With this article I want to show some basic configuration examples of how to establish a site-to-site VPN between two Cisco ASAs. Even though it is more comfortable to configure this kind of thing through the ASDM GUI, I thought it was a good exercise to try to set everything up from the CLI.
Goal
- Monitoring asaSiteA via SNMP and ICMP Ping from hosts hostSiteB-SNMP and hostSiteB-Ping
- Sending asaSiteA Syslogs to hostSiteB-Syslog
- Relaying DNS queries sent to asaSiteA to hostSiteB-DNS
- Allow access to a webservice hosted on hostSiteB-WWW from netSiteA
- All traffic between netSiteA and netSiteB has to be tunneled
Network Diagram
+-----------------------+ +---------------------------------+
| netSiteA | | netSiteB |
|-----------------------| |---------------------------------|
| +--------+| |+--------+ +----------------+|
| |asaSiteA|<---------->|asaSiteB+--+--+hostSiteB-SNMP ||
| +--------+| |+--------+ | +----------------+|
+-----------------------+ | |--+hostSiteB-WWW ||
| | +----------------+|
+---------------------------+ | |--+hostSiteB-Syslog||
| Network Entities | | | +----------------+|
|---------------------------| | |--+hostSiteB-DNS ||
|netSiteA: 10.0.1.0/24 | | | +----------------+|
|netSiteB: 10.0.2.0/24 | | +--+hostSiteB-Ping ||
| | | +----------------+|
|asaSiteA-int: 10.0.1.1 | +---------------------------------+
|asaSiteA-ext: 10.0.10.1 |
| |
|asaSiteB-int: 10.0.2.1 |
|asaSiteB-ext: 10.0.20.1 |
| |
|hostSiteB-Syslog: 10.0.2.10|
|hostSiteB-SNMP: 10.0.2.11|
|hostSiteB-Ping: 10.0.2.12|
|hostSiteB-DNS: 10.0.2.13|
|hostSiteB-WWW: 10.0.2.14|
+---------------------------+
Config of asaSiteA (only relevant parts)
! Name aliases and object definitions ("names" has to be enabled for the aliases to be usable; ASA syntax is name <ip> <alias>)
names
name 10.0.1.1 asaSiteA-int
name 10.0.10.1 asaSiteA-ext
name 10.0.20.1 asaSiteB-ext
object network netSiteA
subnet 10.0.1.0 255.255.255.0
object network netSiteB
subnet 10.0.2.0 255.255.255.0
object network hostSiteB-Syslog
host 10.0.2.10
object network hostSiteB-SNMP
host 10.0.2.11
object network hostSiteB-Ping
host 10.0.2.12
object network hostSiteB-DNS
host 10.0.2.13
object network hostSiteB-WWW
host 10.0.2.14
object service dns
service udp destination eq domain
description dns
! Interface settings (a route to netSiteB and to asaSiteB-ext via "ext" is needed as well; the next hop depends on the transit network and is not shown here)
interface Ethernet0/0
nameif int
security-level 100
ip address asaSiteA-int 255.255.255.0
interface Ethernet0/1
nameif ext
security-level 0
ip address asaSiteA-ext 255.255.255.0
! Traffic that gets encrypted and sent through the VPN (must be the exact mirror of acl_crypt on asaSiteB)
access-list acl_crypt remark Crypt_IP_netSiteA_to_netSiteB
access-list acl_crypt extended permit ip object netSiteA object netSiteB
! ACL applied inbound on interface "ext" (what the remote site may initiate towards netSiteA)
access-list acl_ext_in remark Allow_ICMP_hostSiteB-Ping_to_netSiteA
access-list acl_ext_in extended permit icmp object hostSiteB-Ping object netSiteA log
access-list acl_ext_in remark Allow_SNMP_hostSiteB-SNMP_to_netSiteA
access-list acl_ext_in extended permit udp object hostSiteB-SNMP object netSiteA eq snmp log
access-list acl_ext_in remark Default_Deny
access-list acl_ext_in extended deny ip any any log
! ACL applied inbound on interface "int" -> allow all outbound IP traffic to netSiteB
access-list acl_int_in remark Allow_IP_netSiteA_to_netSiteB
access-list acl_int_in extended permit ip object netSiteA object netSiteB log
access-list acl_int_in remark Default_Deny
access-list acl_int_in extended deny ip any any log
! Mapping ACLs to interfaces. By default decrypted VPN traffic bypasses the interface ACLs
! ("sysopt connection permit-vpn" is on); turn that off so acl_ext_in is actually applied to tunnel traffic
no sysopt connection permit-vpn
access-group acl_ext_in in interface ext
access-group acl_int_in in interface int
! Setting up VPN parameters
! (IKEv1, SHA-1 and DH group 5 are what the original deployment used; on software that supports it, IKEv2 with SHA-256 and DH group 14 or higher is the better choice today)
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map ext_map 100 match address acl_crypt
crypto map ext_map 100 set pfs group5
crypto map ext_map 100 set peer asaSiteB-ext
crypto map ext_map 100 set ikev1 transform-set ESP-AES-256-SHA
crypto map ext_map interface ext
crypto ikev1 enable ext
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
! Setting up the VPN tunnel. An L2L tunnel group is looked up by the peer's IP address, so it is named
! with the literal address of asaSiteB-ext (10.0.20.1). The referenced group policy Policy_L2L has to exist.
group-policy Policy_L2L internal
group-policy Policy_L2L attributes
vpn-tunnel-protocol ikev1
tunnel-group 10.0.20.1 type ipsec-l2l
tunnel-group 10.0.20.1 general-attributes
default-group-policy Policy_L2L
tunnel-group 10.0.20.1 ipsec-attributes
! "1234" is only a placeholder: use a long, random pre-shared key and configure the same one on asaSiteB
ikev1 pre-shared-key 1234
! Allow management traffic (e.g. SNMP polls, ICMP) to reach the "int" address from the far end of the VPN; this also lets the ASA source its own syslog and SNMP traffic from "int"
management-access int
! Enable syslog logging to SiteB (sent through the tunnel, sourced from the "int" address, so it is covered by acl_crypt)
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging asdm notifications
logging host int hostSiteB-Syslog
logging permit-hostdown
! Enable SNMPv3 (authPriv). "xxx" stands for the (hashed) passphrases; MD5/DES are the weakest options the ASA
! offers, so prefer "auth sha" and "priv aes 128" where the SNMP manager supports them.
snmp-server group authPriv v3 priv
snmp-server user snmpuser authPriv v3 encrypted auth md5 xxx priv des xxx
! The interface is named "int" in this config (there is no interface called "inside" here)
snmp-server host int hostSiteB-SNMP poll version 3 snmpuser
! Redirect DNS queries that netSiteA hosts send to asaSiteA's "int" address to hostSiteB-DNS. This is twice NAT that only
! rewrites the destination; once translated to 10.0.2.13 the query matches acl_crypt and is sent through the tunnel
nat (int,ext) source static any any destination static interface hostSiteB-DNS service dns dns
Config of asaSiteB (only relevant parts)
! Name aliases and object definitions ("names" has to be enabled for the aliases to be usable; ASA syntax is name <ip> <alias>)
names
name 10.0.2.1 asaSiteB-int
name 10.0.20.1 asaSiteB-ext
! asaSiteA-ext is used as the crypto map peer below, so its alias must be defined here too
name 10.0.10.1 asaSiteA-ext
! asaSiteA-int is referenced as an object in acl_ext_in below, so it needs a network object, not just a name alias
object network asaSiteA-int
host 10.0.1.1
object network netSiteA
subnet 10.0.1.0 255.255.255.0
object network netSiteB
subnet 10.0.2.0 255.255.255.0
object network hostSiteB-Syslog
host 10.0.2.10
object network hostSiteB-SNMP
host 10.0.2.11
object network hostSiteB-Ping
host 10.0.2.12
object network hostSiteB-DNS
host 10.0.2.13
object network hostSiteB-WWW
host 10.0.2.14
! Interface settings (a route to netSiteA and to asaSiteA-ext via "ext" is needed as well; the next hop depends on the transit network and is not shown here)
interface Ethernet0/0
nameif int
security-level 100
ip address asaSiteB-int 255.255.255.0
interface Ethernet0/1
nameif ext
security-level 0
ip address asaSiteB-ext 255.255.255.0
! Traffic that gets encrypted and sent through the VPN (must be the exact mirror of acl_crypt on asaSiteA)
access-list acl_crypt remark Crypt_IP_netSiteB_to_netSiteA
access-list acl_crypt extended permit ip object netSiteB object netSiteA
! ACL applied inbound on interface "ext" (what asaSiteA and netSiteA may initiate towards netSiteB)
access-list acl_ext_in remark Allow_Syslog_asaSiteA-int_to_hostSiteB-Syslog
access-list acl_ext_in extended permit udp object asaSiteA-int object hostSiteB-Syslog eq syslog log
! SNMP polls are initiated by hostSiteB-SNMP, so their replies are return traffic of that connection; this entry only matters if asaSiteA initiates SNMP traffic itself
access-list acl_ext_in remark Allow_SNMP_asaSiteA-int_to_hostSiteB-SNMP
access-list acl_ext_in extended permit udp object asaSiteA-int object hostSiteB-SNMP eq snmp log
access-list acl_ext_in remark Allow_DNS_netSiteA_to_hostSiteB-DNS
! The ASA port name for 53/udp is "domain" (as in the service object on asaSiteA), not "dns"
access-list acl_ext_in extended permit udp object netSiteA object hostSiteB-DNS eq domain log
access-list acl_ext_in remark Allow_WWW_netSiteA_to_hostSiteB-WWW
access-list acl_ext_in extended permit tcp object netSiteA object hostSiteB-WWW eq www log
access-list acl_ext_in remark Default_Deny
access-list acl_ext_in extended deny ip any any log
! ACL applied inbound on interface "int" -> allow all outbound IP traffic to netSiteA
access-list acl_int_in remark Allow_IP_netSiteB_to_netSiteA
access-list acl_int_in extended permit ip object netSiteB object netSiteA log
access-list acl_int_in remark Default_Deny
access-list acl_int_in extended deny ip any any log
! Mapping ACLs to interfaces. By default decrypted VPN traffic bypasses the interface ACLs
! ("sysopt connection permit-vpn" is on); turn that off so acl_ext_in is actually applied to tunnel traffic
no sysopt connection permit-vpn
access-group acl_ext_in in interface ext
access-group acl_int_in in interface int
! Setting up VPN parameters (must match asaSiteA; the same remark about IKEv1, SHA-1 and DH group 5 applies)
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map ext_map 100 match address acl_crypt
crypto map ext_map 100 set pfs group5
crypto map ext_map 100 set peer asaSiteA-ext
crypto map ext_map 100 set ikev1 transform-set ESP-AES-256-SHA
crypto map ext_map interface ext
crypto ikev1 enable ext
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
! Setting up the VPN tunnel. An L2L tunnel group is looked up by the peer's IP address, so it is named
! with the literal address of asaSiteA-ext (10.0.10.1). The referenced group policy Policy_L2L has to exist.
group-policy Policy_L2L internal
group-policy Policy_L2L attributes
vpn-tunnel-protocol ikev1
tunnel-group 10.0.10.1 type ipsec-l2l
tunnel-group 10.0.10.1 general-attributes
default-group-policy Policy_L2L
tunnel-group 10.0.10.1 ipsec-attributes
! must be the same key as on asaSiteA; "1234" is only a placeholder
ikev1 pre-shared-key 1234
! Allow management access (e.g. SNMP) to the "int" address
management-access int
! Enable syslog logging to SiteB
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging asdm notifications
logging host int hostSiteB-Syslog
logging permit-hostdown
! Enable SNMPv3 (authPriv); the same remark about MD5/DES versus SHA/AES applies as on asaSiteA
snmp-server group authPriv v3 priv
snmp-server user snmpuser authPriv v3 encrypted auth md5 xxx priv des xxx
! The interface is named "int" in this config (there is no interface called "inside" here)
snmp-server host int hostSiteB-SNMP poll version 3 snmpuser
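The two configurations are hand-written mirrors of each other, and most site-to-site tunnels that refuse to come up fail on exactly that: a crypto ACL that is not the exact reverse of its peer, a tunnel group whose name does not match the peer address, or an object or interface name that is referenced on one box but never defined. The script below is an added example, not part of the original post and not a Cisco tool. It works on reduced excerpts of the two configs constructed from this page (with the `name` lines in ASA's `name <ip> <alias>` order, and deliberately keeping the page's slips: the non-existent interface name `inside` in the `snmp-server host` lines, the object `asaSiteA-int` that asaSiteB never defines, and the placeholder pre-shared key) and reports dangling references, tunnel groups that are not named by the literal peer address, placeholder keys, and whether the two crypto ACLs mirror each other once objects are resolved to prefixes. The function names `parse_asa`, `check_site` and `crypto_acls_mirror` are mine.

```python
import ipaddress
import re

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Excerpts of the two configs above, cut down to the statements the checks need
# ('nameif' shown without its parent 'interface' line). They keep the page's slips on
# purpose: the 'inside' interface name, the object asaSiteA-int that asaSiteB never
# defines, and the placeholder pre-shared key.
SITE_A = """\
name 10.0.20.1 asaSiteB-ext
object network netSiteA
 subnet 10.0.1.0 255.255.255.0
object network netSiteB
 subnet 10.0.2.0 255.255.255.0
nameif int
access-list acl_crypt extended permit ip object netSiteA object netSiteB
crypto map ext_map 100 match address acl_crypt
crypto map ext_map 100 set peer asaSiteB-ext
tunnel-group asaSiteB-ext type ipsec-l2l
 ikev1 pre-shared-key 1234
snmp-server host inside hostSiteB-SNMP poll version 3 snmpuser
"""
SITE_B = """\
name 10.0.10.1 asaSiteA-ext
object network netSiteA
 subnet 10.0.1.0 255.255.255.0
object network netSiteB
 subnet 10.0.2.0 255.255.255.0
object network hostSiteB-SNMP
 host 10.0.2.11
nameif int
access-list acl_crypt extended permit ip object netSiteB object netSiteA
access-list acl_ext_in extended permit udp object asaSiteA-int object hostSiteB-SNMP eq snmp log
crypto map ext_map 100 match address acl_crypt
crypto map ext_map 100 set peer asaSiteA-ext
tunnel-group asaSiteA-ext type ipsec-l2l
 ikev1 pre-shared-key 1234
snmp-server host inside hostSiteB-SNMP poll version 3 snmpuser
"""

def parse_asa(text):
    """Extract only the facts the checks below need from an ASA running-config."""
    cfg = {"names": {}, "objects": {}, "nameifs": set(), "acls": {}, "refs": [],
           "crypto_acl": None, "peer": None, "tunnel_group": None, "psk": None}
    obj = None
    for stmt in filter(None, map(str.strip, text.splitlines())):
        t = stmt.split()
        if t[0] == "name":  # ASA syntax is 'name <ip> <alias>'; tolerate the swapped order too
            ip, alias = (t[1], t[2]) if IP_RE.match(t[1]) else (t[2], t[1])
            cfg["names"][alias] = ip
        elif t[:2] == ["object", "network"]:
            obj = t[2]
        elif t[0] in ("host", "subnet") and obj:  # 'subnet a.b.c.d m.m.m.m' -> 'a.b.c.d/m.m.m.m'
            cfg["objects"][obj] = ipaddress.ip_network("/".join(t[1:]))
        elif t[0] == "nameif":
            cfg["nameifs"].add(t[1])
        elif t[0] == "access-list" and t[2] != "remark":
            objs = [t[i + 1] for i, w in enumerate(t) if w == "object"]
            cfg["refs"] += [("object", o, stmt) for o in objs]
            cfg["acls"].setdefault(t[1], []).append(tuple(objs))
        elif t[:2] in (["snmp-server", "host"], ["logging", "host"]):
            cfg["refs"].append(("interface", t[2], stmt))
        elif t[:2] == ["crypto", "map"] and "match" in t:
            cfg["crypto_acl"] = t[-1]
        elif t[:2] == ["crypto", "map"] and "peer" in t:
            cfg["peer"] = t[-1]
        elif t[0] == "tunnel-group" and "type" in t:
            cfg["tunnel_group"] = t[1]
        elif t[:2] == ["ikev1", "pre-shared-key"]:
            cfg["psk"] = t[2]
    return cfg

def check_site(cfg):
    """Per-device findings: dangling references, tunnel-group naming, weak PSK."""
    findings = []
    for kind, name, stmt in cfg["refs"]:
        if name not in (cfg["objects"] if kind == "object" else cfg["nameifs"]):
            findings.append(f"undefined {kind} '{name}' in: {stmt}")
    tg, peer = cfg["tunnel_group"], cfg["names"].get(cfg["peer"], cfg["peer"])
    if tg and not IP_RE.match(tg):  # an IKEv1 L2L tunnel group with a PSK is selected by the peer's IP
        findings.append(f"tunnel-group '{tg}' should be the literal peer address {peer}")
    elif tg and tg != peer:
        findings.append(f"tunnel-group '{tg}' does not match the crypto map peer {peer}")
    psk = cfg["psk"] or ""
    if len(psk) < 16 or psk.isdigit():
        findings.append("pre-shared key looks like a placeholder; use a long random secret")
    return findings

def crypto_acls_mirror(a, b):
    """True when the two crypto ACLs are exact mirrors once objects resolve to prefixes."""
    def pairs(cfg):
        return {tuple(str(cfg["objects"].get(o)) for o in ace)
                for ace in cfg["acls"].get(cfg["crypto_acl"], [])}
    return pairs(a) == {(dst, src) for src, dst in pairs(b)}

if __name__ == "__main__":
    a, b = parse_asa(SITE_A), parse_asa(SITE_B)
    print("asaSiteA:", check_site(a), "\nasaSiteB:", check_site(b))
    print("crypto ACLs mirror:", crypto_acls_mirror(a, b), "| PSKs match:", a["psk"] == b["psk"])
```

Run as-is it lists three findings for asaSiteA and four for asaSiteB (the extra one being the undefined object `asaSiteA-int`) and reports the crypto ACLs as mirrored. To lint a real pair, feed it `show running-config` output instead of the excerpts; it only looks at the statement types shown, so a clean result means the tunnel is consistently defined on both ends, not that the policy itself is right.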
Remarks
Unfortunately, I could not test this setup 1:1, but it was derived from an actually running configuration I recently had to set up. If you think something seems wrong, please drop me a comment.
Further Reference
Cisco ASA Config Guide
asciiflow – an online tool to draw ASCII network plans