Configuring Site-to-Site VPNs on ASA Firewalls

In this presentation session, I cover how to configure L2L VPNs on Cisco ASA Firewalls.

  1. Configuring Site-to-Site VPNs on ASA Firewalls. Knowledge Transfer with Kelvin. #NetworkWizkids #LabEveryday
  2. Overview of IPsec L2L VPN
     • Also known as Site-to-Site Virtual Private Networks
     • Allows secure connectivity between private networks over untrusted networks such as the Internet
     • Two phases: Phase 1 (IKEv1/IKEv2) and Phase 2 (IPsec)
     • IKE is used for key management and for negotiating the IPsec Security Associations
     • IPsec provides security for the data traffic:
       • Confidentiality = encryption of data
       • Integrity = ensures data is not modified in transit
       • Authentication = verifies the identity of the sending IPsec device
       • Anti-replay protection = stops an attacker replaying captured traffic, using sequence numbers
     • IPsec uses one of two protocols:
       • Authentication Header (AH), IP protocol 51 (RFC 4302): origin authentication and data integrity, but no confidentiality
       • Encapsulating Security Payload (ESP), IP protocol 50 (RFC 4303): confidentiality, integrity and origin authentication (the RFC makes integrity optional, but ESP should always be configured with an integrity algorithm, as in the transform set later in this deck)
     • AH and ESP support two modes:
       • Tunnel mode: the whole original IP packet is encapsulated; this is what a gateway-to-gateway L2L VPN uses for the interesting traffic
       • Transport mode: protects only the payload, end to end between the two endpoints (normally client to client, but an endpoint can also be a network device)
     #NetworkWizkids YouTube: NetworkWiizkiids Twitter: @iwiizkiid
  3. Reference Points
     • C.I.A Triad Overview: https://blog.cybercbk.co.uk/2016/12/29/cia-triad/
     • Encapsulating Security Payload (ESP), RFC 4303: https://www.ietf.org/rfc/rfc4303.txt
     • Authentication Header (AH), RFC 4302: https://tools.ietf.org/html/rfc4302
     • IKEv2 IPsec Virtual Private Networks, by Graham Bartlett and Amjad Inamdar: https://www.amazon.co.uk/IKEv2-IPsec-Virtual-Private-Networks/dp/1587144603
  4. Lab Topology (diagram not reproduced in this transcript)
  5. Steps & Configuration
     Phase 1 (IKE):
       • Create the IKE policy. Policies are tried in order of priority number, lowest first, so give the strongest policy the lowest number. TIP: HAGLE = Hash, Authentication, Group, Lifetime, Encryption
       • Configure the site-to-site tunnel-group (type ipsec-l2l and the pre-shared key), named after the peer's IP address
       • Enable IKE on the outside (peer-facing) interface
     Phase 2 (IPsec):
       • Configure network objects for the interesting traffic (local and remote subnets)
       • Configure the crypto ACL that the crypto map will reference
       • Configure the IPsec transform set
       • Configure the crypto map (match address, set peer, set transform-set) and apply it to the same outside interface on which IKE is enabled
       • Consider NAT (exempt the VPN traffic from dynamic NAT) and interface security levels
  6. Example Configuration
     Phase 1 (IKE):
       crypto ikev1 policy 1
        authentication pre-share
        encryption aes
        hash sha
        group 2
        lifetime 86400
       tunnel-group 10.0.1.1 type ipsec-l2l
       tunnel-group 10.0.1.1 ipsec-attributes
        ikev1 pre-shared-key cisco
       crypto ikev1 enable outside
     Phase 2 (IPsec):
       object network TB1
        subnet 192.168.1.0 255.255.255.0
       object network TB2
        subnet 192.168.2.0 255.255.255.0
       access-list crypto extended permit ip object TB1 object TB2
       crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
       crypto map cryptomap 10 match address crypto
       crypto map cryptomap 10 set peer 10.0.1.1
       crypto map cryptomap 10 set ikev1 transform-set myset
       crypto map cryptomap 10 set security-association lifetime seconds 86400
       crypto map cryptomap interface outside
       nat (inside,outside) source static TB1 TB1 destination static TB2 TB2 no-proxy-arp route-lookup
     Notes: the crypto map must be applied to the interface that faces the peer and has IKEv1 enabled (outside here); applied to inside, the tunnel never negotiates. The lifetimes are 86400 seconds (24 hours, the ASA default). The pre-shared key "cisco" is a lab value only; in production use a long random key, set identically on both peers. The nat statement is an identity (twice) NAT that exempts TB1-to-TB2 traffic from any dynamic NAT rule, so packets reach the crypto ACL with their real addresses. The peer firewall needs the mirror image: TB2-to-TB1 in its crypto ACL and NAT rule, and this firewall's outside address as its peer and tunnel-group name.
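The two slides above list the settings that make or break an L2L tunnel: the algorithm choices in the IKE policy and transform set, the pre-shared key, and the crypto map landing on the interface where IKE is enabled. The linter below is an added example, not code from the slides or from Cisco; it walks ASA running-config text and flags the weak or inconsistent settings. The WEAK_* sets and MIN_PSK_LEN are this example's own policy assumptions, the two configs are constructed (the first modelled on the slide's lab config, with the crypto map deliberately bound to inside; the second a hardened variant with a placeholder key), and the finding strings are the example's own.

```python
"""Lint a Cisco ASA IKEv1 site-to-site VPN config for weak and inconsistent settings.
Added example, not from the slides. The WEAK_* sets and MIN_PSK_LEN are this
example's own policy assumptions. Feed it 'more system:running-config' output:
'show running-config' masks pre-shared keys as '*****', which is flagged too.
"""
import re

# Constructed sample modelled on the slide's lab config (object/NAT lines omitted,
# they are not inspected), with the crypto map bound to "inside" so that check fires.
SAMPLE_CONFIG = """\
crypto ikev1 policy 1
 encryption aes
 hash sha
 group 2
tunnel-group 10.0.1.1 type ipsec-l2l
tunnel-group 10.0.1.1 ipsec-attributes
 ikev1 pre-shared-key cisco
crypto ikev1 enable outside
access-list crypto extended permit ip object TB1 object TB2
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto map cryptomap 10 match address crypto
crypto map cryptomap 10 set peer 10.0.1.1
crypto map cryptomap 10 set ikev1 transform-set myset
crypto map cryptomap interface inside
"""

# Constructed hardened variant: AES-256, DH group 14, a long placeholder PSK, and
# the crypto map applied to the interface on which IKEv1 is enabled.
HARDENED_CONFIG = """\
crypto ikev1 policy 10
 encryption aes-256
 hash sha
 group 14
tunnel-group 10.0.1.1 ipsec-attributes
 ikev1 pre-shared-key Xq7vR2pL9mT4wZ8bH1kD6sFn
crypto ikev1 enable outside
access-list crypto extended permit ip object TB1 object TB2
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto map cryptomap 10 match address crypto
crypto map cryptomap 10 set ikev1 transform-set myset
crypto map cryptomap interface outside
"""

WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des", "esp-null"}
WEAK_HASH = {"md5", "esp-md5-hmac"}   # SHA-1 is the strongest hash IKEv1 offers on the ASA
WEAK_DH_GROUPS = {"1", "2", "5"}      # everything below 2048-bit MODP (group 14)
MIN_PSK_LEN = 20                      # assumption: local policy
WEAK_PSKS = {"cisco", "password", "secret", "*****"}


def audit_asa_vpn(config: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: list[str] = []
    section = ""                       # enclosing top-level command (ASA indents sub-commands)
    ike_ifaces: set[str] = set()
    acls: set[str] = set()
    map_ifaces: list[tuple[str, str]] = []
    map_acls: list[tuple[str, str]] = []

    for raw in config.splitlines():
        s = raw.strip()
        if not s:
            continue
        if not raw.startswith(" "):
            section = s
        policy = re.match(r"crypto ikev1 policy (\d+)$", section)
        tok = s.split()
        if policy and raw.startswith(" ") and len(tok) > 1:
            kind = {"encryption": WEAK_ENCRYPTION, "hash": WEAK_HASH, "group": WEAK_DH_GROUPS}
            if tok[0] in kind and tok[1] in kind[tok[0]]:
                findings.append(f"ikev1 policy {policy.group(1)}: weak {tok[0]} {tok[1]}")
        elif s.startswith("ikev1 pre-shared-key "):
            psk = s.split(None, 2)[2]
            if psk.lower() in WEAK_PSKS or len(psk) < MIN_PSK_LEN:
                findings.append(f"{section}: weak or masked pre-shared key")
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)", s):
            for alg in m.group(2).split():
                if alg in WEAK_ENCRYPTION or alg in WEAK_HASH:
                    findings.append(f"transform-set {m.group(1)}: weak algorithm {alg}")
        elif m := re.match(r"crypto ikev1 enable (\S+)", s):
            ike_ifaces.add(m.group(1))
        elif m := re.match(r"access-list (\S+) ", s):
            acls.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) \d+ match address (\S+)", s):
            map_acls.append((m.group(1), m.group(2)))
        elif m := re.match(r"crypto map (\S+) interface (\S+)", s):
            map_ifaces.append((m.group(1), m.group(2)))

    # Cross-line checks: these mistakes leave the tunnel down rather than weakly protected.
    for name, iface in map_ifaces:
        if iface not in ike_ifaces:
            findings.append(f"crypto map {name} is bound to {iface} but IKEv1 is enabled on "
                            f"{sorted(ike_ifaces) or 'no interface'}")
    for name, acl in map_acls:
        if acl not in acls:
            findings.append(f"crypto map {name}: crypto ACL {acl} is not defined")
    return findings
```

Calling audit_asa_vpn(SAMPLE_CONFIG) returns three findings (DH group 2, the lab pre-shared key, and the crypto map on inside while IKEv1 is enabled on outside), and audit_asa_vpn(HARDENED_CONFIG) returns an empty list. SHA-1 is deliberately not flagged: on the ASA the IKEv1 policy hash and IKEv1 transform sets offer only MD5 and SHA-1, so moving to SHA-2 means moving to IKEv2 rather than tuning the IKEv1 configuration.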
  7. Configuring a Site-to-Site VPN on ASA Firewalls: Lab Time
