Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

Similar documents
Configuration Summary

Configuring LAN-to-LAN IPsec VPNs

Configuring VPN from Proventia M Series Appliance to Proventia M Series Appliance

Internet. SonicWALL IP Cisco IOS IP IP Network Mask

Configuring VPN from Proventia M Series Appliance to NetScreen Systems

LAN-to-LAN IPsec VPNs

Configuration of an IPSec VPN Server on RV130 and RV130W

Abstract. Avaya Solution & Interoperability Test Lab

Quick Note. Configure an IPSec VPN tunnel between a Digi TransPort LR router and a Digi Connect gateway. Digi Technical Support 20 September 2016

VPN Ports and LAN-to-LAN Tunnels

How to Configure an IPsec VPN to an AWS VPN Gateway with BGP

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

Packet Tracer - Configure and Verify a Site-to-Site IPsec VPN Using CLI

VNS3 IPsec Configuration. VNS3 to Cisco ASA ASDM 5.2

How to Configure a Site-To-Site IPsec VPN to the Amazon AWS VPN Gateway

Google Cloud VPN Interop Guide

VNS3 IPsec Configuration. VNS3 to Cisco ASA ASDM 9.2

Virtual Tunnel Interface

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

Network Security 2. Module 4 Configure Site-to-Site VPN Using Pre-Shared Keys

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

Configuring a Hub & Spoke VPN in AOS

Configuring Remote Access IPSec VPNs

VPN Overview. VPN Types

Configuring VPN from Proventia M Series Appliance to Symantec 5310 Systems

Case 1: VPN direction from Vigor2130 to Vigor2820

VPN Tracker for Mac OS X

DFL-210, DFL-800, DFL-1600 How to setup IPSec VPN connection with DI-80xHV

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Fortinet Firewall. Overview

Configuring a VPN Using Easy VPN and an IPSec Tunnel, page 1

HOW TO CONFIGURE AN IPSEC VPN

Use Shrew Soft VPN Client to Connect with IPSec VPN Server on RV130 and RV130W

Table of Contents 1 IKE 1-1

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

Virtual Private Network. Network User Guide. Issue 05 Date

Site-to-Site VPN with SonicWall Firewalls 6300-CX

Network Security CSN11111

Securizarea Calculatoarelor și a Rețelelor 29. Monitorizarea și depanarea VPN-urilor IPSec Site-to-Site

Virtual Private Networks

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide

VPN Configuration Guide. Cisco ASA 5500 Series

ZyWALL 70. Internet Security Appliance. Quick Start Guide Version 3.62 December 2003

Configuration Guide. How to connect to an IPSec VPN using an iphone in ios. Overview

How to Configure Forcepoint NGFW Route-Based VPN to AWS with BGP TECHNICAL DOCUMENT

co Configuring PIX to Router Dynamic to Static IPSec with

VNS3 to Windows RRAS Instructions. Windows 2012 R2 RRAS Configuration Guide

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

Chapter 8 Lab Configuring a Site-to-Site VPN Using Cisco IOS

How to create the IPSec VPN between 2 x RS-1200?

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the SonicWall Firewall.

Efficient SpeedStream 5861

Service Managed Gateway TM. How to Configure and Debug Generic Routing Encapsulation (GRE)

How to Configure an IKEv1 IPsec Site-to-Site VPN to the Static Microsoft Azure VPN Gateway

Dynamic Multipoint VPN between CradlePoint and Cisco Router Example

Cradlepoint to Palo Alto VPN Example. Summary. Standard IPSec VPN Topology. Global Leader in 4G LTE Network Solutions

How to configure IPSec VPN between a Cradlepoint router and a SRX or J Series Juniper router

Configuring IPsec and ISAKMP

Configuration Example of ASA VPN with Overlapping Scenarios Contents

VPN Between Sonicwall Products and Cisco Security Appliance Configuration Example

IPSec VPN Setup with IKE Preshared Key and Manual Key on WRVS4400N Router

Virtual Private Cloud. User Guide. Issue 03 Date

FAQ about Communication

Cisco Exam Questions & Answers

Securizarea Calculatoarelor și a Rețelelor 28. Implementarea VPN-urilor IPSec Site-to-Site

VPN Configuration Guide. NETGEAR FVS318v3

Virtual Tunnel Interface

Configuring IPSec tunnels on Vocality units

KB How to Configure IPSec Tunneling in Windows 2000

How to configure IPSec VPN between a CradlePoint router and a Fortinet router

Cisco ASA 5500 LAB Guide

How to Configure an IPsec Site-to-Site VPN to a Windows Azure VPN Gateway

VPN Auto Provisioning

How to Configure IPSec Tunneling in Windows 2000

Manual Key Configuration for Two SonicWALLs

Abstract. Avaya Solution & Interoperability Test Lab

BCRAN. Section 9. Cable and DSL Technologies

SonicWALL VPN with Win2K using IKE Prepared by SonicWALL, Inc. 05/01/2001

How to Configure BGP over IKEv2 IPsec Site-to- Site VPN to an Google Cloud VPN Gateway

ASA-to-ASA Dynamic-to-Static IKEv1/IPsec Configuration Example

ASA 8.x/ASDM 6.x: Add New VPN Peer Information in an Existing Site-to-Site VPN using ASDM

Digi Application Guide Configure VPN Tunnel with Certificates on Digi Connect WAN 3G

Table of Contents. Cisco PIX/ASA 7.x Enhanced Spoke to Spoke VPN Configuration Example

Table of Contents. Cisco Enhanced Spoke to Client VPN Configuration Example for PIX Security Appliance Version 7.0

PPTP Server: This guide will show how an IT administrator can configure the VPN-PPTP server settings.

Table of Contents. Cisco IPSec Tunnel through a PIX Firewall (Version 7.0) with NAT Configuration Example

IKE and Load Balancing

LAN to LAN IPsec Tunnel Between a Cisco VPN 3000 Concentrator and Router with AES Configuration Example

Example - Configuring a Site-to-Site IPsec VPN Tunnel

Cisco Asa 8.4 Ipsec Vpn Client Configuration. Example >>>CLICK HERE<<<

S2S VPN with Azure Route Based

The EN-4000 in Virtual Private Networks

Configuring VPNs in the EN-1000

Dynamic Site to Site IKEv2 VPN Tunnel Between Two ASAs Configuration Example

L2TP over IPsec. About L2TP over IPsec/IKEv1 VPN

VPN Tracker for Mac OS X

Configuring IPsec on Cisco Routers Mario Baldi Politecnico di Torino (Technical University of Torino)

CCNA Security PT Practice SBA

Virtual Private Network

Remote Access IPsec VPNs

Transcription:

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels This article provides a reference for deploying a Barracuda Link Balancer under the following conditions: 1. 2. In transparent (firewall-disabled) mode in front of a Cisco ASA firewall that is an endpoint for a site-to-site VPN tunnel. In firewall-enabled mode as a remote VPN endpoint with the Cisco ASA on the other end. Related Article Site-to-Site VPN Overview How to Create a Site-to-Site VPN Tunnel This example combines both scenarios. That is, assume a corporate headquarters with an existing Cisco ASA device and a branch office in Michigan. To improve the network uptime and resilience, the company installs a Barracuda Link Balancer at both sites. At headquarters it is deployed in transparent (firewall-disabled) mode upstream of the Cisco ASA device. In Michigan, it is deployed in firewall-enabled mode. Both the Barracuda and the Cisco devices must have static WAN IP addresses in order to set up a VPN tunnel between them. Barracuda Labs has tested and validated the settings described in this document. All settings and screenshots contained in this document are taken from a Barracuda Link Balancer version 2.4.1, and a Cisco device running Cisco Adaptive Security Appliance Software version 8.2 and Cisco Device Manager version 6.2. Before You Begin Barracuda recommends using release version 2.4.1 or newer on the Barracuda Link Balancer. To update your Barracuda Link Balancer units, you can install the newest firmware from the ADVANCED > Firmware Updates page. For more information, see How to Update the Firmware. Before proceeding, please collect all information in the table below that is valid for your setup. The example values in the table are used in this article. 1 / 8

Corporate Headquarters (uses Cisco ASA) 1 Unused Public IP from ISP* 111.1.1.100/24 2 Local network behind Cisco ASA 192.168.1.0/24 3 Management IP of the Cisco ASA 10.11.23.33 4 Outside interface for VPN endpoint on Cisco ASA 111.1.1.100/24 5 Mgmt IP of Barracuda Link Balancer at Headquarters 10.11.23.157 6 Mgmt IP of Cisco ASA 10.11.23.33 Remote Site Michigan 7 Mgmt IP of Barracuda Link Balancer (Michigan branch) 10.11.23.165 8 Remote network 172.24.0.0/16 9 WAN IP for Barracuda Link Balancer for tunnel endpoint 109.1.1.1/24 * To avoid changing the existing configuration on the Cisco ASA, provision an additional public IP address from your ISP on the WAN port of the Barracuda Link Balancer and retain the WAN IP address on the Cisco ASA. If necessary, contact your ISP in order to obtain a new IP address. The network diagram below shows the headquarters on the left and the Michigan branch office on the right. The headquarters has an existing Cisco ASA firewall which forms an IPsec tunnel with a Barracuda Link Balancer at the branch office. A Barracuda Link Balancer is deployed at the headquarters in front of the Cisco ASA in transparent mode. In this mode, it does not terminate the VPN but just passes the VPN traffic through to the Cisco ASA. 2 / 8

Configuring Cisco ASA To configure an IPsec VPN on the Cisco device requires the following configuration steps: 1. 2. 3. Configure Interfaces and ACL for the Tunnel Configure Phase 1 Configure Phase 2 Step 1. Configure Interfaces and ACL for the Tunnel interface Ethernet0/0 & nbsp; # this will be the tunnel endpoint description WAN Interface nameif Outside security-level 0 ip address 111.1.1.100 255.255.255.0 interface Ethernet0/1 description LAN Interface nameif Inside security-level 0 ip address 192.168.1.254 255.255.255.0 This access list (MI_Tunnel) is used with the crypto map (MI_Map) to determine which traffic needs to be encrypted and sent across the tunnel: access-list MI_Tunnel extended permit ip 192.168.1.0 255.255.255.0 172.24.0.0 255.255.0.0 Step 2. Configure Phase 1 The following configuration commands define the Phase 1 policy parameters to be used. A policy is created with priority=1 used to negotiate the IKE SA. crypto isakmp policy 1 # Priority = 1 authentication preshare # Use pre-shared keys encryption 3des # 3des is more secure for encryption than des hash md5 &nb sp; &nb sp; # use sha-1 for max protection (though less throughput) group 2 &nbsp ; # group 2 provides adequate security; avoid group 1 lifetime 86400 Now, enable ISAKMP on the interface that terminates the VPN tunnel: 3 / 8

crypto isakmp enable outside Step 3. Configure Phase 2 1. Define the transformation set for Phase 2. It will be used in the crypto map entry. crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 2. Define a crypto map and specify which traffic should be sent to the IPsec peer with the access list defined above. crypto map MI_Map 1 match address MI_Tunnel 3. Set the IPsec peer (remote endpoint) to the appropriate WAN port on the Barracuda Link Balancer: crypto map MI_Map 1 set peer 109.1.1.1 4. Configure the IPsec transform set ESP-3DES-MD5 to be used with the crypto map entry: crypto map MI_Map 1 set transform-set ESP-3DES-MD5 5. Specify the interface to be used with the settings defined in this configuration: crypto map MI_Map interface Outside 6. Disable NAT-T and set the Phase 2 lifetime: crypto map MI_Map 1 set nat-t-disable crypto map MI_Map 1 set security-association lifetime seconds 3600 7. Create the tunnel group and assign the preshared key for authentication: tunnel-group 109.1.1.1 type ipsec-l2l tunnel-group 109.1.1.1 ipsec-attributes pre-shared-key my_secret_key # must be identical to the key on the remote peer ICMP must be enabled on the IP address of the Cisco device to allow the Barracuda Link Balancer at headquarters to perform health checks for the remote VPN endpoint. Configuring the Barracuda Link Balancer (at Corporate Headquarters) for VPN Passthrough To configure the Barracuda Link Balancer at headquarters, complete the following major steps: 1. 2. 3. Add Missing Applications Configure the IP / Application Routing Define Actions to be Taken To allow the VPN traffic to pass through, outbound routing rules for the following applications must be configured: ESP IKE NAT-T GRE PPTP AH GRE, PPTP, AH and NAT-T are not really required in this deployment. However, they are mentioned here for completeness, and are useful when you want to allow other tunnels to pass through the Barracuda Link Balancer. Step 1. Add Missing Applications IKE, GRE, and PPTP are included in the Predefined Applications by default. Navigate to POLICY > Applications > Custom Applications and create custom applications for ESP, AH, and NAT-T with the 4 / 8

following settings: Application ESP AH NAT-T Settings Application Name: ESP Protocol Type: ESP Application Name: AH Protocol Type: AH Application Name: NAT-T Protocol Type: UDP Port Number: 4500 Step 2. Create a New IP / Application Routing Rule Navigate to POLICY > Outbound Routing > IP/Application Routing and add a new rule with a unique Rule Name. Configure the following condition fields: Setting Source IP Address Source Netmask Application Destination IP Address Destination Netmask Link Balance Description The IP address (e.g. 111.1.1.100) being NAT d on the Cisco ASA The netmask (e.g. 255.255.255.255 if it is a single host, or, if it is a set of IP addresses, the subnet mask must reflect that accordingly). Create rules here for each protocol. The IP address of the VPN remote gateway (e.g. 114.1.1.21). The netmask (e.g. 255.255.255.255 if it is a single host, or, if it is a set of IP addresses, the subnet mask must reflect that accordingly). Select No and then select a Primary and a Backup link: Primary Link Select Default to direct the outgoing traffic to the WAN link on the same subnet. Alternatively, select a specific link from the list to bind traffic to that link. Backup Link Select None to drop traffic if the primary link is not available. Or, select a specific link from the list to bind traffic to that link. 5 / 8

NAT To maintain the original source IP address if there is no backup link, clear this check box. If there is a backup link, select the NAT check box and add Source Network Translation rules to retain the original source IP address(the NAT'd IP address on the firewall behind the Barracuda Link Balancer) for the five applications. The rules in the IP/Application Routing table are processed from top to bottom, in the order listed in the table. Only the first matching rule is executed. New rules are added to the bottom of the table. To change the order of rules, use the arrows on the right side of the table. Also, if you have a large number of tunnels with varying peer addresses, it might be more convenient to relax the Source and Destination fields and use only the Application field for rules. Configuring the Remote Barracuda Link Balancer (at Michigan) Create a new tunnel at the remote Barracuda Link Balancer (running in firewall-enabled mode) to connect with the Cisco ASA. Make sure that the Security Policies > Phase 1 and Phase 2 settings are identical to the Cisco settings. The following table provides the reference settings for adding the new VPN tunnel: Edit VPN Tunnel Security Policies Section IPsec Key Exchange Policy Phase 1 IPsec Key Exchange Policy Phase 2 Settings Enable NAT-Traversal: No Remote NAT-T IP: No IPsec Keying Mode: Shared Secret Shared Secret: my_secret_key Encryption: 3DES Authentication: MD5 DH Group: Group 2 Lifetime: 86400 Encryption: 3DES Authentication: MD5 Enable Perfect Forward Secrecy: No DH Group: Group 2 Lifetime: 3600 6 / 8

Verify Whether the Tunnel Works After the tunnel has been established successfully, a green check mark displays next to it on the VPN page on the Barracuda Link Balancer at both corporate headquarters and Michigan. Both private IP addresses should now be accessible using the ping command. Troubleshooting A yellow triangle next to the VPN tunnel on the VPN page of the Barracuda Link Balancer indicates that something does not work as intended. To troubleshoot: Check the LOGS > VPN Log page on the Barracuda Link Balancer. You can also refer to the logs generated by the Cisco ASDM web interface. Make sure that routing is correctly configured on the client networks and on the Cisco device. Cisco ASDM provides network logs. You may also use the TCP Dump command on the ADVANCED > Troubleshooting page on the Barracuda Link Balancer. 7 / 8

Figures 8 / 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback