Network diagram
Lab download
Lab name: Lab 17 - Site to site IPSEC VPN with ASA 5505
Difficulty: Medium
Price: Free
Solution
ASA configuration
Campus network - ASA 5505 IPSEC VPN headend device configuration.
Update 2018-05-09 : Corrected error in "crypto ipsec ikev1" command
interface Vlan1
nameif inside
security-level 100
ip address 172.16.254.254 255.255.255.252
!
interface Vlan2
nameif outside
security-level 0
ip address 134.95.56.17 255.255.255.240
!
object network BRANCH01_NETWORK
subnet 172.16.129.0 255.255.255.0
object network BRANCH_NETWORK
subnet 172.16.128.0 255.255.128.0
object network CAMPUS_NETWORK
subnet 172.16.0.0 255.255.128.0
! PRIVATE_NETWORK is the 172.16.0.0/16 aggregate that covers both CAMPUS_NETWORK and BRANCH_NETWORK
object network PRIVATE_NETWORK
subnet 172.16.0.0 255.255.0.0
!
route outside 172.16.129.0 255.255.255.0 134.95.56.18 1
route inside 172.16.0.0 255.255.128.0 172.16.254.253 1
!
access-list BRANCH01_TRAFFIC extended permit tcp object CAMPUS_NETWORK object BRANCH01_NETWORK
access-list BRANCH01_TRAFFIC extended permit icmp object CAMPUS_NETWORK object BRANCH01_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit tcp object PRIVATE_NETWORK object PRIVATE_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit icmp object BRANCH_NETWORK object CAMPUS_NETWORK
!
!
access-group ENTERPRISE_PRIVATE-TRAFFIC out interface inside
!
crypto ipsec ikev1 transform-set L2L esp-aes esp-sha-hmac
!
crypto map BRANCH1 1 match address BRANCH01_TRAFFIC
crypto map BRANCH1 1 set peer 134.95.56.18
crypto map BRANCH1 1 set security-association lifetime seconds 86400
crypto map BRANCH1 1 set ikev1 transform-set L2L
crypto map BRANCH1 interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
encr aes
authentication pre-share
group 2
!
tunnel-group 134.95.56.18 type ipsec-l2l
tunnel-group 134.95.56.18 ipsec-attributes
ikev1 pre-shared-key SHAREDSECRET
!
The ENTERPRISE_PRIVATE-TRAFFIC access-group is important: it allows the IP traffic from the remote subnets through the firewall to the inside subnets. If this access-list is not configured and applied to the inside VLAN interface, the ASA blocks that traffic.
Branch office n°1 - ASA 5505 remote device configuration
Update 2018-05-09 : Corrected error in "crypto ipsec ikev1" command
interface Vlan1
nameif inside
security-level 100
ip address 172.16.129.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 134.95.56.18 255.255.255.240
!
object network BRANCH01_NETWORK
subnet 172.16.129.0 255.255.255.0
object network BRANCH_NETWORK
subnet 172.16.128.0 255.255.128.0
object network CAMPUS_NETWORK
subnet 172.16.0.0 255.255.128.0
! PRIVATE_NETWORK is the 172.16.0.0/16 aggregate that covers both CAMPUS_NETWORK and BRANCH_NETWORK
object network PRIVATE_NETWORK
subnet 172.16.0.0 255.255.0.0
!
route outside 172.16.0.0 255.255.128.0 134.95.56.17 1
!
access-list PRIVATE_TRAFFIC extended permit tcp object BRANCH01_NETWORK object CAMPUS_NETWORK
access-list PRIVATE_TRAFFIC extended permit icmp object BRANCH01_NETWORK object CAMPUS_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit tcp object PRIVATE_NETWORK object PRIVATE_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit icmp object CAMPUS_NETWORK object BRANCH_NETWORK
!
!
access-group ENTERPRISE_PRIVATE-TRAFFIC out interface inside
!
!
crypto ipsec ikev1 transform-set L2L esp-aes esp-sha-hmac
!
crypto map BRANCH1 1 match address PRIVATE_TRAFFIC
crypto map BRANCH1 1 set peer 134.95.56.17
crypto map BRANCH1 1 set security-association lifetime seconds 86400
crypto map BRANCH1 1 set ikev1 transform-set L2L
crypto map BRANCH1 interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
encr aes
authentication pre-share
group 2
!
tunnel-group 134.95.56.17 type ipsec-l2l
tunnel-group 134.95.56.17 ipsec-attributes
ikev1 pre-shared-key SHAREDSECRET
!
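The campus and branch configurations above only build a tunnel if the settings that IKEv1 negotiates agree on both sides: each crypto map must point at the other side's outside address, the pre-shared key and transform-set must match, and the two crypto ACLs must be exact mirror images (a proxy-ID mismatch is the usual reason Phase 2 fails while Phase 1 shows QM_IDLE). The following Python checker is an added example and not part of the lab solution; it embeds constructed excerpts of the two configs shown above and parses only the command forms this lab uses (object network with subnet, ACEs written as permit PROTO object SRC object DST, one crypto map entry per side). The names parse_asa, flows and check_pair are this example's own.

```python
# Added example: cross-check two ASA IKEv1 L2L configs for the settings that must agree.

# Constructed excerpts of the headend and branch configs shown above (not full configs).
HEADEND_CFG = """
interface Vlan2
 nameif outside
 ip address 134.95.56.17 255.255.255.240
object network BRANCH01_NETWORK
 subnet 172.16.129.0 255.255.255.0
object network CAMPUS_NETWORK
 subnet 172.16.0.0 255.255.128.0
access-list BRANCH01_TRAFFIC extended permit tcp object CAMPUS_NETWORK object BRANCH01_NETWORK
access-list BRANCH01_TRAFFIC extended permit icmp object CAMPUS_NETWORK object BRANCH01_NETWORK
crypto ipsec ikev1 transform-set L2L esp-aes esp-sha-hmac
crypto map BRANCH1 1 match address BRANCH01_TRAFFIC
crypto map BRANCH1 1 set peer 134.95.56.18
crypto map BRANCH1 1 set ikev1 transform-set L2L
tunnel-group 134.95.56.18 ipsec-attributes
 ikev1 pre-shared-key SHAREDSECRET
"""
BRANCH_CFG = """
interface Vlan2
 nameif outside
 ip address 134.95.56.18 255.255.255.240
object network BRANCH01_NETWORK
 subnet 172.16.129.0 255.255.255.0
object network CAMPUS_NETWORK
 subnet 172.16.0.0 255.255.128.0
access-list PRIVATE_TRAFFIC extended permit tcp object BRANCH01_NETWORK object CAMPUS_NETWORK
access-list PRIVATE_TRAFFIC extended permit icmp object BRANCH01_NETWORK object CAMPUS_NETWORK
crypto ipsec ikev1 transform-set L2L esp-aes esp-sha-hmac
crypto map BRANCH1 1 match address PRIVATE_TRAFFIC
crypto map BRANCH1 1 set peer 134.95.56.17
crypto map BRANCH1 1 set ikev1 transform-set L2L
tunnel-group 134.95.56.17 ipsec-attributes
 ikev1 pre-shared-key SHAREDSECRET
"""


def parse_asa(cfg):
    """Extract the L2L-relevant settings from an ASA running-config excerpt."""
    d = {"objects": {}, "acls": {}, "tsets": {}, "psk": {},
         "outside": None, "peer": None, "acl": None, "tset": None}
    obj = nameif = tg = None
    for line in cfg.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if w[0] == "interface":
            nameif = None                      # new interface block: forget the previous nameif
        elif w[0] == "nameif":
            nameif = w[1]
        elif w[:2] == ["ip", "address"] and nameif == "outside":
            d["outside"] = w[2]
        elif w[:2] == ["object", "network"]:
            obj = w[2]
        elif w[0] == "subnet" and obj:
            d["objects"][obj] = (w[1], w[2])   # (network, mask)
        elif w[0] == "access-list" and w[5:6] == ["object"] and w[7:8] == ["object"]:
            d["acls"].setdefault(w[1], []).append((w[4], w[6], w[8]))  # (proto, src, dst)
        elif w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            d["tsets"][w[4]] = tuple(w[5:])
        elif w[:2] == ["crypto", "map"]:
            if w[4:6] == ["match", "address"]:
                d["acl"] = w[6]
            elif w[4:6] == ["set", "peer"]:
                d["peer"] = w[6]
            elif w[4:7] == ["set", "ikev1", "transform-set"]:
                d["tset"] = w[7]
        elif w[0] == "tunnel-group" and w[-1] == "ipsec-attributes":
            tg = w[1]
        elif w[:2] == ["ikev1", "pre-shared-key"] and tg:
            d["psk"][tg] = w[2]
    return d


def flows(d):
    """Crypto ACL entries resolved to (proto, src_subnet, dst_subnet) tuples."""
    o = d["objects"]
    return {(p, o[s], o[t]) for p, s, t in d["acls"].get(d["acl"], [])}


def check_pair(a, b):
    """Return a list of mismatches between two peers; an empty list means they line up."""
    findings = []
    for x, y, side in ((a, b, "first"), (b, a, "second")):
        if x["peer"] != y["outside"]:
            findings.append(f"{side} config: peer {x['peer']} is not the other side's "
                            f"outside address {y['outside']}")
    if a["psk"].get(a["peer"]) != b["psk"].get(b["peer"]):
        findings.append("pre-shared keys differ")
    if a["tsets"].get(a["tset"]) != b["tsets"].get(b["tset"]):
        findings.append(f"transform-sets differ: {a['tsets'].get(a['tset'])} vs {b['tsets'].get(b['tset'])}")
    # Phase 2 proxy IDs must be exact mirror images: every (proto, src, dst) on one side
    # must appear as (proto, dst, src) on the other; the symmetric difference lists strays.
    mirrored = {(p, dst, src) for p, src, dst in flows(b)}
    for entry in sorted(flows(a) ^ mirrored):
        findings.append(f"crypto ACL entry without a mirror on the peer: {entry}")
    return findings


if __name__ == "__main__":
    for f in check_pair(parse_asa(HEADEND_CFG), parse_asa(BRANCH_CFG)) or ["configs are consistent"]:
        print(f)
```

Run it against pasted excerpts of `show running-config` from both firewalls before raising a ticket for a tunnel that will not come up; the mirror check resolves object names to subnets, so it still works when the two sides name their objects differently.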
Check the IPSEC tunnel establishment using show commands
Use the show crypto isakmp sa command to display the Internet Security Association and Key Management Protocol (ISAKMP) security associations (SAs) negotiated between the two firewalls, and the show crypto ipsec sa command to check the IPSEC security associations and monitor the encrypted traffic statistics.
ASA-CAMPUS-VPN#show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 134.95.56.18
Type : L2L Role : Initiator
Rekey : no State : QM_IDLE
There are no IKEv2 SAs
ASA-CAMPUS-VPN#show crypto ipsec sa
interface: outside
Crypto map tag: BRANCH1, seq num: 1, local addr 134.95.56.17
permit tcp object CAMPUS_NETWORK object BRANCH01_NETWORK
local ident (addr/mask/prot/port): (172.16.0.0/255.255.128.0/6/0)
remote ident (addr/mask/prot/port): (172.16.129.0/255.255.255.0/6/0)
current_peer 134.95.56.18
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors 0, #recv errors 0
local crypto endpt.: 134.95.56.17/0, remote crypto endpt.:134.95.56.18/0
path mtu 1500, ip mtu, ipsec overhead 78, media mtu 1500
current outbound spi: 0x6386132D(1669731117)
current inbound spi: 0x04B729EA(1669731117)
inbound esp sas:
spi: 0x04B729EA(79112682)
transform: esp-aes 256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn id: 2007, crypto map: BRANCH1
sa timing: remaining key lifetime (k/sec): (4525504/85906)
IV size: 16 bytes
replay detection support: N
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x6386132D(1669731117)
transform: esp-aes 256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn id: 2008, crypto map: BRANCH1
sa timing: remaining key lifetime (k/sec): (4525504/85906)
IV size: 16 bytes
replay detection support: N
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: BRANCH1, seq num: 1, local addr 134.95.56.17
permit icmp object CAMPUS_NETWORK object BRANCH01_NETWORK
local ident (addr/mask/prot/port): (172.16.0.0/255.255.128.0/1/0)
remote ident (addr/mask/prot/port): (172.16.129.0/255.255.255.0/1/0)
current_peer 134.95.56.18
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors 1, #recv errors 0
local crypto endpt.: 134.95.56.17/0, remote crypto endpt.:134.95.56.18/0
path mtu 1500, ip mtu, ipsec overhead 78, media mtu 1500
current outbound spi: 0x6386132D(1669731117)
current inbound spi: 0x04B729EA(1669731117)
inbound esp sas:
spi: 0x04B729EA(79112682)
transform: esp-aes 256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn id: 2007, crypto map: BRANCH1
sa timing: remaining key lifetime (k/sec): (4525504/85906)
IV size: 16 bytes
replay detection support: N
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x6386132D(1669731117)
transform: esp-aes 256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn id: 2008, crypto map: BRANCH1
sa timing: remaining key lifetime (k/sec): (4525504/85906)
IV size: 16 bytes
replay detection support: N
Anti replay bitmap:
0x00000000 0x00000001
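Reading the show crypto ipsec sa output above by hand is fine for one tunnel, but the counters are what tell you whether traffic is really flowing in both directions: in the output above the tcp entry has decapsulated 6 packets and encapsulated none, while the icmp entry has encapsulated 7, decapsulated none and logged one send error. The following Python script is an added example and not part of the lab; it parses a constructed, trimmed copy of that output into one record per crypto map entry and reports one-way traffic, send/receive errors, anti-replay reported as off, and SAs close to rekey. The names parse_ipsec_sa and assess and the 600-second rekey threshold are this example's own.

```python
import re

# Constructed sample: a trimmed copy of the "show crypto ipsec sa" output shown above.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: BRANCH1, seq num: 1, local addr 134.95.56.17
      permit tcp object CAMPUS_NETWORK object BRANCH01_NETWORK
      local ident (addr/mask/prot/port): (172.16.0.0/255.255.128.0/6/0)
      remote ident (addr/mask/prot/port): (172.16.129.0/255.255.255.0/6/0)
      current_peer 134.95.56.18
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 0
      #send errors 0, #recv errors 0
    inbound esp sas:
      spi: 0x04B729EA(79112682)
         sa timing: remaining key lifetime (k/sec): (4525504/85906)
         replay detection support: N
    outbound esp sas:
      spi: 0x6386132D(1669731117)
         sa timing: remaining key lifetime (k/sec): (4525504/85906)
         replay detection support: N
    Crypto map tag: BRANCH1, seq num: 1, local addr 134.95.56.17
      permit icmp object CAMPUS_NETWORK object BRANCH01_NETWORK
      local ident (addr/mask/prot/port): (172.16.0.0/255.255.128.0/1/0)
      remote ident (addr/mask/prot/port): (172.16.129.0/255.255.255.0/1/0)
      current_peer 134.95.56.18
      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors 1, #recv errors 0
    inbound esp sas:
      spi: 0x04B729EA(79112682)
         sa timing: remaining key lifetime (k/sec): (4525504/85906)
         replay detection support: N
    outbound esp sas:
      spi: 0x6386132D(1669731117)
         sa timing: remaining key lifetime (k/sec): (4525504/85906)
         replay detection support: N
"""

HEADER = re.compile(r"Crypto map tag: (\S+), seq num: (\d+), local addr (\S+)")


def parse_ipsec_sa(text):
    """One record per crypto map entry (each 'Crypto map tag:' block) in the output."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = {"map": m.group(1), "seq": int(m.group(2)), "local": m.group(3), "ace": None,
                   "peer": None, "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0,
                   "replay_off": False, "min_lifetime_sec": None}
            entries.append(cur)
        elif cur is None:
            continue                                  # lines before the first entry (interface:)
        elif line.startswith(("permit ", "deny ")):
            cur["ace"] = line                         # the crypto ACL entry this SA pair serves
        elif line.startswith("current_peer"):
            cur["peer"] = line.split()[-1]
        elif line.startswith("#pkts encaps:"):
            cur["encaps"] = int(re.search(r"encaps: (\d+)", line).group(1))
        elif line.startswith("#pkts decaps:"):
            cur["decaps"] = int(re.search(r"decaps: (\d+)", line).group(1))
        elif line.startswith("#send errors"):
            s, r = re.match(r"#send errors (\d+), #recv errors (\d+)", line).groups()
            cur["send_errors"], cur["recv_errors"] = int(s), int(r)
        elif line.startswith("replay detection support:") and line.endswith("N"):
            cur["replay_off"] = True
        elif line.startswith("sa timing:"):
            secs = int(re.search(r"\(\d+/(\d+)\)", line).group(1))   # seconds left on this SA
            if cur["min_lifetime_sec"] is None or secs < cur["min_lifetime_sec"]:
                cur["min_lifetime_sec"] = secs
    return entries


def assess(entries, rekey_warn_sec=600):
    """Findings a VPN operator would want to see for each crypto map entry."""
    findings = []
    for e in entries:
        tag = f"{e['map']} seq {e['seq']} -> {e['peer']} [{e['ace']}]"
        if e["encaps"] and not e["decaps"]:
            findings.append(f"{tag}: sending only (encaps={e['encaps']}, decaps=0); "
                            "check the peer's crypto ACL and its route back")
        elif e["decaps"] and not e["encaps"]:
            findings.append(f"{tag}: receiving only (decaps={e['decaps']}, encaps=0); "
                            "check the local crypto ACL and the route towards the peer")
        if e["send_errors"] or e["recv_errors"]:
            findings.append(f"{tag}: send errors {e['send_errors']}, recv errors {e['recv_errors']}")
        if e["replay_off"]:
            findings.append(f"{tag}: replay detection reported as off on at least one ESP SA")
        if e["min_lifetime_sec"] is not None and e["min_lifetime_sec"] < rekey_warn_sec:
            findings.append(f"{tag}: SA rekeys in {e['min_lifetime_sec']} s")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_ipsec_sa(SAMPLE_OUTPUT)):
        print(finding)
```

Feed it the raw output of show crypto ipsec sa (for example collected over SSH on a schedule) and diff the encaps/decaps counters between runs; a tunnel whose counters stop moving in one direction is the first sign of a routing or crypto ACL change on the other side.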