Configuring Site-to-Site IPSec VPN Between Cisco ASA Firewall IOS Version 9.x and Cisco Router

1. Overview

In the previous article we talked about configuring a site-to-site IPSec VPN between a head office and a branch office using two Cisco ASA firewall appliances. Sometimes, however, both sites do not use the same devices.

This article shows how to configure a site-to-site IPSec VPN between a Cisco ASA firewall appliance and a Cisco router.

2. Prerequisites

In this tutorial, it is assumed that:

a. You already have Cisco ASAv on GNS3 VM up and running. If you don't, please follow this link: Configuring Cisco ASAv QCOW2 with GNS3 VM
b. You understand the encryption and authentication that happen in phase 1 and phase 2 of an IPSec VPN.

3. Lab Scenario Set up

The following GNS3 lab network diagram will be used to demonstrate configuring a site-to-site IPSec VPN between a Cisco ASA firewall with IOS version 9.x and a Cisco router.

The Cisco ASA firewall appliance with host name HOFW01 is located in the head office, and the Cisco router with host name BORT01 is located in the branch office. One more router acts as the internet. The following is the IP configuration of each device.

On PC1

PC1> ip 10.10.10.10/24 10.10.10.1

On HOFW01

#int g0/0
   no sh
   ip add 10.10.10.1 255.255.255.0
   security-level 100
   nameif inside
#int g0/1
   no sh
   ip add 203.200.200.2 255.255.255.252
   security-level 0
   nameif outside
#policy-map global_policy
   class inspection_default
      inspect icmp
      inspect icmp error

On Internet router

#int f0/0
   no sh
   ip add 203.200.200.1 255.255.255.252
#in f0/1
   no sh
   ip add 117.168.100.1 255.255.255.252

On BORT01

#int f0/0
   no sh
   ip add 172.16.20.1 255.255.255.0
#in f0/1
   no sh
   ip add 117.168.100.2 255.255.255.252

On PC2

PC2> ip 172.16.20.10/24 172.16.20.1

4. IPSec VPN Site-to-Site Form

The following is the information that will be used in the site-to-site IPSec VPN configuration.

Firewall Type      Head Office      Branch Office
Manufacturer       Cisco            Cisco
Model              ASA 5555-X       Router
Version            9.4              12.4(15)T13

Configuration                                Head Office                               Branch Office
Phase 1
  IKE Encryption Algorithm                   3DES                                      3DES
  IKE Hash Algorithm                         SHA-1                                     SHA-1
  IKE Security Lifetime                      86400                                     86400
  Diffie-Hellman Group                       2                                         2
  Pre-shared key                             vpn@Ho2Bo                                 vpn@Ho2Bo
Phase 2
  IPSEC Security Protocol                    ESP                                       ESP
  IPSEC Encryption Algorithm                 3DES                                      3DES
  IPSEC Hash Algorithm                       MD5                                       MD5
  IPSEC Security Lifetime (Optional)         14400 / 28800 (default) / 86400 / Other   14400 / 28800 (default) / 86400 / Other
  Perfect Forward Secrecy (PFS) (Optional)   PFS: No / Yes; Group: 2 (default) / 5 / 7   PFS: No / Yes; Group: 2 (default) / 5 / 7

IP Addressing      Head Office      Branch Office
Peer IP address    203.200.200.2    117.168.100.2
Local IP address   10.10.10.10/32   172.16.20.10/32

5. Configuration

5.1 Configure Default Route

Apply the following default route configuration.

On HOFW01

#route outside  0 0 203.200.200.1

On BORT01

#ip route 0.0.0.0 0.0.0.0 117.168.100.1

Now HOFW01 and BORT01 should be able to ping each other's public IP address.

5.2 Set Up ISAKMP Policy

Configure IKE to negotiate a security association (SA) with the peer. This establishes the encrypted control channel between the two VPN endpoints. Apply the following commands.

On HOFW01

#crypto ikev1 policy 1
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400

On BORT01

#crypto isakmp policy 1
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400

5.3 Create IPSec Transform Set

Next we need to create a transform set, which establishes the encryption and authentication used for the IPSec tunnel. Apply the following configuration on HOFW01 to create a transform set named "HO-TRSET01-3DES-MD5".

#crypto ipsec ikev1 transform-set HO-TRSET01-3DES-MD5 esp-3des esp-md5-hmac

Apply the following configuration on BORT01 to create a transform set named "BO-TRSET01-3DES-MD5".

#crypto ipsec transform-set BO-TRSET01-3DES-MD5 esp-3des esp-md5-hmac

5.4 Create ACL For VPN Tunnel

An ACL must be created to match the traffic that will go through the IPSec VPN tunnel.

Create the following ACL on HOFW01.

#object-group network HO-Server
   network-object host 10.10.10.10
#object-group network BO-Server
   network-object host 172.16.20.10
#access-list ACL-HO2BO extended permit ip object-group HO-Server object-group BO-Server

Create the following ACL on BORT01.

#ip access-list extended ACL-BO2HO
   permit ip host 172.16.20.10 host 10.10.10.10

5.5 Create VPN Tunnel Group

Create a tunnel group for the site-to-site IPSec VPN connection. Pre-shared key authentication is configured here.

On HOFW01

#tunnel-group 117.168.100.2 type ipsec-l2l
#tunnel-group 117.168.100.2 ipsec-attributes
  ikev1 pre-shared-key vpn@Ho2Bo

On BORT01

#crypto isakmp key 0 vpn@Ho2Bo address 203.200.200.2

5.6 Configure and Apply Crypto Map

Now we come to the final step: configure the crypto map that combines the IPsec transform set, access list, and tunnel group from the previous steps for this specific VPN peer, and apply it to the interface connected to the internet.

The following are the commands to be executed.

On HOFW01

#crypto map HO-VPN 1 match address ACL-HO2BO
#crypto map HO-VPN 1 set peer 117.168.100.2
#crypto map HO-VPN 1 set ikev1 transform-set HO-TRSET01-3DES-MD5
#crypto map HO-VPN interface outside
#crypto ikev1 enable outside

On BORT01

#crypto map BO-VPN 1 ipsec-isakmp
  set peer 203.200.200.2
  set transform-set BO-TRSET01-3DES-MD5
  match address ACL-BO2HO
#interface FastEthernet0/1
  crypto map BO-VPN
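As an added example (not part of the original article), the following Python script parses the phase 1 policy, transform-set and peer lines of both sides exactly as configured above and reports any value that differs, which is the usual reason a tunnel never comes up. The configuration strings are constructed from this article, and the two public addresses passed to check_peers are the outside interface addresses from section 3.

```python
import re
# Constructed from the article's configuration of both peers, not a live device dump.
HOFW01_CFG = """
crypto ikev1 policy 1
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
crypto ipsec ikev1 transform-set HO-TRSET01-3DES-MD5 esp-3des esp-md5-hmac
crypto map HO-VPN 1 set peer 117.168.100.2
"""
BORT01_CFG = """
crypto isakmp policy 1
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
crypto ipsec transform-set BO-TRSET01-3DES-MD5 esp-3des esp-md5-hmac
crypto map BO-VPN 1 ipsec-isakmp
  set peer 203.200.200.2
"""
POLICY_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")

def parse_peer(cfg):
    """Collect phase 1 policy values, phase 2 transforms and the peer address."""
    out = {"phase1": {}, "phase2": frozenset(), "peer": None}
    for line in (raw.strip() for raw in cfg.splitlines()):
        words = line.split()
        if words and words[0] in POLICY_KEYS:
            out["phase1"][words[0]] = words[1]
        elif m := re.match(r"crypto ipsec (?:ikev1 )?transform-set \S+ (.+)", line):
            out["phase2"] = frozenset(m.group(1).split())
        elif m := re.search(r"\bset peer (\S+)", line):
            out["peer"] = m.group(1)
    return out

def check_peers(a, b, a_public_ip, b_public_ip):
    """Return mismatches that would stop negotiation; an empty list means they agree."""
    issues = []
    for key in POLICY_KEYS:
        if a["phase1"].get(key) != b["phase1"].get(key):
            issues.append(f"phase 1 {key}: {a['phase1'].get(key)} vs {b['phase1'].get(key)}")
    if a["phase2"] != b["phase2"]:
        issues.append(f"phase 2 transforms: {sorted(a['phase2'])} vs {sorted(b['phase2'])}")
    # Each side's 'set peer' must name the other side's public (outside) address.
    if a["peer"] != b_public_ip or b["peer"] != a_public_ip:
        issues.append(f"peer addresses: {a['peer']} and {b['peer']}")
    return issues
```

Run check_peers(parse_peer(HOFW01_CFG), parse_peer(BORT01_CFG), "203.200.200.2", "117.168.100.2") and an empty list confirms the two sides agree; a hash or transform mismatch is reported with both values side by side.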

5.7 Test and Verify the Configuration

To bring up the site-to-site IPSec VPN tunnel, we need to ping the IP address of a host in the remote site. Let's test by pinging from PC1 in the head office to PC2 in the branch office.

Once the ping to the host on the remote site succeeds, the IPSec VPN tunnel should be up and running. We can verify it with the following command on HOFW01.

#sh vpn-sessiondb detail l2l filter ipaddress 117.168.100.2

*** 10 is the IPSec security lifetime. Even though we did not configure the value of 3600, it comes by default. We can change it; check section 5.8 below for how.

And with the following command on BORT01.

#sh crypto session

5.8 IPSec Security Lifetime and PFS (Optional)

IPSec security lifetime and PFS are optional; without them the VPN tunnel is still up and running. If they are required, the following are the commands to configure them.

On HOFW01

#crypto map HO-VPN 1 set security-association lifetime seconds 86400
#crypto map HO-VPN 1 set pfs

On BORT01

#crypto map BO-VPN 1 ipsec-isakmp
   set pfs group2
   set security-association lifetime seconds 86400

5.9 IPSec VPN With Dynamic NAT on Cisco Router

Normally, dynamic NAT is configured on the Cisco router to provide internet access to all computers in the local area network (LAN).

#int f0/0
     ip nat inside
#int f0/1
     ip nat outside
#ip access-list extended ACL-DNAT
     permit ip 172.16.20.0 0.0.0.255 any
#ip nat inside source list ACL-DNAT interface f0/1 overload

In this case, we need to configure the router not to NAT the IPSec VPN traffic, otherwise the VPN tunnel would not come up. This is done with a deny statement at the top of the NAT ACL.

#ip access-list extended ACL-DNAT
     9 deny ip host 172.16.20.10 host 10.10.10.10
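To see why the position of the deny entry matters, here is an added example (not from the original article) in Python that evaluates the NAT ACL the way IOS does: first match wins in sequence-number order, with the implicit deny at the end. The ACL text and the test addresses are constructed; 198.51.100.7 stands in for any internet host.

```python
import ipaddress
import re

# Constructed from section 5.9 above (not a live device dump). IOS auto-numbers
# the first entry 10, so the explicit sequence 9 places the deny ahead of it.
ACL_DNAT = """
ip access-list extended ACL-DNAT
   9 deny ip host 172.16.20.10 host 10.10.10.10
   10 permit ip 172.16.20.0 0.0.0.255 any
"""

def _take_addr(tokens):
    """Consume one IOS address spec ('any', 'host A', 'A WILDCARD'); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # A wildcard mask is the bitwise inverse of a subnet mask (0.0.0.255 -> /24).
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_acl(text):
    """Return [(seq, action, src_net, dst_net)] in the order the router evaluates them."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(?:(\d+)\s+)?(permit|deny)\s+ip\s+(.+)", line)
        if not m:
            continue  # the 'ip access-list' header and blank lines
        # Unnumbered entries get highest-existing + 10, as IOS does.
        seq = int(m.group(1)) if m.group(1) else (max(e[0] for e in entries) + 10 if entries else 10)
        src, rest = _take_addr(m.group(3).split())
        dst, _ = _take_addr(rest)
        entries.append((seq, m.group(2), src, dst))
    return sorted(entries, key=lambda e: e[0])

def nat_applies(acl, src_ip, dst_ip):
    """True if the packet hits a permit (translated); deny or no match means not translated."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _seq, action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

if __name__ == "__main__":
    acl = parse_acl(ACL_DNAT)
    # VPN traffic toward the head-office server keeps its real address...
    print(nat_applies(acl, "172.16.20.10", "10.10.10.10"))   # False
    # ...while ordinary internet-bound traffic from the LAN is still translated.
    print(nat_applies(acl, "172.16.20.10", "198.51.100.7"))  # True
```

Feed the same function the original ACL from the start of this section (the permit alone) and the VPN host pair is translated, which is exactly what stops it from matching the crypto ACL.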

6. Conclusion

Now you should be able to configure a site-to-site IPSec VPN between a Cisco ASA firewall appliance with IOS version 9.x and a Cisco router. It would be great if you could practice with GNS3 VM to verify your understanding. If you have any questions or suggestions you can always leave your comments below. I will try my best to review and reply to them.
