Cisco ASA Site-to-Site VPN Configuration (Command Line): Cisco ASA Training 101

Captions
Hi, this is Don Crawley from soundtraining.net. Today I'm going to show you how to configure a site-to-site VPN using two Cisco ASA security appliances. You use a site-to-site VPN when you have, say, two offices in different locations and you want an always-on connection between them. In the past you might have leased a dedicated line, but today you usually just set up a VPN link such as what you're presently seeing on screen. This video is based on chapter 8 in my book, The Accidental Administrator: Cisco ASA Security Appliance Step-by-Step Configuration Guide, second edition. You can follow along by purchasing a copy at www.soundtraining.net/bookstore. I also have a free document available for you to download with the actual configs and companion network diagram at www.soundtraining.net (the "l-l VPN configs" download). It does require registration, but there's no cost.

I'm going to use the network diagram you're seeing now for the following configuration. You might want to pause the video for a moment and study the diagram. I'll be working on ASA01; ASA02 has already been configured.

Okay, so let's go ahead and get started. Now, we've already configured the other firewall on the other end of the connection, so we're just going to be dealing with this one. But let's start a ping, a continuous ping, to the other PC. This PC is located on the inside subnet on the other side of the other firewall, and by setting a continuous ping we'll be able to see as soon as the tunnel comes up and we have successfully configured the VPN tunnel. So we'll do ping 192.168.102.6 with a -t; that makes it a continuous ping. You should probably know, and as you can expect, the ping will fail because we haven't done the tunnel setup yet.

So now let's go to our ASA and we'll start configuring the tunnel. First of all we need to go into configuration mode, so config t. Now we're going to enable ISAKMP on the outside interface; ISAKMP is the handshake part of the configuration. So we'll do crypto isakmp enable outside.

Now we're gonna do a couple of preliminary steps. First of all, we're going to set up our network objects to identify our inside subnet and our partner's inside subnet, the local and the remote inside subnet. We'll also configure an access control list to identify and permit the traffic flows from our inside subnet to the remote inside subnet, and we're going to configure the tunnel groups as well.

So let's start by configuring the network objects: object network net-local. net-local is just a text string that I use; it's a name. I prefer to give them descriptive names so that I can look at a configuration later and immediately know what it's all about. We'll do subnet and we'll put in our subnet, which is 192.168.101.0; we have to put a mask with it, 255.255.255.0. Next we'll do the remote subnet; this is the subnet on the inside network connected to the other firewall. So object network net-remote, again just a text string, a name that I chose to give it, and subnet 192.168.102.0 with the same 24-bit mask. And there we go. I'll type exit just to come out of it; not necessary for the configuration, but it does make it easier to see as we go through the configs.

Next we've got to build our access control list. This access control list is used to identify and permit the traffic flows from our inside subnet to our partner's inside subnet. If you're not familiar with Cisco ASA access control list syntax, how they're built, please take a look at our video; we have another video on our YouTube channel or on our website at soundtraining.net. Then come back to this one. So here we go with setting up the access control list: access-list outside_1_cryptomap permit ip, traffic from the network identified in object net-local going to the destination identified in object net-remote. And that's our access control list.

Next we've got to set up the tunnel group. One thing to think about: access control lists are inside-to-inside, that is, our inside network to our partner's inside network. Tunnel groups and peers are outside-to-outside, so we're going to be connecting to our peer's outside interface and referencing our peer's outside interface. You'll see what I mean as we go through it. So let's go ahead and set up the tunnel group: tunnel-group 192.168.0.1 (the outside address), and we have to specify the type of IPsec tunnel, so it's type ipsec-l2l. I know it looks like 121; you'd think they could have used capital Ls. Maybe it stands for LAN-to-LAN, but just bear that in mind and don't let the appearance fool you: it is l2l.

Next we have to set up the attributes for the tunnel, so tunnel-group 192.168.0.1 ipsec-attributes. If you're not familiar with this, it's pretty cool: you can do command-line completion just like on UNIX and Linux systems by typing enough of the command that it's unique and then hitting the Tab key, and that'll keep you from mistyping and fat-fingering like I do. Go ahead and hit Enter; notice the prompt changes. Now we can enter our pre-shared key, which is pass1234: pre-shared-key pass1234. I hope in production, of course, you'll use something considerably more robust than that, but bear in mind that whatever you do in setting up the tunnel groups, it's got to match on both ends of the connection. So your key has to match, and the IP addresses have to be the peer's outside address. You don't have to set keepalives, but we'll go ahead and do it anyway just in case. If you have weird conditions or something you may want to vary this, but we'll do isakmp keepalive threshold 10 retry [inaudible]; that's the default setting. And then type exit.

So now we've done the preliminary work; now it's time to set up phase 1. Phase 1 is the handshake, that is, the key exchange; phase 2 is actually setting up the tunnels. So we'll start by setting up the handshake, the key exchange. We'll be doing ISAKMP settings here; that's Internet Security Association and Key Management Protocol, which is roughly synonymous with IKE, Internet Key Exchange. So here we go: crypto isakmp policy 10 authentication pre-share. Now let me explain this. crypto means we're invoking cryptographic services; isakmp means that we are doing the phase 1 stuff; policy 10, that's just identifying the policy, and it could be any number between 1 and 65,534 inclusive; it's just a label saying that this is a grouping of settings. And the authentication says how are we going to authenticate each other, and we're going to do it with a pre-shared key, which we already configured with the tunnel group.

Next we need to set our encryption, so we'll do crypto isakmp policy 10 encryption 3des. A lot of people are starting to use AES, but this is the default; 3DES is. Next we're going to set the hashing algorithm that we'll use, and we'll use SHA, Secure Hash Algorithm: crypto isakmp policy 10 hash sha. MD5 is also supported; SHA supports a slightly longer key length, so it's a little more robust. And finally the Diffie-Hellman group, which is actually used for the key exchange, so crypto isakmp policy 10 group [inaudible]. Most important thing: these settings have to match on both ends. Last thing we're gonna do is specify the key lifetime: crypto isakmp policy 10 lifetime 86400, seconds, or one day. Just make sure they match on both ends of the connection. That's our phase 1 stuff.

Now let's do the phase 2, setting up the tunnel. This time instead of using ISAKMP we're gonna use IPsec, so crypto ipsec transform-set ESP-3DES-SHA. That is simply a text string identifying the transform set, naming it; you could call it Billy Bob or whatever you want to. Again, I prefer to use descriptive names. So now we'll specify what we're going to use, the different technologies that we use. We'll use ESP, that is the Encapsulating Security Payload, which is really the only one you can use. Authentication Header is also used in IPsec, but it doesn't work with NAT for reasons that I'm not going to get into here; it's covered in the book if you want to know more about it. But we'll just use ESP, and we'll use it with 3DES, so esp-3des, and then our hashing message authentication code will be SHA, so esp-sha-hmac. That's our transform set, which we will reference later on.

Now let's map the crypto map to the access control list, so crypto map outside_map 1 match address outside_1_cryptomap. Now, that crypto map outside_map, that means outside_map is the name of the crypto map; 1 is just a sequence number within the crypto map, and if you don't specify a different one it simply appends each line to the previous line; match address outside_1_cryptomap tells it to use the access control list that we configured right up here, as you'll recall from earlier. Alright, so next we're going to tell it to use perfect forward secrecy, which randomizes TCP sequence numbers, adding another layer of security: crypto map outside_map 1 set pfs group1. Notice there's no space between group and 1; it will error if you put a space there. Next we're going to identify our peer at the other end of the connection. You thought we'd already done that with the tunnel group, but we also have to do it with the crypto maps, so crypto map outside_map 1 set peer 192.168.0.0; that's something that's already configured. Next we're going to go in and tell the crypto map which transform set to use, so we're going to reference the transform set that we configured earlier, when we did right here; you'll see what I mean in just a moment. So let's do crypto map outside_map 1 set transform-set ESP-3DES-SHA. And finally we're going to apply the crypto map to the outside interface with the command crypto map outside_map interface outside. So that's our phase 2 configuration.

We have two more steps. We have to configure NAT, and this is really "no NAT", so this is gonna tell the firewall not to NAT the traffic that is destined from our local subnet to our remote subnet; we don't want it to go out onto the internet, in other words. And it's weird syntax, so just follow along; if you're looking in the book it'll be helpful, but if not, here's how to do it: nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote. Like I said, it's pretty weird syntax. And finally we have to configure a default route. Now you may be thinking, gee, this is point-to-point, why do we need a default route? Because if you don't do it, it won't work. Don't you love answers like that? So route outside 0 0 192.168.0.1, or whatever your default gateway is. Now we'll go ahead and hit Enter, and in a moment we should see the ping responses come back from our partner on the other end of the connection. And there it is.
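The settings the speaker keeps saying "have to match on both ends" can be cross-checked mechanically before you stare at a failing ping. The script below is an added example, not code from the video or the book: it pulls the tunnel-relevant lines out of both ASA configs and reports the mismatches that would stop phase 1 or phase 2. The ASA01 text is constructed from the commands spoken above; the DH group (not audible in the captions), ASA02's config (assumed to mirror ASA01) and ASA01's outside address (assumed 192.168.0.2) are assumptions.

```python
import re

# Constructed from the commands spoken in the video for ASA01; the DH group
# is not audible in the captions, so "group 2" here is an assumption.
ASA01 = """
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
tunnel-group 192.168.0.1 ipsec-attributes
 pre-shared-key pass1234
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 192.168.0.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
"""
# Assumed mirror config on ASA02: identical except that it peers with ASA01,
# whose outside address is taken to be 192.168.0.2 (not stated in the video).
ASA02 = ASA01.replace("192.168.0.1", "192.168.0.2")

def parse_vpn(config, outside_ip):
    """Extract only the settings that must agree across the tunnel (minimal parser, not a full ASA config parser)."""
    s = {"outside": outside_ip, "policy": {}, "tsets": {}}
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"crypto isakmp policy \d+ (\S+) (\S+)", line):
            s["policy"][m[1]] = m[2]                      # phase 1 attribute
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            s["tsets"][m[1]] = frozenset(m[2].split())    # phase 2 algorithms
        elif m := re.match(r"pre-shared-key (\S+)", line):
            s["psk"] = m[1]
        elif m := re.match(r"crypto map \S+ \d+ set (peer|pfs|transform-set) (\S+)", line):
            s[m[1]] = m[2]
    return s

def mismatches(a, b):
    """List the differences that would keep phase 1 or phase 2 from coming up."""
    out = []
    for attr in sorted(set(a["policy"]) | set(b["policy"])):
        if a["policy"].get(attr) != b["policy"].get(attr):
            out.append(f"isakmp {attr}: {a['policy'].get(attr)} vs {b['policy'].get(attr)}")
    if a.get("psk") != b.get("psk"):
        out.append("pre-shared-key differs")
    if a["tsets"].get(a.get("transform-set")) != b["tsets"].get(b.get("transform-set")):
        out.append("transform-set algorithms differ")
    if a.get("pfs") != b.get("pfs"):
        out.append(f"pfs: {a.get('pfs')} vs {b.get('pfs')}")
    if a.get("peer") != b["outside"] or b.get("peer") != a["outside"]:
        out.append("set peer does not point at the other end's outside address")
    return out
```

Run `mismatches(parse_vpn(ASA01, "192.168.0.2"), parse_vpn(ASA02, "192.168.0.1"))`; an empty list means the two ends agree, and each string otherwise names the setting to fix.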
Info
Channel: soundtraining.net
Views: 288,139
Keywords: technology, access-control list, security, site-to-site, system, ipsec, vpn, access-list, Vpn For Cisco, Vpns, What Is Vpn, isakmp, asa, Cisco Vpn, computers, hacking, What Is Cisco Vpn, firewall, ike, cisco, Virtual Private Network, data, What Is A Vpn, Vpn Cisco
Id: sIbi_bYb2k4
Length: 14min 11sec (851 seconds)
Published: Wed Jun 29 2011