA1(config)#tunnel-group 10.2.2.254 ipsec-attributes
ASA1(config-tunnel-ipsec)#ikev1 pre-shared-key ciscokey
ASA1: Crypto Map configuration.
ASA1(config)#crypto map THISMAP 10 match address L2L
ASA1(config)#crypto map THISMAP 10 set peer 10.2.2.254
ASA1(config)#crypto map THISMAP 10 set ikev1 transform-set DATAENC
ASA1(config)#crypto map THISMAP interface outside
ASA2: ACL configuration.
ASA2(config)#access-list L2L extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
ASA2: IKEV1 phase 1 configuration.
ASA2(config)#crypto ikev1 policy 10
ASA2(config-ikev1-policy)#authentication pre-share
ASA2(config-ikev1-policy)#encryption aes
ASA2(config-ikev1-policy)#hash sha
ASA2(config-ikev1-policy)#group 2
ASA2(config-ikev1-policy)#lifetime 8600
ASA2(config-ikev1-policy)#exit
ASA2(config)#crypto ikev1 enable outside
ASA2: IKEV1 phase 2 configuration.
ASA2(config)#crypto ipsec ikev1 transform-set DATAENC esp-aes esp-sha-hmac
ASA2: tunnel group configuration.
ASA2(config)#tunnel-group 10.1.1.254 type ipsec-l2l
ASA2(config)#tunnel-group 10.1.1.254 ipsec-attributes
ASA2(config-tunnel-ipsec)#ikev1 pre-shared-key ciscokey
ASA2: Crypto Map configuration.
ASA2(config)#crypto map THISMAP 10 match address L2L
ASA2(config)#crypto map THISMAP 10 set peer 10.1.1.254
ASA2(config)#crypto map THISMAP 10 set ikev1 transform-set DATAENC
ASA2(config)#crypto map THISMAP interface outside

Configuring Cisco IOS Zone-Based Policy Firewall

Cisco Zone-Based Policy Firewall (ZFW) is the current firewall technology in Cisco IOS. It was introduced in IOS 12.4(6)T and has been extended and hardened considerably since then.

ZFW is configured by creating zones and assigning interfaces to them. A zone defines a boundary: traffic is subjected to policy as it crosses from one zone to another. The default policy between two different zones is to drop all traffic, so nothing flows between zones until a policy is explicitly configured (traffic between interfaces in the same zone is allowed, and traffic between a zone member and an interface that belongs to no zone is dropped). ZFW policy is written in the Cisco Policy Language (CPL). Users familiar with the Cisco IOS Modular QoS CLI (MQC) will recognise the format: class maps select the traffic, policy maps apply the action, and a zone-pair binds a policy map to one direction of traffic.

Before configuring the firewall we must first decide how traffic should flow through it and which traffic it should inspect. In this tutorial: traffic initiated from the Trusted zone towards either of the other zones is allowed, and its return traffic is allowed back; traffic from the Untrusted zone may be initiated towards the DMZ but not towards the Trusted zone; and no traffic may be initiated from the DMZ towards any other zone. We will inspect all TCP, UDP and ICMP traffic from the Trusted zone, and only HTTP/HTTPS traffic from the Untrusted zone towards the DMZ.


The first step is to create the zones, in global configuration mode with the command "zone security". The Trusted zone is the local area network carrying corporate traffic, the Untrusted zone represents the Internet, and the DMZ is the server zone. Let's configure the zones as shown in the topology.

R1(config)#zone security Trusted
R1(config-sec-zone)#zone security Untrusted
R1(config-sec-zone)#zone security DMZ
R1(config-sec-zone)#exit
R1(config)#

Now that the zones exist we assign interfaces to them, in interface configuration mode with the command "zone-member security". An interface can belong to only one zone.

R1(config)#int f0/0
R1(config-if)#zone-member security Untrusted
R1(config-if)#int f1/1
R1(config-if)#zone-member security Trusted
R1(config-if)#int f1/0
R1(config-if)#zone-member security DMZ
R1(config-if)#exit
R1(config)#
After the interfaces are assigned to zones, traffic no longer flows between zones, because of the default policy, until the configuration is finished. Next we configure the class-maps that identify the traffic the ZFW will act on: in global configuration mode, "class-map type inspect" followed by match-all or match-any. The difference matters: match-all requires traffic to satisfy every match statement in the class-map, while match-any requires it to satisfy only one of them. Let's configure one class-map that matches TCP, UDP and ICMP (which covers normal traffic but not other IP protocols such as GRE or ESP) and one that matches only HTTP/HTTPS.

R1(config)#class-map type inspect match-any Trusted2Any
R1(config-cmap)#match protocol icmp
R1(config-cmap)#match protocol udp
R1(config-cmap)#match protocol tcp
R1(config-cmap)#exit
R1(config)#class-map type inspect match-any Untrusted2DMZ
R1(config-cmap)#match protocol http
R1(config-cmap)#match protocol https
R1(config-cmap)#exit
R1(config)#
Next we configure the policy-maps, which apply an action (inspect, pass or drop) to the traffic classified by the class-maps. As in the previous step we configure two policy-maps, one for the Trusted zone and one for the Untrusted zone. "inspect" is stateful: it creates a session entry so that the return traffic of the connection is allowed back without a policy in the reverse direction.

R1(config)#policy-map type inspect Trusted2Any
R1(config-pmap)#class type inspect Trusted2Any
R1(config-pmap-c)#inspect
R1(config-pmap-c)#exit
R1(config-pmap)#exit
R1(config)#policy-map type inspect Untrusted2DMZ
R1(config-pmap)#class type inspect Untrusted2DMZ
R1(config-pmap-c)#inspect
R1(config-pmap-c)#exit
R1(config-pmap)#exit
R1(config)#
The final step is to define the direction of traffic and which policy applies to it. We do this with zone-pairs, which are unidirectional (source zone to destination zone), and a service-policy inside each zone-pair. Traffic in a direction for which no zone-pair exists, such as DMZ to Trusted, is dropped.

R1(config)#zone-pair security Trusted2DMZ source Trusted destination DMZ
R1(config-sec-zone-pair)#service-policy type inspect Trusted2Any
R1(config-sec-zone-pair)#exit
R1(config)#zone-pair security Trusted2Untrusted source Trusted destination Untrusted
R1(config-sec-zone-pair)#service-policy type inspect Trusted2Any
R1(config-sec-zone-pair)#exit
R1(config)#zone-pair security Untrusted2DMZ source Untrusted destination DMZ
R1(config-sec-zone-pair)#service-policy type inspect Untrusted2DMZ
R1(config-sec-zone-pair)#exit
R1(config)#
As stated earlier, to configure Cisco ZFW you create zones and assign interfaces to them. ZFW also has a predefined "special" zone called the self zone, which refers to the router itself, that is, traffic to and from the router's own addresses. Unlike traffic between other zones, traffic to and from the self zone is allowed by default, and caution is needed when applying a policy to it, because a mistake can lock out legitimate management or routing-protocol traffic. In our configuration we can ping any device from the Trusted zone, because that traffic is inspected and allowed. According to our configuration we cannot ping the Trusted zone or the DMZ from the Untrusted zone, but we can still ping the ZFW itself from the Untrusted zone. Knowing this we can configure the ZFW to drop pings aimed at itself from the Untrusted zone.

R1(config)#class-map type inspect match-any Untrusted2Self
R1(config-cmap)#match protocol icmp
R1(config-cmap)#exit
R1(config)#policy-map type inspect Untrusted2Self
R1(config-pmap)#class type inspect Untrusted2Self
R1(config-pmap-c)#drop
R1(config-pmap-c)#exit
R1(config-pmap)#exit
R1(config)#zone-pair security Untrusted2Self source Untrusted destination self
R1(config-sec-zone-pair)#service-policy type inspect Untrusted2Self
R1(config-sec-zone-pair)#exit
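To make the policy above concrete, here is an added Python model of the decisions the ZFW configured in this tutorial makes; it is example code written for this page, not code from the original post or from Cisco. It encodes the zones, interface membership, class-maps, policy-maps and zone-pairs as data and evaluates flows the way the router does: default drop between zones, unidirectional zone-pairs, first matching class wins with an implicit class-default drop, an inspect action creating a session that admits the return traffic, and the self zone allowed until a zone-pair names it. The TRANSPORT table and the flows in walkthrough() are constructed for the example, and sessions are keyed on interfaces and protocol only (a real router keys on addresses and ports as well).

```python
"""Forwarding model of the Cisco IOS Zone-Based Policy Firewall configured above.

Added example for this page, not code from the original post or from Cisco:
the zones, interface membership, class-maps, policy-maps and zone-pairs of
the tutorial are encoded as data, and decide() answers "would ZFW let this
flow through?" the way the router does, including the session that an
'inspect' action creates so return traffic is admitted without a reverse
zone-pair. The TRANSPORT table and the flows in walkthrough() are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# interface -> zone, from the 'zone-member security' commands
ZONE_OF_INTERFACE = {"f0/0": "Untrusted", "f1/1": "Trusted", "f1/0": "DMZ"}

# class-map -> protocols it matches ('match protocol ...', all match-any)
CLASS_MAPS = {
    "Trusted2Any": {"icmp", "udp", "tcp"},
    "Untrusted2DMZ": {"http", "https"},
    "Untrusted2Self": {"icmp"},
}

# policy-map -> ordered (class-map, action); class-default (drop) is implicit
POLICY_MAPS = {
    "Trusted2Any": [("Trusted2Any", "inspect")],
    "Untrusted2DMZ": [("Untrusted2DMZ", "inspect")],
    "Untrusted2Self": [("Untrusted2Self", "drop")],
}

# (source zone, destination zone) -> policy-map, from the zone-pair commands
ZONE_PAIRS = {
    ("Trusted", "DMZ"): "Trusted2Any",
    ("Trusted", "Untrusted"): "Trusted2Any",
    ("Untrusted", "DMZ"): "Untrusted2DMZ",
    ("Untrusted", "self"): "Untrusted2Self",
}

# Constructed: transport each application protocol rides on, so that
# 'match protocol tcp' also catches http the way the router's classifier does.
TRANSPORT = {"http": "tcp", "https": "tcp", "ssh": "tcp", "dns": "udp",
             "tcp": "tcp", "udp": "udp", "icmp": "icmp"}


@dataclass(frozen=True)
class Flow:
    src_if: str    # ingress interface, or "self" when the router originates it
    dst_if: str    # egress interface, or "self" when the router is the target
    protocol: str  # application protocol as the router would classify it


@dataclass
class ZoneFirewall:
    # (ingress, egress, protocol) of sessions created by 'inspect'
    sessions: Set[Tuple[str, str, str]] = field(default_factory=set)

    @staticmethod
    def zone(iface: str) -> Optional[str]:
        return "self" if iface == "self" else ZONE_OF_INTERFACE.get(iface)

    @staticmethod
    def policy_action(policy: str, protocol: str) -> str:
        """First matching class wins; unmatched traffic hits class-default."""
        for cmap, action in POLICY_MAPS[policy]:
            if protocol in CLASS_MAPS[cmap] or TRANSPORT.get(protocol) in CLASS_MAPS[cmap]:
                return f"{action}: class {cmap}"
        return "drop: class-default"

    def decide(self, flow: Flow) -> str:
        # Return traffic of an inspected session needs no zone-pair of its own.
        if (flow.dst_if, flow.src_if, flow.protocol) in self.sessions:
            return "pass: return traffic of inspected session"
        src, dst = self.zone(flow.src_if), self.zone(flow.dst_if)
        if src == dst:                      # same zone, or both interfaces unzoned
            return "pass: same zone"
        if "self" in (src, dst) and (src, dst) not in ZONE_PAIRS:
            return "pass: self zone default"  # router traffic is allowed until a policy names it
        if src is None or dst is None:      # zone member <-> interface in no zone
            return "drop: interface not in a zone"
        if (src, dst) not in ZONE_PAIRS:    # zone-pairs are unidirectional
            return "drop: no zone-pair"
        verdict = self.policy_action(ZONE_PAIRS[(src, dst)], flow.protocol)
        if verdict.startswith("inspect"):
            self.sessions.add((flow.src_if, flow.dst_if, flow.protocol))
        return verdict


def walkthrough():
    """The cases the tutorial discusses, evaluated in order on one firewall."""
    fw = ZoneFirewall()
    cases = [
        ("Trusted -> Untrusted http", Flow("f1/1", "f0/0", "http")),
        ("Untrusted -> Trusted http reply", Flow("f0/0", "f1/1", "http")),
        ("Untrusted -> Trusted ssh", Flow("f0/0", "f1/1", "ssh")),
        ("Untrusted -> DMZ https", Flow("f0/0", "f1/0", "https")),
        ("Untrusted -> DMZ ssh", Flow("f0/0", "f1/0", "ssh")),
        ("DMZ -> Trusted tcp", Flow("f1/0", "f1/1", "tcp")),
        ("Untrusted -> router icmp", Flow("f0/0", "self", "icmp")),
        ("Trusted -> router icmp", Flow("f1/1", "self", "icmp")),
    ]
    return [(name, fw.decide(flow)) for name, flow in cases]


if __name__ == "__main__":
    for name, verdict in walkthrough():
        print(f"{name:32} {verdict}")
```

The order of the cases matters: the HTTP reply from Untrusted is admitted only because the earlier Trusted-initiated flow created a session, while a new SSH connection in the same direction is dropped for lack of a zone-pair.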

Connecting eNSP to GNS3 on Windows 8.x

GNS3, along with UNL, is one of the most used network emulators and allows us to create multi-vendor topologies. Unfortunately there are no Huawei images to use within GNS3, but we can connect Huawei eNSP with GNS3 through the cloud node.

On Windows 8 you can connect Huawei eNSP to the physical network by selecting your physical connection in the cloud configuration; you will then be able to ping the physical address of the host PC, and that's all: you will not be able to ping anything beyond it.

I've seen tutorials on the net where configuring the cloud to use your physical connection is enough to connect Huawei eNSP with GNS3. On Windows 8 things don't work like that.

So to accomplish this we need to create a loopback adapter and connect eNSP and GNS3 through it. If we share the physical connection with the loopback adapter we will then also be able to reach the real network.

The first step is to create the loopback adapter, which we will not cover here; note that you can assign any IP address to it. My loopback adapter is addressed in 192.168.0.0/24, as you can see in the following picture. It is also important to remember the name of your loopback adapter, in my case Ethernet 2.



Next we configure eNSP: drag and drop a cloud, right-click, select settings and configure it as shown in the following picture.


Now we configure GNS3: drag and drop a cloud, right-click, select configure and configure it as shown in the following picture.


And we are ready to ping from one emulator to the other.



Configuring an IPsec VPN tunnel between Cisco routers

Short overview:

The purpose of a VPN is to connect two sites that are geographically apart by creating a logical connection over the wide area network.

IPsec VPNs use encryption (ESP) to keep data private and a keyed hash (HMAC) so that data altered in transit is detected and discarded; the peers authenticate each other during IKE, here with a pre-shared key.

Two things to note about the configuration below. First, "hash md5", "esp-md5-hmac" and "group 2" are legacy choices; Cisco's Next Generation Encryption guidance recommends SHA-256 and DH group 14 or stronger where the platform supports them, and the pre-shared key and lifetimes shown are lab values. Second, the pre-shared key is entered with "crypto isakmp key 0 <key> address <peer>": the 0 means the key that follows is in clear text, whereas 6 tells IOS that the string is already type-6 encrypted and must not be used with a plain key. To store the key encrypted at rest, configure "key config-key password-encrypt" and "password encryption aes" before entering it. As with any IPsec pair, the ISAKMP policy and transform set must match on both routers and the crypto ACLs must be exact mirror images.

Topology:


NorthSite terminates no tunnel in this topology; it only provides connectivity and a route back to 192.168.1.0/24. WestSite and EastSite must each have a route to the other's LAN, because the crypto map on f0/0 only acts on packets that are already being forwarded out of that interface.

NorthSite:
NorthSite(config)# interface FastEthernet 0/0
NorthSite(config-if)# ip add 10.1.1.1 255.0.0.0
NorthSite(config-if)# no shut
NorthSite(config-if)# interface vlan 1
NorthSite(config-if)# ip add 192.168.1.1 255.255.255.0
NorthSite(config-if)# exit
NorthSite(config)# ip route 192.168.2.0 255.255.255.0 10.2.2.2
NorthSite(config)# ip route 192.168.3.0 255.255.255.0 10.3.3.3

WestSite:
WestSite(config)# interface FastEthernet 0/0
WestSite(config-if)# ip add 10.2.2.2 255.0.0.0
WestSite(config-if)# no shut
WestSite(config-if)# interface vlan 1
WestSite(config-if)# ip add 192.168.2.1 255.255.255.0
WestSite(config-if)# exit
WestSite(config)# ip route 192.168.1.0 255.255.255.0 10.1.1.1
WestSite(config)# ip route 192.168.3.0 255.255.255.0 10.3.3.3
WestSite(config)# ip access-list extended VPN-TRAFFIC
WestSite(config-ext-nacl)# permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
WestSite(config-ext-nacl)# exit
WestSite(config)# crypto isakmp policy 1
WestSite(config-isakmp)# authentication pre-share
WestSite(config-isakmp)# encryption aes
WestSite(config-isakmp)# hash md5
WestSite(config-isakmp)# group 2
WestSite(config-isakmp)# lifetime 84600
WestSite(config-isakmp)# exit
WestSite(config)# crypto isakmp key 0 cisco123 address 10.3.3.3
WestSite(config)# crypto ipsec transform-set DATAENC esp-aes 256 esp-md5-hmac
WestSite(cfg-crypto-trans)# exit
WestSite(config)# crypto map WEST-to-EAST 1 ipsec-isakmp
WestSite(config-crypto-map)# set peer 10.3.3.3
WestSite(config-crypto-map)# set transform-set DATAENC
WestSite(config-crypto-map)# match address VPN-TRAFFIC
WestSite(config-crypto-map)# exit
WestSite(config)# int f0/0
WestSite(config-if)# crypto map WEST-to-EAST

EastSite:
EastSite(config)# interface FastEthernet 0/0
EastSite(config-if)# ip add 10.3.3.3 255.0.0.0
EastSite(config-if)# no shut
EastSite(config-if)# interface vlan 1
EastSite(config-if)# ip add 192.168.3.1 255.255.255.0
EastSite(config-if)# exit
EastSite(config)# ip route 192.168.1.0 255.255.255.0 10.1.1.1
EastSite(config)# ip route 192.168.2.0 255.255.255.0 10.2.2.2
EastSite(config)# ip access-list extended VPN-TRAFFIC
EastSite(config-ext-nacl)# permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
EastSite(config-ext-nacl)# exit
EastSite(config)# crypto isakmp policy 1
EastSite(config-isakmp)# authentication pre-share
EastSite(config-isakmp)# encryption aes
EastSite(config-isakmp)# hash md5
EastSite(config-isakmp)# group 2
EastSite(config-isakmp)# lifetime 84600
EastSite(config-isakmp)# exit
EastSite(config)# crypto isakmp key 0 cisco123 address 10.2.2.2
EastSite(config)# crypto ipsec transform-set DATAENC esp-aes 256 esp-md5-hmac
EastSite(cfg-crypto-trans)# exit
EastSite(config)# crypto map EAST-to-WEST 1 ipsec-isakmp
EastSite(config-crypto-map)# set peer 10.2.2.2
EastSite(config-crypto-map)# set transform-set DATAENC
EastSite(config-crypto-map)# match address VPN-TRAFFIC
EastSite(config-crypto-map)# exit
EastSite(config)# int f0/0
EastSite(config-if)# crypto map EAST-to-WEST
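The two site-to-site configurations on this page (the ASA pair in the first post and the WestSite/EastSite routers here) share the same failure modes: a crypto ACL that is not the exact mirror of the peer's, a phase 1 policy or transform set that differs between the peers, and legacy algorithms. The following Python script is an added example written for this page, not part of the original post and not a Cisco tool; it reproduces the crypto lines of both configurations as constructed input and runs those checks over them. The ASA2 and EastSite strings are derived from ASA1 and WestSite by swapping the ACL networks, which is exactly how they differ above.

```python
"""Consistency and strength checks for the IKEv1/IPsec configurations on this page.

Added example, not part of the original post and not a Cisco tool. The
strings below reproduce the crypto lines of the ASA and IOS configs shown
above as constructed input; the checks are the ones otherwise done by eye.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

ASA1 = """\
access-list L2L extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 8600
crypto ipsec ikev1 transform-set DATAENC esp-aes esp-sha-hmac
"""
# ASA2 differs from ASA1 only in the direction of the crypto ACL.
ASA2 = ASA1.replace("permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0",
                    "permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0")

WEST = """\
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 84600
crypto ipsec transform-set DATAENC esp-aes 256 esp-md5-hmac
"""
# EastSite likewise mirrors WestSite's ACL.
EAST = WEST.replace("permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255",
                    "permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255")

# Legacy algorithms per Cisco's Next Generation Encryption guidance.
LEGACY = {
    "encryption": {"des", "3des"},
    "hash": {"md5", "sha"},              # 'hash sha' means SHA-1 on IOS and ASA
    "group": {"1", "2", "5"},            # DH groups below 14
    "transform": {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"},
}

Net = ipaddress.IPv4Network


def phase1_policy(config: str) -> Dict[str, str]:
    """The ISAKMP/IKEv1 policy parameters (must be identical on both peers)."""
    policy = {}
    for line in config.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0] in ("authentication", "encryption", "hash", "group", "lifetime"):
            policy[words[0]] = " ".join(words[1:])
    return policy


def transform_set(config: str) -> List[str]:
    """Transforms named on the 'crypto ipsec ... transform-set NAME ...' line."""
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["crypto", "ipsec"] and "transform-set" in words:
            return words[words.index("transform-set") + 2:]
    return []


def crypto_acl(config: str) -> Set[Tuple[Net, Net]]:
    """(source, destination) of every 'permit ip' line; ASA netmask or IOS wildcard."""
    acl = set()
    for line in config.splitlines():
        m = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)$", line.strip())
        if m:  # ip_network accepts both '/255.255.255.0' and '/0.0.0.255'
            acl.add((ipaddress.ip_network(f"{m[1]}/{m[2]}"),
                     ipaddress.ip_network(f"{m[3]}/{m[4]}")))
    return acl


def acls_mirror(a: str, b: str) -> bool:
    """True when each permit on one peer is the reversed permit on the other."""
    return {(dst, src) for src, dst in crypto_acl(a)} == crypto_acl(b)


def legacy_settings(config: str) -> List[str]:
    found = [f"{k} {v}" for k, v in phase1_policy(config).items() if v in LEGACY.get(k, ())]
    return found + [f"transform-set {t}" for t in transform_set(config) if t in LEGACY["transform"]]


def review(name_a: str, a: str, name_b: str, b: str) -> List[str]:
    """Findings for one peer pair, empty when nothing is wrong."""
    findings = []
    if not acls_mirror(a, b):
        findings.append(f"{name_a}/{name_b}: crypto ACLs are not mirror images")
    if phase1_policy(a) != phase1_policy(b):
        findings.append(f"{name_a}/{name_b}: phase 1 policies differ")
    if transform_set(a) != transform_set(b):
        findings.append(f"{name_a}/{name_b}: transform sets differ")
    for name, cfg in ((name_a, a), (name_b, b)):
        findings += [f"{name}: legacy {s}" for s in legacy_settings(cfg)]
    return findings


if __name__ == "__main__":
    for line in review("ASA1", ASA1, "ASA2", ASA2) + review("WestSite", WEST, "EastSite", EAST):
        print(line)
```

Both pairs on this page pass the mirror and match checks and are flagged only for SHA-1/MD5 and DH group 2; narrowing one side's ACL, for example to a /25, is enough to make acls_mirror() fail, which is the situation behind most "phase 2 never comes up" tickets.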