Implement IPSec virtual private networks on Cisco's ASA firewall

Article outline:

  • 1. Network environment requirements
  • 2. Pre-configuration
  • 3. Configuring the virtual private network
  • 4. Summary

Preface:

An earlier post, IPSec virtual private network on Cisco routers, covered the case where the company gateway is a Cisco router. What if the gateway is a Cisco ASA firewall instead? This post walks through that configuration.

The background concepts were introduced at the start of that linked post. A VPN on a firewall and on a router works on the same principles, so I will not repeat them here and go straight to the configuration.

The network environment is as follows:

[Figure: network topology for the head office and two branches]

1. Network environment requirements

1. An IPSec virtual private network must be established between the head office ASA and the ASA at each branch, so that one network segment at head office can exchange traffic with one segment at each branch (usually only a specific department needs to exchange data).
2. A virtual private network is also needed between the two branches so they can reach each other (alternatively, branch-to-branch traffic can be hairpinned through the outside interface E0/1 of the head office gateway ASA; choose according to actual needs).
3. The VPNs between head office and branches must not affect Internet access for internal hosts (Internet access is provided by PAT; once the configuration is complete, verify it by Telnetting to the Internet router R2).
4. Internal routers stand in for PCs in the test. The Internet router R2 has only its interface IP addresses configured and no route entries.

2. Pre-configuration

(If you are configuring this directly in a production environment where interface IPs, routes, etc. are already in place, you can skip the pre-configuration.)

1. I use the GNS3 simulator and built the topology myself. One firewall is used, and its interface type needs to be changed as shown below (GNS3 does not ship with a firewall image by default; you must load your own. If you need help, message me privately):

[Figure: GNS3 ASA interface settings]

2. Configure the IP addresses and route entries yourself, for example:

'Router interface IP and route configuration (every router except R2 needs a default route, which acts as its gateway):'
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#in f0/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.1.254
'ASA firewall interface IP and route configuration:'
ciscoasa> en
Password:      #no password by default, just press Enter
ciscoasa# conf t
ciscoasa(config)# in e0/0
ciscoasa(config-if)# nameif inside     #the zone (nameif) must be defined before the IP address
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip add 192.168.1.254 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config)# in e0/1
ciscoasa(config-if)# nameif outside     #the name must be exactly "outside", since the crypto commands below refer to it
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# ip add 201.0.0.1 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# route outside 0 0 201.0.0.2     #default route, next hop is the Internet router R2

3. Configuring the virtual private network

Once the interfaces, IP addresses and routes are configured, configure the virtual private network as follows.

1. VPN between head office and branch 1:

(1) Head office ASA-1 is configured as follows:

ASA-1(config)# crypto isakmp enable outside    #enable ISAKMP/IKE on the outside interface
#'The following configures the ISAKMP policy (the management connection, i.e. IKE phase 1)'
ASA-1(config)# crypto isakmp policy 1   #policy sequence number "1"; lower numbers are tried first (higher priority)
ASA-1(config-isakmp-policy)# authentication pre-share  #device authentication with a pre-shared key
ASA-1(config-isakmp-policy)# encryption aes   #encryption algorithm
ASA-1(config-isakmp-policy)# hash md5    #hash algorithm used for IKE integrity (weak; prefer sha where the platform allows)
ASA-1(config-isakmp-policy)# group 2   #Diffie-Hellman group 2 (1024-bit; weak by today's standards)
ASA-1(config-isakmp-policy)# lifetime 10000   #optional, management-connection lifetime; default 86400 s (24 hours)
ASA-1(config-isakmp-policy)# crypto isakmp key 2019.com address 202.0.0.1        #pre-shared key for the peer 202.0.0.1 (use a long random key in production)
ASA-1(config)# access-list lan1_lan2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0    #define the traffic protected by the VPN
ASA-1(config)# crypto ipsec transform-set test-set esp-aes esp-md5-hmac #data connection (IPsec SA) parameters; "test-set" is a user-chosen name
ASA-1(config)# crypto map test-map 1 match address lan1_lan2   #ACL to match
ASA-1(config)# crypto map test-map 1 set peer 202.0.0.1    #VPN peer address
ASA-1(config)# crypto map test-map 1 set transform-set test-set    #associate the transform set just created with this data connection
ASA-1(config)# crypto map test-map interface outside   #apply the crypto map to the outside interface

(2) Branch 1 ASA-2 is configured as follows:

ASA-2(config)# crypto isakmp enable outside
ASA-2(config)# crypto isakmp policy 1
ASA-2(config-isakmp-policy)# authentication pre-share
ASA-2(config-isakmp-policy)# encryption aes
ASA-2(config-isakmp-policy)# hash md5
ASA-2(config-isakmp-policy)# group 2
ASA-2(config-isakmp-policy)# lifetime 10000
ASA-2(config-isakmp-policy)# crypto isakmp key 2019.com address 201.0.0.1
ASA-2(config)# access-list lan2_lan1 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA-2(config)# crypto ipsec transform-set test-set esp-aes esp-md5-hmac
ASA-2(config)# crypto map test-map 1 match address lan2_lan1
ASA-2(config)# crypto map test-map 1 set peer 201.0.0.1
ASA-2(config)# crypto map test-map 1 set transform-set test-set
ASA-2(config)# crypto map test-map interface outside

At this point the VPN between head office and branch 1 is complete; test it by pinging from R3 to R1. The tunnel takes a moment to negotiate, so with correct routing and interface IPs the first two or three pings may fail before replies arrive. If it still fails after five or so pings, something is misconfigured: check the configuration with show run, and confirm the phase 1 and phase 2 SAs with show crypto isakmp sa and show crypto ipsec sa. Two things to keep in mind: the policy above uses MD5 and DH group 2, which are fine for a lab but should be replaced by SHA and a 2048-bit or stronger group in production; and if the ASA also does PAT for Internet access (requirement 3), the VPN-protected traffic must be exempted from translation, otherwise its source address is rewritten before the crypto ACL is evaluated and the tunnel never matches.
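The configuration in this post is written in pre-8.3/8.4 ASA syntax (crypto isakmp policy, crypto isakmp key, transform sets) and leaves the PAT exemption for later. As an added example, not part of the original post, here is the head-office side of the same head office to branch 1 tunnel written for ASA 8.4 and later: IKEv2 with AES-256, SHA-256 and DH group 14 in place of aes/md5/group 2, the pre-shared key moved to a tunnel-group, the PAT rule for Internet access, and the identity NAT rule that exempts VPN traffic from it. The object names LAN1/LAN2, the proposal name AES256-SHA256 and the key placeholder REPLACE-WITH-LONG-RANDOM-SECRET are my own assumptions; the addresses and ACL name are the post's.

```cisco
! Head office ASA-1, ASA 8.4+ syntax (added example; object/proposal names and the key are placeholders)

! Interesting traffic: head-office LAN to branch-1 LAN (the post's ACL, with the 8.3+ "extended" keyword)
access-list lan1_lan2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! Network objects for the two LANs
object network LAN1
 subnet 192.168.1.0 255.255.255.0
object network LAN2
 subnet 192.168.2.0 255.255.255.0

! Identity (NAT-exempt) twice-NAT rule: traffic between the two LANs keeps its real addresses.
! Manual NAT rules are evaluated before object NAT, so this takes precedence over the PAT rule below.
nat (inside,outside) source static LAN1 LAN1 destination static LAN2 LAN2 no-proxy-arp route-lookup

! Everything else leaving the inside LAN is PATed to the outside interface address (Internet access)
object network LAN1
 nat (inside,outside) dynamic interface

! IKEv2 phase 1 policy: AES-256, SHA-256 integrity and PRF, DH group 14 (2048-bit)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! IKEv2 phase 2 proposal (replaces "crypto ipsec transform-set test-set esp-aes esp-md5-hmac")
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! The pre-shared key now lives under the tunnel-group for the peer instead of "crypto isakmp key".
! REPLACE-WITH-LONG-RANDOM-SECRET is a placeholder: use a long random value, identical on both peers.
tunnel-group 202.0.0.1 type ipsec-l2l
tunnel-group 202.0.0.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-LONG-RANDOM-SECRET
 ikev2 local-authentication pre-shared-key REPLACE-WITH-LONG-RANDOM-SECRET

! Crypto map entry, same structure as in the post, bound to the IKEv2 proposal
crypto map test-map 1 match address lan1_lan2
crypto map test-map 1 set peer 202.0.0.1
crypto map test-map 1 set ikev2 ipsec-proposal AES256-SHA256
crypto map test-map interface outside
```

Branch ASA-2 is the mirror image: the ACL and the identity NAT rule swap LAN1 and LAN2, and the peer and tunnel-group address become 201.0.0.1. After both sides are in, confirm phase 1 and phase 2 with show crypto ikev2 sa and show crypto ipsec sa, and check that the NAT exemption is hit before the PAT rule with packet-tracer input inside tcp 192.168.1.1 12345 192.168.2.1 80 (the NAT phase should show the identity rule, not the interface PAT). Decrypted VPN traffic bypasses the interface ACLs because sysopt connection permit-vpn is on by default; if you turn it off, the outside ACL must permit the branch subnet explicitly.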

2. VPN between head office and branch 2:

(1) Head office ASA-1 is configured as follows (the ISAKMP policy and transform set already configured for branch 1 are shared by all peers, so for the new peer only the pre-shared key, the ACL and a new crypto map entry need to be added):

ASA-1(config)# crypto isakmp key 2020.com address 203.0.0.1
ASA-1(config)# access-list lan1_lan3 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
ASA-1(config)# crypto map test-map 2 match address lan1_lan3
WARNING: The crypto map entry is incomplete!
ASA-1(config)# crypto map test-map 2 set peer 203.0.0.1
WARNING: The crypto map entry is incomplete!
ASA-1(config)# crypto map test-map 2 set transform-set test-set

(2) Branch 2 ASA-3 is configured as follows:

ASA-3(config)# crypto isakmp enable outside
ASA-3(config)# crypto isakmp policy 1
ASA-3(config-isakmp-policy)# authentication pre-share
ASA-3(config-isakmp-policy)# encryption aes
ASA-3(config-isakmp-policy)# hash md5
ASA-3(config-isakmp-policy)# group 2
ASA-3(config-isakmp-policy)# lifetime 10000
ASA-3(config-isakmp-policy)# crypto isakmp key 2020.com address 201.0.0.1
ASA-3(config)# access-list lan3_lan1 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA-3(config)# crypto ipsec transform-set test-set esp-aes esp-md5-hmac
ASA-3(config)# crypto map test-map 1 match address lan3_lan1
ASA-3(config)# crypto map test-map 1 set peer 201.0.0.1
ASA-3(config)# crypto map test-map 1 set transform-set test-set
ASA-3(config)# crypto map test-map interface outside

Once this is configured, branch 2's router R4 can ping the head office router R1.

3. VPN between branch 1 and branch 2 (this is really just a matter of configuring a few more ACLs):


Source: blog.51cto.com/14154700/2430341