IPSEC Lan 2 Lan tunnel between Cisco IOS 12.3 to Cisco ASA 8.2.x
This is a basic LAN-to-LAN IPsec tunnel (no GRE and no routing over the tunnel, since the ASA does not have those features). Phase 1 uses SHA and phase 2 uses MD5 for a little extra speed.
With this config a 3745 running IOS 12.3 should push about 25 Mbit/s through the tunnel before CPU usage climbs to the point where a faster router is worth considering.
IP addressing:
a.b.c.154 = 3745 router running IOS 12.3 at the enterprise LAN (outside address, see FastEthernet0/0 below)
x.y.z.1 = ASA 5510 firewall at the colo (outside address)
172.20.1.0/24 = colo LAN
192.168.1.0/24 = enterprise LAN
IOS router config:
! Phase 1 policy
crypto isakmp policy 12
encr 3des
hash sha
authentication pre-share
group 2
lifetime 28800
! phase 2 policy
crypto ipsec transform-set phase_2_ts esp-3des esp-md5-hmac
! pre-shared key, bound to the peer's (the ASA's) outside address, not to our own address
crypto isakmp key secretpass address x.y.z.1
crypto map vpn_map 5 ipsec-isakmp
set peer x.y.z.1
set transform-set phase_2_ts
set pfs group2
match address to_colo_lan
! The no-nat acl - LAN-to-LAN traffic must not be natted (deny = do not nat, permit = nat):
ip access-list extended nonatacl
deny ip 192.168.1.0 0.0.0.255 172.20.1.0 0.0.0.255
permit ip any any
! the route-map that will control natting:
route-map natmap permit 10
match ip address nonatacl
! The crypto acl the crypto map matches on (match address to_colo_lan); it must mirror the ASA's to_ent_lan acl:
ip access-list extended to_colo_lan
permit ip 192.168.1.0 0.0.0.255 172.20.1.0 0.0.0.255
This inbound ACL is applied to the upstream-facing interface (FastEthernet0/0 in this case):
ip access-list extended inet_in
! permit esp and ike into our router from the ASA:
permit esp host x.y.z.1 host a.b.c.154
permit udp host x.y.z.1 host a.b.c.154 eq isakmp
! this entry is needed because of a 12.3 bug: decrypted lan2lan traffic is checked again against the
! filter bound to the input interface, although it should be invisible to it.
permit ip 172.20.1.0 0.0.0.255 192.168.1.0 0.0.0.255
... other entries excluded ...
interface FastEthernet0/0
description uplink to ISP
ip address a.b.c.154 255.255.255.252
ip access-group inet_in in
ip nat outside
load-interval 30
speed 10
full-duplex
crypto map vpn_map
interface FastEthernet0/1
description inside LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
load-interval 30
duplex auto
speed auto
! ip natting is controlled by a route-map that selects which flows can be natted outbound.
! inbound nats and port translations would be added with static nat statements as needed:
ip nat inside source route-map natmap interface FastEthernet0/0 overload
ASA Config:
interface GigabitEthernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address x.y.z.1 255.255.255.252
interface GigabitEthernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 172.20.1.1 255.255.255.0
! no-nat acl and crypto acl (the ASA uses subnet masks here, not IOS-style wildcard masks):
access-list nonat extended permit ip 172.20.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list to_ent_lan extended permit ip 172.20.1.0 255.255.255.0 192.168.1.0 255.255.255.0
! exempt the lan2lan traffic from nat (8.2 identity-nat syntax):
nat (inside) 0 access-list nonat
! phase 1:
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
! phase 2:
crypto ipsec transform-set phase_2_ts esp-3des esp-md5-hmac
! crypto map ('set pfs' with no group defaults to group2, matching the IOS side):
crypto map vpn_map 30 match address to_ent_lan
crypto map vpn_map 30 set pfs
crypto map vpn_map 30 set peer a.b.c.154
crypto map vpn_map 30 set transform-set phase_2_ts
! pre-shared secret; the tunnel-group name must be the peer address used in the crypto map:
tunnel-group a.b.c.154 type ipsec-l2l
tunnel-group a.b.c.154 ipsec-attributes
pre-shared-key secretpass
! bind the crypto map to the outside interface and enable isakmp on it:
crypto map vpn_map interface outside
crypto isakmp enable outside
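Most failures on a tunnel like this come from the two ends disagreeing on a parameter. The following Python is an added consistency check, not part of the original page or of either device: it parses constructed excerpts of the IOS and ASA configs above (only the lines it needs, and only the crypto ACL entry of each side) and reports phase 1, transform-set, PFS, peer/pre-shared-key address and proxy-ID mismatches, such as an isakmp key bound to the wrong address or crypto ACLs that are not mirror images.

```python
from ipaddress import ip_network

# Constructed excerpts of this page's two configs; only the crypto (proxy-ID) ACL entry of each side is included.
IOS = """ encr 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp key secretpass address x.y.z.1
crypto ipsec transform-set phase_2_ts esp-3des esp-md5-hmac
 set peer x.y.z.1
 set pfs group2
 permit ip 192.168.1.0 0.0.0.255 172.20.1.0 0.0.0.255
 ip address a.b.c.154 255.255.255.252"""
ASA = """ ip address x.y.z.1 255.255.255.252
access-list to_ent_lan extended permit ip 172.20.1.0 255.255.255.0 192.168.1.0 255.255.255.0
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto ipsec transform-set phase_2_ts esp-3des esp-md5-hmac
crypto map vpn_map 30 set pfs
crypto map vpn_map 30 set peer a.b.c.154
tunnel-group a.b.c.154 type ipsec-l2l"""
P1 = {"encr": "p1_encr", "encryption": "p1_encr", "hash": "p1_hash", "group": "p1_group", "lifetime": "p1_life"}

def parse_side(cfg):
    """Extract the tunnel parameters from an IOS or ASA excerpt (both CLI spellings are handled)."""
    p = {}
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[0] in P1: p[P1[w[0]]] = w[1]                                   # phase 1 policy lines
        elif w[:2] == ["ip", "address"]: p["self"] = w[2]                   # this end's outside address
        elif w[:2] == ["crypto", "ipsec"]: p["p2_ts"] = tuple(w[4:])        # e.g. esp-3des esp-md5-hmac
        elif w[:3] == ["crypto", "isakmp", "key"]: p["psk_addr"] = w[-1]    # IOS binds the PSK to an address
        elif w[0] == "tunnel-group": p["psk_addr"] = w[1]                   # ASA binds it to the tunnel-group name
        elif "peer" in w: p["peer"] = w[-1]
        elif "pfs" in w: p["pfs"] = "group2" if w[-1] == "pfs" else w[-1]  # bare ASA 'set pfs' means group2
        elif "permit" in w:  # ip_network accepts IOS wildcard masks and ASA subnet masks alike
            i = w.index("permit")
            p["acl"] = (ip_network(f"{w[i+2]}/{w[i+3]}"), ip_network(f"{w[i+4]}/{w[i+5]}"))
    return p

def check_tunnel(ios_cfg, asa_cfg):
    """Return a list of mismatches between the two ends; an empty list means they agree."""
    a, b, out = parse_side(ios_cfg), parse_side(asa_cfg), []
    for k in ("p1_encr", "p1_hash", "p1_group", "p1_life", "p2_ts", "pfs"):
        if a.get(k) != b.get(k): out.append(f"{k}: IOS {a.get(k)} vs ASA {b.get(k)}")
    if a["peer"] != b["self"] or b["peer"] != a["self"]: out.append("peer addresses do not point at each other")
    if a["psk_addr"] != a["peer"]: out.append("IOS isakmp key is bound to the wrong address")
    if b["psk_addr"] != b["peer"]: out.append("ASA tunnel-group name differs from the crypto map peer")
    if a["acl"] != b["acl"][::-1]: out.append("crypto ACLs are not mirror images (proxy IDs will not match)")
    return out
```

Feeding it the two excerpts as written returns an empty list; swapping the isakmp key address for the router's own address, or changing one transform set, produces a message naming the disagreeing parameter.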
