Site To Site VPN with VTIs on Cisco ASA (Route Based)

Captions
Hi there. So for today's video I'm going to show you how to configure route-based VPN. This time the only difference is that we're going to use the Cisco ASAs with the tunnel interfaces; we are not going to use policy-based VPN. This is a relatively newer technology in Cisco ASAs: starting from version 9.7 you have the capability to create tunnel interfaces. Obviously there are advantages to route-based VPN. You can participate the interfaces and the networks behind them in routing; you can run BGP on those tunnel interfaces. I think that's very cool, and more importantly, I think the killer feature is that you don't have to haggle with that, and that is completely out of the game. Additionally, this is one more benefit: it's easier to set up when you have multiple vendors in your topology. So for instance, on this side I have Cisco ASA, on the other I have Check Point, Palo Alto, Fortinet. It's easier to set it up. With policy-based VPN you have to be very careful that the policy matches on both ends; Cisco ASA is very, very picky about that access list, the interesting traffic.

Okay, now we want to talk about our topology. So I have two sites that I want to connect together. On the left-hand side we have site A and on the right-hand side we have site B. Both sites are connected to the internet via two Cisco ASAs as the gateway. On the left-hand side I've got 192.168.1.0/24, which represents network A, site A, and on the right-hand side I've got 192.168.2.0/24, representing network B. I've got one server, 1.10, which is located on site A; this is going to be a resource that we will access from this site, site B. And 2.10 is a client that is connected to this network. Obviously it can go to the internet, et cetera, et cetera, but this is the green part that we want to establish: this is the tunnel, the site-to-site VPN that we want to establish, and in this case it's going to be a route-based solution.

Okay, so here's what we're going to do. First we want to have the objects, so I'm going to create the objects on the firewall, even though it's not mandatory; I prefer to stay organized. So I'm going to log into both sites, site A and site B Cisco ASA. show run object: apparently I've already created them before, so I'm not going to touch them. "inside" represents the internal network and "remote" is the remote network that I have on site B. Same thing in here; let me make sure that I have the objects created. Very well, so I have that.

Second, I have to create the IKE phase one policy. In our example I'm going to stick to IKE version one, and my IKE phase one, I think I still have it in the system. show run crypto ikev1 policy: so I have this policy, I don't need to touch it. show run crypto ikev1, and I think I have a matching policy on both sides. Very good, so I already created the IKE phase one policy. Now I have to create the IPsec transform set. So let me see: show run crypto ipsec. I do not have a transform set. All right, so I'm going to create one: crypto ipsec ikev1 transform-set, I'm going to name it ts1, and esp aes 128, esp sha hmac. This is on site B; I will create the same on site A. So this is going to be our IPsec transform set.

The next step would be to create the IPsec profile. I have some residue from the previous configuration; this is my profile, so I already have that, I already have the container, but there is nothing in it. So let me show you how we create it. This profile is created by executing this command, and then here you give it a name. For the sake of consistency and not getting lost in the process, always stick to the site names, but feel free to pick whatever name you're comfortable with. In our example I'm going to say site-b. So this is my profile that I'm creating on firewall A, but it's going to be related to site B. In here, from the commands, I have this option to set the transform set. I'm going to say set ikev1 transform-set, and the name of the transform set is going to be specified here. I can do the security-association lifetime seconds, one hour, and I think that's pretty much all I need. I can set PFS, but it's not mandatory, so I'm going to skip that. show run crypto ipsec: this is going to be my IPsec profile. So I will have to create the same thing on site B. show run crypto ipsec: I already have the container. Like I said, you know how to create one, so I'm just going to enter and say ikev1 transform-set is going to be ts1, and the lifetime, security-association lifetime seconds, is going to be 3600 seconds. And show run crypto ipsec: so we verified we have the IPsec profile.

Next we have to create the tunnel groups. This is pretty much similar to policy-based VPN, so we have to create a tunnel group for that. show run tunnel-group: we have none, so I'm going to create one. So in this case I'm going to pick the interface on... hold on, let me see what firewall I am in. Site B. So I'm going to specify this one's IP address as the name of the tunnel group. So here I'm going to say 203.205.206.2, and then type is going to be ipsec-l2l, and ipsec-attributes, I'm going to say ikev1 pre-shared-key is cisco, how about that. Let me make sure the IP address is correct: 203.205.206.2, okay, correct. Now I have the tunnel group created. I'm going to create the tunnel group in site A, so I'm going to say the IP address of this guy, 180 2426 24 206.2. It's going to be type ipsec-l2l. I still have a problem with this naming: why is it lan-to-lan, why is it not s2s? Tell me, Cisco, why. Then ipsec-attributes and ikev1 pre-shared-key cisco. So we have our tunnel group.

Next step, we have to create the tunnel interface. If you watched the video on policy-based VPN, you know that we had crypto maps. So crypto maps were kind of binding things together; this responsibility now goes to the tunnel interfaces. So I will create a tunnel interface. The number can be anything, anything between 0 to 100; in this case I'm going to say 10. And in here I have to specify a few things: the IP address first, so I'm going to say ip address. This is pretty much like GRE; if you configure GRE on a Cisco router, the syntax, the look and feel, is pretty much the same, not a hundred percent the same, but it's pretty close. So I'm going to say 10.10.10.1; it's going to be point-to-point. Name: I'm going to say site-b. Oh yeah, sorry, B: it's the gate to site B, so I'm going to say site-b. And it's already not shut down. Then I'm going to say tunnel source interface is going to be the outside interface, and the tunnel destination IP address; copy and paste feels good. And tunnel protection: it's going to be ipsec profile; you have to provide the name of the profile. I already forgot what was the name of the profile... that's the profile name. So in here I gave the profile name. Then tunnel protection mode, or tunnel mode, yeah, tunnel mode is going to be ipsec ipv4; there's no support for IPv6, at least on this version. And show run interface tunnel 10: we look complete.

So we have to do the same on the other firewall. So I'm going to say interface tunnel, can be 100, doesn't have to be the same, and then ip address. Now I have to pick the IP address from the same subnet, .252. Then name: I can name it whatever I want; in here I'm going to stick to the naming convention, site-a. And then the IP address, I already gave it; it's already not shut down. And tunnel source is going to be interface outside, tunnel destination the IP address of the peer, tunnel protection ipsec profile, oh god, the name of the profile, and tunnel mode is going to be ipsec ipv4. And we look better; okay, not complete, but we look okay. So after that I have to enable IKE version one on the outside interface, so I'm going to say crypto ikev1 enable outside. I have to do it on both firewalls.

Then the last step would be to configure the routing. Sure, let me see what I have in here. So I have a few choices in here when it comes to routing: I can configure BGP or I can configure a static route. So in here I'm going to configure a static route. So I'm going to say, if I want to reach, from site A, 192.168.2.1 (and syntax inconsistency), I have to go to this guy. So I add this site's static route. Now I need a return route: I have to go to this guy, paste it in there, and because I like copy and paste, I'm just going to reverse it.

All right, so we've configured everything. Now it's time for us to test our topology and see whether we have reachability between the two sites. So now I'm going to go to the client, and in here, ipconfig, yeah, I am 2.10, which is this guy right here, one of these clients, and I'm trying to get to this server on site A: ping 192.168.1.10. Very fast. And let me also test it from the other client.

Now something I want to tell you. Let's go to this firewall on site B, the one that is facing the client that we just tested things with. If you want to verify things, you can run this command: show crypto ikev1 sa. When you see that there is a security association in here, it means that your connection is active; at least phase one is there. And if you want to check phase two, you do this: show crypto ipsec sa. Here is the part that you have to pay attention to. Sometimes when you have a problem, when for whatever reason you have a mismatch or your configuration isn't applied correctly, you will see your encapsulation and your encryption counters are incrementing, but you're not receiving the response, and decaps and decrypt basically don't increment. That's an indicator that there is a problem somewhere. It doesn't tell you what exactly the problem is, but it's a good indication that you have some misconfiguration over there, either on your side or the other side.

All right, so now let's go to the client, to the Linux box, I guess that's the one. I am 192.168.1.10; I'm going to try to ping 192.168.2.10, and sure enough I'm able to reach the client. So pretty much we are done. If you're wondering how else you can expand on that: if you want to, let's say, add another network into the topology, let's say suddenly you have another department that needs to reach this server, you have to basically just add the static route for it. So let's say department 3, 192.168.3.1, will be added here; it's just another SVI, and then the traffic will be routed because this firewall has a route, but then on the other side you need a route back. And that's pretty much it. You don't have to worry about so many details like the ACLs and, you know, updating both ends and stuff like that, no, no, no; it's pretty simple. And additionally you can also configure BGP and you can redistribute this route in here; on this side, for instance, you're learning about these networks and you can redistribute it to downstream routers or neighbor devices in your topology.

Okay, so that is pretty much all. Thank you guys for watching. If you find this video useful, please give it a thumbs up, and also consider subscribing if you're not a subscriber, and don't forget to click on that notification button so every time I post a new video you get a notification about it.
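The complete route-based (VTI) configuration for both ASAs that the captions walk through, written out as an added example; this is not configuration from the video or its author. What follows the video: IKEv1 with a pre-shared key, an AES/SHA transform set, a 3600-second IPsec SA lifetime, a /30 on 10.10.10.0 for the tunnel, Tunnel10 on site A and Tunnel100 on site B, networks 192.168.1.0/24 (site A) and 192.168.2.0/24 (site B), static routes over the tunnel, and the show commands used for verification. Assumptions not stated in the video: the outside addresses 203.0.113.1 (site A) and 198.51.100.1 (site B) are RFC 5737 documentation addresses, the object and profile names are mine, the IKEv1 policy parameters (AES, SHA, DH group 14) are a reasonable choice the video does not spell out, and the pre-shared key is a placeholder to be replaced by a long random secret.

```cisco
! ===================== Site A ASA (outside 203.0.113.1) =====================
! Objects are optional for a VTI, kept for readability (assumed names).
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network REMOTE-NET
 subnet 192.168.2.0 255.255.255.0
!
! IKE phase 1 (IKEv1 as in the video; cipher/hash/group are an assumption).
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
!
! IPsec phase 2: transform set and the profile that the VTI will reference.
crypto ipsec ikev1 transform-set TS1 esp-aes esp-sha-hmac
crypto ipsec profile SITE-B
 set ikev1 transform-set TS1
 set security-association lifetime seconds 3600
!
! Tunnel group keyed on the peer's outside address; replace the key with a
! long random secret (the video's "cisco" is a lab placeholder only).
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-LONG-RANDOM-SECRET
!
! The VTI takes over what a crypto map did: binds source, peer and profile.
interface Tunnel10
 nameif SITE-B
 ip address 10.10.10.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SITE-B
!
! Routing decides what is encrypted: point the remote LAN at the VTI peer.
route SITE-B 192.168.2.0 255.255.255.0 10.10.10.2
!
! ===================== Site B ASA (outside 198.51.100.1) =====================
object network INSIDE-NET
 subnet 192.168.2.0 255.255.255.0
object network REMOTE-NET
 subnet 192.168.1.0 255.255.255.0
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set TS1 esp-aes esp-sha-hmac
crypto ipsec profile SITE-A
 set ikev1 transform-set TS1
 set security-association lifetime seconds 3600
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-LONG-RANDOM-SECRET
interface Tunnel100
 nameif SITE-A
 ip address 10.10.10.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SITE-A
route SITE-A 192.168.1.0 255.255.255.0 10.10.10.1
!
! ===================== Verification (either side) =====================
! show crypto ikev1 sa          -> phase 1 SA present (state MM_ACTIVE)
! show crypto ipsec sa          -> #pkts encaps AND #pkts decaps both rising
! show interface Tunnel10       -> line protocol up once the SA is built
! ping SITE-B 10.10.10.2        -> sourced on the VTI, exercises only the tunnel
```

Two checks worth doing before calling the tunnel done. First, the counter asymmetry the video describes (encaps/encrypt rising, decaps/decrypt stuck at zero) almost always means the far side is not routing the return traffic into its VTI or is using a different pre-shared key or transform set; compare `show run tunnel-group`, `show run crypto ipsec` and the `route` statements on both sides before touching anything else. Second, NAT: a dynamic PAT rule written as `nat (inside,outside)` does not match traffic that leaves through the tunnel nameif, so no NAT exemption is needed for the VTI itself, but a rule written against `any` interfaces will still rewrite tunnel traffic, in which case add an identity NAT between `inside` and the tunnel nameif for INSIDE-NET to REMOTE-NET. The IKEv1/pre-shared-key setup above mirrors the video; on a current ASA release, IKEv2 with a strong DH group is the better default and the VTI configuration is otherwise identical.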
Info
Channel: William Shanaei
Views: 1,483
Keywords: vpn, site to site, asa, configuration, access list, troubleshoot, ikev1, cisco, config, nat, exempt, sha, aes, transform set, virtual private network, diffie-hellman, ipsec, isakmp, crypto, 5512-x, 5515-x, 5506, 5505, 5510, connection, policy based, route based, tunnel, gns3, routing, bgp, redistribute, route, vti, policy, asav, training, free, meraki, palo alto, fortinet, william, shanaei, top, video, youtube, best
Id: -rbWYrjXO7I
Length: 18min 51sec (1131 seconds)
Published: Fri May 07 2021