
Netmetric CCNP Security Workbook 2.0

Site-to-Site IPSec VPN over ASA

LAB - 2 Making Site to Site IPSec Virtual Private Network Over ASA
LAB Topology

In the above topology two ASAs act as the border devices of Site A and Site B respectively, R2 acts as the Internet, and Routers R1 and R3 are the local LANs of their respective sites.

Interface Configuration

Device       Interface   Name-if   IP Address     Subnet
ASA Site A   E0/0        Outside   1.1.1.1        255.0.0.0
ASA Site A   E0/1        Inside    11.11.11.10    255.0.0.0
ASA Site B   E0/0        Outside   2.2.2.2        255.0.0.0
ASA Site B   E0/1        Inside    33.33.33.10    255.0.0.0
R1           F0/0        --        11.11.11.11    255.0.0.0
R3           F0/0        --        33.33.33.33    255.0.0.0

* Configure a default route pointing towards the Internet (i.e. Router R2) on both ASAs.

Verification of routing (each ASA must reach the other's Outside address before any IKE negotiation can start):

ciscoasa-site-A# ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/72/150 ms

ciscoasa-Site-B# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 50/74/90 ms


Task 1: Configure an IPsec site-to-site VPN between Site A and Site B to secure the traffic between the LAN of R1 (11.11.11.11) and the LAN of R3 (33.33.33.33).

By default ISAKMP is disabled on the ASA, so it has to be enabled on the interface that terminates the tunnel. From ASA 8.4 onwards the ISAKMP commands are split into "crypto ikev1" and "crypto ikev2" keywords. IKEv2 is simply the newer version of the IKE key-exchange protocol for IPsec (IKEv2 site-to-site tunnels and AnyConnect IPsec use it); it has nothing to do with SSL VPN. This lab builds an IKEv1 site-to-site tunnel, so IKEv1 is enabled on the Outside interface:

ciscoasa-site-A(config)# crypto ikev1 enable Outside

Configure the ISAKMP (Phase 1) parameters in a policy. The encryption, hash, DH group and authentication method must match a policy on the peer:

ciscoasa-site-A(config)# crypto ikev1 policy 10
ciscoasa-site-A(config-ikev1-policy)# encryption aes
ciscoasa-site-A(config-ikev1-policy)# hash sha
ciscoasa-site-A(config-ikev1-policy)# group 2
ciscoasa-site-A(config-ikev1-policy)# authentication pre-share
ciscoasa-site-A(config-ikev1-policy)# lifetime 6000

Define the pre-shared key using a tunnel group. A tunnel group holds the attributes of a VPN connection; for type ipsec-l2l its name must always be the peer's IP address, because that is how the ASA looks up the key when the peer's IKE request arrives:

ciscoasa-site-A(config)# tunnel-group 2.2.2.2 type ipsec-l2l
ciscoasa-site-A(config)# tunnel-group 2.2.2.2 ipsec-attributes
ciscoasa-site-A(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123

Configure the IPsec (Phase 2) transform set. It must match on both devices:

ciscoasa-site-A(config)# crypto ipsec ikev1 transform-set t-set esp-3des esp-md5-hmac

The workbook uses 3DES and MD5 here; both are deprecated and should be replaced by AES and a SHA-based HMAC (for example esp-aes-256 esp-sha-hmac) anywhere outside the lab. The same applies to DH group 2 (1024-bit) in the IKE policy; group 14 or higher is the current minimum. Likewise, a short dictionary word such as cisco123 is fine for a lab but not for a real pre-shared key.

Define the interesting traffic using an access-list. Only traffic matching this ACL is encrypted and sent through the tunnel:

ciscoasa-site-A(config)# access-list 101 permit ip host 11.11.11.11 host 33.33.33.33

Create a crypto map and bind all the credentials with that map: the peer, the transform set and the interesting traffic go into one crypto map entry:

ciscoasa-site-A(config)# crypto map mymap 10 set peer 2.2.2.2
ciscoasa-site-A(config)# crypto map mymap 10 set ikev1 transform-set t-set
ciscoasa-site-A(config)# crypto map mymap 10 match address 101

Apply the map on the interface facing the Internet:

ciscoasa-site-A(config)# crypto map mymap interface Outside

No NAT is configured on either ASA in this lab, so no NAT exemption is needed. On an ASA that translates the inside network, the VPN traffic must be exempted from NAT (identity NAT), otherwise the translated packets never match the crypto ACL and are sent out in the clear.

Make the VPN configuration on the other side as well. The IKE policy attributes, the pre-shared key and the transform set must match Site A. The lifetime is the one exception: Site B uses 5600 seconds versus 6000 on Site A, and the peers settle on the shorter of the two.

ciscoasa-Site-B(config)# crypto ikev1 enable Outside
ciscoasa-Site-B(config)# crypto ikev1 policy 10
ciscoasa-Site-B(config-ikev1-policy)# authentication pre-share
ciscoasa-Site-B(config-ikev1-policy)# encryption aes
ciscoasa-Site-B(config-ikev1-policy)# hash sha
ciscoasa-Site-B(config-ikev1-policy)# group 2
ciscoasa-Site-B(config-ikev1-policy)# lifetime 5600
ciscoasa-Site-B(config)# tunnel-group 1.1.1.1 type ipsec-l2l
ciscoasa-Site-B(config)# tunnel-group 1.1.1.1 ipsec-attributes
ciscoasa-Site-B(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123
ciscoasa-Site-B(config)# crypto ipsec ikev1 transform-set t-set esp-3des esp-md5-hmac

Define the interesting traffic with an access-list that is the mirror image of the one on Site A (source and destination swapped). If the two ACLs are not exact mirrors, Phase 2 fails with a proxy-identity mismatch:

ciscoasa-Site-B(config)# access-list 109 permit ip host 33.33.33.33 host 11.11.11.11

Crypto map creation and application:

ciscoasa-Site-B(config)# crypto map mymap 10 match address 109
ciscoasa-Site-B(config)# crypto map mymap 10 set peer 1.1.1.1
ciscoasa-Site-B(config)# crypto map mymap 10 set ikev1 transform-set t-set
ciscoasa-Site-B(config)# crypto map mymap interface outside
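The two configurations above have to agree on everything except the lifetime, and the crypto ACLs have to be exact mirrors. The script below is an added example, not part of the Netmetric workbook: it renders the IKEv1 L2L configuration for both sides from one description of each site and then checks a pair of configurations (rendered or pasted from show run) for the mistakes that most often break a site-to-site tunnel, and flags the lab's deprecated algorithms. The site addresses and pre-shared key are the lab's; the Site dataclass, the function names and the weak-algorithm lists are assumptions of this example.

```python
"""Render and cross-check a mirrored ASA IKEv1 site-to-site configuration.

Added example, not from the workbook. Lab addresses and PSK are the page's;
the Site dataclass, function names and WEAK_* lists are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass
class Site:
    hostname: str
    outside_if: str   # nameif of the Internet-facing interface
    outside_ip: str   # this side's IKE peer address
    lan_host: str     # protected host behind this ASA (a single host, as in the lab)


SITE_A = Site("ciscoasa-site-A", "Outside", "1.1.1.1", "11.11.11.11")
SITE_B = Site("ciscoasa-Site-B", "outside", "2.2.2.2", "33.33.33.33")


def ikev1_l2l_config(local, remote, psk, ike_encr="aes", ike_hash="sha",
                     ike_group="2", transform=("esp-3des", "esp-md5-hmac"),
                     acl_id=101, lifetime=86400):
    """ASA CLI lines for `local`, pointing at `remote`. Defaults are the lab's algorithms."""
    return [
        f"crypto ikev1 enable {local.outside_if}",
        "crypto ikev1 policy 10",
        f" encryption {ike_encr}",
        f" hash {ike_hash}",
        f" group {ike_group}",
        " authentication pre-share",
        f" lifetime {lifetime}",
        # an ipsec-l2l tunnel-group must be named after the peer address
        f"tunnel-group {remote.outside_ip} type ipsec-l2l",
        f"tunnel-group {remote.outside_ip} ipsec-attributes",
        f" ikev1 pre-shared-key {psk}",
        f"crypto ipsec ikev1 transform-set t-set {' '.join(transform)}",
        # interesting traffic local -> remote; the peer's ACL is the mirror image
        f"access-list {acl_id} extended permit ip host {local.lan_host} host {remote.lan_host}",
        f"crypto map mymap 10 match address {acl_id}",
        f"crypto map mymap 10 set peer {remote.outside_ip}",
        "crypto map mymap 10 set ikev1 transform-set t-set",
        f"crypto map mymap interface {local.outside_if}",
    ]


WEAK_ALG = ("des", "md5")   # matches 3des, esp-3des, esp-des, esp-md5-hmac
WEAK_DH = {"1", "2", "5"}   # 768/1024/1536-bit MODP groups


def _first(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None


def parse_l2l(text):
    """Pull out the fields that must agree (or mirror) between the two peers."""
    acl = re.search(r"^access-list \S+ (?:extended )?permit ip host (\S+) host (\S+)", text, re.M)
    return {
        "tunnel_group": _first(r"^tunnel-group (\S+) type ipsec-l2l", text),
        "peer": _first(r"^crypto map \S+ \d+ set peer (\S+)", text),
        "psk": _first(r"^\s*ikev1 pre-shared-key (\S+)", text),
        "transform": _first(r"^crypto ipsec ikev1 transform-set \S+ (.+)$", text),
        "ike": (_first(r"^\s*encryption (\S+)", text),
                _first(r"^\s*hash (\S+)", text),
                _first(r"^\s*group (\S+)", text)),
        "acl": acl.groups() if acl else None,
    }


def check_pair(cfg_a, cfg_b):
    """Return findings for a pair of configs; [] means consistent and no weak algorithms."""
    a, b = parse_l2l(cfg_a), parse_l2l(cfg_b)
    findings = []
    if a["acl"] is None or b["acl"] is None or a["acl"] != b["acl"][::-1]:
        findings.append("interesting-traffic ACLs are not mirror images of each other")
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")
    if a["transform"] != b["transform"]:
        findings.append("IPsec transform sets differ")
    if a["ike"] != b["ike"]:
        findings.append("IKEv1 policy attributes (encryption/hash/group) differ")
    for side, s in (("site A", a), ("site B", b)):
        if s["peer"] != s["tunnel_group"]:
            findings.append(f"{side}: tunnel-group {s['tunnel_group']} does not match crypto map peer {s['peer']}")
        for alg in (s["transform"] or "").split() + [x for x in s["ike"][:2] if x]:
            if any(w in alg for w in WEAK_ALG):
                findings.append(f"{side}: deprecated algorithm {alg}")
        if s["ike"][2] in WEAK_DH:
            findings.append(f"{side}: weak DH group {s['ike'][2]}")
    return findings


if __name__ == "__main__":
    cfg_a = "\n".join(ikev1_l2l_config(SITE_A, SITE_B, "cisco123"))
    cfg_b = "\n".join(ikev1_l2l_config(SITE_B, SITE_A, "cisco123", acl_id=109))
    print(cfg_a, "\n---\n", cfg_b, sep="")
    for finding in check_pair(cfg_a, cfg_b):
        print("FINDING:", finding)
```

Run as-is it prints both lab configurations and six findings, all about 3DES, MD5 and DH group 2; passing ike_group="14" and transform=("esp-aes-256", "esp-sha-hmac") clears them. The same check_pair function can be fed the relevant lines of "show running-config" from two real ASAs to catch a non-mirrored ACL or a mistyped key before the first "show crypto isakmp sa" shows a tunnel stuck short of MM_ACTIVE.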

Verification

Initiate a connection from Router R1 to Router R3. This traffic matches the interesting-traffic ACL, so it triggers the IKE negotiation; the first echo is lost while the tunnel is still being built:

R1#ping 33.33.33.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 68/102/144 ms

Verification of ISAKMP (Phase 1) functionality. State MM_ACTIVE means main mode completed and the IKE SA is established; Site A shows Role initiator because R1's ping started the negotiation:

ciscoasa-site-A# show crypto isakmp sa
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 2.2.2.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Verification of IPsec (Phase 2) functionality:

ciscoasa-site-A# show crypto ipsec sa
interface: Outside
    Crypto map tag: mymap, seq num: 10, local addr: 1.1.1.1
      access-list 101 extended permit ip host 11.11.11.11 host 33.33.33.33
      local ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0)
      current_peer: 2.2.2.2
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 442, #pkts decrypt: 362, #pkts verify: 442
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 80
      local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
      path mtu 1500, ipsec overhead 58, media mtu 1500

The four encapsulated packets are the four successful echoes from R1. Note that Site A also reports #recv errors: 80, which equals the gap between #pkts decaps (442) and #pkts decrypt (362): 80 packets arrived on the SA but were not decrypted. On a production tunnel a non-zero error counter like this should be investigated rather than waved through once the ping works.

The same checks on Site B. Here the role is responder, and the proxy identities are the reverse of Site A's:

ciscoasa-Site-B# show crypto isakmp sa
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 1.1.1.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

ciscoasa-Site-B# show crypto ipsec sa
interface: outside
    Crypto map tag: mymap, seq num: 10, local addr: 2.2.2.2
      access-list 109 extended permit ip host 33.33.33.33 host 11.11.11.11
      local ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
      current_peer: 1.1.1.1
      #pkts encaps: 362, #pkts encrypt: 362, #pkts digest: 362
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 362, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0

Site B decapsulated exactly the 4 packets that Site A encapsulated, and its local/remote identities are Site A's swapped, which confirms that the two crypto ACLs are correctly mirrored and that traffic is flowing in both directions through the tunnel.
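Reading these counters by eye works for one lab tunnel; for a fleet it helps to script the checks. The following is an added example, not part of the workbook: it parses the "show crypto isakmp sa" and "show crypto ipsec sa" output from both peers, confirms the IKE SA is MM_ACTIVE, that the proxy identities match the intended interesting traffic and mirror each other, that packets are counted in both directions, and flags the #recv errors and the decaps/decrypt gap seen on Site A above. The embedded sample outputs are trimmed copies of the ones on this page; the function names and health rules are this example's own assumptions.

```python
"""Health-check an ASA IKEv1 L2L tunnel from both peers' show output.

Added example, not from the workbook. Sample outputs are trimmed copies of the
page's verification output; function names and rules are this example's own.
"""
import re

# --- trimmed copies of the show output printed on this page ---
ISAKMP_A = """IKEv1 SAs:
   Active SA: 1
Total IKE SA: 1
1   IKE Peer: 2.2.2.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""
IPSEC_A = """interface: Outside
    Crypto map tag: mymap, seq num: 10, local addr: 1.1.1.1
      local ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0)
      current_peer: 2.2.2.2
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 442, #pkts decrypt: 362, #pkts verify: 442
      #send errors: 0, #recv errors: 80
"""
ISAKMP_B = ISAKMP_A.replace("2.2.2.2", "1.1.1.1").replace("initiator", "responder")
IPSEC_B = """interface: outside
    Crypto map tag: mymap, seq num: 10, local addr: 2.2.2.2
      local ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
      current_peer: 1.1.1.1
      #pkts encaps: 362, #pkts encrypt: 362, #pkts digest: 362
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #send errors: 0, #recv errors: 0
"""


def _grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_isakmp_sa(text):
    """Peer, role and state of the (first) IKEv1 SA in `show crypto isakmp sa`."""
    return {"peer": _grab(r"IKE Peer:\s*(\S+)", text),
            "role": _grab(r"Role\s*:\s*(\S+)", text),
            "state": _grab(r"State\s*:\s*(\S+)", text)}


def parse_ipsec_sa(text):
    """Selectors and packet counters of one crypto-map entry in `show crypto ipsec sa`."""
    def count(label):
        m = re.search(r"#" + label + r": (\d+)", text)
        return int(m.group(1)) if m else 0
    return {
        "peer": _grab(r"current_peer:\s*(\S+)", text),
        "local": _grab(r"local ident \(addr/mask/prot/port\): \(([^/]+)/", text),
        "remote": _grab(r"remote ident \(addr/mask/prot/port\): \(([^/]+)/", text),
        "encaps": count("pkts encaps"), "decaps": count("pkts decaps"),
        "decrypt": count("pkts decrypt"), "verify": count("pkts verify"),
        "send_errors": count("send errors"), "recv_errors": count("recv errors"),
    }


def tunnel_health(isakmp_text, ipsec_text, expect_local, expect_remote):
    """Findings for one peer; [] means up, carrying traffic both ways, no errors."""
    ike, sa = parse_isakmp_sa(isakmp_text), parse_ipsec_sa(ipsec_text)
    findings = []
    if ike["state"] != "MM_ACTIVE":
        findings.append(f"IKE SA with {ike['peer']} is {ike['state']}, not MM_ACTIVE")
    if ike["peer"] != sa["peer"]:
        findings.append(f"IKE peer {ike['peer']} differs from IPsec peer {sa['peer']}")
    if (sa["local"], sa["remote"]) != (expect_local, expect_remote):
        findings.append(f"proxy identities {sa['local']}->{sa['remote']} do not match the crypto ACL")
    if sa["encaps"] == 0 or sa["decaps"] == 0:
        findings.append("traffic is flowing in one direction only; check the peer's ACL and routing")
    if sa["decaps"] != sa["decrypt"]:
        findings.append(f"{sa['decaps'] - sa['decrypt']} decapsulated packets were not decrypted")
    if sa["recv_errors"] or sa["send_errors"]:
        findings.append(f"send errors: {sa['send_errors']}, recv errors: {sa['recv_errors']}")
    return findings


def peers_mirror(ipsec_a_text, ipsec_b_text):
    """True when each side's local identity is the other side's remote identity."""
    a, b = parse_ipsec_sa(ipsec_a_text), parse_ipsec_sa(ipsec_b_text)
    return a["local"] == b["remote"] and a["remote"] == b["local"]


if __name__ == "__main__":
    for name, ike, sa, loc, rem in (("Site A", ISAKMP_A, IPSEC_A, "11.11.11.11", "33.33.33.33"),
                                    ("Site B", ISAKMP_B, IPSEC_B, "33.33.33.33", "11.11.11.11")):
        print(name, tunnel_health(ike, sa, loc, rem) or "OK")
    print("identities mirrored:", peers_mirror(IPSEC_A, IPSEC_B))
```

On the page's output this reports Site B as OK and raises two findings for Site A (80 decapsulated-but-not-decrypted packets and recv errors: 80), while the mirror check passes. Feeding it an ISAKMP state such as MM_WAIT_MSG2 instead of MM_ACTIVE is the typical symptom of a pre-shared key or policy mismatch and is reported as the first finding.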
