Occasionally you just need a cheat sheet to configure something up. This is meant to be exactly that, a quick configuration of lan to lan IPSec between an ASA and IOS based router.
Host (for testing)
! /// Host is simply here to emulate a ! /// client on one end of the network ! hostname Host ! interface GigabitEthernet0/1 description to iosv-1 ip address 192.168.1.2 255.255.255.0 ! ip route 0.0.0.0 0.0.0.0 192.168.1.1
iosv-1 (IOS IPSec Endpoint)
! /// iosv-1 is terminating one end of an IPSec Tunnel ! hostname iosv-1 ! ! /// phase 1 policy ! crypto isakmp policy 10 encr aes authentication pre-share group 2 ! ! /// pre shared key ! crypto isakmp key [email protected] address 22.214.171.124 ! crypto ipsec transform-set myset esp-aes esp-sha-hmac mode tunnel ! crypto map mymap 10 ipsec-isakmp set peer 126.96.36.199 set transform-set myset set reverse-route distance 10 match address crypto ! interface GigabitEthernet0/1 description to Internet ip address 188.8.131.52 255.255.255.0 ! ! /// recommend to restrict inbound traffic ip access-group out-in in ! ! /// probably a good idea to disable ip ! /// unreachables on the outside interface no ip unreachables ! ! /// if nat is needed ip nat outside crypto map mymap ! interface GigabitEthernet0/2 description to Host ip address 192.168.1.1 255.255.255.0 ! ! /// if nat is needed ip nat inside ! ! /// if nat is needed ip nat inside source list nat interface GigabitEthernet0/1 overload ip route 0.0.0.0 0.0.0.0 184.108.40.206 ! ! /// crypto acl (which packets to encrypt/expect encrypted) ip access-list extended crypto permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 ! ! /// if nat is needed, crypto traffic will likely need to be excluded (deny) ip access-list extended nat deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 permit ip 192.168.1.0 0.0.0.255 any ! ! /// acl attached to Gig 0/1. In this case we are ! /// only allowing traffic from the other end of the tunnel ip access-list extended out-in permit ip host 220.127.116.11 host 18.104.22.168 deny ip any any !
Internet (sp emulation)
! /// emulating the SP ! hostname Internet ! interface GigabitEthernet0/1 description to iosv-1 ip address 22.214.171.124 255.255.255.0 ! interface GigabitEthernet0/2 description to asav-1 ip address 126.96.36.199 255.255.255.0 !
asav-1 (fw IPSec Termination)
hostname asav-1 ! interface GigabitEthernet0/0 description to Internet nameif outside security-level 0 ip address 188.8.131.52 255.255.255.0 ! interface GigabitEthernet0/1 description to Server nameif inside security-level 0 ip address 192.168.2.1 255.255.255.0 ! ! /// objects to be used with NAT (and optionally crypto acl) object network obj_any subnet 0.0.0.0 0.0.0.0 object network obj-192.168.2.0 subnet 192.168.2.0 255.255.255.0 object network obj-192.168.1.0 subnet 192.168.1.0 255.255.255.0 ! ! /// crypto ACL access-list L2LAccessList extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 ! ! /// nat exemption of encrypted traffic nat (inside,any) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp ! object network obj_any nat (inside,outside) dynamic interface route outside 0.0.0.0 0.0.0.0 184.108.40.206 1 ! ! /// phase 2 transform crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac ! ! /// crypto map attached to outside crypto map mymap 10 match address L2LAccessList crypto map mymap 10 set peer 220.127.116.11 crypto map mymap 10 set ikev1 transform-set myset crypto map mymap 10 set reverse-route crypto map mymap interface outside ! ! /// phase 1 configuration and policy crypto ikev1 enable outside ! crypto ikev1 policy 10 authentication pre-share encryption aes hash sha group 2 lifetime 86400 ! tunnel-group 18.104.22.168 type ipsec-l2l tunnel-group 22.214.171.124 ipsec-attributes ikev1 pre-shared-key [email protected] !
Server (for testing)
! /// Testing Point ! hostname Servers ! ! interface GigabitEthernet0/1 description to asav-1 ip address 192.168.2.2 255.255.255.0 ! ip route 0.0.0.0 0.0.0.0 192.168.2.1
I included the IOS NAT configuration as a starting point for a situation where Internet was required at the remote site. In that case, the inbound acl will cause issues for returning traffic. This is something that is solved with CBAC. In short, this should be used as a template and modified to meet your organizations security and operational requirements.
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This
may or may does not reflect the position of past, present or future employers.