Cisco ASA VPN Static to Dynamic IP (DHCP)

KB ID 0001683

Problem

I had a call with a client last week, they are in one of my employer’s DCs, and their servers are behind a vASA. They had purchased some Meraki MX devices for their IT team who were working remotely (during the Covid-19 lockdown), and were struggling. Normally we would just suggest AnyConnect, but these guys were building new machines for  their clients, and needed access directly to the domain from their home networks to facilitate this. So a Site-to-Site VPN was the ‘best fit’ for them.

But being home internet connections they were on DHCP for their public IP addresses. If we were all Meraki, then Meraki Auto VPN would have them up and running in no time. Conversely if they were all ‘proper’ Cisco we would be OK. In fact if they had static IP’s at home we would be OK.

So how to setup a site-to-site VPN ‘into’ a Cisco ASA with a static IP,  from another firewall with a dynamically assigned (DHCP) public IP?

I tested this firstly using a Cisco ASA at the ‘remote/dynamic’ end, then tested with a Meraki MX Device. But the methodology can be applied to any ISAKMP/IPSEC capable firewall with a dynamically assigned public IP that you want to establish a VPN into an ASA with a static IP address.

Solution

Step 1: Investigate Your Remote Device

Do your homework on the remote device, find out what it supports for VPN connectivity, you will need to answer the following questions;

  • IKE Version: Does it use/support IKEv1 or IKEv2 (or both) Set the ASA config accordingly
  • Phase 1 Encryption: What does it support? DES <- Don’t Use this if you can avoid it! 3DES, AES, AES-128, AES-192, AES-256 etc.
  • Phase 1 Hashing: What does it support? MD5, SHA/SHA1, SHA256 etc.
  • Phase 1 Diffie Hellman Group (for IKEv1): Group 1,2,5,14 etc.
  • Lifetime: {in seconds}
  • Pseudorandom function (for IKEv2): MD5, SHA1 or SHA256
  • Phase 2 (IPSEC) Encryption: 3DES, AES, AES-128, AES-192, AES-256 etc.
  • Phase 2 (IPSEC) Hashing: MD5, SHA1 or SHA254
  • Phase 2 PFS: Off or DH1, DH2, DH5, or DH14 etc.
  • Subnet on the remote site: Make sure it does not overlap with your central site, (or anyone else who will also be ‘dynamically’ connecting*).
  • Pre-Shared-Key: MAKE SURE this is long/complicated and hard to guess. 

*Note This may mean your remote sites may need to change their subnets so they don’t overlap!

Step 1 Configure the ‘Central’ ASA

I’ve covered IKEv1 VPNs and IKEv2 VPNs elsewhere on the site, feel free to go and see what what the following configuration is doing. For my Meraki Tunnel I’m going to use IKEv1, Phase 1 (3DES, SHA, Diffie Hellman Group 2, and a Lifetime of 86400 Seconds,) and Phase 2 (3DES, SHA and no PFS). Note: Some would consider this weak, but it’s the default setting on the remote device so lets keep it simple. In production you can slowly make phase1/2 more secure to your liking once you know it’s working.

Change the values in Red;

WARNING: If you already have a crypto map in use then change the keyword CRYPTO-MAP (below) to match yours. (Or all your VPNs will suddenly stop working!) Issue the command show run crypto map, if you’re unsure.

[box]

!
object network OBJ-MainSite
subnet 192.168.100.0 255.255.255.0
object network OBJ-RemoteSite-01
subnet 192.168.1.0 255.255.255.0
!
nat (inside,outside) source static OBJ-MainSite OBJ-MainSite destination static OBJ-RemoteSite-01 OBJ-RemoteSite-01 no-proxy-arp route-lookup
!
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ikev1 enable outside
!
crypto ipsec ikev1 transform-set TS-IPSEC-VPN esp-3des esp-sha-hmac
!
crypto dynamic-map DYNAMIC-CRYPTO-MAP 65535 set ikev1 transform-set TS-IPSEC-VPN
crypto dynamic-map DYNAMIC-CRYPTO-MAP 65535 set reverse-route
crypto map CRYPTO-MAP 65535 ipsec-isakmp dynamic DYNAMIC-CRYPTO-MAP
crypto map CRYPTO-MAP interface outside
!
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key V3ryL0ng&H@rd2Gue55
!

[/box]

Step 3: Configure the Remote (DHCP) Firewall

If the remote end was going to be another Cisco ASA, here’s the config;

[box]

object network OBJ-MainSite
 subnet 192.168.1.0 255.255.255.0 
object network OBJ-RemoteSite
 subnet 192.168.100.0 255.255.255.0 
! 
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-RemoteSite object OBJ-MainSite 
nat (inside,outside) source static OBJ-RemoteSite OBJ-RemoteSite destination static OBJ-MainSite OBJ-MainSite no-proxy-arp route-lookup 
!
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ikev1 enable outside
!
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-3des esp-sha-hmac
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC 
crypto map CRYPTO-MAP 1 set peer 203.0.113.1 
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM 
crypto map CRYPTO-MAP interface outside
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
pre-shared-key V3ryL0ng&H@rd2Gue55
isakmp keepalive threshold 10 retry 2

[/box]

Note For IKEv2 sample ASA Configs, Click Here

However if the remote end was going to be a Meraki Device.

Log into the Meraki Portal, and select your ‘customer’ (if you have more than one) > Security & SD WAN > Site-to-Site VPN.

Type: Hub > Scroll down.

Non-Meraki VPN Peers > Add a peer.

  • Name: Give it a sensible name.
  • IKE Version: IKEv1 (Note some versions don’t support IKEv2).
  • Public IP :Of the ASA.
  • Private Subnets: The subnet(s) behind the ASA.
  • Availability: ‘All Networks’ Unless you want to filter it.
  • Save.

Note: Should you wish to change any phase1/phase2 settings, click the link that says ‘Default‘ under IPSec policies.

 

Related Articles, References, Credits, or External Links

Special thanks to Paul White for putting me on the right road, and to Andrew Dorrian for taking the time to test the Meraki VPN config for me.

Cisco FTD Site to Site VPN

KB ID 0001681

Problem

While working out how to create a VPN on the Cisco FTD (Firepower 1010), I thought I might as well set it up to the Cisco ASA that I have in the Data Center on my test network. This is what I’m connecting;

 

Create Site to Site VPN On Cisco FTD (using FDM)

Using a web browser connect to the devices FDM > Site to Site VPN > View Configuration.

Create Site-to-site-connection.

  • Connection profile name: Something sensible like VPN-To-HQ or VPN-To-Datacentre.
  • Local VPN Access Interface: outside.
  • Local Network: Crete new network.

  • Name: This will be your local LAN so give it a recognisable name.
  • Type: Network
  • Network: Your local (behind the FTD) network i.e. 10.254.254.0/24
  • OK.

  • Remote IP Address: The public IP address of the other device (in my case the Cisco ASA).
  • Remote Network: Add
  • Crete new network

  • Name: This will be the remote sites LAN so give it a recognisable name.
  • Type: Network
  • Network: The remote (behind the ASA) network i.e. 192.168.100.0/24
  • OK.

 

Check the settings are correct > Next.

I’m using IKEv2 (if your ASA is older than version 8.4 you will need to use IKEv1) > IKE Version 2 Globally Applied > Edit.

Create new IKE Policy.

 

  • Priority: 1
  • Name: S2S-IKEv2-Policy
  • Encryption: DES Really! (Why is that the default?) Remove DES and replace with AES256

I leave the rest of the settings as they are some people might not like Sha1 if you want to change it to sha254 for example then do so, but remember to change it on the IKEv2 policy on the ASA also. Also DON’T CONFUSE PRF with PFS, we will get the chance to set PFS later. > OK.

IPsec Proposal > Edit.

Add in AES-SHA > OK. 

Enter (and confirm) the local and remote Pre-Shared Key (I usually set these the same, but they don’t have to be). Scroll down.

  • Nat Exempt: inside
  • Diffie Helman Group for Perfect Forward Secrecy (PFS): Leave disabled.
  • Next

Review the settings > Finish.

FTD VPN One Way VPN Traffic Warning!

At this point if you configure the ASA, the tunnel will come up, and if you’re behind the FTD everything will work. But If you’re behind the ASA and you want to talk to anything behind the FTD, it wont work. This confused me for a while, I could ping from my house to my servers at the DC but they could not ping me!

Resolution: What you need to do is (on the FTD) ALLOW traffic ‘inbound’ on the outside interface, for the subnet behind the ASA. (Yes that’s bobbins I know, it should do that for you, but at the moment it does not).

Policies > Access Control > Add.

  • Title: Allow-VPN-Traffic
  • Source Zone: outside_zone
  • Source Networks: The Network behind the ASA
  • Source Ports: ANY
  • Destination Zone: inside_zone
  • Destination Networks: ANY
  • Destination Ports/Protocols: ANY
  • OK

Pending changes > Deploy Now.

It can take a while to deploy, I recheck pending changes, and wait until it says it’s finished.

Create ASA Config for VPN to Cisco FTD

I’ve covered Cisco ASA IKEv2 VPN configs elsewhere, so I’ll just post the config here and you can change the details (in red) and copy and paste it into your ASA.

[box]

object network OBJ-SITE-A
 subnet 192.168.100.0 255.255.255.0
object network OBJ-SITE-B
 subnet 10.254.254.0 255.255.255.0
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-SITE-A object OBJ-SITE-B
!
nat (inside,outside) source static OBJ-SITE-A OBJ-SITE-A destination static OBJ-SITE-B OBJ-SITE-B no-proxy-arp route-lookup
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco123
 ikev2 local-authentication pre-shared-key cisco123
!

[/box]

Troubleshooting and debugging FTD VPN

All the traditional command line tools we used to use for VPN troubleshooting are available to you, you will need to SSH into the ‘Management Port’ before you can use them though! Or you can simply do the debugging and troubleshooting on the ASA!

Troubleshoot phase 1 (IKE)

[box]

show crypto isa
debug crypto ikev2 protocol

[/box]

Troubleshoot phase 2 (IPSec)

[box]

show crypto ipsec sa
debug crypto ipsec 255

[/box]

Related Articles, References, Credits, or External Links

NA

Cisco ASA Site To Site VPN IKEv1 “Using CLI”

KB ID 0000050

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

Note: This is quite an OLD POST, only use these instructions if you need to create a VPN tunnel that uses IKEv1, (i.e. The other end is not a Cisco ASA, or it’s a Cisco ASA running code older than 8.4). You can still use an IKEv1 tunnel of course, so this article is still valid, it’s just IKEv2 has some better levels of encryption.

Everyone else, go to the following article instead!

Cisco Site To Site VPN IKEv2 “Using CLI”

You want a secure IPSEC VPN between two sites.

Solution

Note: There have been a number of changes both in NAT and IKE on the Cisco ASA that mean commands will vary depending on the OS that the firewall is running, make sure you know what version your firewall is running (either by looking at the running config or issue a “sho ver” command).

Note 2: Cisco introduced IKE version 2 with ASA 8.4(x). This assumes we are configuring a tunnel using IKE version 1. (For version 2, both ends need to be running version 8.4(x) or greater).

Before you start – you need to ask yourself “Do I already have any IPSEC VPN’s configured on this firewall?” Because if it’s not already been done, you need to enable ISAKMP on the outside interface. To ascertain whether yours is on or off, issue a “show run crypto ” command and check the results, if you do NOT see “crypto isakmp enable outside” or “crypto ikev1 enable outside” then you need to issue that command.

[box]

Firewall Running an OS of 8.4(x) or newer

PetesASA# show run crypto
crypto ikev1 enable outside << Mines already enabled and its IKE version1
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
PetesASA#

Firewall Running an OS Earlier than 8.4(x) 

PetesASA# show run crypto
crypto isakmp enable outside << Mines already enabled.
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
PetesASA#

[/box]

1. I’m going to create access control lists next, one to tell the ASA what is “Interesting traffic”, that’s traffic that it needs to encrypt. If you are running an ASA older than version 8.3(x) you will need to create a second access list to STOP the ASA performing NAT on the traffic that travels over the VPN.

Warning: (ASA Version 8.3 or older): If you already have NAT excluded traffic on the firewall (for other VPN’s) this will BREAK THEM – to see if you do, issue a “show run nat” command, if you already have a nat (inside) 0 access-list {name} entry, then use that {name} NOT the one in my example.

So below I’m saying “Don’t NAT Traffic from the network behind the ASA (10.254.254.0) that’s going to network behind the VPN device at the other end of the tunnel (172.16.254.0).

[box]

Firewall Running an OS of 8.3(x) or newer

PetesASA(config)#object network Site-A-SN
PetesASA(config-network-object)#subnet 10.254.254.0 255.255.255.0
PetesASA(config)#object network Site-B-SN
PetesASA(config-network-object)#subnet 172.16.254.0 255.255.255.0
PetesASA(config)#access-list VPN-INTERESTING-TRAFFIC line 1 extended permit ip object Site-A-SN object Site-B-SN
PetesASA(config)#nat (inside,outside) source static Site-A-SN Site-A-SN destination static Site-B-SN Site-B-SN no-proxy-arp route-lookup

Firewall Running an OS Earlier than 8.3(x) 

PetesASA(config)# access-list VPN-INTERESTING-TRAFFIC line 1 extended permit 
ip 10.254.254.0 255.255.255.0 172.16.254.0 255.255.255.0
PetesASA(config)# access-list NO-NAT-TRAFFIC line 1 extended permit 
ip 10.254.254.0 255.255.255.0 172.16.254.0 255.255.255.0
PetesASA(config)#nat (inside) 0 access-list NO-NAT-TRAFFIC

[/box]

2. Now I’m going to create a “Tunnel Group” to tell the firewall it’s a site to site VPN tunnel “l2l”, and create a shared secret that will need to be entered at the OTHER end of the site to site VPN Tunnel. I also set a keep alive value.

Note: Ensure the Tunnel Group Name is the IP address of the firewall/device that the other end of the VPN Tunnel is terminating on.

[box]

PetesASA(config)# tunnel-group 123.123.123.123 type ipsec-l2l
PetesASA(config)# tunnel-group 123.123.123.123 ipsec-attributes
PetesASA(config-tunnel-ipsec)# pre-shared-key 1234567890
PetesASA(config-tunnel-ipsec)# isakmp keepalive threshold 10 retry 2
PetesASA(config-tunnel-ipsec)# exit

[/box]

3. Now we need to create a policy that will setup how “Phase 1” of the VPN tunnel will be established, we have already put in a shared secret, this policy will make sure we use it. It also sets the encryption type (3DES), the hashing algorithm (SHA) and the Level of PFS (Group 2). Finally it sets the timeout before phase 1 needs to be re-established. It sets the timeout value to 86400 seconds (that’s 1440 Minutes – or 24 hours if your still confused 🙂 ).

[box]

Firewall Running an OS of 8.4(x) or newer

PetesASA(config)# crypto ikev1 policy 10
PetesASA(config-ikev1-policy)#authentication pre-share
PetesASA(config-ikev1-policy)#hash sha
PetesASA(config-ikev1-policy)#group 2 
PetesASA(config-ikev1-policy)#lifetime 86400

Firewall Running an OS Earlier than 8.4(x)

PetesASA(config)# crypto isakmp policy 10 authen pre-share
PetesASA(config)# crypto isakmp policy 10 encrypt 3des
PetesASA(config)# crypto isakmp policy 10 hash sha
PetesASA(config)# crypto isakmp policy 10 group 2
PetesASA(config)# crypto isakmp policy 10 lifetime 86400

[/box]

4. We stated above that we are going to use 3DES and SHA so we need a “Transform Set” that matches. [box]

Firewall Running an OS of 8.4(x) or newer

PetesASA(config)# crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

Firewall Running an OS Earlier than 8.4(x)

PetesASA(config)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

[/box]

5. Finally we need to create a “Cryptomap” to handle “Phase 2” of the VPN Tunnel, that also will use 3DES and SHA and PFS. And last of all we apply that Cryptomap to the outside interface.

[box]

Firewall Running an OS of 8.4(x) or newer

PetesASA(config)# crypto map outside_map 1 match address VPN-INTERESTING-TRAFFIC 
PetesASA(config)# crypto map outside_map 1 set pfs group2 
PetesASA(config)# crypto map outside_map 1 set peer 123.123.123.123 
PetesASA(config)# crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA 
PetesASA(config)# crypto map outside_map interface outside

Firewall Running an OS Earlier than 8.4(x)

PetesASA(config)# crypto map outside_map 1 match address VPN-INTERESTING-TRAFFIC 
PetesASA(config)# crypto map outside_map 1 set pfs group2 
PetesASA(config)# crypto map outside_map 1 set peer 123.123.123.123 
PetesASA(config)# crypto map outside_map 1 set transform-set ESP-3DES-SHA 
PetesASA(config)# crypto map outside_map interface outside

[/box]

5. Don’t forget to save your hard work with a “write mem” command.

[box]

PetesASA(config)#
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#

[/box]

6. Simply configure the other end as a “Mirror Image” of this one.

ASA 5500 Site to Site VPN Copy and Paste Config

Note: This uses AES and SHA. It also assumes your outside interface is called ‘outside’. Check! I’ve seen them called Outside (capital O), wan, and WAN.

[box]

crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
object network OBJ-MainSite
subnet 10.0.0.0 255.255.255.0
object network OBJ-RemoteSite
subnet 10.0.3.0 255.255.255.0
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-MainSite object OBJ-RemoteSite
nat (inside,outside) source static OBJ-MainSite OBJ-MainSite destination static OBJ-RemoteSite OBJ-RemoteSite no-proxy-arp route-lookup
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs group2
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
[/box]

Simply change the values in red where;

  • 10.0.00 255.255.255.0 is the network behind the ASA you are working on.
  • 10.0.3.0 255.255.255.0 is the destination network behind the device you are connecting to.
  • 2.2.2.2 is the peer IP address of the device you are attempting to connect to.
  • 1234567 Is the shared secret you will use at both ends.

Related Articles, References, Credits, or External Links

Original Article Written 07/06/11, updated 20/04/14

Meraki To Cisco ASA 5500 Site to Site VPN

KB ID 0001255 

Problem

This was surprisingly easier than I was expecting! Special thanks to  Steve for letting me loose on his test network for the Meraki end of the tunnel. Here I’m using an MX 64 Security appliance, and a Cisco ASA 5510.

Note: The Meraki device will need a static IP.

Solution

Configuring Meraki MX Device for VPN to a Cisco ASA

From your Meraki dashboard > Security Appliance > Site To Site VPN.

If you have no VPNs setup then you will need to select ‘Hub’, then scroll down to ‘Non-Meraki VPN Peers’ > Add a peer.

Give the tunnel a name > Public IP is the address of the ASA > Private Subnets is the network(s) behind the ASA > Preshare secret is a shared key you will enter on the ASA (below). Above select all the networks you have behind the Meraki that you want to participate in the VPN and set their ‘Use VPN’ Status to ‘Yes’

Note: If you click the IPSEC policy you will see what it wants to use for phase 1 and phase 2 of the VPN tunnel. BE AWARE: By default PFS (Perfect Forward Secrecy) is disabled. If you setup your AS VPN from within the ASDM wizard this may be enabled on the ASA. More reason to use the command line options I give you below!

If you don’t know the public IP of your Meraki device, here is where to find it (so you can use it when configuring the ASA).

Configuring Cisco ASA5500 for VPN to a Meraki MX Device

To make things simple, change the values in RED below then you can paste in the command to your Cisco ASA.

WARNING: Below I use a crypto map called CRYPTO-MAP If you already have one then CHANGE the name to match your existing one (‘show run crypto map‘ will show you). e.g. if yours is called outside_map  then change the entries below to outside_map 2.

Note: This config uses newer (post 8.3) NAT commands.

[box]

!
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 12800
!
object network OBJ-This-Site
subnet 192.168.100.0 255.255.255.0
object network OBJ-Meraki-Site
subnet 192.168.102.0 255.255.255.0
!
access-list MERAKI-INTERESTING-TRAFFIC extended permit ip object OBJ-This-Site object OBJ-Meraki-Site
nat (inside,outside) source static OBJ-This-Site OBJ-This-Site destination static OBJ-Meraki-Site OBJ-Meraki-Site no-proxy-arp route-lookup
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
pre-shared-key 123456
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev1 transform-set MERAKI-TRANSFORM esp-aes-256 esp-sha-hmac
!
crypto map CRYPTO-MAP 1 match address MERAKI-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 203.0.113.1
crypto map CRYPTO-MAP 1 set ikev1 transform-set MERAKI-TRANSFORM
crypto map CRYPTO-MAP interface outside
!

[/box]

Related Articles, References, Credits, or External Links

NA

Cisco PIX 500 – IPSEC Site to Site VPNs (v6)

KB ID 0000611 

Problem

Note: This is for firewalls running an operating system BEFORE version 7, if you have an PIX running version 7 or above go here instead. I’ll run though he commands first and then the configuration from PDM at the end.

Solution

PIX 500: Configure a site to site VPN from command line

1. Connect to the PIX, go to “enable mode”, then to “Configure terminal mode”

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesPIX> enable
Password: ********
PetesPIX# configure Terminal
PetesPIX(config)# 

[/box]

2. I’m assuming the network BEHIND the PIX 500 is 192.168.124.0/24 and the network at the far end of the tunnel is 192.168.123.0/24. So I’m going to create two ACL’s one to tell the PIX that this traffic should be encrypted, and the second to tell the PIX NOT to perform NAT on the VPN traffic.

Note: Yes I can use one ACL, but having two makes it easier to troubleshoot any VPN problems.

[box]

PetesPIX(config)# access-list VPN_CRYPTO_ACL permit ip 192.168.124.0 255.255.255.0 192.168.123.0 255.255.255.0
PetesPIX(config)# access-list VPN_NO_NAT line 1 permit ip 192.168.124.0 255.255.255.0 192.168.123.0 255.255.255.0

[/box]

3. Now I’ve got an ACL that will stop performing NAT I need to add it as a “Nat 0” (this means don’t perform NAT).

Note: Check to make sure you do not already have a nat(inside) 0 xxx command, if you do, use the SAME ACL that is already in use.

[box]

PetesPIX(config)# nat (inside) 0 access-list VPN_NO_NAT

[/box]

4. To set up all the VPN parameters you need to create a crypto map. In the example below I set the peer IP (the firewall at the other end of the tunnel), to 81.81.81.81. Then I tie it to the ACL I created earlier (VPN_CRYPTO_ACL). I’ve set the encryption and hashing used for the tunnel to 3DES and SHA (These will be used for IPSec (Phase 2)). Set the timeouts for the tunnel, and finally apply the cryptomap I’ve just created, to the outside interface.

[box]

PetesPIX(config)# crypto map VPN_CRYPTO_MAP 20 set peer 81.81.81.81
PetesPIX(config)# crypto map VPN_CRYPTO_MAP 20 match address VPN_CRYPTO_ACL
PetesPIX(config)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
PetesPIX(config)# crypto map VPN_CRYPTO_MAP 20 set transform-set ESP-3DES-SHA
PetesPIX(config)# crypto map VPN_CRYPTO_MAP 20 set security-association lifetime seconds 28800 kilobytes 4608000
PetesPIX(config)# crypto map VPN_CRYPTO_MAP interface outside

[/box]

5. The next command lets VPN traffic bypass any other ACLs configured on the firewall.

[box]

PetesPIX(config)# sysopt connection permit-ipsec

[/box]

6. I’m using a “shared secret” that also needs to be setup on the other end of the tunnel. As I said earlier the peer IP is 81.81.81.81.

[box]

PetesPIX(config)# isakmp key 123456 address 81.81.81.81 netmask 255.255.255.255 no-xauth no-config-mode

[/box]

7. To establish the VPN phase 1 (ISAKMP) the devices at both ends of the tunnel need a matching ISAKMP policy. I’ve already set up my shared secret, the first line lets the other end know that’s how we will be communicating. Then once again I’m using 3DES and SHA. I’m telling the system to use Diffie Hellman group 2 for the secure key exchange, and then binding this policy to the outside interface.

Note: If you are interested on how all this stuff works see here

[box]

PetesPIX(config)# isakmp policy 20 authen pre-share
PetesPIX(config)# isakmp policy 20 encrypt 3des
PetesPIX(config)# isakmp policy 20 hash sha
PetesPIX(config)# isakmp policy 20 group 2
PetesPIX(config)# isakmp enable outside

[/box]

8. Then save the changes with a write mem command.

[box]

PetesPIX# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesPIX#

[/box]

PIX 500: Configure a site to site VPN from the PDM

1. To connect to the PDM you are going to need two things, an OLD browser (IE6) and an OLD version of Java. Select Wizards > VPN Wizard.

2. Site to Site > Next.

3. Set the Peer (Device at the other end of the tunnel) and a shared secret that you will also use at the other end > Next.

4. Set the policy that will be used for phase 1 > Next.

5. Now the phase 2 policy > Next

6. Enter the network behind the PIX > Next.

7. Enter the network at the far end of the tunnel > Finish.

8. Finish by saving the changes > File > Save running configuration to flash.

Related Articles, References, Credits, or External Links

Set up a PIX Firewall with the PDM

PIX 506E and 501 Firewall Image and PDM Upgrade

Site to Site IPSEC VPN from SonicWALL to Cisco ASA

KB ID 0000357

Problem

You want to put in a secure IPSEC VPN tunnel from a Cisco ASA Device to a Sonicwall Firewall. Note in this example we will use 3DES for encryption, SHA1 for Hashing, Diffie Hellman Group 2, PFS enabled, and we will use a shared secret (Pre Shared Key).

SonicWALL used in this example is a PRO 3060.

Solution

The main two gotcha’s

Update 12/03/11 Feedback from Wajma Omari:

I would like to add that this configuration will build the Tunnel but one more step needed to enable the Traffic between the two networks and that is by adding ACL from Inside network to the Remote Site Configuration – Firewall – Advanced – ACL Manager – Add – Add ACL and then ADD ACE

Thanks for the very helpful article

Many Thanks for the feedback! Pete

Related Articles, References, Credits, or External Links

Special thanks to David Pounds for his help with the SonicWALL configuration.