
What is a Firewall, Firewall Types, ASA Firewall, Modes in ASA firewall

What is a Firewall?
A firewall is a system used to prevent unauthorized access to or from a secure network. It can be software, dedicated hardware, or a combination of both. According to its policies it examines all traffic entering and leaving the secure network and blocks every packet that does not comply with the policy.

Software Firewall

It is designed for home and small-office computers that have internet access. It detects suspicious activity coming from outside.

Hardware Firewall

It's a dedicated device; we will discuss it briefly in the following topics.

All Cisco routers and multilayer switches support IOS-based firewall capabilities. Cisco also has fully dedicated security appliances such as:-

 PIX (Private Internet Exchange)
 ASA (Adaptive Security Appliance)

Note:- ASA is the newer replacement for the PIX firewall.

Cisco PIX Firewall


Types of Firewall

1. Packet Filtering Firewall

It works at layers 3 and 4 of the OSI model, i.e. the network and transport layers. It is the first generation of firewall and works by analyzing IP addresses and port numbers.

It has many drawbacks: it is vulnerable to IP spoofing and can't determine whether a packet carries malicious code.

2. Stateful Packet Filtering Firewall

It is the second generation of firewall. It maintains a table of the state of every connection through it, whether TCP or UDP, and accepts or rejects traffic on a connection-by-connection basis. Once a connection is terminated its entry is deleted from the table and data transmission on it is closed.

3. Application Firewall

It is the third generation of firewall. It operates at layers 3, 4, 5, 6 and 7 (network, transport, session, presentation and application) of the OSI model. This type of firewall is more secure but offers the lowest performance.

4. Dynamic Packet Filter Firewall

This is the fourth generation of firewall. It allows security rules to be modified dynamically, and multiple techniques can be used to configure it.

ASA Firewall

The ASA performs different tasks on an arriving packet depending on whether it belongs to a new connection or an existing one.

For a new packet:

1. Perform the access-list check
2. Perform the route lookup
3. Allocate a NAT translation (xlate table)
4. Establish a session in the fast path (maintaining the TCP connection)

For an existing packet:

1. IP checksum verification
2. Session lookup
3. TCP sequence number check
4. NAT translation based on the existing connection (xlate table)
5. Layer 3 (IP address) and layer 4 (port number) header adjustment

There are two basic modes in the ASA firewall:

1. Routed mode
   a) Single mode (supports dynamic routing)
   b) Multiple mode (doesn't support dynamic routing, only static or default routing)
2. Transparent mode

The Cisco ASA is basically a stateful firewall, and the concept of security levels is an integral part of such a firewall. There are basically three zones:-

1. Outside:- the untrusted network. Default security level is 0 (zero).
2. Inside:- the trusted network, i.e. the office LAN. Default security level is 100.
3. DMZ:- neither trusted nor untrusted; it is more secure than outside but less secure than inside. The default is 0, but we can assign any security level between 0 and 100. All publicly accessible servers, such as web and e-mail servers, should be placed in this zone.

Note:- The higher the security level, the more trusted the zone. By default any packet from a lower security level to a higher security level is denied, and packets between interfaces with the same security level are dropped.
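The following model, added here as an illustration and not taken from the original notes, combines the two ideas above: the new-packet / existing-packet paths and the security-level default policy. Interface names, levels and the sample packets are constructed; a real ASA also consults ACLs, which this model leaves out so the default behaviour is visible.

```python
"""
Added example (not from the original notes): a minimal model of how a
stateful firewall with ASA-style security levels decides the fate of a
packet. Interface names, security levels and the sample packets are
constructed for this illustration.
"""
from dataclasses import dataclass

# Interface -> security level, as in the notes: outside 0, DMZ 50, inside 100.
SECURITY_LEVELS = {"outside": 0, "dmz": 50, "inside": 100}


@dataclass(frozen=True)
class Packet:
    in_ifc: str   # interface the packet arrives on
    out_ifc: str  # interface it would leave on (result of the route lookup)
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Connection table keyed by the 5-tuple of the initiating packet."""

    def __init__(self, levels):
        self.levels = levels
        self.conns = set()   # established sessions (the "fast path")

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt):
        """Return 'forward' or 'drop', mirroring the new/existing packet paths."""
        # Existing packet: the session lookup succeeds in either direction.
        if self._key(pkt) in self.conns or self._reverse_key(pkt) in self.conns:
            return "forward"
        # New packet: without an ACL the decision comes from the security levels.
        src_level = self.levels[pkt.in_ifc]
        dst_level = self.levels[pkt.out_ifc]
        if src_level > dst_level:
            # Higher -> lower is permitted by default; record the session so
            # the return traffic (lower -> higher) is matched by the table.
            self.conns.add(self._key(pkt))
            return "forward"
        # Lower -> higher and same-level traffic is denied by default.
        return "drop"

    def close(self, pkt):
        """Connection teardown removes the entry; later packets are re-evaluated."""
        self.conns.discard(self._key(pkt))
        self.conns.discard(self._reverse_key(pkt))


def demo():
    """Walk an inside client through a web request to outside and back."""
    fw = StatefulFirewall(SECURITY_LEVELS)
    # Constructed sample flows.
    outbound = Packet("inside", "outside", "tcp", "10.10.10.50", 40000, "203.0.113.9", 80)
    reply = Packet("outside", "inside", "tcp", "203.0.113.9", 80, "10.10.10.50", 40000)
    unsolicited = Packet("outside", "dmz", "tcp", "198.51.100.7", 5555, "192.10.10.10", 22)
    results = [fw.process(outbound), fw.process(reply), fw.process(unsolicited)]
    fw.close(outbound)
    results.append(fw.process(reply))   # no session any more -> dropped
    return results


if __name__ == "__main__":
    print(demo())   # ['forward', 'forward', 'drop', 'drop']
```

The reply is forwarded only because the outbound packet created a table entry; once the session is closed the same reply is evaluated as a new lower-to-higher packet and dropped.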

Basic ASA Configuration, NAT in ASA Firewall

Basic ASA Configuration


Objective

Interface f0/0: nameif outside, security level 0, IP address 192.20.20.1
Interface f0/1: nameif inside, security level 100, IP address 10.10.10.1
Interface f0/2: nameif DMZ, security level 50, IP address 192.10.10.1

Configure static routes to all internal networks.

Configuration on ASA

interface f0/0
 nameif outside
 ip address 192.20.20.1 255.255.255.0
 no shutdown
exit

interface f0/1
 nameif inside
 ip address 10.10.10.1 255.255.255.0
 no shutdown
exit

interface f0/2
 nameif DMZ
 security-level 50
 ip address 192.10.10.1 255.255.255.0
 no shutdown
exit

Router configuration

R1:-

interface f0/0
 ip address 10.10.10.2 255.255.255.0
 no shutdown
interface f0/1
 ip address 10.20.20.2 255.255.255.0
 no shutdown

R2:-

interface f0/0
 ip address 192.20.20.2 255.255.255.0
 no shutdown
interface f0/1
 ip address 10.20.30.2 255.255.255.0
 no shutdown

R3:-

interface f0/0
 ip address 192.10.10.2 255.255.255.0
 no shutdown
interface f0/1
 ip address 10.10.20.2 255.255.255.0
 no shutdown

Configure static routes

ASA:-

route inside 10.20.20.0 255.255.255.0 10.10.10.2 (next hop is R1's f0/0 interface)
route DMZ 192.10.20.0 255.255.255.0 192.10.10.2 (next hop is R3's f0/0 interface)

Configure the default route to R2:

route outside 0 0 192.20.20.2 (next hop is R2's f0/0 interface)

Configure default routes on R1 and R3 towards the ASA:

R1:-

ip route 0.0.0.0 0.0.0.0 10.10.10.1 (next hop is the ASA's f0/1 interface)

R3:-

ip route 0.0.0.0 0.0.0.0 192.10.10.1 (next hop is the ASA's f0/2 interface)

After that we will have full connectivity between all the devices in the whole network. We can check that by pinging any destination.

Note:- Basic troubleshooting commands on the ASA:

ASA(config)# show interface ip brief (the equivalent of show ip interface brief on a router)
ASA(config)# show route
ASA(config)# show run

NAT in ASA Firewall


Network Address Translation is very important for making a network secure. The real IP is converted into some other IP so that the real IP is not visible from outside. It has other uses too, such as letting many private IPs share one public IP for outside communication. We will discuss the following types of NAT in this section:

1. Dynamic NAT
2. Static NAT
3. NAT control
4. NAT overload (PAT)
5. Static PAT

1. Dynamic NAT

With this type of NAT a group of real addresses is translated to a pool of mapped addresses that are routable on the destination network. The pool may have fewer addresses than the real group. When a host wants to communicate with the outside network the ASA assigns it an IP address from this pool. The translation is possible only when the real host initiates the connection. The translation lasts as long as the connection exists, and the user is not guaranteed the same IP after the translation times out.

Syntax

Define the network to be translated:

nat (<zone name: inside or DMZ>) <pool id> <source network> <subnet mask>

Define the translated IPs in the pool:

global (outside) <pool id> <range of IP>

Note:- the pool id must match in both commands.

2. Static NAT

It is a one-to-one translation, so we need as many mapped addresses as real addresses. A persistent translation exists because the mapped address is the same for every consecutive connection. Thanks to this, a host on the destination network can initiate a connection to a translated host if an access list is applied that allows it.

Syntax

static (source zone, destination zone) <translated IP> <original IP>

If the traffic goes from inside to outside then:

static (inside, outside) <translated IP> <original IP>

NAT control, NAT overload, and Static PAT

3. NAT control

When NAT control is enabled, an inside host must match a NAT rule to access the outside network. In some special cases we don't need NAT to be performed; then we can bypass NAT for such hosts or disable NAT completely.

We can bypass NAT by following ways:-

a) NAT Exemption:-

It is bidirectional, i.e. both the translated host and the remote host can initiate connections. NAT exemption applies to connections through all interfaces, i.e. it is not limited to a specific interface. Here we use the real source and destination addresses. It doesn't consider ports in the access list, and it doesn't support connection settings such as maximum TCP connections.

Syntax

First define the access-list:

access-list nonat permit ip host xx.xx.xx.xx host xx.xx.xx.xx

nat (inside) 0 access-list nonat

b) Identity NAT:-

It is similar to dynamic NAT, but we can't limit the translation to one host, i.e. we must use identity NAT for all interfaces. Even though the mapped address is the same as the real IP, we can't initiate a connection from outside to inside even if an access-list is applied. We can apply this to any host or network.

Syntax

nat (inside) 0 <network address/host IP> <subnet mask>

c) Static Identity NAT

It is a one-to-one translation, meaning it lets a host appear on another interface with its real address. We can also apply static identity NAT on one interface and regular NAT on other interfaces.

Syntax

static (zone, zone) <host IP> <host IP> (both IPs are the same)

E.g.:-

static (inside, outside) 10.22.22.1 10.22.22.1

4. NAT overload (PAT)

PAT overcomes the limitation of dynamic NAT that the mapped IP pool can run out of addresses if traffic is higher than expected. PAT translates multiple real addresses to a single mapped address, so there is no shortage of IPs in the pool. The ASA translates the real IP and source port to the mapped address and a unique source port above 1024, e.g. 100.1.1.1:1025 and 100.1.1.1:1026. The source port differs for each connection, so the mapped address:port pair is always unique. Users on the outside network can't initiate connections to the inside using this mapped address.

Syntax

global (outside) <pool id> interface

5. Static PAT

Static PAT is almost the same as static NAT; the difference is that it lets you specify the protocol (TCP/UDP) and the port for the real and mapped addresses. The advantage of this feature is that we can use the same mapped IP for many real IPs with different ports, which is not possible in static NAT.

For example, we may want to provide a single IP to access SMTP, HTTP and FTP even though these are all different servers on the network. Through static PAT we can publish all three servers on the same mapped IP with different ports.

Syntax

For example, the SMTP server IP is 10.1.1.1, the FTP server IP is 10.1.1.2, the HTTP server IP is 10.1.1.3, and the mapped IP is 192.168.1.1.

static (inside, outside) tcp 192.168.1.1 smtp 10.1.1.1 smtp netmask 255.255.255.255
static (inside, outside) tcp 192.168.1.1 ftp 10.1.1.2 ftp netmask 255.255.255.255
static (inside, outside) tcp 192.168.1.1 http 10.1.1.3 http netmask 255.255.255.255
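The model below is an added example, not part of the original notes, that shows all the NAT types of this section acting on one xlate table: dynamic NAT drawing from a pool, PAT taking over when the pool is empty (unique source ports above 1024), static NAT being reachable from outside, static PAT publishing one mapped address on several ports, and PAT-translated hosts remaining unreachable from outside. Addresses, ports and the sample flows are constructed.

```python
"""
Added example (not from the original notes): a small model of the ASA's
xlate table covering dynamic NAT, PAT as backup, static NAT and static PAT.
Addresses, ports and the sample traffic are constructed for this illustration.
"""
import itertools


class NatTable:
    def __init__(self, pool, pat_address):
        self.pool = list(pool)                   # free mapped addresses (dynamic NAT)
        self.pat_address = pat_address           # single mapped address used by PAT
        self.pat_ports = itertools.count(1025)   # unique source ports above 1024
        self.static = {}       # real ip -> mapped ip (one-to-one, persistent)
        self.static_pat = {}   # (mapped ip, proto, mapped port) -> (real ip, real port)
        self.xlate = {}        # (real ip, real port) -> (mapped ip, mapped port)

    # Configuration verbs mirroring the notes' commands.
    def add_static(self, mapped_ip, real_ip):
        """static (inside,outside) <mapped> <real>"""
        self.static[real_ip] = mapped_ip

    def add_static_pat(self, proto, mapped_ip, mapped_port, real_ip, real_port):
        """static (inside,outside) tcp <mapped> <mport> <real> <rport>"""
        self.static_pat[(mapped_ip, proto, mapped_port)] = (real_ip, real_port)

    # Outbound (inside -> outside): the real host initiates.
    def translate_outbound(self, real_ip, real_port):
        if real_ip in self.static:
            return self.static[real_ip], real_port
        key = (real_ip, real_port)
        if key in self.xlate:                 # existing connection reuses its xlate
            return self.xlate[key]
        if self.pool:                         # dynamic NAT while the pool lasts
            mapped = (self.pool.pop(0), real_port)
        else:                                 # backup translation: PAT
            mapped = (self.pat_address, next(self.pat_ports))
        self.xlate[key] = mapped
        return mapped

    def release(self, real_ip, real_port):
        """Connection teardown frees a dynamic NAT address for reuse."""
        mapped_ip, _ = self.xlate.pop((real_ip, real_port))
        if mapped_ip != self.pat_address:
            self.pool.append(mapped_ip)

    # Inbound (outside -> inside): only persistent (static) entries are reachable.
    def translate_inbound(self, proto, mapped_ip, mapped_port):
        if (mapped_ip, proto, mapped_port) in self.static_pat:
            return self.static_pat[(mapped_ip, proto, mapped_port)]
        for real_ip, mapped in self.static.items():
            if mapped == mapped_ip:
                return real_ip, mapped_port
        return None   # dynamic NAT / PAT hosts cannot be reached from outside


def demo():
    # Constructed: two-address pool, PAT on the outside interface address.
    nat = NatTable(pool=["192.20.20.151", "192.20.20.152"], pat_address="192.20.20.1")
    nat.add_static("192.20.20.66", "11.11.11.11")
    nat.add_static_pat("tcp", "192.168.1.1", 25, "10.1.1.1", 25)
    out = [nat.translate_outbound("10.10.10.%d" % i, 3000 + i) for i in range(1, 4)]
    return {
        "dynamic_then_pat": out,                                   # third host falls back to PAT
        "static_out": nat.translate_outbound("11.11.11.11", 4444),
        "static_in": nat.translate_inbound("tcp", "192.20.20.66", 22),
        "static_pat_in": nat.translate_inbound("tcp", "192.168.1.1", 25),
        "pat_in": nat.translate_inbound("tcp", "192.20.20.1", 1025),   # None
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Note how the same source port that a PAT host was given (1025) cannot be used from outside to reach it: there is no persistent binding, which is exactly why static NAT or static PAT is needed for published servers.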

NAT with ASA, ASA Security Context

NAT with ASA

The topology is similar to the previous one except that we added a few loopbacks on all three routers.

Task 1:- The ASA should translate all internal networks, including the DMZ, to outside using the pool 192.20.20.151 - 192.20.20.200. Use PAT as the backup translation.

ASA:-

global (outside) 1 192.20.20.151-192.20.20.200
global (outside) 1 interface
nat (inside) 1 10.11.11.0 255.255.255.0
nat (inside) 1 10.10.10.0 255.255.255.0
nat (DMZ) 1 192.10.10.0 255.255.255.0
nat (DMZ) 1 192.168.33.0 255.255.255.0

Task 2:- Configure static NAT for R1's Loopback 0 to 192.20.20.66 on the outside network.

ASA:-

static (inside, outside) 192.20.20.66 11.11.11.11

Task 3:- Configure the ASA so that whenever it receives a packet destined for port 25 on the outside interface it is redirected to 192.10.10.10, and a packet destined for port 23 on the outside interface is redirected to 192.10.10.11.

ASA:-

static (DMZ, outside) tcp interface 25 192.10.10.10 25
static (DMZ, outside) tcp interface 23 192.10.10.11 23

Note:- We have to configure static or default routes for all unknown networks on the ASA and on all the routers for full communication.

ASA Security Context


A security context is a virtual firewall methodology that enables a single firewall to be partitioned into multiple standalone firewalls. We can configure each virtual firewall independently, including its own configuration, routing table, policies, interfaces, etc. It has many advantages:-

 It saves the cost of buying additional firewalls.
 We can increase security in an organization.
 Instead of managing multiple physical firewalls we can integrate the same features in one firewall.

In multiple context mode the ASA is divided into three types of context:-

1. System Context
2. Admin Context
3. Logical Context

1. System Context

Unlike the other contexts it doesn't have any layer 2 or 3 interfaces or any network settings. It is mainly used for defining the attributes of the other security contexts. Here we can define the following attributes for each context:

 Context name
 Interface allocation
 Banner
 Mode, i.e. single or multiple
 Failover parameters

Note:- The system context configuration is saved in the NVRAM of the ASA, and the configuration of the ASA firewall is saved in flash memory.

2. Admin Context

It is like a regular context except that when a user logs into this context that user has system administration rights and can access the system context and the logical contexts. The admin context must be created before the other contexts.

Note:- When the ASA is converted from single mode to multiple mode, all the network-related configuration is saved as the admin context. We can't change the name of the admin context.

3. Logical Context

It is like having multiple standalone firewalls. Each has its own set of security features such as NAT, access lists, routing, interfaces, etc.

Key differences between Single and Multiple mode:-

Feature      Single Mode                               Multiple Mode
Interface    All physical interfaces                   Only allocated interfaces
Routing      Supports dynamic routing protocols        Doesn't support dynamic routing protocols
Failover     Doesn't support active/active failover    Supports active/active failover
VPN          Supports VPN                              Doesn't support VPN
QoS          Supports QoS                              Doesn't support QoS
Addressing   Doesn't support overlapping networks      Supports overlapping networks between contexts

Note:- To check how many contexts it supports, the command is:-

ASA# show version | include Security Contexts

Security Context on ASA Firewall


Task 1:- Configure the ASA for multiple contexts. Make e0/0 a shared interface and split e0/1 into 3 sub-interfaces.

ASA:-

mode multiple

interface e0/0
 no shutdown
interface e0/1
 no shutdown
! a sub-interface needs a VLAN tag; the tags 2, 3 and 4 below are assumed
interface e0/1.2
 vlan 2
interface e0/1.3
 vlan 3
interface e0/1.4
 vlan 4

Task 2:- Configure two contexts on the ASA, ASA-C1 and ASA-C2, with the configuration files ASAC1.cfg and ASAC2.cfg. Allocate interfaces according to the diagram above.
ASA:-

context ASA-C1
 allocate-interface e0/0
 allocate-interface e0/1.2
 allocate-interface e0/1.4
 config-url ASAC1.cfg
exit

context ASA-C2
 allocate-interface e0/0
 allocate-interface e0/1.3
 config-url ASAC2.cfg

Task 3:- Configure the interfaces in context ASA-C1 and context ASA-C2 as in the diagram.

ASA:-

changeto context ASA-C1

interface e0/0
 nameif outside
 ip address 192.1.100.11 255.255.255.0
exit
interface e0/1.2
 nameif inside
 ip address 10.22.22.11 255.255.255.0
exit
interface e0/1.4
 nameif DMZ
 security-level 50
 ip address 10.44.44.11 255.255.255.0

changeto context ASA-C2

interface e0/0
 nameif outside
 ip address 192.1.100.21 255.255.255.0
exit
interface e0/1.3
 nameif inside
 ip address 10.22.22.21 255.255.255.0

Task 4:- Configure ASA-C1 to allow the inside network to access the outside network using dynamic NAT with the pool 192.1.100.51 - 192.1.100.69. Back it up with PAT using the IP address 192.1.100.70. R2 should be seen as 192.1.100.2.

ASA:-

changeto context ASA-C1

nat-control
global (outside) 1 192.1.100.51-192.1.100.69
global (outside) 1 192.1.100.70
nat (inside) 1 10.22.22.0 255.255.255.0
static (inside, outside) 192.1.100.2 10.22.22.2

Task 5:- Configure ASA-C2 to allow the inside network to access the outside network using dynamic NAT with the pool 192.1.100.71 - 192.1.100.89. Back it up with PAT using the IP address 192.1.100.90. R3 should be seen as 192.1.100.3.

ASA:-

changeto context ASA-C2

global (outside) 1 192.1.100.71-192.1.100.89
global (outside) 1 192.1.100.90
nat (inside) 1 10.22.22.0 255.255.255.0
static (inside, outside) 192.1.100.3 10.22.22.3

Task 6:- Configure static routes on ASA-C1 and ASA-C2 to the R2 and R3 networks. Configure a default route on ASA-C1 and ASA-C2 towards R1.

ASA:-

changeto context ASA-C1
route inside 10.2.2.0 255.255.255.0 10.22.22.2
route outside 0 0 192.1.100.1

changeto context ASA-C2
route inside 10.3.3.0 255.255.255.0 10.22.22.3
route outside 0 0 192.1.100.1

ASA Failover

ASA Active/Standby Failover

It is a redundancy feature of the ASA firewall. For the failover configuration we need two identical ASAs connected to each other through a dedicated failover link. There are a few requirements for failover:-

1. Both ASAs should be the same hardware model
2. Same software version
3. Same number of interfaces and interface types
4. Same flash memory size (the primary may have more memory than the secondary, but never less)
5. Same DRAM
6. Same operating mode

The reasons for failover

1. The ASA is powered down or off, or rebooted.
2. A link is down for more than 30 seconds.
3. The failover active or failover command is issued on the ASA firewall.

There are two types of failover

1. Stateless (regular) Failover

 Client applications must reconnect themselves
 Stateful information is never passed to the standby unit
 Provides redundancy via cable-based failover

2. Stateful Failover

o All the failover information for each connection is passed to the standby unit
o End users do not need to reconnect
o State data, including global address pool information and states, connections, translations, PAT, etc., is passed
o Provided by LAN-based failover

Whenever failover occurs the following stateful information is passed to the standby unit:

1. NAT translation table
2. TCP connection states
3. UDP connection states
4. The ARP table
5. Layer 2 bridge table (when running in transparent mode)
6. HTTP connection states (if HTTP replication is enabled)
7. IPsec and ISAKMP
8. GTP (GPRS Tunneling Protocol) and PDP (Packet Data Protocol) - voice inspection
9. SIP signaling

The information that is not passed to the standby unit:

1. The user authentication table (uauth)
2. The routing table
3. Multicast traffic information
4. State information for security service cards
5. DHCP server address leases
6. Stateful failover for phone proxy
7. HTTP connection table, unless HTTP replication is enabled

Failover Restrictions (unsupported)

1. DHCP client
2. PPPoE (Point-to-Point Protocol over Ethernet)
3. IPv6

Failover interface testing

1. Link up and down test
2. Network activity test
3. ARP test
4. Broadcast ping test

There are basically two types of failover configuration, Active/Active and Active/Standby. The difference is that active/active failover must run in multiple context mode and both ASAs can pass traffic (C1 on ASA1 and C2 on ASA2). In active/standby failover only one ASA passes traffic while the other waits in standby state. Both failover configurations support stateful or stateless failover.

Note:- Failover hello messages are generated on the failover link every 15 seconds by default.

Transparent Firewall

A transparent firewall works at layer 2 and is not considered a hop. It is often called a "bump in the wire". It deals with MAC lookups, and forwarding is done by destination MAC address. Its outside and inside interfaces exist in the same network. We can insert a transparent firewall easily into an existing network because of its layer 2 characteristics.

Some of the features of a transparent firewall

1. Each interface is a broadcast domain.
2. The ASA performs secure transparent bridging between two broadcast domains in the form of VLANs.
3. No routing protocol to troubleshoot.
4. In routed mode the ASA performs a route lookup; in transparent mode it performs a MAC address lookup.
5. It supports AppleTalk, IPX traffic, MPLS traffic, BPDU traffic.
   o ARP inspection (the most popular transparent-mode inspection)

Unsupported features of a transparent firewall

1. Dynamic DNS
2. DHCP relay
3. Dynamic routing protocols
4. Multicast IP routing
5. QoS (no inspection at layer 3)
6. VPN termination
7. Before 8.2 it doesn't support

Transparent Firewall guidelines

1. A management IP address is required on the same subnet
2. Only the inside/outside pair passes traffic
3. Each connected network is on the same subnet
4. The default gateway will be the router on the other side of the ASA

Note: A management IP address is required for traffic to pass through the ASA. This IP is assigned to the entire device. It is also used as the source address for packets originating from the ASA, such as AAA communication.
Task 1:

Configure the ASA as a transparent firewall.

ASA(config)# firewall transparent

Task 2:

Configure e0/0 as outside with security level 0 and e0/1 as inside with security level 100.

ASA:

interface e0/0
 nameif outside
 no shutdown
exit
interface e0/1
 nameif inside
 no shutdown

Task 3:

Assign the ASA the IP address 10.22.22.10/24 and the default gateway 10.22.22.2.

ASA:

ip address 10.22.22.10 255.255.255.0
route outside 0 0 10.22.22.2

Task 4:

RIP is running on R1 and R2. Configure the ASA to allow communication between R1 and R2.

ASA:

access-list outside permit udp host 10.22.22.2 host 224.0.0.9 eq rip
access-list inside permit udp host 10.22.22.1 host 224.0.0.9 eq rip
access-group outside in interface outside
access-group inside in interface inside

Note: RIP runs over UDP, and 224.0.0.9 is the multicast address for RIP. We are creating these access-lists to permit RIP.

Task 5:

Configure the ASA so that it examines all ARP packets. It should forward the packets that match the ARP table and drop the others.

ASA:

arp-inspection outside enable no-flood
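To make the transparent-mode behaviour described in this section concrete (forwarding by destination MAC between the two broadcast domains, and ARP inspection with the flood / no-flood choice of Task 5), here is an added model that is not part of the original notes. The MAC addresses, the static ARP bindings and the sample frames are constructed; the ASA's real implementation has more cases (for example inspection on both interfaces), which this model leaves out.

```python
"""
Added example (not from the original notes): a two-interface transparent
firewall that bridges by destination MAC and applies ARP inspection against
a static ARP table. MACs, IPs and frames are constructed for this illustration.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class TransparentFirewall:
    def __init__(self, static_arp, flood=False):
        self.static_arp = dict(static_arp)   # ip -> mac, like "arp <ifc> <ip> <mac>"
        self.flood = flood                   # "flood" vs "no-flood" for unknown bindings
        self.mac_table = {}                  # mac -> interface it was learned on
        self.interfaces = ("inside", "outside")

    def other(self, ifc):
        """The single other interface of the bridge pair."""
        return "outside" if ifc == "inside" else "inside"

    def inspect_arp(self, sender_ip, sender_mac):
        """True if the ARP sender binding is consistent with the static table."""
        known = self.static_arp.get(sender_ip)
        if known is None:
            # Binding not in the table: forwarded only with the 'flood' option.
            return self.flood
        return known == sender_mac       # mismatch -> spoofed, drop

    def forward(self, in_ifc, frame):
        """Return the egress interface or 'drop'. frame is a dict (constructed)."""
        if frame["type"] == "arp" and not self.inspect_arp(frame["sender_ip"], frame["src_mac"]):
            return "drop"
        self.mac_table[frame["src_mac"]] = in_ifc        # learn the source MAC
        dst = frame["dst_mac"]
        if dst == BROADCAST or dst not in self.mac_table:
            return self.other(in_ifc)                    # broadcast / unknown unicast
        out = self.mac_table[dst]
        return "drop" if out == in_ifc else out           # same segment: nothing to bridge


def demo():
    fw = TransparentFirewall(static_arp={"10.22.22.2": "00:00:00:00:00:02",
                                         "10.22.22.1": "00:00:00:00:00:01"})
    # Constructed frames: a genuine ARP from R2, a spoofed ARP claiming R2's IP,
    # and an IP frame from R1 to R2.
    good_arp = {"type": "arp", "src_mac": "00:00:00:00:00:02", "dst_mac": BROADCAST,
                "sender_ip": "10.22.22.2"}
    spoof_arp = {"type": "arp", "src_mac": "00:00:00:00:00:99", "dst_mac": BROADCAST,
                 "sender_ip": "10.22.22.2"}
    data = {"type": "ip", "src_mac": "00:00:00:00:00:01", "dst_mac": "00:00:00:00:00:02"}
    return [fw.forward("outside", good_arp), fw.forward("outside", spoof_arp),
            fw.forward("inside", data)]


if __name__ == "__main__":
    print(demo())   # ['inside', 'drop', 'outside']
```

The IP frame reaches "outside" only because the genuine ARP was learned first; the spoofed ARP is dropped before any MAC learning happens, so it cannot poison the bridge table either.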

VPN (Virtual Private Network)


A VPN is the ideal solution for secure communication over an insecure network, i.e. the internet. VPNs are generally implemented organization-to-organization or organization-to-individual rather than between individuals. It effectively takes the place of a leased line. A VPN has many advantages:

1. Compared to a leased line it is very cheap

One way to reduce cost is to eliminate the need for expensive long-distance leased lines. For a VPN to work we just need an internet connection. It also reduces long-distance telephone charges.

2. Easy setup of additional branch-office connections
3. More flexible
4. Scalability
5. Performance
6. Simple management
7. High availability

There is a limitation too, i.e. internet dependency: we are fully dependent on the internet.

There are many important topics involved in VPN. We will discuss each topic in the following discussion.

IPSec:

It is used to encrypt data using encryption algorithms.

4 core IPsec services:

1. Confidentiality

It means encrypting the data so that no one else can read it, i.e. it provides data privacy via encryption techniques.

2. Data integrity

It provides data assurance via hashing techniques.

3. Authentication

It provides data origin authentication using digital signatures or certificates.

4. Anti-replay

Makes sure that every packet is unique and not duplicated.

Confidentiality through encryption:

1. Scrambling data into unreadable cipher text
2. Both sides need the transform rule (it is based on algorithm + key)

(To encrypt/decrypt, the key and algorithm must match)

There are mainly two types of encryption/decryption keys:

1. Symmetric key:

Here both sender and receiver use the same key for encryption and decryption. The sender uses the key to encrypt the plain text into cipher text and the receiver uses the same key to decrypt the cipher text back into plain text. That key must be kept secret, because anyone who knows it can easily decrypt. One advantage is that it doesn't consume much computing power. Examples: DES (Data Encryption Standard), 3DES, AES (Advanced Encryption Standard), Blowfish, etc.

2. Asymmetric key:

Here we deal with two keys: one key encrypts the plain text and the other decrypts the cipher text. The encryption key is called the public key because it is given to everyone who wants to send encrypted data. The decryption key is called the private key because it is kept secret. Compared to symmetric keys, asymmetric keys are more secure. Examples of asymmetric key algorithms are RSA, DSA, etc.
Data Integrity | Hash

Protects data from interception and possible modification. Hashing guarantees message integrity: the transmitted hash should match the hash value computed at the receiver. Examples: HMAC (hashed message authentication code) - HMAC-MD5, HMAC-SHA.

Hash:

It is mainly used to provide a digital footprint of any type of data to ensure that the information has not been altered during transmission.

1. It is a one-way, mathematically generated unique number computed from a sequence of text by applying a mathematical formula.
2. The unique number is calculated from the original plain text data.
3. The original message can't be reconstructed from this unique number, even with knowledge of the algorithm.
4. The unique number acts like a fingerprint of the message.

Data Encryption Function:

1. Data encryption is an algorithmic process that uses a secret key to transform plain text into cipher text, in order to prevent anyone except the intended recipient from accessing the information.
2. Encryption is the process of converting information to make it unreadable to unauthorized users.
3. Encryption provides a means of secure communication over an insecure medium.
4. It provides data confidentiality and privacy.

Encryption algorithms in use today:

DES - Created by IBM. 56-bit key.
3DES - uses three DES keys on each data block to create a 168-bit key.
AES - newer and more efficient algorithm. 128, 192 or 256-bit keys.
RSA - used for "MISC" encryption. 512, 768, 1024-bit or larger keys.
DH - commonly used on VPN connections to allow secure transfer of a shared secret key; it helps generate the shared secret key. 768-bit key.
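The two IPsec services that a hash delivers, data integrity (the HMAC section above) and anti-replay (service 4 above), are shown together in the following added example, which is not part of the original notes. It uses only the Python standard library: an HMAC over sequence number and payload, a constant-time comparison at the receiver, and an ESP-style sliding replay window. The key, the 64-packet window size and the packets are constructed.

```python
"""
Added example (not from the original notes): HMAC-based integrity checking
and an ESP-style anti-replay window, standard library only. The shared key,
the window size and the sample packets are constructed for this illustration.
"""
import hashlib
import hmac

WINDOW_SIZE = 64   # ESP implementations commonly use a 32- or 64-packet window


def protect(key, seq, payload, digestmod=hashlib.sha1):
    """Authenticate seq||payload with an HMAC; return the packet to send."""
    mac = hmac.new(key, seq.to_bytes(4, "big") + payload, digestmod).digest()
    return seq, payload, mac


def verify(key, seq, payload, mac, digestmod=hashlib.sha1):
    """Recompute the HMAC and compare in constant time."""
    expected = hmac.new(key, seq.to_bytes(4, "big") + payload, digestmod).digest()
    return hmac.compare_digest(expected, mac)


class ReplayWindow:
    """Sliding window: every sequence number is accepted at most once."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0        # highest sequence number accepted so far
        self.seen = set()       # accepted numbers still inside the window

    def check_and_update(self, seq):
        if seq <= 0:
            return False
        if seq > self.highest:
            # Window slides forward; forget entries that fell off its left edge.
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.size}
            self.seen.add(seq)
            return True
        if seq <= self.highest - self.size or seq in self.seen:
            return False    # too old to track, or a duplicate
        self.seen.add(seq)  # late but unseen packet inside the window
        return True


class Receiver:
    def __init__(self, key):
        self.key = key
        self.window = ReplayWindow()

    def accept(self, seq, payload, mac):
        """Integrity check first, then the replay check, as ESP does."""
        if not verify(self.key, seq, payload, mac):
            return "bad-mac"
        if not self.window.check_and_update(seq):
            return "replay"
        return "ok"


def demo():
    key = b"constructed-shared-key"
    rx = Receiver(key)
    p1 = protect(key, 1, b"hello")
    p2 = protect(key, 2, b"world")
    tampered = (p2[0], b"w0rld", p2[2])      # payload changed, MAC now stale
    return [rx.accept(*p1), rx.accept(*p2), rx.accept(*p1), rx.accept(*tampered)]


if __name__ == "__main__":
    print(demo())   # ['ok', 'ok', 'replay', 'bad-mac']
```

The order of the two checks matters: an attacker who replays a captured packet passes the HMAC check (the MAC is genuine), so only the window catches it, while a modified packet fails the HMAC before the window is even consulted.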

5 Phases of IPSec:

1. Define interesting traffic.
2. IKE phase 1: creates the first tunnel, which protects later ISAKMP negotiation messages.
3. IKE phase 2: creates the tunnel that protects data.
4. Transfer data.
5. Tear down the tunnel.

IPSec has two methods of propagating data across the network:

1. Tunnel Mode

This mode protects data in a network-to-network or site-to-site scenario (used in LAN-to-LAN VPN). It is the default mode on Cisco routers. Here the original source and destination IP header, along with the data, is encrypted behind an ESP header and a new IP header is added. The new IP header carries the source and destination IPs of the tunnel endpoints.

New IP header | ESP header | [Original IP header | Data]   (the bracketed part is encrypted)

2. Transport Mode

This mode protects data in a host-to-host or end-to-end scenario (used in remote access VPN). Here only the data is encrypted and the original IP header is placed in front of the ESP header.

Original IP header | ESP header | [Data]   (the bracketed part is encrypted)

There are two types of tunnel negotiation modes:

1. Main Mode:

This mode uses a total of 6 messages between initiator and responder during tunnel negotiation. It is more secure than aggressive mode because it provides DoS protection. But we can't use it in a VPN that uses NAT, because it uses the IP address as part of the exchange for identification.

2. Aggressive Mode:

This mode uses a total of 3 messages, which eliminates the use of the IP address for identification. This mode is very useful for client-to-gateway tunnels because the client IP is known ahead of time. We can use this mode where NAT is configured.

Later on we will discuss various flavors of VPN.

Site to Site VPN

Site-to-Site VPN using an IPSec tunnel is a way to perform secure transmission of data between two sites. The tunnel is created over the internet using various encryption algorithms. Here we are going to discuss how to create a site-to-site VPN using the IPSec protocol.

Here we are using static IPs on both sides. If we are using dynamic IPs then the connection initiation should start from the client side, because only the client side knows the destination IP. Another solution is a GRE (Generic Routing Encapsulation) tunnel with IPSec. Remember that GRE is a tunneling protocol whereas IPSec is a security protocol. IPSec doesn't support multicast, so we can't use it on its own in a network that uses a dynamic routing protocol, i.e. EIGRP, OSPF, RIP, etc. But GRE supports multicast, so it is the perfect solution for such a situation. In this article we are going to discuss only IPSec, not GRE.

 ISAKMP (Internet Security Association and Key Management Protocol) and IPSec are required to build and protect the tunnel.
 ISAKMP, aka IKE (Internet Key Exchange), is the negotiation protocol that allows hosts to agree on how to negotiate SAs (Security Associations).

SA (Security Association): An SA is required to protect data, one per direction and protocol. It is the binding of a security policy and key to a data flow. Both IKE and IPSec use SAs, and the SAs are independent of one another. IKE negotiates and establishes SAs on behalf of IPSec. An IPSec SA is unidirectional, i.e. if a tunnel uses ESP then we need two SAs, one for each direction. An IKE SA is bidirectional.
There are two phases in ISAKMP negotiation:

Phase 1:

Creates the first tunnel, through which it protects later ISAKMP negotiation messages.

Phase 2:

Here it creates the tunnel that protects the data.

There are basically two steps:

1. Configure ISAKMP (phase 1)
2. Configure IPSec (phase 2, access control list, crypto map)

Crypto map: It selects the data flows that need security. It also defines the policy for these flows and the peer that needs to receive them. It is applied to an interface.

The head office has the network 10.10.10.0/24. Branch office 2 and Branch office 3 have the networks 20.20.20.0/24 and 30.30.30.0/24 respectively.
Goal: To achieve full connectivity between the head office and both branch offices.

ISAKMP phase 1

1. ISAKMP phase 1

R1

crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 50000

Description:

3des - encryption method to be used for phase 1
md5 - hash algorithm
pre-share - authentication method
group 2 - Diffie-Hellman group. It is a method of exchanging cryptographic keys.
50000 - session key lifetime. It's either in kilobits or seconds.

Note: The ISAKMP phase 1 policy is defined globally. If we have two different remote sites and we configure two different ISAKMP phase 1 policies, one for each site, then when the router tries to negotiate a VPN tunnel with each site it sends both policies and accepts the first match. Since we are creating only one policy here, it will send this one to both sites.

2. Define the pre-shared key

R1

crypto isakmp key cisco address 0.0.0.0 0.0.0.0

Here the pre-shared key is cisco. We define the remote IP as 0.0.0.0 because the remote peers have dynamic IP addresses; this ensures the router will try to negotiate and establish a VPN tunnel with any router that requests it.
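The note above (the responder takes the first matching proposal) and the pre-shared key step are modelled in the following added example, which is not from the original notes and is not how IOS implements IKE internally. It matches policy attributes the way the note describes, runs a Diffie-Hellman exchange so both peers derive the same secret, and uses a keyed hash over the exchanged public values as a simplified pre-shared-key authenticator. The DH modulus is a toy 127-bit Mersenne prime (a real group 2 uses a 1024-bit MODP prime), and the policies and keys are constructed.

```python
"""
Added example (not from the original notes): ISAKMP phase 1 proposal
matching (first initiator proposal the responder also supports), a toy
Diffie-Hellman exchange and a simplified pre-shared-key authenticator.
Policies and keys are constructed; the DH group is a toy, not IKE group 2.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1          # toy prime; real "group 2" is a 1024-bit MODP prime
G = 2
MATCHED_ATTRS = ("encryption", "hash", "authentication", "group")


def choose_policy(initiator_policies, responder_policies):
    """The responder accepts the first initiator proposal it has an exact match for."""
    for proposal in initiator_policies:            # ordered by priority number
        for candidate in responder_policies:
            if all(proposal[k] == candidate[k] for k in MATCHED_ATTRS):
                return proposal
    return None


class IkePeer:
    def __init__(self, name, psk):
        self.name = name
        self.psk = psk
        self.secret = secrets.randbelow(P - 2) + 1   # private DH exponent
        self.public = pow(G, self.secret, P)         # value sent to the peer

    def shared_secret(self, peer_public):
        return pow(peer_public, self.secret, P)      # g^(ab) mod p

    def prove(self, init_pub, resp_pub):
        """Simplified PSK authenticator: HMAC over both public values."""
        data = init_pub.to_bytes(16, "big") + resp_pub.to_bytes(16, "big")
        return hmac.new(self.psk, data, hashlib.md5).digest()


def phase1(initiator, responder, init_policies, resp_policies):
    """Return a dict describing how the phase 1 exchange ended."""
    policy = choose_policy(init_policies, resp_policies)
    if policy is None:
        return {"status": "no proposal chosen"}
    k_i = initiator.shared_secret(responder.public)
    k_r = responder.shared_secret(initiator.public)
    # The initiator's authenticator must equal what the responder computes
    # with its own PSK; a different key on either side fails here.
    if not hmac.compare_digest(initiator.prove(initiator.public, responder.public),
                               responder.prove(initiator.public, responder.public)):
        return {"status": "authentication failed", "policy": policy}
    session_key = hashlib.sha1(k_i.to_bytes(16, "big")).hexdigest()
    return {"status": "established", "policy": policy,
            "keys_match": k_i == k_r, "key": session_key}


# Constructed policies: the head office has one, the branch tries two in order.
HEAD_OFFICE = [{"encryption": "3des", "hash": "md5", "authentication": "pre-share",
                "group": 2, "lifetime": 50000}]
BRANCH = [{"encryption": "aes", "hash": "sha", "authentication": "pre-share",
           "group": 5, "lifetime": 86400},
          {"encryption": "3des", "hash": "md5", "authentication": "pre-share",
           "group": 2, "lifetime": 50000}]


def demo():
    r1 = IkePeer("R1", b"cisco")
    r2 = IkePeer("R2", b"cisco")
    r3 = IkePeer("R3", b"wrong-key")
    return [phase1(r2, r1, BRANCH, HEAD_OFFICE)["status"],
            phase1(r3, r1, BRANCH, HEAD_OFFICE)["status"],
            phase1(r2, r1, BRANCH[:1], HEAD_OFFICE)["status"]]


if __name__ == "__main__":
    print(demo())   # ['established', 'authentication failed', 'no proposal chosen']
```

The branch's first proposal (AES/SHA/group 5) is skipped because the head office has no matching policy, and the second one is accepted; with a wrong pre-shared key the proposal still matches but the exchange fails at authentication, which is the symptom a mismatched key produces in practice.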

3. Configure IPSec

Here we have the following steps:

a) Create the access control lists
b) Create the transform-set (ISAKMP phase 2 policy)
c) Create the dynamic crypto map
d) Apply the crypto map to the interface

a) In the example above we want a first tunnel that will allow traffic from head office 10.10.10.0/24 to remote site 20.20.20.0/24 and a second VPN tunnel from 10.10.10.0/24 to remote site 30.30.30.0/24. These are two different tunnels, so we need to create two different access lists.

ip access-list extended VPN1
 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
ip access-list extended VPN2
 permit ip 10.10.10.0 0.0.0.255 30.30.30.0 0.0.0.255

b) This transform set is what protects our data. We name our transform set TS.

crypto ipsec transform-set TS esp-3des esp-md5-hmac

Here esp-3des is the encryption method and esp-md5-hmac the hashing algorithm.

c) Here we connect the previously configured ISAKMP and IPSec configuration together. We need one crypto map entry for each remote site, i.e. here we need two.

First we create a crypto map named CM, which will later be applied to the public interface of our head office router, and connect it with a dynamic crypto map named ho-vpn.

crypto map CM 10 ipsec-isakmp dynamic ho-vpn

Now we create the two dynamic crypto map entries:

crypto dynamic-map ho-vpn 10
 set transform-set TS
 match address VPN1
exit
crypto dynamic-map ho-vpn 11
 set transform-set TS
 match address VPN2

Note: Here the numbers 10 and 11 are instance (sequence) numbers. If we want to add more remote sites we just need to add more dynamic map entries.

d) interface fa0/1
 crypto map CM

Note: As soon as we apply the crypto map to the interface we receive the message "ISAKMP is ON". Here we have completed our head office configuration, and the next step is to configure our remote branch offices.

Configure Remote Site Router

Our remote site routers use dynamic IP addresses.

R2:

crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 50000
exit
crypto isakmp key cisco address 192.168.10.1
ip access-list extended AL
 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
exit
crypto ipsec transform-set TS esp-3des esp-md5-hmac
exit
crypto map RS 10 ipsec-isakmp
 set peer 192.168.10.1
 set transform-set TS
 match address AL
exit
interface f0/1
 crypto map RS

R3:

crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 50000
exit
crypto isakmp key cisco address 192.168.10.1
ip access-list extended AL
 permit ip 30.30.30.0 0.0.0.255 10.10.10.0 0.0.0.255
exit
crypto ipsec transform-set TS esp-3des esp-md5-hmac
exit
crypto map RS 10 ipsec-isakmp
 set peer 192.168.10.1
 set transform-set TS
 match address AL
exit
interface f0/1
 crypto map RS

Here we have completed our configuration and the VPN tunnel is ready to be brought up. Remember that in a site-to-site VPN with dynamic remote public IPs the tunnel must be brought up by the remote site. We can check that by pinging 10.10.10.1 from R2 and R3.
