Site to Site VPN lab using ASA as Firewall

Captions
All right, site-to-site VPN. Now this is the topology I'm going to make. Whenever I ping from this loopback to this loopback address, I want the VPN to be realized, but when I ping from this loopback to, let's say, this loopback 2.2, then no VPN. That's what we are planning to do. Or, to make it more understandable, I'll connect another router here, and the router will be here with IP address 20.0.0.3 and loopback 3.3.3.3 on the loopback interface. So this is the plan: whenever traffic goes from this loopback to this loopback, the packets should be encrypted and decrypted; to any other destination it should go without encryption. This is what we will be doing and testing, the configuration of site-to-site VPN. Do you have any question before we implement this?

So what if the router or firewall in the middle, the middle one, is an ASA? It's not a normal router? Okay, if you say we will keep a normal router and then later we will change it into an ASA, I'm okay with it. How do you want to go? You want to go with the ASA? The ASA is fine. Okay.

All right, so this is what our aim is, but to achieve this we may take one or two classes; it depends on how much you know the ASA before. If this is the first lab with the ASA then it may take some time to finish this; we may not be finishing today. Let's see. All right, let's get into the lab now.

All right, so let me start from the ASA, the firewall. This is the default configuration that you will see by default: the hostname is called ciscoasa. When we type enable it will ask for a password; it will be a blank password, no password actually, you need to simply hit enter. You are inside the privileged mode now, and we say config t to get into the global mode. If you want to give a name for this, you can give a name. I'll give hostname edge_firewall... okay, underscore is not allowed; edge-firewall. We need to provide an IP address on interface Ethernet 0. I wish to give 10.0.0.10. On the ASA we wish to give 10 on both the interfaces: Ethernet 0 is 10.0.0.10 and Ethernet 1 is 20.0.0.10; the host ID is 10. Now what is the default mask for 10? Slash 8. So we have not done subnetting, we have just slash 8. If you have not subnetted the 10 network, in firewalls you need not type the subnet mask; you can simply hit enter. Whereas on Cisco IOS routers we have to give the subnet mask whether we subnetted or not; that is mandatory. If you don't give a subnet mask in Cisco IOS routers they will say incomplete command; the operating system will not take the IP address. Here in the ASA, if we have not subnetted, you need not mention the mask; it takes the default mask if you don't mention it. So /8 is already taken. If you want to verify, you can see show run; you see the mask, I didn't give the mask. One more thing is, you might have seen me typing show commands here. Usually in Cisco IOS routers show commands work only in the privileged mode; in the ASA they work from anywhere.

Next I need to bring this interface up. I have said no shutdown, and I must give the name for the interface. If you don't give a name, see what happens: show interface ip brief. We used to type show ip interface brief in the router; in the firewall it is show interface ip brief. You need to put interface and then ip to see the status of the interface. You see, I assigned an IP address, you saw me assigning it, but I don't see the IP address here. When I type the running configuration I can see the IP address on Ethernet 0, but when I type show interface ip brief the IP address is missing. So what happened to our IP address? Where has it gone, why is it not coming? It is actually configured; it is just not seen here. The reason is that the interface needs to be in a zone to do this firewall job. Till you assign the interface to a zone, till you assign a name to the interface, it cannot actively participate in the traffic flow; it cannot run any protocol. To run any protocol it needs an IP address assigned there. So what we need to do is very important: interface Ethernet 0, nameif. nameif is the command to name the interface. nameif, I say inside, I-N-S-I-D-E. See, as soon as I give inside, the security level is assigned by default, this one. I didn't assign it; it is assigned by default. It gets assigned when I type inside; it assigns 100. If I give some other name, 0 will be given. Any name, even if I say "in" as the nameif, then I will get only 0. So the word inside is recognized as a keyword to say this is the highly secure interface, the trusted interface. If you wish to give the security level by yourself, you can use this command, security-level, and then give any number between 0 to 100. 100 is the highly trusted interface; traffic from the 100 interface can go to the interface which is lower than 100. So this is the most trusted interface of the firewall; no inspection will happen on this interface. So 100 is the default for inside, so I am not assigning it because it is already assigned by default. Next is verification: show interface ip brief. Last time when I typed there was no IP address, but now we see it. So likewise let us configure another interface: interface Ethernet 1, no shutdown, ip address 20.0.0.10, nameif outside. See, the default security level for outside is 0. Next is verification, show interface ip brief; I can see the other IP address. So there is a new command that you have not used in routers, which is show nameif. show nameif will show you the name of the interface and the security level. So if you want to see the name that is assigned against the interface, this is the command, show nameif; it will show you the security level along with it. If you want to see just the IP address, show interface ip brief is the command.

What about the routing table? To see the routing table we used to type show ip route, but that is not the command here; show route, that's it. So ip is not necessary; simply type show route and it will show you the routing table. Here we can see that 20 is connected on the outside interface and 10 is connected on the inside interface. You don't see the names like Ethernet 1 or Ethernet 0 as in a router; instead of interfaces we see only the names. These are the zones of this firewall, inside and outside. Now the basic configuration of the firewall is done; I saved it. Let's move to the routers.

Let's start from the inside router. This is the inside router, R1 is inside, a fresh router. I'll say hostname inside, interface Ethernet 0/0, no shut, ip address 10.0.0.1; you must type the subnet mask here. One more interface, interface loopback 0, ip address as per the plan we'll give 1.1.1.1 and the mask. So on the inside router this is what we have, 10.1 and 1.1; let me write it down here. Then likewise, on R2 we are going to have 20.0.0.2 and the loopback is going to be 2.2.2.2, and in R3, 20.0.0.3, loopback 3.3.3.3. That's it, so this is the plan. Let me use a notepad to finish this. So the notepad is ready. I am starting from the first router; the first router is done, I believe. So let's go to the second router: enable, config t, interface Ethernet 0/0, no shut, ip address is 20.0.0.2 255.0.0.0. Let's run OSPF: ip ospf, process ID 1, area 0. Interface loopback 0, ip address 2.2.2.2, ip ospf 1 area 0, end. This is 20.0.0.2. Okay, so the hostname: the inside one I named inside, so for the outside, out1; there are two routers on the outside, out1 and out2. This is out1. Next let's do it for out2: 20.0.0.3; the hostname is R3, 20.0.0.3, loopback is 3.3.3.3, done. So all three routers are configured. What is not done is we have not enabled OSPF on the ASA and also on the inside.

So let's go to the ASA and enable OSPF: router ospf 1, network 20.0.0.0 255.0.0.0 area 0. On the ASA you should not write a wildcard mask; it's only the subnet mask, no wildcard mask on the ASA. Okay, so we are running OSPF on the ASA also. Now if I go and check the routing table, show route, I should see 2.2.2.2 and 3.3.3.3; it will come in some time, we need to give some time. So meanwhile we'll go to router 2, sorry, router 1, the inside router, and finish the configuration: interface loopback 0, ip ospf 1 area 0; interface Ethernet 0/0, ip ospf 1 area 0. So we are running OSPF everywhere, even on the firewall. Let's check the neighbor: show ip ospf neighbor. It's still in two-way; give some time, it will come to full state. If you don't know much about OSPF, no worries, we'll be learning it in the coming class in detail. Okay, exstart state, now full state, done. Let's check the routing table on the inside: show ip route. I see the route for reaching 1.1.1.1, which is my own, sorry; again, I can see the routes for reaching the outside networks via OSPF, 2.2.2.2, 3.3.3.3 and the 20 network. So through OSPF we are learning it.

What's next? Next is, if you try pinging from inside to outside, the ping will not happen. When I ping like this, I am pinging from loopback 1.1.1.1 to 2.2.2.2, and the ping will not happen. The reason is that traffic from high to low will go, but low to high will not be allowed to come, so the return traffic is blocked by the ASA. Traffic from inside to outside is going, but outside to inside is not coming. What should I do for this? You need to permit from outside to inside by writing an access list. Because we have not done access lists, I am not doing it. But when I allow VPN, when I ping through the VPN, it should come; yes, the ASA cannot stop the return traffic if the ping happens through the VPN, so the ping will be successful. So when we finish configuring our VPN we will find our ping successful. The same thing should happen after I finish the VPN.

Let's do VPN now. On the inside first, let me finish the VPN configuration: crypto isakmp policy. I'm defining the phase 1 policy; I'm going to define how my key is going to be encrypted, I'm defining how I need to authenticate my remote office, what Diffie-Hellman algorithm I'll use for integrity, what hashing algorithm I'll use for my protection. So let's do it. I'll give policy number 1. For encryption, you can use any one of these; I'm going to use 3DES. If I use 3DES on this side, the other side must also be configured as 3DES. Next is for hashing; I want to use MD5. You see there are five different levels of hashing; SHA-512 is very strong, SHA is stronger than MD5, and SHA-512 is much more strong here. You can decide, but in companies they will give you what to configure; they say use only SHA or use only MD5, so you need to use only that. Now assuming that we have MD5 to be configured, I am giving MD5. Again I am repeating: if you say MD5 on this side, the other side also should be configured with MD5. Next, encryption is over, hashing is over; for authentication I would like to use pre-shared key; I want to give the passwords on both sides, pre-shared key. And for integrity I would like to give the Diffie-Hellman group. You see you have the Diffie-Hellman algorithm with 768 bits, 1024 bits, various sizes you have. I would like to go with 1024, so I say group 2. This is for providing integrity. What is next? I said I want to use pre-shared key but I didn't mention the key, the password. So the command to do that is crypto key, now crypto isakmp key: with whom are you going to form the VPN? I'm going to form the VPN with router 2, and what is the address of router 2? The physical interface is 20.0.0.2. Okay, first you say the key; the key I wish to give is cisco123. It's the same key you should give on the other side, and with whom you are checking with the key, with 20.0.0.2; there is a keyword called address. That's it. So only with 20.0.0.2 it will share the key, if this password is matching.

Next, what we will do is manually configure R2. So as of now, what I have configured here is shown here, show run; so this is what I have configured so far. What I'll do is just copy this to a notepad, alter this and paste it on router 2. This policy number can be different; it need not be the same, it can be different; so to make you understand that, I will give some number, 10. This must match, this must match, this must match, this must match. Here the difference is the address: the address here should be 10.0.0.1, that is router 1's address. Let's quickly check the address of router 1, show ip interface brief, yes, 10.0.0.1. I also want to verify router 2's address, show ip interface brief, okay, 20.0.0.2. So I change that 20.2 to 10.1 because we are forming the VPN from router 2 to router 1. So let me paste this on router 2. It is done. So phase 1 configuration is over. What is phase 2? Let's do it on router 1 first, the inside router. Phase 2 is the place where you will decide how to encrypt your data. So for that the command is crypto... it is not crypto isakmp; yeah, correct, crypto ipsec transform-set. So I'm going to transform your data; you need to define the algorithm to transform your data. crypto ipsec transform-set, give any name; I will give the name as a transform set, T_set, sorry, t_set, followed by any of these combinations. I want to say for encryption I will use esp-aes, encapsulating security payload with the AES algorithm for encryption, and for hashing I would like to use esp-md5-hmac. If you use this combination you must use the same combination on the other side. So let me copy this line and paste it on the other side also, router 2. So phase 2 configuration is also done.

What is left? You need to define which traffic will use the VPN; we need to say which traffic will be using the VPN. For that we write the access list like this: access-list 101 permit ip, going from 1.1.1.1, you know, so let me put the host keyword, host 1.1.1.1, to host 2.2.2.2. So when traffic goes from here to host 2.2.2.2, only that is what I want to permit. All the rest I'm not denying, but all the rest I'm denying from getting VPN service, that's all; I am denying them from getting VPN service. So this access list will be used in the crypto. Okay, so if I do this access list on router 2 it will be the opposite; on router 2, right, I'll say anything going from 2.2.2.2 to 1.1.1.1 should be allowed. So this is how we will do it. Yep, so this is our access list: access-list 101 permit ip host 2.2.2.2 host 1.1.1.1, because we want to have VPN service only for the loopback on R1, and now we are writing the access list for router 2; this is how it goes. Because there is an implicit deny in the access list, all the rest of the traffic will be denied from using the VPN; they can go anywhere else, but they cannot go using the VPN anywhere. So I am going to use these access lists for the VPN. Now how to do that? For that you need to create something called a crypto map; this is the final step in your VPN configuration. crypto map, yep, crypto map and give any number; I give crypto map 1 and then give a name; sorry, crypto map, give a name first; I'll give cmap, and then give an ID, 1, and then we are doing ipsec-isakmp. I'm inside the crypto map now. In here I need to call everything. I'm going to say match address: which address you want to allow in the VPN, that is what you mentioned in the access list, match address 101. If that match happens, transform the data using the transform set: set transform-set, and the transform set name I gave is t_set. With a peer; who is the peer? set peer. For inside, the peer is outside; outside's address is 20.0.0.2. That's all, that's all.

Now what is next? I need to simply call this crypto map under the physical interface. This is the crypto map name, cmap. I need to go under the interface Ethernet 0/0 and say crypto map cmap. That's all. You see now, ISAKMP is ON; it comes up. Similarly I need to do the configuration on router 2, a similar configuration. What is that? The crypto map name can be different; there I gave cmap, here I give cm, and then ID number 1, it can be anything, again ipsec-isakmp, match address the access list, set transform-set, I think I gave t_set, and then set peer is 10.0.0.1, which is router 1's address. Assign this to the physical interface that is facing the ASA, interface Eth0/0, crypto map cm; cm is the name of the crypto map, okay. So now these two devices are ready for VPN. So let me go to router 1 and try pinging. Even now the ping will not happen. Last time, outside was not happening; I said once the VPN is up it will be pinging, but even now the ping will not happen. The reason is the VPN is not fully up. If I had kept a router in the middle instead of the ASA, the ping would have happened. If I had kept a router in the middle instead of the ASA this ping would have happened, but with a firewall you need to do something on the firewall; you need to permit something. What is that? I need to permit this VPN. It uses ISAKMP for phase 1 and IPsec for phase 2; that is what you need to permit on the ASA. So what I do is I go to the ASA and say... I know I have not taught access lists to you, but what to do; to finish this task I need to use access lists. So try to understand; if you don't understand, no issues, we will be learning access lists later. access-list, I'll give a name, out-in, any name, permit udp any any eq 500. So 500 is the ISAKMP port number. And then you might have seen me in phase 2, in ipsec-isakmp, I was using ESP, encapsulating security payload, so for phase 2 I need to permit that also, so I say access-list out-in permit esp any any. Then where should I apply this? I should apply it on the outside interface, because the outside interface is at security level 0, the lower security level. So how to apply that? access-group out-in in interface outside; this is the command to apply the access list on the outside interface.

Now when I go to R1, before I ping I will show you show crypto isakmp sa. You know, it shows active, but okay, I had already pinged, that's why it has come up. Let me see whether the ping happens now. The ping is happening; see how cool it is, very quick. Now I also want to prove that this is getting encrypted: show crypto ipsec sa. Look at this: 14 packets are encrypted and 10 packets are decrypted. Let me ping one more time, so it should be increasing: 14 should become 19, 10 should become 15, because 5 packets are going. You see, 14 has become 19, 10 has become 15. So our VPN is working. By default the ping is not allowed on the ASA; we didn't allow ping, we just allowed only the VPN. Then how is this ping happening? It is because it is going through the tunnel. Go to the ASA and check show conn; you see it shows the ESP connection. What is ESP? VPN phase 2, encapsulating security payload. If ESP is allowed on the outside interface, it is allowing traffic coming from outside to inside; it is allowed. So when you go to R2 and ping 1.1.1.1 with the source of 2.2.2.2, the ping is happening from outside also, because it is going through the tunnel. But when you ping without the loopback, it won't ping. Why? Your access list is not matching on the source address. If the access list is not matching, your VPN service cannot be given; the ping won't happen if it is not using the VPN service. Same story from R1 also: you see, from R1 if I ping without the loopback, the destination address is 2.2.2.2 but the source address that exists is 10.0.0.1; the ping is not happening, it won't happen. We need to match with the access list that is permitted in the VPN tunnel. So I'm matching now; it pings.

Any question? ... Actually a lot of ... and I got a little bit lost. No problem. What I recommend is go through the video two, three times and then bring your questions. I know this is not the right time for the question, but if you go through the video now, pause it, forward it, rewind it, and if possible parallelly do it in your home environment, or if you want to log in to my server and use this, you can use it. Take your time; I'm not telling you to immediately come with the doubts; you take your own time, any number of days, go through this video, understand it fully, and after focusing on this many times, if you still have a doubt, you bring it to me. But it is under your control; you can really understand this if you go through the previous video on VPN and this video, both the videos, the theory video as well as this video; you need to go through both. Sure, I have seen some site-to-site VPN videos. This is a simple site-to-site VPN only; we have not done any VPN configuration on the ASA, we are just allowing the VPN traffic to pass through it. So we have done a real-world scenario here. In the real world we will be doing VPN sometimes from the ASA also, but most of the time from a router inside the organization to the router outside the organization, and the firewall will be in the middle, same like what we had now. So this is one of the real-world scenarios. But in the real world sometimes they also do whatever we did in R2 on the ASA itself; sometimes they do VPN from the ASA to a router. But what we did is router to router by keeping the firewall in the middle. If you keep the firewall in the middle there are certain considerations that we need to make. What is that? You need to allow UDP 500, ISAKMP; only then phase 1 will be successful. And then you need to allow ESP, which is for the transform set, for phase 2. When I allow both things on the ASA we are through; we are able to form the VPN.

So let me show you the ACLs that I configured: show access-list. If I show it like this you won't understand, but I will try to make you understand. I am allowing UDP ISAKMP; I didn't say ISAKMP, I said the port number 500, so it understood that I want ISAKMP. So this is permitting phase 1, and here it is permitting ESP, which is phase 2. The command I used to create these access lists, show run access-list; these are the two commands. Instead of ISAKMP I said 500; it's an intelligent device, it understood that it is ISAKMP. Only these two lines, and then I applied it on the interface by using this command, access-group, same name; I applied it on the outside interface because the outside interface will not allow the traffic unless you permit it, because the security level is 0, but the inside interface has no problem; the inside interface will allow everything because the security level is 100. So we had a problem only on the outside interface, so I permitted on the outside interface.

I have a question, like, there are two networks, 10.0.0.1 and the other one; what is the role of these two networks? Okay, very good. See, we have not formed the VPN with the loopback interfaces; they are like computers inside the organization. We are pinging from one computer to another computer, but the VPN is not formed between computers; it is formed between routers. So the actual role of 10.0.0.1 is to form the VPN. You see now, show crypto isakmp sa; see with whom we formed the VPN: with the interface that is connecting towards the ASA and towards the ISP. The VPN is formed between these two, and the interesting traffic that uses the VPN is on the loopbacks. So let me draw and explain it to you in a better way. See, between these two I negotiated and I formed the tunnel; just that tunnel is built between these. Now anyone can use the tunnel, so I'm using it from this loopback to this loopback; this is like one computer inside, this is like another computer inside, going through the tunnel. So we are not forming the VPN from loopback to loopback; we are having the VPN from our egress interface to the egress interface, or rather we negotiated the tunnel. So the same way, anything can go through that tunnel again if we allow it, right? Yep, if you allow it in the access list any network can go through this. All right, so
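The things the instructor checks by eye in this lab (the phase 1 policy attributes matching on both routers, the same pre-shared key with each side's key address equal to the other's set peer, the same transform set, mirror-image crypto ACLs, and the ASA permitting UDP 500 and ESP inbound on outside) can be checked mechanically. The Python below is an added example, not from the video or from Cisco; the router and ASA config text it parses is constructed here to mirror the lab, and the ACL name out-in and the function names are assumptions.

```python
# Added example: consistency checks for the lab's router-to-router IPsec VPN with an ASA between.
import re

# Constructed configs modelled on the lab: R1 (inside), R2 (out1) and the ASA's outside ACL.
R1 = """crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 20.0.0.2
crypto ipsec transform-set t_set esp-aes esp-md5-hmac
access-list 101 permit ip host 1.1.1.1 host 2.2.2.2
crypto map cmap 1 ipsec-isakmp
 match address 101
 set transform-set t_set
 set peer 20.0.0.2
"""
R2 = """crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 10.0.0.1
crypto ipsec transform-set t_set esp-aes esp-md5-hmac
access-list 101 permit ip host 2.2.2.2 host 1.1.1.1
crypto map cm 1 ipsec-isakmp
 match address 101
 set transform-set t_set
 set peer 10.0.0.1
"""
# The ASA shows "eq 500" as "eq isakmp" in its running config, so both spellings are accepted.
ASA = """access-list out-in extended permit udp any any eq isakmp
access-list out-in extended permit esp any any
access-group out-in in interface outside
"""

def indented_block(cfg, head_re):
    """Tokenised lines indented under the first top-level line matching head_re."""
    m = re.search(rf"^{head_re}.*\n((?:[ \t]+.*\n)*)", cfg, re.M)
    return [line.split() for line in m.group(1).splitlines()]

def phase1(cfg):
    """ISAKMP policy attributes, e.g. {'encr': '3des', 'hash': 'md5', ...}; the policy number is ignored."""
    return dict(indented_block(cfg, r"crypto isakmp policy \d+"))

def crypto_map(cfg):
    """{'match address': ..., 'set transform-set': ..., 'set peer': ...} of the ipsec-isakmp crypto map."""
    return {" ".join(t[:-1]): t[-1] for t in indented_block(cfg, r"crypto map \S+ \d+ ipsec-isakmp")}

def psk(cfg):  # (key, address) of the crypto isakmp key line
    return re.search(r"crypto isakmp key (\S+) address (\S+)", cfg).groups()
def transform_set(cfg):  # algorithms only; the set's name may differ per router
    return tuple(re.search(r"crypto ipsec transform-set \S+ (.+)", cfg).group(1).split())
def crypto_acl(cfg, number):  # (source host, destination host) of the interesting-traffic ACL
    return re.search(rf"access-list {number} permit ip host (\S+) host (\S+)", cfg).groups()

def asa_allows_vpn(asa):
    """True when the ACL applied inbound on 'outside' permits ISAKMP (udp/500) and ESP."""
    name = re.search(r"access-group (\S+) in interface outside", asa).group(1)
    rules = re.findall(rf"access-list {name} extended permit (\S+) any any(?: eq (\S+))?", asa)
    return any(r in (("udp", "500"), ("udp", "isakmp")) for r in rules) and ("esp", "") in rules

def check_lab(local, remote, asa):
    """Lab rules that are violated; an empty list means the tunnel should come up."""
    map_l, map_r = crypto_map(local), crypto_map(remote)
    checks = [
        (phase1(local) == phase1(remote), "phase-1 policy (encr/hash/auth/group) differs"),
        (psk(local)[0] == psk(remote)[0], "pre-shared keys differ"),
        ((psk(local)[1], psk(remote)[1]) == (map_l["set peer"], map_r["set peer"]),
         "isakmp key address does not match set peer"),
        (transform_set(local) == transform_set(remote), "phase-2 transform sets differ"),
        (crypto_acl(local, map_l["match address"]) == crypto_acl(remote, map_r["match address"])[::-1],
         "crypto ACLs are not mirror images"),
        (asa_allows_vpn(asa), "ASA outside ACL must permit udp/500 (ISAKMP) and ESP"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run `check_lab(R1, R2, ASA)` on the configs above and it returns an empty list; change the hash on one router or drop the ESP line from the ASA and the corresponding rule is reported.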
Info
Channel: Jayachandran
Views: 11,539
Rating: 4.9000001 out of 5
Keywords: ASA, VPN, site, to, networking, security, online, training, cisco, jayachandran, sathiyan
Id: -lYUOyG2n58
Length: 50min 9sec (3009 seconds)
Published: Tue Apr 04 2017