IPSec S2S VPN Firewall

Configuration on OLD ASA:

Step 1: Configure Mirrored ACL/Crypto ACL for Interesting Traffic

  • (config)# access-list <acl_name> extended permit ip host <source address> host <destination address>

Step 2: Configure ISAKMP Policy

  • (config)# crypto isakmp policy <priority>
  • (config-policy)# encryption <encryption>
  • (config-policy)# hash <hash>
  • (config-policy)# group <number>
  • (config-policy)# authentication <authentication>
  • (config-policy)# lifetime <time> [Default: 86400]

Step 3: Define Tunnel Group [DIFFERENT FROM ROUTER]

  • (config)# tunnel-group <destination ip address> type ipsec-l2l
  • (config)# tunnel-group <destination ip address> ipsec-attributes
    // This command is available only after the previous command.
    // If the authentication mechanism is pre-shared key, use this 1 line:
  • (config-tunnel-ipsec)# pre-shared-key <key>
    // If the authentication mechanism is RSA-Sig, use these 2 lines:
  • (config-tunnel-ipsec)# peer-id-validate nocheck
  • (config-tunnel-ipsec)# trust-point <trust-point name>

Step 4: Configure Transform Set

  • (config)# crypto ipsec transform-set <transform-set_name> <encapsulation-encryption> <encapsulation-hash>

Step 5: Configure Crypto Map [DIFFERENT FROM ROUTER]

  • (config)# crypto map <cmap_name> <#> set peer <peer_address>
  • (config)# crypto map <cmap_name> <#> set transform-set <transform-set_name>
  • (config)# crypto map <cmap_name> <#> match address <acl_name>
    // If the authentication mechanism is RSA-Sig, ADD the following:
  • (config)# crypto map <cmap_name> <#> set trustpoint <trust-point name>

Step 6: Apply Crypto Map to an Interface

  • (config)# crypto map <name> interface <nameif>

Step 7: Enable ISAKMP on the interface [EXTRA Command]

  • (config)# crypto isakmp enable <nameif>

Configuration on new ASA: [5 Changes]

Replace the keyword ‘isakmp’ with ‘ikev1’

In Step 2

  • (config)# crypto ikev1 policy <priority>

In Step 7

  • (config)# crypto ikev1 enable <nameif>

Add the keyword ‘ikev1’ as follows:

In Step 3

  • (config-tunnel-ipsec)# ikev1 pre-shared-key <key>

In Step 4

  • (config)# crypto ipsec ikev1 transform-set <transform-set_name> <encapsulation-encryption> <encapsulation-hash>

In Step 5

  • (config)# crypto map <cmap_name> <#> set ikev1 transform-set <transform-set_name>
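
The five keyword changes above, applied mechanically to a saved old-ASA configuration: an added Python example, not part of this article or of Cisco's tooling, with a constructed sample config (the peer addresses and key are placeholders). It assumes the full ASA crypto map form `crypto map <cmap_name> <#> set transform-set`, and it rewrites `pre-shared-key` only inside a `tunnel-group ... ipsec-attributes` block so that other blocks are left untouched.

```python
import re

# Steps 2 and 7: rename 'isakmp' to 'ikev1'; steps 4 and 5:
# insert 'ikev1' in front of 'transform-set'.
RULES = [
    (re.compile(r"^(\s*crypto )isakmp( policy\b)"), r"\1ikev1\2"),
    (re.compile(r"^(\s*crypto )isakmp( enable\b)"), r"\1ikev1\2"),
    (re.compile(r"^(\s*crypto ipsec )transform-set\b"), r"\1ikev1 transform-set"),
    (re.compile(r"^(\s*crypto map \S+ \d+ set )transform-set\b"), r"\1ikev1 transform-set"),
]

def migrate_to_ikev1(config: str) -> str:
    """Apply the five ikev1 keyword changes to an old-ASA config.
    Step 3 (pre-shared-key) is rewritten only inside a tunnel-group
    ipsec-attributes block; already-migrated lines are left alone."""
    out = []
    in_ipsec_attrs = False
    for line in config.splitlines():
        stripped = line.strip()
        if re.fullmatch(r"tunnel-group \S+ ipsec-attributes", stripped):
            in_ipsec_attrs = True
        elif stripped and not line[0].isspace():
            in_ipsec_attrs = False  # any other top-level command ends the block
        if in_ipsec_attrs and stripped.startswith("pre-shared-key "):
            indent = line[: len(line) - len(line.lstrip())]
            line = f"{indent}ikev1 {stripped}"
        for pattern, repl in RULES:
            line = pattern.sub(repl, line)
        out.append(line)
    return "\n".join(out)

# Constructed old-syntax sample; addresses and key are placeholders.
OLD_ASA_SAMPLE = """\
access-list VPN_ACL extended permit ip host 10.1.1.10 host 10.2.2.10
crypto isakmp policy 10
 authentication pre-share
tunnel-group 2.2.2.1 type ipsec-l2l
tunnel-group 2.2.2.1 ipsec-attributes
 pre-shared-key PLACEHOLDER_KEY
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map CMAP 10 set peer 2.2.2.1
crypto map CMAP 10 set transform-set TS
crypto map CMAP 10 match address VPN_ACL
crypto map CMAP interface OUTSIDE
crypto isakmp enable OUTSIDE
"""

if __name__ == "__main__":
    print(migrate_to_ikev1(OLD_ASA_SAMPLE))
```

Running the conversion a second time on its own output changes nothing, so it is safe to re-run on a partially migrated config.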

Without NAT: Communicates over UDP 500 (Phase 1) and ESP (Phase 2)

Commands at ASA:

  1. UDP is stateful-inspected, so no inbound UDP ACL entry is needed when the traffic is initiated from inside; ESP must still be permitted:
    • (config)# access-list OUT_IN extended permit esp any any
    • (config)# access-group OUT_IN in interface OUTSIDE
  2. If the traffic is initiated from the outside, add this 1 command:
    • (config)# access-list OUT_IN extended permit udp host 2.2.2.1 host 1.1.1.1 eq 500

With NAT: Open an ACL on the ASA for UDP 500 (Phase 1) and UDP 4500 (Phase 2)

Commands at ASA:

  1. UDP is stateful-inspected, so no ACL entry is needed when the traffic is initiated from inside
  2. If the traffic is initiated from the outside, create these 2 ACL entries:
    • (config)# access-list OUT_IN extended permit udp host 2.2.2.1 host 1.1.1.1 eq 500
    • (config)# access-list OUT_IN extended permit udp host 2.2.2.1 host 1.1.1.1 eq 4500
    • (config)# access-group OUT_IN in interface OUTSIDE