Friday, 16 June 2017

ASA FIREWALL VPN CONFIGURATION

An ASA has at least two interfaces, referred to here as outside and inside. Typically, the outside interface is connected to the public Internet, while the inside interface is connected to a private network and is protected from public access. The remote access VPN configured in this page terminates on the outside interface.
To begin, configure and enable two interfaces on the ASA. Assign each one a name, an IP address and a subnet mask. Optionally, configure each interface's security level, speed and duplex setting.
To configure interfaces, perform the following steps, using the command syntax in the examples:

Detailed Steps

Step 1   interface {interface}
Example:
hostname(config)# interface ethernet0
hostname(config-if)#
Enters interface configuration mode from global configuration mode.

Step 2   ip address ip_address [mask] [standby ip_address]
Example:
hostname(config-if)# ip address 10.10.4.200 255.255.0.0
hostname(config-if)#
Sets the IP address and subnet mask for the interface. The optional standby address is used only by the secondary unit of a failover pair.

Step 3   nameif name
Example:
hostname(config-if)# nameif outside
hostname(config-if)#
Specifies a name for the interface (maximum of 48 characters). You cannot change this name after you set it. An interface named inside gets security level 100 by default; any other name gets security level 0 unless you set it explicitly with the security-level command.

Step 4   no shutdown
Example:
hostname(config-if)# no shutdown
hostname(config-if)#
Enables the interface. By default, interfaces are disabled.

Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface

This section describes how to create an IKEv1 (ISAKMP) policy and enable IKEv1 on the outside interface. A policy is the set of phase 1 parameters the ASA is willing to use; the peer must propose a matching set or no tunnel is built.

Detailed Steps

Perform the following steps and use the command syntax in the examples as a guide. The policy parameters are entered in IKEv1 policy configuration mode, which the first command enters.

Step 1   crypto ikev1 policy priority
Example:
hostname(config)# crypto ikev1 policy 1
hostname(config-ikev1-policy)#
Creates the policy and enters IKEv1 policy configuration mode. Priority uniquely identifies the Internet Key Exchange (IKE) policy and sets the order in which policies are tried. Use an integer from 1 to 65,534, with 1 being the highest priority and 65,534 the lowest.
In this example and the steps that follow, the priority is 1.

Step 2   authentication {crack | pre-share | rsa-sig}
Example:
hostname(config-ikev1-policy)# authentication pre-share
Specifies the authentication method to use during IKEv1 negotiation: a pre-shared key, an RSA signature (certificate), or CRACK (Challenge/Response for Authenticated Cryptographic Keys).

Step 3   encryption {aes | aes-192 | aes-256 | des | 3des}
Example:
hostname(config-ikev1-policy)# encryption 3des
Specifies the encryption algorithm for the IKE policy. des and 3des remain only for compatibility with old clients: DES is broken and 3DES is deprecated. Use aes-256 for new deployments.

Step 4   hash {md5 | sha}
Example:
hostname(config-ikev1-policy)# hash sha
Specifies the hash algorithm for the IKE policy (also called the HMAC variant). Do not use md5 for new deployments.

Step 5   group {1 | 2 | 5}
Example:
hostname(config-ikev1-policy)# group 2
Specifies the Diffie-Hellman group for the IKE policy: the key agreement that lets the IPsec client and the ASA establish a shared secret. Groups 1 (768-bit) and 2 (1024-bit) are too small for current use; group 5 (1536-bit) is the strongest of the three offered by this syntax.

Step 6   lifetime seconds
Example:
hostname(config-ikev1-policy)# lifetime 43200
Specifies the IKE security association lifetime: the number of seconds a phase 1 SA exists before it must be renegotiated.
The range for a finite lifetime is 120 to 2147483647 seconds.
0 means an infinite lifetime. Avoid it: a compromised SA key then stays valid until the tunnel is torn down by hand.

Step 7   crypto ikev1 enable interface-name
Example:
hostname(config)# crypto ikev1 enable outside
hostname(config)#
Enables IKEv1 (ISAKMP) on the interface named outside.

Step 8   write memory
Example:
hostname(config)# write memory
Building configuration...
Cryptochecksum: 0f80bf71 1623a231 63f27ccf 8700ca6d
11679 bytes copied in 3.390 secs (3893 bytes/sec)
[OK]
hostname(config)#
Saves the changes to the configuration.

Configuring an Address Pool

The ASA requires a method for assigning IP addresses to remote users. This section uses a local address pool as the example. Use the command syntax in the following example as a guide.

ip local pool poolname first-address-last-address [mask mask]
Example:
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
hostname(config)#
Creates an address pool with a range of IP addresses from which the ASA assigns addresses to the clients.
The address mask is optional. However, you must supply the mask value when the IP addresses assigned to VPN clients belong to a non-standard network and the data could be routed incorrectly if you use the default mask. A typical example is when the IP local pool contains 10.10.10.0/255.255.255.0 addresses: 10.0.0.0 is a Class A network by default, so without an explicit mask the client would treat the whole 10.0.0.0/8 range as directly connected. This causes routing problems when the VPN client needs to reach other subnets within the 10 network over different interfaces.

Adding a User

This section shows how to configure a local username and password. Use the command syntax in the following example as a guide.

username name {nopassword | password password [mschap | encrypted | nt-encrypted]} [privilege priv_level]
Example:
hostname(config)# username testuser password 12345678
hostname(config)#
Creates a user, password, and privilege level. The ASA stores the password as a hash and shows it in the running configuration with the encrypted keyword, but the cleartext you type here is visible on the terminal and in any session log, so use a long random value; 12345678 is a placeholder, not a recommendation. For more than a handful of users, authenticate against an AAA server rather than the local database.

Creating an IKEv1 Transform Set or IKEv2 Proposal

This section shows how to configure a transform set (IKEv1) or proposal (IKEv2), which combines an encryption method and an integrity (authentication) method for the IPsec security association.
Use the command syntax in the following examples as a guide.

To configure an IKEv1 transform set:
crypto ipsec ikev1 transform-set transform-set-name encryption-method [authentication]
Example:
hostname(config)# crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)#
Configures an IKEv1 transform set that specifies the ESP encryption and HMAC algorithms used to protect data confidentiality and integrity.
Use one of the following values for encryption:
esp-aes to use AES with a 128-bit key.
esp-aes-192 to use AES with a 192-bit key.
esp-aes-256 to use AES with a 256-bit key.
esp-des to use 56-bit DES-CBC.
esp-3des to use the triple DES algorithm.
esp-null to not use encryption.
Use one of the following values for authentication:
esp-md5-hmac to use MD5/HMAC-128 as the hash algorithm.
esp-sha-hmac to use SHA/HMAC-160 as the hash algorithm.
esp-none to not use HMAC authentication.
The example above matches the configuration example at the end of this page. For a new deployment use esp-aes-256 esp-sha-hmac: esp-des, esp-3des and esp-md5-hmac are legacy options, and esp-null or esp-none leaves traffic unencrypted or unauthenticated.

To configure an IKEv2 proposal:
crypto ipsec ikev2 ipsec-proposal proposal_name
Then, in proposal configuration mode:
protocol esp {encryption {des | 3des | aes | aes-192 | aes-256 | null} | integrity {md5 | sha-1}}
Example:
hostname(config)# crypto ipsec ikev2 ipsec-proposal secure_proposal
hostname(config-ipsec-proposal)# protocol esp encryption des integrity md5
Configures an IKEv2 proposal that specifies the IPsec protocol, encryption, and integrity algorithms to be used. Several algorithms can be listed on one encryption or integrity line; the ASA and the client then negotiate one of them. The example shows the syntax only: des and md5 are the weakest options listed, so for a new deployment use aes-256 and sha-1, the strongest pair this syntax offers.
esp specifies the Encapsulating Security Payload (ESP) IPsec protocol (currently the only supported protocol for IPsec).
Use one or more of the following values for encryption:
des to use 56-bit DES-CBC encryption for ESP.
3des (default) to use the triple DES encryption algorithm for ESP.
aes to use AES with a 128-bit key for ESP.
aes-192 to use AES with a 192-bit key for ESP.
aes-256 to use AES with a 256-bit key for ESP.
null to not use encryption for ESP.
Use one or more of the following values for integrity:
md5 specifies the MD5 algorithm for ESP integrity protection.
sha-1 (default) specifies SHA-1, defined in the U.S. Federal Information Processing Standard (FIPS), for ESP integrity protection.

Defining a Tunnel Group

This section describes how to configure a tunnel group, which is a set of records that contain tunnel connection policies. You configure a tunnel group to identify AAA servers, specify connection parameters, and define a default group policy. The ASA stores tunnel groups internally.
There are two default tunnel groups in the ASA system: DefaultRAGroup, which is the default remote-access tunnel group, and DefaultL2LGroup, which is the default LAN-to-LAN tunnel group. You can change them but not delete them. The ASA uses these groups to supply default tunnel parameters for remote access and LAN-to-LAN tunnels when no specific tunnel group is identified during tunnel negotiation.
Use the command syntax in the following examples as a guide.

Detailed Steps

Step 1   tunnel-group name type type
Example:
hostname(config)# tunnel-group testgroup type remote-access
hostname(config)#
Creates an IPsec remote access tunnel group (also called a connection profile). remote-access is the type keyword for IPsec and SSL remote access; ipsec-l2l is the keyword for LAN-to-LAN tunnels.

Step 2   tunnel-group name general-attributes
Example:
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-tunnel-general)#
Enters tunnel group general attributes mode, where you can set the address pool and the authentication servers.

Step 3   address-pool [(interface name)] address_pool1 [...address_pool6]
Example:
hostname(config-tunnel-general)# address-pool testpool
Specifies an address pool to use for the tunnel group.

Step 4   tunnel-group name ipsec-attributes
Example:
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-tunnel-ipsec)#
Enters tunnel group ipsec attributes mode, where you can enter IPsec-specific attributes for IKEv1 connections.

Step 5   ikev1 pre-shared-key key
Example:
hostname(config-tunnel-ipsec)# ikev1 pre-shared-key 44kkaol59636jnfx
(Optional) Configures a pre-shared key (IKEv1 only). The key can be an alphanumeric string from 1 to 128 characters.
The keys on the ASA and the client must be identical. If a Cisco VPN Client with a different pre-shared key tries to connect, the client logs an error message indicating that it failed to authenticate the peer. This key is shared by every user of the group and is what authenticates the ASA to the client, so make it long and random, and rotate it when a client device is lost.
Note: Configure AAA authentication for IKEv2 using certificates in the tunnel group webvpn-attributes.

Creating a Dynamic Crypto Map

This section describes how to configure dynamic crypto maps, which define a policy template in which not all parameters have to be configured. Dynamic crypto maps let the ASA accept connections from peers whose IP addresses are not known in advance; remote access clients fall in this category. Because the peer address is unknown, the ASA relies entirely on the authentication configured in the tunnel group (pre-shared key, certificate, or user credentials) to reject unwanted peers.
Dynamic crypto map entries identify the transform set or proposal for the connection. You can also enable reverse route injection, which lets the ASA learn routes for connected clients and advertise them via RIP or OSPF.
Use the command syntax in the following examples as a guide.

Detailed Steps

Step 1   For IKEv1, use this command:
crypto dynamic-map dynamic-map-name seq-num set ikev1 transform-set transform-set-name
Example:
hostname(config)# crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet
hostname(config)#
For IKEv2, use this command:
crypto dynamic-map dynamic-map-name seq-num set ikev2 ipsec-proposal proposal-name
Example:
hostname(config)# crypto dynamic-map dyn1 1 set ikev2 ipsec-proposal FirstSet
hostname(config)#
Creates a dynamic crypto map and specifies an IKEv1 transform set or IKEv2 proposal for the map.

Step 2   crypto dynamic-map dynamic-map-name dynamic-seq-num set reverse-route
Example:
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route
hostname(config)#
(Optional) Enables Reverse Route Injection for any connection based on this crypto map entry.

Creating a Crypto Map Entry to Use the Dynamic Crypto Map

This section describes how to create a crypto map entry that lets the ASA use the dynamic crypto map to set the parameters of IPsec security associations.
In the following examples for this command, the name of the crypto map is mymap, the sequence number is 1, and the name of the dynamic crypto map is dyn1, which you created in the previous section, "Creating a Dynamic Crypto Map."
Use the command syntax in the following examples as a guide.

Detailed Steps

Step 1   crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name
Example:
hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)#
Creates a crypto map entry that uses a dynamic crypto map. Give the dynamic entry the highest sequence number (lowest priority) in the map so that any static LAN-to-LAN entries are matched first.

Step 2   crypto map map-name interface interface-name
Example:
hostname(config)# crypto map mymap interface outside
hostname(config)#
Applies the crypto map to the outside interface. Only one crypto map can be applied to an interface, so every static and dynamic entry for that interface must use the same map name.

Saving the Security Appliance Configuration

After performing the preceding configuration tasks, save your configuration changes as shown in this example:

write memory
Example:
hostname(config)# write memory
Building configuration...
Cryptochecksum: 0f80bf71 1623a231 63f27ccf 8700ca6d
11679 bytes copied in 3.390 secs (3893 bytes/sec)
[OK]
hostname(config)#
Saves the running configuration to the startup configuration in flash. Unsaved changes are lost on reload.

Configuration Examples for Remote Access IPsec VPNs

The following example shows how to configure a remote access IPsec/IKEv1 VPN. It uses the algorithms shown throughout this page (3des, sha, group 2, esp-3des, esp-md5-hmac); substitute aes-256, group 5, esp-aes-256 and esp-sha-hmac for a new deployment.

hostname(config)# interface ethernet0
hostname(config-if)# ip address 10.10.4.200 255.255.0.0
hostname(config-if)# nameif outside
hostname(config-if)# no shutdown
hostname(config-if)# exit
hostname(config)# crypto ikev1 policy 1
hostname(config-ikev1-policy)# authentication pre-share
hostname(config-ikev1-policy)# encryption 3des
hostname(config-ikev1-policy)# hash sha
hostname(config-ikev1-policy)# group 2
hostname(config-ikev1-policy)# lifetime 43200
hostname(config-ikev1-policy)# exit
hostname(config)# crypto ikev1 enable outside
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
hostname(config)# username testuser password 12345678
hostname(config)# crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# tunnel-group testgroup type remote-access
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-tunnel-general)# address-pool testpool
hostname(config-tunnel-general)# exit
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-tunnel-ipsec)# ikev1 pre-shared-key 44kkaol59636jnfx
hostname(config-tunnel-ipsec)# exit
hostname(config)# crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route
hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside
hostname(config)# write memory
The following example shows how to configure a remote access IPsec/IKEv2 VPN. An IKEv2 policy needs an encryption algorithm in addition to the integrity, group, PRF and lifetime settings (aes-256 is used here), the IKEv2 policy lifetime is entered as lifetime seconds, and IKEv2 is enabled on the interface with crypto ikev2 enable. The proposal offers 3des and aes and leaves the integrity algorithm at its default of sha-1.

hostname(config)# interface ethernet0
hostname(config-if)# ip address 10.10.4.200 255.255.0.0
hostname(config-if)# nameif outside
hostname(config-if)# no shutdown
hostname(config-if)# exit
hostname(config)# crypto ikev2 policy 1
hostname(config-ikev2-policy)# encryption aes-256
hostname(config-ikev2-policy)# integrity sha
hostname(config-ikev2-policy)# group 2
hostname(config-ikev2-policy)# prf sha
hostname(config-ikev2-policy)# lifetime seconds 43200
hostname(config-ikev2-policy)# exit
hostname(config)# crypto ikev2 enable outside
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
hostname(config)# username testuser password 12345678
hostname(config)# crypto ipsec ikev2 ipsec-proposal FirstSet
hostname(config-ipsec-proposal)# protocol esp encryption 3des aes
hostname(config-ipsec-proposal)# exit
hostname(config)# tunnel-group testgroup type remote-access
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-tunnel-general)# address-pool testpool
hostname(config-tunnel-general)# exit
hostname(config)# tunnel-group testgroup webvpn-attributes
hostname(config-tunnel-webvpn)# authentication aaa certificate
hostname(config-tunnel-webvpn)# exit
hostname(config)# crypto dynamic-map dyn1 1 set ikev2 ipsec-proposal FirstSet
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route
hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside
hostname(config)# write memory
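The weak algorithm choices discussed in the ISAKMP policy, transform set and tunnel group sections above are easy to overlook in a long running configuration. The following Python script is added here as an illustration; it is not part of the Cisco documentation this page reproduces. It parses the one-space-indented text that show running-config prints and reports the settings a reviewer would reject: DES, 3DES or null encryption, MD5 or missing integrity, Diffie-Hellman groups 1 and 2, an infinite IKE lifetime, a short cleartext local password, and a short IKEv1 pre-shared key. The embedded sample configuration is the IKEv1 example above rewritten in running-config form plus the IKEv2 proposal from the IKEv2 example; the hardened fragment, the length thresholds and the function names (parse_blocks, audit) are this script's own assumptions.

```python
"""Audit an ASA IPsec remote-access configuration for weak crypto and credentials.

Illustration code written for this page; it is not Cisco code and its
thresholds are the script's own assumptions.  Input is the text form that
`show running-config` prints, where sub-mode commands are indented by one
space under their parent command.
"""
import re
from dataclasses import dataclass

# Algorithms this script rejects: DES and MD5 are broken, 3DES is deprecated,
# null/none give no confidentiality or integrity, and DH groups 1 and 2
# (768- and 1024-bit MODP) are below current minimums.  Group 5 is tolerated
# only because it is the largest the IKEv1 syntax on this page offers.
WEAK_ENC = {"des", "3des", "null", "esp-des", "esp-3des", "esp-null"}
WEAK_INTEG = {"md5", "esp-md5-hmac", "esp-none"}
WEAK_DH = {"1", "2"}
HASHED_MARKERS = {"encrypted", "nt-encrypted", "pbkdf2"}  # password already hashed
MIN_PSK_LEN = 20        # script assumption; the ASA itself allows 1-128 characters
MIN_PASSWORD_LEN = 12   # script assumption


@dataclass
class Finding:
    where: str
    reason: str


def parse_blocks(config: str):
    """Yield (parent_command, [sub_mode_commands]) pairs from running-config text."""
    parent, children = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):          # indented line belongs to the current parent
            children.append(raw.strip())
            continue
        if parent is not None:
            yield parent, children
        parent, children = raw.strip(), []
    if parent is not None:
        yield parent, children


def audit(config: str) -> list[Finding]:
    """Return one Finding per weak setting, in configuration order."""
    findings = []
    for parent, children in parse_blocks(config):
        words = parent.split()
        if re.fullmatch(r"crypto ikev[12] policy \d+", parent):
            # IKE phase 1 policy: encryption / hash|integrity|prf / group / lifetime
            for child in children:
                kw, *args = child.split()
                vals = set(args)
                if kw == "encryption" and vals & WEAK_ENC:
                    findings.append(Finding(f"{parent} / {child}", "weak IKE encryption"))
                if kw in ("hash", "integrity", "prf") and vals & WEAK_INTEG:
                    findings.append(Finding(f"{parent} / {child}", f"weak IKE {kw}"))
                if kw == "group" and vals & WEAK_DH:
                    findings.append(Finding(f"{parent} / {child}", "weak Diffie-Hellman group"))
                if kw == "lifetime" and "0" in args:   # "lifetime 0" or "lifetime seconds 0"
                    findings.append(Finding(f"{parent} / {child}", "infinite IKE SA lifetime"))
        elif parent.startswith("crypto ipsec ikev1 transform-set "):
            # crypto ipsec ikev1 transform-set NAME ENCRYPTION [AUTHENTICATION]
            algs = set(words[5:])
            if algs & WEAK_ENC:
                findings.append(Finding(parent, "weak IPsec encryption"))
            integ = {a for a in algs if a.endswith("-hmac") or a == "esp-none"}
            if not integ or integ & WEAK_INTEG:
                findings.append(Finding(parent, "weak or missing IPsec integrity"))
        elif parent.startswith("crypto ipsec ikev2 ipsec-proposal "):
            # protocol esp encryption A [B ...] / protocol esp integrity A [B ...]
            for child in children:
                c = child.split()
                if len(c) >= 4 and c[:2] == ["protocol", "esp"]:
                    if c[2] == "encryption" and set(c[3:]) & WEAK_ENC:
                        findings.append(Finding(f"{parent} / {child}", "weak IPsec encryption offered"))
                    if c[2] == "integrity" and set(c[3:]) & WEAK_INTEG:
                        findings.append(Finding(f"{parent} / {child}", "weak IPsec integrity offered"))
        elif parent.startswith("username ") and "password" in words:
            idx = words.index("password") + 1
            password = words[idx] if idx < len(words) else ""
            if not (set(words) & HASHED_MARKERS) and len(password) < MIN_PASSWORD_LEN:
                findings.append(Finding(parent, "short cleartext local password"))
        elif parent.startswith("tunnel-group ") and parent.endswith(" ipsec-attributes"):
            for child in children:
                c = child.split()
                # A saved config masks the key as *****; only a visible value is measured.
                if c[:2] == ["ikev1", "pre-shared-key"] and len(c) == 3 and not c[2].startswith("*"):
                    if len(c[2]) < MIN_PSK_LEN:
                        findings.append(Finding(f"{parent} / ikev1 pre-shared-key",
                                                f"IKEv1 PSK shorter than {MIN_PSK_LEN} chars"))
    return findings


# Constructed sample: this page's IKEv1 example in running-config form, plus the
# IKEv2 proposal from the IKEv2 example.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 10.10.4.200 255.255.0.0
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto ikev1 enable outside
ip local pool testpool 192.168.0.10-192.168.0.15
username testuser password 12345678
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal FirstSet
 protocol esp encryption 3des aes
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
 address-pool testpool
tunnel-group testgroup ipsec-attributes
 ikev1 pre-shared-key 44kkaol59636jnfx
crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
"""

# Constructed hardened fragment (assumption): the strongest choices this page's
# syntax offers; the password value stands in for an ASA-generated hash.
HARDENED_CONFIG = """\
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
crypto ipsec ikev1 transform-set StrongSet esp-aes-256 esp-sha-hmac
username testuser password uK.Qv1kdyEqeVUz7 encrypted
tunnel-group testgroup ipsec-attributes
 ikev1 pre-shared-key Q7vL2mX9pR4tK8wZ3nB6cH1y
"""

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for f in results:
            print(f"  {f.reason}: {f.where}")
```

Run with python3 and it lists seven findings for the sample (3DES and group 2 in the IKE policy, the eight-character password, esp-3des and esp-md5-hmac in the transform set, 3DES offered by the IKEv2 proposal, and the sixteen-character pre-shared key) and none for the hardened fragment. The parser keys on the one-space indentation the ASA uses for sub-mode commands, so feed it saved show running-config output rather than a terminal transcript with prompts.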

Feature History for Remote Access VPNs

Table 69-1 lists the release history for this feature.

Table 69-1 Feature History for Remote Access VPNs

Feature Name                                  Releases   Feature Information
Remote access VPNs for IPsec IKEv1 and SSL    7.0        Remote access VPNs allow users to connect to a central site through a secure connection over a TCP/IP network such as the Internet.
Remote access VPNs for IPsec IKEv2            8.4(1)     Added IPsec IKEv2 support for the AnyConnect Secure Mobility Client.
