PIX/ASA 7.x and Later : Easy VPN with Split Tunneling ASA 5500 as the Server and Cisco 871 as the Easy VPN Remote Configuration Example

Similar documents
Router Allows VPN Clients to Connect IPsec and Internet Using Split Tunneling Configuration Example

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

LAN to LAN IPsec Tunnel Between a Cisco VPN 3000 Concentrator and Router with AES Configuration Example

Configuring IOS to IOS IPSec Using AES Encryption

Table of Contents. Cisco PIX/ASA 7.x Enhanced Spoke to Spoke VPN Configuration Example

Table of Contents. Cisco Enhanced Spoke to Client VPN Configuration Example for PIX Security Appliance Version 7.0

VPN Between Sonicwall Products and Cisco Security Appliance Configuration Example

Configuration Example of ASA VPN with Overlapping Scenarios Contents

ASA/PIX: Remote VPN Server with Inbound NAT for VPN Client Traffic with CLI and ASDM Configuration Example

Configuring Layer 2 Tunneling Protocol (L2TP) over IPSec

How to Configure the Cisco VPN Client to PIX with AES

Chapter 8 Lab Configuring a Site-to-Site VPN Using Cisco IOS

HOME-SYD-RTR02 GETVPN Configuration

IOS Router : Easy VPN (EzVPN) in Network Extension Mode (NEM) with Split tunnelling Configuration Example

Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

RFC 430x IPsec Support

Network Security 2. Module 4 Configure Site-to-Site VPN Using Pre-Shared Keys

ASA/PIX 8.x: Radius Authorization (ACS 4.x) for VPN Access using Downloadable ACL with CLI and ASDM Configuration Example

Dynamic Site to Site IKEv2 VPN Tunnel Between Two ASAs Configuration Example

Abstract. Avaya Solution & Interoperability Test Lab

VPN Connection through Zone based Firewall Router Configuration Example

Lab 4.5.5a Configure a PIX Security Appliance Site-to-Site IPSec VPN Tunnel Using CLI

Configure IKEv1 IPsec Site-to-Site Tunnels with the ASDM or CLI on the ASA

Configuring the PIX Firewall and VPN Clients Using PPTP, MPPE and IPSec

Cisco - VPN Load Balancing on the CSM in Dispatched Mode Configuration Example

Network Security CSN11111

LAN to LAN IPsec Tunnel Between Two Routers Configuration Example

Table of Contents. Cisco IPSec Tunnel through a PIX Firewall (Version 7.0) with NAT Configuration Example

Configuring Router to Router IPsec (Pre shared Keys) on GRE Tunnel with IOS Firewall and NAT

Sharing IPsec with Tunnel Protection

Invalid Security Parameter Index Recovery

co Configuring PIX to Router Dynamic to Static IPSec with

ASA-to-ASA Dynamic-to-Static IKEv1/IPsec Configuration Example

Quick Note 060. Configure a TransPort router as an EZVPN Client (XAUTH and MODECFG) to a Cisco Router running IOS 15.x

Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall

Chapter 8: Lab A: Configuring a Site-to-Site VPN Using Cisco IOS

Invalid Security Parameter Index Recovery

ASA Version 7.2(4)30! hostname vpn domain-name hollywood.com enable password BO5OGdtIUElAVJc7 encrypted passwd BO5OGdtIUElAVJc7 encrypted names name

IPsec Anti-Replay Window Expanding and Disabling

IKEv2 with Windows 7 IKEv2 Agile VPN Client and Certificate Authentication on FlexVPN

Securizarea Calculatoarelor și a Rețelelor 28. Implementarea VPN-urilor IPSec Site-to-Site

IPSec tunnel for ER75i routers application guide

IPsec Data Plane Configuration Guide

The information presented in this document was created from devices in a specific lab environment. All of the devices started with a cleared (default)

Securizarea Calculatoarelor și a Rețelelor 29. Monitorizarea și depanarea VPN-urilor IPSec Site-to-Site

FlexVPN Between a Router and an ASA with Next Generation Encryption Configuration Example

L2TP IPsec Support for NAT and PAT Windows Clients

Applying the Tunnel Template on the Home Agent

Configuring Easy VPN Services on the ASA 5505

Cisco Virtual Office: Easy VPN Deployment Guide

Swift Migration of IKEv1 to IKEv2 L2L Tunnel Configuration on ASA 8.4 Code

AnyConnect to IOS Headend Over IPsec with IKEv2 and Certificates Configuration Example

This document is intended to give guidance on how to read log entries from a Cisco PIX / ASA. The specific model in this case was a PIX 501.

Configure the ASA for Dual Internal Networks

Lab 9: VPNs IPSec Remote Access VPN

Configuring a VPN Using Easy VPN and an IPSec Tunnel, page 1

IPsec Management Configuration Guide Cisco IOS Release 12.4T

Internet. SonicWALL IP Cisco IOS IP IP Network Mask

Loading Internet Protocol Security (IPSec) (CDR-882/780/790/990 Cellular Router)

Secure ACS Database Replication Configuration Example

IPsec Dead Peer Detection Periodic Message Option

Downloaded from: justpaste.it/i2os

CONFIGURATION DU SWITCH

Site-to-Site VPN. VPN Basics

IPsec Dead Peer Detection PeriodicMessage Option

SYSLOG Enhancements for Cisco IOS EasyVPN Server

Syslog "%CRYPTO 4 RECVD_PKT_MAC_ERR:" Error Message with Ping Loss Over IPsec Tunnel Troubleshooting

Implementing Traffic Filters and Firewalls for IPv6 Security

PIX/ASA as a DHCP Server and Client Configuration Example

NAC Appliance (Cisco Clean Access) In Band Virtual Gateway for Remote Access VPN Configuration Example

PIX/ASA 7.x ASDM: Restrict the Network Access of Remote Access VPN Users

IOS/CCP: Dynamic Multipoint VPN using Cisco Configuration Professional Configuration Example

PIX/ASA: PPPoE Client Configuration Example

Cisco PIX. Interoperability Guide

IPsec Dead Peer Detection Periodic Message Option

Permitting PPTP Connections Through the PIX/ASA

Configuring IPsec and ISAKMP

Configuring Remote Access IPSec VPNs

Configuring an IPSec Tunnel Between a Cisco VPN 3000 Concentrator and a Checkpoint NG Firewall

Quick Note. Configure an IPSec VPN tunnel in Aggressive mode between a TransPort LR router and a Cisco router. Digi Technical Support 7 October 2016

Configuring LAN-to-LAN IPsec VPNs

LAN-to-LAN IPsec VPNs

Configuring Security for VPNs with IPsec

IPsec Anti-Replay Window: Expanding and Disabling

Sample Business Ready Branch Configuration Listings

Three interface Router without NAT Cisco IOS Firewall Configuration

SSL VPN Configuration of a Cisco ASA 8.0

Easy VPN Configuration Guide, Cisco IOS Release 15S

EIGRP on SVTI, DVTI, and IKEv2 FlexVPN with the "IP[v6] Unnumbered" Command Configuration Example

SSG Configuration Example

Fundamentals of Network Security v1.1 Scope and Sequence

Deploying VPN IPSec Tunnels with Cisco ASA/ASAv VTI on Oracle Cloud Infrastructure

Monitoring Remote Access VPN Services

Configuring Internet Key Exchange (IKE) Features Using the IPSec VPN SPA

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL II. VERSION 2.0

Configuring the VSA. Overview. Configuration Tasks CHAPTER

IPsec Anti-Replay Window Expanding and Disabling

Lab Configure a Router with the IOS Intrusion Prevention System

SEC _05_2001_c , Cisco Systems, Inc. All rights reserved.

Configuring a Cisco 827 Router to Support PPPoE Clients, Terminating on a Cisco 6400 UAC

Transcription:

PIX/ASA 7.x and Later : Easy VPN with Split Tunneling ASA 5500 as the Server and Cisco 871 as the Easy VPN Remote Configuration Example Document ID: 68815 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Network Diagram Configurations Verify Troubleshoot Troubleshoot the Router Troubleshoot the ASA Related Information Introduction This document provides a sample configuration for IPsec between a Cisco Adaptive Security Appliance (ASA) 5520 and a Cisco 871 router using Easy VPN. The ASA 5520 acts as the Easy VPN Server and the Cisco 871 router acts as the Easy VPN Remote Client. While this configuration uses an ASA 5520 device that runs ASA software version 7.1(1), you can also use this configuration for PIX Firewall devices that run PIX operating system version 7.1 and later. In order to configure a Cisco IOS router as an EzVPN in Network Extension Mode (NEM) that connects to a Cisco VPN 3000 Concentrator, refer to Configuring the Cisco EzVPN Client on Cisco IOS with the VPN 3000 Concentrator. In order to configure IPsec between the Cisco IOS Easy VPN Remote Hardware Client and the PIX Easy VPN Server, refer to IOS Easy VPN Remote Hardware Client to a PIX Easy VPN Server Configuration Example. In order to configure a Cisco 7200 Router as an EzVPN and the Cisco 871 Router as the Easy VPN Remote, refer to 7200 Easy VPN Server to 871 Easy VPN Remote Configuration Example. Prerequisites Requirements Ensure that you have a basic understanding of IPsec and the ASA 7.x operating systems.

Components Used The information in this document is based on these software and hardware versions: The Easy VPN Server is an ASA 5520 that runs version 7.1(1). The Easy VPN Remote Hardware Client is a Cisco 871 router that runs Cisco IOS Software Release 12.4(4)T1. Note: Cisco ASA 5500 series version 7.x runs a similar software version seen in PIX version 7.x. The configurations in this document are applicable to both product lines. The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command. Conventions Refer to Cisco Technical Tips Conventions for more information on document conventions. Configure In this section, you are presented with the information to configure the features described in this document. Note: Use the Command Lookup Tool (registered customers only) to find more information on the commands used in this document. Network Diagram This document uses this network setup:

Configurations This document uses these configurations: Cisco ASA 5520 Cisco 871 Router Cisco ASA 5520 ciscoasa#show run : Saved : ASA Version 7.1(1) hostname ciscoasa interface GigabitEthernet0/0 nameif outside security level 0 ip address 172.25.171.1 255.255.0.0 interface GigabitEthernet0/1 nameif inside security level 100 ip address 10.10.10.1 255.255.255.0 interface Management0/0 shutdown no nameif no security level no ip address Output is suppressed. access list no nat extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0 access list ezvpn extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0 access list Split_Tunnel_List remark The corporate network behind the ASA access list Split_Tunnel_List standard permit 10.10.10.0 255.255.255.0 nat (inside) 0 access list no nat access group OUT in interface outside route outside 0.0.0.0 0.0.0.0 172.25.171.2 1 Use the group policy attributes command in global configuration mode to enter the group policy attributes mode. group policy DfltGrpPolicy attributes banner none wins server none dns server none dhcp network scope none vpn access hours none vpn simultaneous logins 3 vpn idle timeout 30 vpn session timeout none vpn filter none vpn tunnel protocol IPSec password storage enable ip comp disable re xauth disable group lock none pfs disable ipsec udp enable ipsec udp port 10000

split tunnel policy tunnelspecified split tunnel network list value Split_Tunnel_List default domain none split dns none secure unit authentication disable user authentication disable user authentication idle timeout 30 ip phone bypass disable leap bypass disable Network Extension mode allows hardware clients to present a single, routable network to the remote private network over the VPN tunnel. nem enable backup servers keep client config client firewall none client access rule none username cisco password 3USUcOPFUiMCO4Jk encrypted http server enable no snmp server location no snmp server contact snmp server enable traps snmp authentication linkup linkdown coldstart These are IPsec Phase I and Phase II parameters. The parameters have to match in order for the IPsec tunnel to come up. crypto ipsec transform set myset esp des esp md5 hmac crypto dynamic map mydyn MAP 5 set transform set myset crypto map mymap 60 ipsec isakmp dynamic mydyn MAP crypto map mymap interface outside isakmp identity address isakmp enable outside isakmp policy 1 authentication pre share isakmp policy 1 encryption 3des isakmp policy 1 hash md5 isakmp policy 1 group 2 isakmp policy 1 lifetime 86400 tunnel group DefaultRAGroup general attributes default group policy DfltGrpPolicy tunnel group DefaultRAGroup ipsec attributes pre shared key * telnet timeout 5 ssh timeout 5 console timeout 0 : end ciscoasa# C871#show running config Current configuration : 1639 bytes version 12.4 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password encryption Cisco 871 Router

hostname C871 boot start marker boot end marker ip cef Creates a Cisco Easy VPN Remote configuration and enters the Cisco Easy VPN Remote configuration mode. crypto ipsec client ezvpn ASA The IPsec VPN tunnel is automatically connected when the Cisco Easy VPN Remote feature is configured on an interface. connect auto The group name should match the remote group name. group DefaultRAGroup key cisco Specifies that the router should become a remote extension of the enterprise network at the other end of the VPN connection. mode network extension Sets the peer IP address or hostname for the VPN connection. peer 172.25.171.1 Specifies how the Easy VPN Client handles extended authentication (Xauth) requests. xauth userid mode interactive Output is suppressed. interface FastEthernet0 interface FastEthernet1 interface FastEthernet2 interface FastEthernet3 Assigns a Cisco Easy VPN Remote configuration to an outside interface. interface FastEthernet4 ip address 172.30.171.1 255.255.0.0 ip access group 101 in no ip redirects no ip unreachables no ip proxy arp ip nat outside ip virtual reassembly ip route cache flow duplex auto speed auto crypto ipsec client ezvpn ASA Assigns a Cisco Easy VPN Rremote configuration to an outside interface.

interface Vlan1 ip address 192.168.10.1 255.255.255.0 ip access group 100 out no ip redirects no ip unreachables no ip proxy arp ip nat inside ip virtual reassembly ip route cache flow ip tcp adjust mss 1452 crypto ipsec client ezvpn ASA inside ip classless ip route 0.0.0.0 0.0.0.0 172.30.171.2 Enables NAT on the inside source address. ip nat inside source route map EzVPN1 interface FastEthernet4 overload access list 100 permit ip any any access list 101 permit ip any any access list 103 permit ip 192.168.10.0 0.0.0.255 any route map EzVPN1 permit 1 match ip address 103 end C871# Verify Use this section to confirm that your configuration works properly. The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output. Once you configure both devices, the Cisco 871 router attempts to setup the VPN tunnel by contacting ASA 5520 automatically using the peer IP address. After the initial ISAKMP parameters are exchanged, the router displays this message: Pending XAuth Request, Please enter the following command: crypto ipsec client ezvpn xauth You have to enter the crypto ipsec client ezvpn xauth command which prompts you for a username and password. This should match the username and password configured on the ASA 5520. Once the username and password is agreed by both peers, the rest of the parameters are agreed and the IPsec VPN tunnel comes up. EZVPN(ASA): Pending XAuth Request, Please enter the following command: EZVPN: crypto ipsec client ezvpn xauth Enter the crypto ipsec client ezvpn xauth command. crypto ipsec client ezvpn xauth Enter Username and Password.: cisco

Password: : test Use these commands to verify if the tunnel works properly on both the ASA 5520 and the Cisco 871 router: show crypto isakmp sa Displays all current IKE security associations (SAs) at a peer. The QM_IDLE state denotes that the SA remains authenticated with its peer and can be used for subsequent quick mode exchanges. show crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state conn id slot status 172.25.171.1 172.30.171.1 QM_IDLE 1011 0 ACTIVE IPv6 Crypto ISAKMP SA show crypto ipsec sa Displays the settings used by current SAs. Check for the peer IP addresses, the networks accessible at both the local and remote ends, and the transform set that is used. There are two Encapsulating Security Protocol (ESP) SAs, one in each direction. Since Authentication Header (AH) transform sets are not used, it is empty. show crypto ipsec sa interface: FastEthernet4 Crypto map tag: FastEthernet4 head 0, local addr 172.30.171.1 protected vrf: (none) local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) current_peer 172.25.171.1 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 172.30.171.1, remote crypto endpt.: 172.25.171.1 path mtu 1500, ip mtu 1500 current outbound spi: 0x2A9F7252(715092562) inbound esp sas: spi: 0x42A887CB(1118341067) transform: esp des esp md5 hmac, in use settings ={Tunnel, } conn id: 39, flow_id: C87X_MBRD:39, crypto map: FastEthernet4 head 0 sa timing: remaining key lifetime (k/sec): (4389903/28511) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x2A9F7252(715092562) transform: esp des esp md5 hmac, in use settings ={Tunnel, } conn id: 40, flow_id: C87X_MBRD:40, crypto map: FastEthernet4 head 0 sa timing: remaining key lifetime (k/sec): (4389903/28503) IV size: 8 bytes replay detection support: Y Status: ACTIVE

outbound ah sas: outbound pcp sas: show ipsec sa Displays the settings used by current SAs. Check for the peer IP addresses, the networks accessible at both the local and remote ends, and the transform sets that are used. There are two ESP SAs, one in each direction. ciscoasa#show ipsec sa interface: outside Crypto map tag: mydyn MAP, seq num: 5, local addr: 172.25.171.1 local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0) current_peer: 172.30.171.1, username: cisco dynamic allocated peer ip: 0.0.0.0 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0 #send errors: 0, #recv errors: 0 local crypto endpt.: 172.25.171.1, remote crypto endpt.: 172.30.171.1 path mtu 1500, ipsec overhead 60, media mtu 1500 current outbound spi: 42A887CB inbound esp sas: spi: 0x2A9F7252 (715092562) transform: esp des esp md5 hmac in use settings ={RA, Tunnel, } slot: 0, conn_id: 8, crypto map: mydyn MAP sa timing: remaining key lifetime (sec): 28648 IV size: 8 bytes replay detection support: Y outbound esp sas: spi: 0x42A887CB (1118341067) transform: esp des esp md5 hmac in use settings ={RA, Tunnel, } slot: 0, conn_id: 8, crypto map: mydyn MAP sa timing: remaining key lifetime (sec): 28644 IV size: 8 bytes replay detection support: Y show isakmp sa Displays all current IKE SAs at a peer. The AM_ACTIVE state denotes that Aggressive mode was used for the exchange of parameters. Troubleshoot ciscoasa#show isakmp sa Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1 1 IKE Peer: 172.30.171.1 Type : user Role : responder Rekey : no State : AM_ACTIVE Use this section to troubleshoot your configuration. Troubleshoot the Router Troubleshoot the ASA

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output. Note: Refer to Important Information on Debug Commands before you use debug commands. Troubleshoot the Router debug crypto isakmpdisplays the ISAKMP negotiations of IKE phase 1. debug crypto ipsecdisplays the IPsec negotiations of IKE phase 2. Troubleshoot the ASA debug crypto isakmp 127Displays the ISAKMP negotiations of IKE phase 1. debug crypto ipsec 127Displays the IPsec negotiations of IKE phase 2. Related Information Easy VPN with an ASA 5500 as the Server and PIX 506E as the Client (NEM) Configuration Example Cisco ASA 5500 Series Adaptive Security Appliances Product Support Cisco 800 Series Routers Product Support IPSec Negotiation/IKE Protocols Technical Support & Documentation Cisco Systems Contacts & Feedback Help Site Map 2013 2014 Cisco Systems, Inc. All rights reserved. Terms & Conditions Privacy Statement Cookie Policy Trademarks of Cisco Systems, Inc. Updated: Dec 22, 2008 Document ID: 68815

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback