3.0 EASY VPN (IOS-ASA)
Task: Configure Easy VPN in Network Extension Mode (NEM), with the ASA as the server and R2 as the remote client. Only traffic originating from 2.2.2.2 and going to 1.1.1.1 should be encrypted.
Basic Configurations:
- Configure IP Addresses on all devices as shown above
- R1 has a default route pointing to ASA
- R2 has default route pointing to the Internet
- ASA has a static route to the 30.1.52.0/24 network
- Internet has a static route to 10.1.110.0/24 network
EZ VPN server configuration on ASA:
Step 1: Access List
- ASA1(config)# access-list ENCRYPT_TRAFFIC standard permit 1.1.1.1 255.255.255.255 // Standard ACL listing the destination(s) that the client must send through the tunnel
Step 2: Group Policy
- ASA1(config)# group-policy EZ-POLICY internal
- ASA1(config)# group-policy EZ-POLICY attributes
- ASA1(config-group-policy)# split-tunnel-policy tunnelspecified // 'tunnelspecified' means only traffic matching the list named in the next command, 'split-tunnel-network-list', is encrypted; everything else leaves the client in the clear
- ASA1(config-group-policy)# split-tunnel-network-list value ENCRYPT_TRAFFIC
- ASA1(config-group-policy)# nem enable // Enable support for clients connecting in Network Extension Mode
Step 3: ISAKMP Policy and Enable ISAKMP
- ASA1(config)# isakmp enable OUTSIDE // ASA-specific command: ISAKMP is enabled per interface, here on the interface that terminates the tunnel
- ASA1(config)# crypto isakmp policy 10
- ASA1(config-isakmp)# authentication pre-share
- ASA1(config-isakmp)# encryption 3des
- ASA1(config-isakmp)# hash sha
- ASA1(config-isakmp)# group 2
Step 4: Tunnel Group
- ASA1(config)# tunnel-group BRANCH type remote-access
- ASA1(config)# tunnel-group BRANCH general-attributes
- ASA1(config-tunnel-general)# default-group-policy EZ-POLICY
- ASA1(config)# tunnel-group BRANCH ipsec-attributes
- ASA1(config-tunnel-ipsec)# pre-shared-key cisco123
- ASA1(config-tunnel-ipsec)# isakmp ikev1-user-authentication none // Disables XAUTH (Phase 1.5) user authentication. If this command is omitted, remember to create a username and password for XAUTH.
Step 5: IPSec Transform Set
- ASA1(config)# crypto ipsec transform-set TSET esp-3des esp-sha-hmac
Step 6: Dynamic Map and Static Map
- ASA1(config)# crypto dynamic-map DMAP 10 set transform-set TSET
- ASA1(config)# crypto map CMAP 10 ipsec-isakmp dynamic DMAP
- ASA1(config)# crypto map CMAP interface OUTSIDE
Client Configurations:
Step 1: Crypto IPSec Client
- R2(config)# crypto ipsec client ezvpn HQ
- R2(config-crypto-ezvpn)# connect auto
- R2(config-crypto-ezvpn)# group BRANCH key cisco123
- R2(config-crypto-ezvpn)# mode network-extension
- R2(config-crypto-ezvpn)# peer 20.1.105.10
Step 2: Define the Inside and Outside Interfaces
- R2(config)# int lo 0
- R2(config-if)# crypto ipsec client ezvpn inside
- R2(config)# int f0/0
- R2(config-if)# crypto ipsec client ezvpn outside
At this point R2 downloads its configuration from the ASA, but a ping from R2's loopback to R1's loopback still fails because the ASA has no route to 1.1.1.1 or 2.2.2.2:
- ASA(config)# route INSIDE 1.1.1.1 255.255.255.255 10.1.110.1
- ASA(config)# route OUTSIDE 2.2.2.2 255.255.255.255 20.1.105.5
Verifications:
R2#ping 1.1.1.1 so lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =
68/96/180 ms
R2#ping 11.1.1.1 so lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
UUUUU
Success rate is 0 percent (0/5)
R2#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
20.1.105.10 30.1.52.2 QM_IDLE 1014 0 ACTIVE
IPv6 Crypto ISAKMP SA
R2#sh crypto ip sa
interface: FastEthernet0/0
Crypto map tag: FastEthernet0/0-head-0, local addr 30.1.52.2
protected vrf: (none)
local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer 20.1.105.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 30.1.52.2, remote crypto endpt.: 20.1.105.10
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x9F19CC(10426828)
*******************OUTPUT OMITTED************************
R2#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 6
Tunnel name : HQ
Inside interface list: Loopback0
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Disallowed
Split Tunnel List: 1
Address : 1.1.1.1
Mask : 255.255.255.255
Protocol : 0x0
Source Port: 0
Dest Port : 0
Current EzVPN Peer: 20.1.105.10
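The split-tunnel policy in Step 2 of the server configuration decides which traffic the client encrypts, and the verification section shows how to confirm that the resulting SA carries exactly that traffic. The following Python script is an added example (not part of the original lab notes) that does both checks offline: it evaluates a destination against the pushed split-tunnel list, and it parses a constructed copy of the `show crypto ipsec sa` output above to confirm the negotiated proxy identities match the policy and that packets are being encrypted and decrypted without errors. The split-tunnel list, the sample output and all function names are assumptions made for the example.

```python
"""Check an Easy VPN NEM split-tunnel policy against 'show crypto ipsec sa' output.

Added example; the split-tunnel list and the sample output below are constructed
from the lab's ENCRYPT_TRAFFIC ACL and the R2 verification output.
"""
import ipaddress
import re

# Split-tunnel list the ASA pushes to the client (ENCRYPT_TRAFFIC): host 1.1.1.1 only.
SPLIT_TUNNEL_LIST = [("1.1.1.1", "255.255.255.255")]

# Constructed sample of the relevant lines from 'show crypto ipsec sa' on R2.
SAMPLE_IPSEC_SA = """\
interface: FastEthernet0/0
Crypto map tag: FastEthernet0/0-head-0, local addr 30.1.52.2
protected vrf: (none)
local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer 20.1.105.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#send errors 0, #recv errors 0
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/(\d+)/(\d+)\)")
PEER_RE = re.compile(r"current_peer (\S+) port (\d+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify): (\d+)")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def is_tunneled(dst_ip, split_list=SPLIT_TUNNEL_LIST):
    """True if traffic to dst_ip matches a split-tunnel entry and is therefore encrypted.

    With 'split-tunnel-policy tunnelspecified', anything not matched leaves the
    client's outside interface in the clear.
    """
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in ipaddress.ip_network(f"{a}/{m}", strict=False) for a, m in split_list)


def parse_ipsec_sa(text):
    """Extract proxy identities, peer and packet counters from 'show crypto ipsec sa' text."""
    sa = {"counters": {}}
    for side, addr, mask, prot, port in IDENT_RE.findall(text):
        sa[side] = {"addr": addr, "mask": mask, "prot": int(prot), "port": int(port)}
    m = PEER_RE.search(text)
    if m:
        sa["peer"], sa["peer_port"] = m.group(1), int(m.group(2))
    for name, val in COUNTER_RE.findall(text):
        sa["counters"][name] = int(val)
    m = ERR_RE.search(text)
    if m:
        sa["send_errors"], sa["recv_errors"] = int(m.group(1)), int(m.group(2))
    return sa


def sa_healthy(sa):
    """True when the SA has carried packets in both directions with no send/recv errors."""
    c = sa["counters"]
    return (c.get("encaps", 0) > 0 and c.get("decaps", 0) > 0
            and sa.get("send_errors", 0) == 0 and sa.get("recv_errors", 0) == 0)


def sa_matches_policy(sa, split_list=SPLIT_TUNNEL_LIST):
    """True when the negotiated remote proxy identity lies inside the split-tunnel list."""
    remote = sa.get("remote")
    if not remote:
        return False
    remote_net = ipaddress.ip_network(f"{remote['addr']}/{remote['mask']}", strict=False)
    return any(remote_net.subnet_of(ipaddress.ip_network(f"{a}/{m}", strict=False))
               for a, m in split_list)


if __name__ == "__main__":
    for dst in ("1.1.1.1", "11.1.1.1"):
        print(f"{dst}: {'encrypted' if is_tunneled(dst) else 'sent in the clear'}")
    sa = parse_ipsec_sa(SAMPLE_IPSEC_SA)
    print(f"peer {sa['peer']}, local {sa['local']['addr']} -> remote {sa['remote']['addr']}")
    print(f"healthy={sa_healthy(sa)} matches_policy={sa_matches_policy(sa)}")
```

Running the script reproduces the lab result: 1.1.1.1 is the only destination that is tunneled, 11.1.1.1 is not, and the parsed SA shows 2.2.2.2 to 1.1.1.1 with five packets encrypted and decrypted and no errors. The same parser can be pointed at live output to catch an SA whose encaps counter rises while decaps stays at zero, which is the usual sign of a missing return route such as the ones added on the ASA above.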
[Image: EASY VPN ASA & Router Config Comparison]