Configuring Site-to-Site VPNs on ASA Firewalls
Knowledge Transfer with Kelvin
#NetworkWizkids #LabEveryday
Overview of IPsec L2L VPN
• Also known as Site-to-Site Virtual Private Networks
• Allows secure connectivity between private networks over untrusted networks such as the Internet
• Two phases: Phase 1 (IKEv1/2) & Phase 2 (IPsec)
• IKE is used for key management and the creation of IPsec Security Associations
• IPsec provides security for data traffic
• IPsec provides the following:
  • Confidentiality = encryption of data
  • Integrity = ensures data isn’t modified in transit
  • Authentication = verifies the identity of the sending IPsec device
  • Anti-replay protection = stops an attacker replaying captured traffic, using sequence numbers
• IPsec makes use of 1 of 2 protocols:
  • Authentication Header (AH), IP protocol 51 (RFC 4302)
    • Origin authentication and data integrity but not confidentiality
  • Encapsulating Security Payload (ESP), IP protocol 50 (RFC 4303)
    • Confidentiality, integrity & optional origin authentication
• AH & ESP support two modes:
  • Tunnel Mode: ESP & AH are applied to interesting traffic that is tunnelled between gateways (gateway-to-gateway security)
  • Transport Mode: ESP & AH protect traffic end-to-end between the endpoints themselves (client to client, though an endpoint can also be a network device)
#NetworkWizkids YouTube: NetworkWiizkiids
Twitter:@iwiizkiid
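The anti-replay bullet above is the one IPsec service whose mechanics fit in a few lines. What follows is an added Python model, not part of the deck, of the RFC 4303 section 3.4.3 receive window and the sender's non-cycling sequence counter, run over a constructed arrival order that includes reordering, a duplicate, a stale packet and a forged copy with a bad ICV.

```python
class ReplayWindow:
    """Receiver-side anti-replay window from RFC 4303 section 3.4.3 (32-bit
    sequence numbers; extended sequence numbers are not modelled). Bit i of
    `bitmap` set means sequence number (top - i) has already been accepted."""

    def __init__(self, size=64):
        if size < 32:                  # RFC 4303: MUST support at least 32, 64 is the default
            raise ValueError("window must be at least 32 packets")
        self.size, self.top, self.bitmap = size, 0, 0

    def classify(self, seq):
        """Preliminary check made before the ICV is verified; does not touch the window."""
        if seq == 0:
            return "invalid"           # the first packet on an SA carries sequence number 1
        if seq > self.top:
            return "new"               # right of the window: accepting it slides the window
        offset = self.top - seq
        if offset >= self.size:
            return "too-old"           # left of the window: dropped and auditable
        return "replay" if (self.bitmap >> offset) & 1 else "in-window"

    def accept(self, seq):
        """Commit seq only after its ICV verified, or a forged packet could move the window."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


class SeqCounter:
    """Sender side: RFC 4303 forbids the counter cycling, so the SA must be re-keyed first."""

    LIMIT = 2**32 - 1

    def __init__(self, start=0):
        self.value = start

    def exhausted(self):
        return self.value >= self.LIMIT

    def next(self):
        if self.exhausted():
            raise RuntimeError("sequence space exhausted: negotiate a new SA")
        self.value += 1
        return self.value


def process(window, packets):
    """packets: (sequence number, ICV verified?) pairs in arrival order; one verdict each."""
    verdicts = []
    for seq, icv_ok in packets:
        verdict = window.classify(seq)
        if verdict in ("new", "in-window"):
            if icv_ok:
                window.accept(seq)
                verdict = "accepted"
            else:
                verdict = "bad-icv"    # dropped, window untouched: the genuine copy can still arrive
        verdicts.append(verdict)
    return verdicts


# Constructed arrival order: reordering, a duplicate, a large jump, packets that
# fell behind the window, and a forged copy (bad ICV) followed by the genuine one.
SAMPLE_ARRIVALS = [(1, True), (2, True), (3, True), (2, True), (70, True), (10, True),
                   (5, True), (6, True), (7, True), (50, False), (50, True)]


def run_sample(size=64):
    return process(ReplayWindow(size), SAMPLE_ARRIVALS)


if __name__ == "__main__":
    for (seq, _), verdict in zip(SAMPLE_ARRIVALS, run_sample()):
        print(f"seq {seq:>3}: {verdict}")
```

Widening the window (run_sample(128)) turns the two "too-old" verdicts into "accepted", which is the trade-off between tolerance for reordering and how long a captured packet stays replayable.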
Reference Points
• C.I.A. Triad Overview
https://blog.cybercbk.co.uk/2016/12/29/cia-triad/
• Encapsulating Security Payload (ESP), RFC 4303
https://www.ietf.org/rfc/rfc4303.txt
• Authentication Header (AH), RFC 4302
https://tools.ietf.org/html/rfc4302
• IKEv2 IPsec VPNs by Graham Bartlett & Amjad Inamdar
https://www.amazon.co.uk/IKEv2-IPsec-Virtual-Private-Networks/dp/1587144603
Lab Topology
Steps & Configuration
Phase 1 IKE
• Create IKE policy (the lowest policy number has the highest priority)
  TIP: HAGLE = Hash – Authentication – Group – Lifetime – Encryption
• Configure S2S tunnel parameters (tunnel-group and pre-shared key)
• Enable IKE on the peer-facing interface
Phase 2 IPsec
• Configure objects for interesting traffic
• Configure the crypto ACL that will be referenced by the crypto map
• Configure IPsec transform set
• Configure crypto maps
• Consider NAT (exempt VPN traffic from translation) and interface security levels
Example Configuration
Phase 1 IKE
! IKEv1 policy (HAGLE), the L2L tunnel-group that holds the PSK, and IKEv1 on the peer-facing interface
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 84600
tunnel-group 10.0.1.1 type ipsec-l2l
tunnel-group 10.0.1.1 ipsec-attributes
 ! "cisco" is the lab key; production tunnels need a long random key that matches on both peers
 ikev1 pre-shared-key cisco
crypto ikev1 enable outside
Phase 2 IPsec
! objects for interesting traffic, the crypto ACL, transform set, crypto map and NAT exemption
object network TB1
 subnet 192.168.1.0 255.255.255.0
object network TB2
 subnet 192.168.2.0 255.255.255.0
access-list crypto extended permit ip object TB1 object TB2
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto map cryptomap 10 match address crypto
crypto map cryptomap 10 set peer 10.0.1.1
crypto map cryptomap 10 set ikev1 transform-set myset
crypto map cryptomap 10 set security-association lifetime seconds 84600
! bind the crypto map to the peer-facing interface, the same one IKEv1 is enabled on
crypto map cryptomap interface outside
! NAT exemption so TB1 <-> TB2 traffic reaches the crypto map untranslated
nat (inside,outside) source static TB1 TB1 destination static TB2 TB2 no-proxy-arp route-lookup
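The procedure above has several places where one reference has to agree with another: the crypto ACL and transform set named in the crypto map must exist, the peer in the crypto map needs a tunnel-group with a pre-shared key, the crypto map must sit on the interface where IKEv1 is enabled, and the interesting traffic needs a NAT exemption. This added audit script (not part of the deck) checks those relationships and flags a default key or a weak DH group; the embedded configuration is the deck's own commands, re-indented as "show running-config" prints them, with the object definitions omitted and the crypto map deliberately left on "inside".

```python
import re

# Constructed sample: the deck's Phase 1 and Phase 2 commands (object definitions
# omitted), indented the way "show running-config" prints sub-commands, with the
# crypto map bound to "inside" so that the audit has a real mismatch to report.
SAMPLE_CONFIG = """\
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 84600
tunnel-group 10.0.1.1 type ipsec-l2l
tunnel-group 10.0.1.1 ipsec-attributes
 ikev1 pre-shared-key cisco
crypto ikev1 enable outside
access-list crypto extended permit ip object TB1 object TB2
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto map cryptomap 10 match address crypto
crypto map cryptomap 10 set peer 10.0.1.1
crypto map cryptomap 10 set ikev1 transform-set myset
crypto map cryptomap 10 set security-association lifetime seconds 84600
crypto map cryptomap interface inside
nat (inside,outside) source static TB1 TB1 destination static TB2 TB2 no-proxy-arp route-lookup
"""
WEAK_IKE_SETTINGS = {"group 1", "group 2", "group 5", "hash md5", "encryption des", "encryption 3des"}
DEFAULT_PSKS = {"cisco", "cisco123", "password"}   # assumed list of lab/default keys


def parse(config):
    """Map each top-level ASA command to its sub-commands (ASA indents those by one space)."""
    tree, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            tree[current].append(raw.strip())
        else:
            current = raw.strip()
            tree.setdefault(current, [])
    return tree


def names(tree, pattern):
    """First capture group of `pattern` for every top-level command that matches it."""
    return {m.group(1) for m in (re.match(pattern, line) for line in tree) if m}


def audit(config):
    """ERROR/WARN findings for an IKEv1 crypto-map site-to-site configuration."""
    tree, findings = parse(config), []
    acls = names(tree, r"access-list (\S+) ")
    ike_ifaces = names(tree, r"crypto ikev1 enable (\S+)")
    l2l_peers = names(tree, r"tunnel-group (\S+) type ipsec-l2l")
    psks = {}
    for parent, children in tree.items():
        tg = re.match(r"tunnel-group (\S+) ipsec-attributes", parent)
        for child in children:
            key = re.match(r"ikev1 pre-shared-key (\S+)", child)
            if tg and key:
                psks[tg.group(1)] = key.group(1)
            if parent.startswith("crypto ikev1 policy") and child in WEAK_IKE_SETTINGS:
                findings.append(f"WARN: {parent}: '{child}' is a weak setting")
    for line in tree:
        if m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            if m.group(1) not in acls:
                findings.append(f"ERROR: {line}: crypto ACL '{m.group(1)}' is not defined")
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            peer = m.group(1)
            if peer not in l2l_peers:
                findings.append(f"ERROR: peer {peer} has no 'tunnel-group {peer} type ipsec-l2l'")
            elif peer not in psks:
                findings.append(f"ERROR: tunnel-group {peer} has no ikev1 pre-shared-key")
            elif psks[peer].lower() in DEFAULT_PSKS or len(psks[peer]) < 16:
                findings.append(f"WARN: pre-shared key for peer {peer} is a default or short value")
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            if m.group(2) not in ike_ifaces:
                findings.append(f"ERROR: crypto map {m.group(1)} is bound to '{m.group(2)}' but IKEv1 "
                                f"is enabled on: {', '.join(sorted(ike_ifaces)) or 'no interface'}")
        elif m := re.match(r"access-list \S+ extended permit ip object (\S+) object (\S+)", line):
            exempt = f"source static {m.group(1)} {m.group(1)} destination static {m.group(2)} {m.group(2)}"
            if not any(l.startswith("nat (") and exempt in l for l in tree):
                findings.append(f"ERROR: no NAT exemption for {m.group(1)} -> {m.group(2)}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Run against a real "show running-config" export the same way; the NAT check only understands the object-pair form of crypto ACL shown in the deck.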
Configuring a Site-to-Site VPN on ASA Firewalls
LAB TIME
