PIX/ASA Static-to-Static IPsec with NAT Configuration
In a previous post, I explained how to configure a Cisco ASA firewall on GNS3. In this post I will show the basic ASA interface configuration and then a site-to-site IPsec IKEv1 VPN configuration between two Cisco ASA firewalls.
Let’s start
We are going to build a Cisco ASA lab environment with a fresh security appliance. If you are working on a production environment, be careful when you apply these settings so that you do not overwrite your existing configuration.
ASA Configuration
If the ASA interfaces are not configured yet, configure at least the IP addresses, interface names (nameif), and security levels:
Configure the ASA Interfaces (main office – Toronto)
!
hostname Toronto
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 170.10.1.1 255.255.255.224
no shutdown
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.10.1 255.255.255.0
no shutdown
!
access-list acl_out extended permit icmp any any
access-list acl_in extended permit icmp any any
access-list acl_in extended permit icmp any any echo-reply
access-list acl_in extended permit icmp any any time-exceeded
access-list acl_in extended permit icmp any any unreachable
access-list acl_in extended permit ip any any
pager lines 24
mtu outside 1500
mtu Inside 1500
arp timeout 14400
global (outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
access-group acl_out in interface outside
access-group acl_in in interface Inside
route outside 0.0.0.0 0.0.0.0 170.10.1.30 1
Configure the ASA Interfaces (branch office – Istanbul)
!
hostname Istanbul
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 170.10.1.2 255.255.255.224
no shutdown
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.10.11.1 255.255.255.0
no shutdown
!
access-list acl_out extended permit icmp any any
access-list acl_in extended permit icmp any any
access-list acl_in extended permit icmp any any echo-reply
access-list acl_in extended permit icmp any any time-exceeded
access-list acl_in extended permit icmp any any unreachable
access-list acl_in extended permit ip any any
pager lines 24
mtu outside 1500
mtu Inside 1500
arp timeout 14400
global (outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
access-group acl_out in interface outside
access-group acl_in in interface Inside
route outside 0.0.0.0 0.0.0.0 170.10.1.30 1
Note: use ping to verify that there is connectivity to both the internal and external networks, and especially to the remote peer that will be used to establish the site-to-site VPN tunnel.
At this stage the PC can successfully ping the inside address of the firewall but fails to ping the remote PC, since there is no tunnel yet.
Static-to-Static IPsec VPN Configuration
After the ASA/PIX firewall initial configuration and connectivity test, we are ready to configure the VPN.
In a point-to-point (site-to-site) VPN topology, two devices communicate directly with each other over the Internet.
To establish a point-to-point VPN topology, you specify two endpoints as peer devices; either of the two devices can initiate the connection.
In this post I will configure the tunnel as a regular IPsec tunnel; in a following post I will configure it with generic routing encapsulation (IPsec/GRE).
In this example, point-to-point IPsec VPNs are used to connect two distant LANs together over the Internet. Private addresses are used on the LANs, which means that without tunneling the two LANs would be unable to communicate with each other.
ASA site 1 (Toronto)
!--- ACL that exempts the LAN-to-LAN traffic from NAT (NAT exemption).
access-list notnat permit ip 192.168.10.0 255.255.255.0 10.10.11.0 255.255.255.0
!--- Bind ACL notnat to NAT rule 0 so the IPsec traffic is not translated.
nat (inside) 0 access-list notnat
!--- The sysopt command lets IPsec-decrypted traffic bypass the interface ACL.
sysopt connection permit-ipsec
!--- Crypto ACL: the interesting traffic to encrypt (must mirror the Istanbul side).
access-list istanbul_vpn permit ip 192.168.10.0 255.255.255.0 10.10.11.0 255.255.255.0
!--- Phase 2 encryption and integrity (transform set).
crypto ipsec transform-set istanbulset esp-aes-256 esp-sha-hmac
crypto map outside_map 1 ipsec-isakmp
crypto map outside_map 1 match address istanbul_vpn
crypto map outside_map 1 set peer 170.10.1.2
crypto map outside_map 1 set transform-set istanbulset
!--- Bind the crypto map to the outside interface.
crypto map outside_map interface outside
!--- Enable ISAKMP (IKEv1) on the outside interface.
isakmp enable outside
!--- Pre-shared key and ISAKMP (phase 1) policy for the Istanbul FW.
isakmp key ITmug123456 address 170.10.1.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 1000
ASA site 2 (Istanbul)
!--- ACL that exempts the LAN-to-LAN traffic from NAT (NAT exemption).
access-list notnat permit ip 10.10.11.0 255.255.255.0 192.168.10.0 255.255.255.0
!--- Bind ACL notnat to NAT rule 0 so the IPsec traffic is not translated.
nat (inside) 0 access-list notnat
!--- The sysopt command lets IPsec-decrypted traffic bypass the interface ACL.
sysopt connection permit-ipsec
!--- Crypto ACL: the interesting traffic to encrypt (must mirror the Toronto side).
access-list toronto_vpn permit ip 10.10.11.0 255.255.255.0 192.168.10.0 255.255.255.0
!--- Phase 2 encryption and integrity (transform set).
crypto ipsec transform-set torontoset esp-aes-256 esp-sha-hmac
crypto map toronto 1 ipsec-isakmp
crypto map toronto 1 match address toronto_vpn
crypto map toronto 1 set peer 170.10.1.1
crypto map toronto 1 set transform-set torontoset
!--- Bind the crypto map to the outside interface.
crypto map toronto interface outside
!--- Enable ISAKMP (IKEv1) on the outside interface.
isakmp enable outside
!--- Pre-shared key and ISAKMP (phase 1) policy for the Toronto FW.
isakmp key ITmug123456 address 170.10.1.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 1000
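Both sides must agree on the same handful of values (peer address, pre-shared key, mirrored crypto ACLs, NAT exemption covering the crypto ACL, transform set, ISAKMP policy), and a mismatch in any of them is the usual reason phase 1 or phase 2 never comes up. The following Python script is an added example, not part of the original post or of any Cisco tool: it retypes the VPN-relevant lines of the two configurations above as constructed input, parses them with regular expressions written only for this post's PIX/ASA syntax, and reports the mismatches. The field names and check messages are my own.

```python
import re

# Constructed example input: the VPN-relevant lines retyped from the post's two
# configurations (only the outside interface address is included on each side).
TORONTO = """
ip address 170.10.1.1 255.255.255.224
access-list notnat permit ip 192.168.10.0 255.255.255.0 10.10.11.0 255.255.255.0
nat (inside) 0 access-list notnat
access-list istanbul_vpn permit ip 192.168.10.0 255.255.255.0 10.10.11.0 255.255.255.0
crypto ipsec transform-set istanbulset esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address istanbul_vpn
crypto map outside_map 1 set peer 170.10.1.2
crypto map outside_map 1 set transform-set istanbulset
isakmp key ITmug123456 address 170.10.1.2 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 1000
"""

ISTANBUL = """
ip address 170.10.1.2 255.255.255.224
access-list notnat permit ip 10.10.11.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list notnat
access-list toronto_vpn permit ip 10.10.11.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto ipsec transform-set torontoset esp-aes-256 esp-sha-hmac
crypto map toronto 1 match address toronto_vpn
crypto map toronto 1 set peer 170.10.1.1
crypto map toronto 1 set transform-set torontoset
isakmp key ITmug123456 address 170.10.1.1 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 1000
"""

# Single-value fields: (pattern, key). Patterns cover only the syntax used in this post.
RULES = [
    (r"ip address (\S+) \S+", "outside_ip"),
    (r"nat \(\S+\) 0 access-list (\S+)", "nat0_acl"),
    (r"crypto map \S+ \d+ match address (\S+)", "crypto_acl"),
    (r"crypto map \S+ \d+ set peer (\S+)", "peer"),
    (r"crypto map \S+ \d+ set transform-set (\S+)", "transform_name"),
]


def parse(cfg):
    """Pull the fields that must agree between the two peers out of one config."""
    d = {"acls": {}, "transforms": {}, "policy": {}}
    for line in cfg.strip().splitlines():
        line = line.strip()
        if m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            # Keep (src, src_mask, dst, dst_mask) in order so it can be mirrored later.
            d["acls"].setdefault(m.group(1), []).append(m.groups()[1:])
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            d["transforms"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"isakmp key (\S+) address (\S+)", line):
            d["psk"], d["psk_peer"] = m.group(1), m.group(2)
        elif m := re.match(r"isakmp policy \d+ (\w+) (\S+)", line):
            d["policy"][m.group(1)] = m.group(2)
        else:
            for pattern, key in RULES:
                if m := re.match(pattern, line):
                    d[key] = m.group(1)
    return d


def mirror(entries):
    """Swap source and destination of every ACE: what the far side must hold."""
    return [(dst, dmask, src, smask) for src, smask, dst, dmask in entries]


def check_pair(a, b):
    """Return the mismatches that would keep phase 1 or phase 2 from coming up."""
    problems = []
    if a.get("peer") != b.get("outside_ip") or b.get("peer") != a.get("outside_ip"):
        problems.append("set peer does not match the remote outside address")
    if a.get("psk") != b.get("psk"):
        problems.append("pre-shared keys differ")
    for side in (a, b):
        if side.get("psk_peer") != side.get("peer"):
            problems.append("isakmp key is bound to a different address than set peer")
        crypto = side["acls"].get(side.get("crypto_acl"), [])
        # NAT exemption must cover exactly the interesting traffic, or it gets PATed.
        if side["acls"].get(side.get("nat0_acl")) != crypto:
            problems.append("NAT exemption ACL does not match the crypto ACL")
    a_crypto = a["acls"].get(a.get("crypto_acl"), [])
    b_crypto = b["acls"].get(b.get("crypto_acl"), [])
    if not a_crypto or mirror(a_crypto) != b_crypto:
        problems.append("crypto ACLs are not mirror images of each other")
    if a["transforms"].get(a.get("transform_name")) != b["transforms"].get(b.get("transform_name")):
        problems.append("IPsec transform sets differ")
    if a["policy"] != b["policy"]:
        problems.append("ISAKMP policies differ")
    return problems


if __name__ == "__main__":
    for p in check_pair(parse(TORONTO), parse(ISTANBUL)) or ["no mismatches found"]:
        print(p)
```

Run as-is it reports no mismatches for the two configurations above; change the key on one side or drop one `nat (inside) 0` line and the corresponding check fires, which is the same comparison you would otherwise do by eye across two `show running-config` outputs.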
With both sides configured, the IPsec tunnel is established and pings across the VPN tunnel from the host PC at each end succeed.
Troubleshoot
Some helpful commands to verify the tunnel state and troubleshoot:
show crypto isakmp sa (phase 1 security association)
show crypto ipsec sa (phase 2 security associations and packet counters)
Good luck!
I hope this post will be useful to you. If you like the post, please don't forget to vote and click the Like button.
Email me at itmug.pro@gmail.com for corrections, additions, or questions.