Friday, 23 March 2012

How to configure site-to-site VPN tunnel using ASA?

Site-to-Site secure VPN tunnel using the ASA (Adaptive Security Appliances) enables an encrypted connection between private networks over a public network such as the internet. 
Basic steps for VPN Configuration: 
1- First define the ISAKMP Policy.
For example:
  •  Authentication
  • Hash
  • Encryption
  • Group
2- Establish IPsec transform set.
For example:
 Ã‚·  Esp-des
  • Esp-md5-hmac
  • Esp-aes
  • Asp-sha-hmac
3- Configure crypto access list.
For example:         Define interesting traffics
4- Configure crypto map
     Used to verify the previously defined parameters 
5- Now apply crypto map on the outside interface.
     Used to verify the outgoing interface traffic
Configuration of ASA on side A 
First defined the IKE polices on ASA-A 
ASA-A(config)#crypto isakmp policy 10
(10 is isakmp policy number) 
ASA-A(config-isakmp)#encryption des 
(enable encryption des) 
ASA-A(config-isakmp)#hash md5
(enable algorithm md5 for hashing) 
ASA-A(config-isakmp)#authentication pre-share
(enable Pre-shared method)
ASA-A(config-isakmp)#group 2   
(enable diffie-Helman group 2)    
ASA-A(config-isakmp)#exit  
(Exit from crypto isakmp mode)
  • The next step is to create a pre-shared key (password) on ASA - A.
ASA-A(config)#crypto isakmp key office address 20.1.1.20
(Here Key is "office" and 20.1.1.20 is ASA - B Address)
  • Now create an access list to define only interesting traffic.
ASA-A(config)#access-list 100 permit ip host 20.1.1.10 host 20.1.1.20
(100 is access list number and 20.1.1.10 is source address and 20.1.1.20 is destination address.) 
  • Now create the transform-set for encryption and hashing.
ASA-A(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac
(Here encryption type is des and hashing technique is md5-hmac)
ASA-A(config)#crypto map imap 10 ipsec-isakmp 
(crypto map name imap
ASA-A(config)# crypto map imap 10 match address 100   
(apply the access list)
ASA-A(config)# crypto map imap 10 set transform-set ts2
(apply the transform set) 
ASA-A(config)# crypto map imap 10 set peer 20.1.1.20 
(Set remote peer address)
  • Now apply the crypto map to the ASA - A interface
ASA-A(config)# crypto map imap interface outside
 (Apply crypto map on outside interface)
ASA-A(config)# crypto isakmp enable outside
(To enable crypto isakmp on ASA)
 
Configuration of ASA on side B 
First defined the IKE polices on ASA-B 
ASA-B(config)#crypto isakmp policy 10
(10 is isakmp policy number) 
ASA-B(config-isakmp)#encryption des 
(enable encryption des) 
ASA-B(config-isakmp)#hash md5
(enable algorithm md5 for hashing) 
ASA-B(config-isakmp)#authentication pre-share
(enable Pre-shared method)
ASA-B(config-isakmp)#group 2   
(enable diffie-Helman group 2)    
ASA-B(config-isakmp)#exit  
(Exit from crypto isakmp mode)
  • The next step is to create a pre-shared key (password) on ASA - B.
ASA-B(config)#crypto isakmp key office address 20.1.1.10
(Here Key is "office" and 20.1.1.10 is ASA - A Address)
  • Now create an access list to define only interesting traffic.
ASA-B(config)#access-list 100 permit ip host 20.1.1.20 host 20.1.1.10
(100 is access list number and 20.1.1.20 is source address and 20.1.1.10 is destination address.) 
  • Now create the transform-set for encryption and hashing.
ASA-B(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac
(Here encryption type is des and hashing technique is md5-hmac)
ASA-B(config)#crypto map imap 10 ipsec-isakmp 
(crypto map name imap
ASA-B(config)# crypto map imap 10 match address 100   
(apply the access list)
ASA-B(config)# crypto map imap 10 set transform-set ts2
(apply the transform set) 
ASA-B(config)# crypto map imap 10 set peer 20.1.1.10 
(Set remote peer address)
  • Now apply the crypto map to the ASA - B outside interface
ASA-B(config)# crypto map imap interface outside 
(Apply crypto map on outside interface)
ASA-B(config)# crypto isakmp enable outside
(To enable crypto isakmp on ASA) 
Now to verify the secure tunnel, ping to other remote location. 
ASA-B(config)# ping 20.1.1.10

Thanks & regards,

"Remember Me When You Raise Your Hand For Dua"
Raheel Ahmed Khan
System Engineer
send2raheel@yahoo.com
send2raheel@engineer.com
sirraheel@gmail.com
send2raheel (skype id)

My Blog Spot
http://raheel-mydreamz.blogspot.com/
http://raheeldreamz.wordpress.com/

My Face book pages
http://www.facebook.com/pages/My-Dreamz-Rebiuld-our-nation/176215539101271    @[176215539101271:0]    
http://www.facebook.com/pages/Beauty-of-islam/223983470988333?sk=wall            @[223983470988333:0]               
http://www.facebook.com/pages/Health-is-wealth/289486761065829?sk=wall            @[289486761065829:0]

No comments:

Post a Comment

what is Juice Jacking SCAM

  Juice Jacking is a cybersecurity threat that occurs when cybercriminals manipulate public charging stations, such as USB charging ports in...