VPN Tunnel Configuration Guide on Cisco ASA

By | July 12, 2013

Configuring a site-to-site VPN tunnel via the command line. The configuration below is taken from the Amazon-generated template, which uses lower-strength encryption algorithms. Anything beginning with ! is informational.

! You may need to populate these values throughout the config based on your setup:
! <outside_interface> - External interface of the ASA
! <outside_access_in> - Inbound ACL on the external interface
! <amzn_vpn_map> - Outside crypto map
! <vpc_subnet> and <vpc_subnet_mask> - VPC address range
! <local_subnet> and <local_subnet_mask> - Local subnet address range
! <sla_monitor_address> - Target address that is part of acl-amzn to run SLA monitoring

! --------------------------------------------------------------------------------
! IPSec Tunnels
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
!
! Note that there is a global list of ISAKMP policies, each identified by
! sequence number. This policy is defined as #201, which may conflict with
! an existing policy using the same number. If so, we recommend changing
! the sequence number to avoid conflicts.
!
crypto isakmp identity address
crypto isakmp enable <outside_interface>
crypto isakmp policy 201
encryption aes
authentication pre-share
group 2
lifetime 28800
hash sha
exit
!
! The tunnel group sets the Pre Shared Key used to authenticate the
! tunnel endpoints.
!
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
pre-shared-key $$abcdefghijklmopqrstuvwxyz0987654321$$
!
! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
isakmp keepalive threshold 10 retry 3
exit
!
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
pre-shared-key $$abcdefghijklmopqrstuvwxyz0987654321$$
!
! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
isakmp keepalive threshold 10 retry 3
exit

! --------------------------------------------------------------------------------
! #2: Access List Configuration
!
! Access lists are configured to permit creation of tunnels and to send applicable traffic over them.
! This policy may need to be applied to an inbound ACL on the outside interface that is used to manage control-plane traffic.
! This is to allow VPN traffic into the device from the Amazon endpoints.
!
access-list <outside_access_in> extended permit ip host XXX.XXX.XXX.XXX host XXX.XXX.XXX.XXX
access-list <outside_access_in> extended permit ip host XXX.XXX.XXX.XXX host XXX.XXX.XXX.XXX
! The following access list named acl-amzn specifies all traffic that needs to be routed to the VPC. Traffic will
! be encrypted and transmitted through the tunnel to the VPC. Association with the IPSec security association
! is done through the "crypto map" command.
!
! This access list should contain a static route corresponding to your VPC CIDR and allow traffic from any subnet.
! If you do not wish to use the "any" source, you must use a single access-list entry for accessing the VPC range.
! If you specify more than one entry for this ACL without using "any" as the source, the VPN will function erratically.
! See section #4 regarding how to restrict the traffic going over the tunnel.
!
!
access-list acl-amzn extended permit ip any <vpc_subnet> <vpc_subnet_mask>

! --------------------------------------------------------------------------------
! #3: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
!
crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac
! The crypto map references the IPSec transform set and further defines
! the Diffie-Hellman group and security association lifetime. The mapping is created
! as #1, which may conflict with an existing crypto map using the same
! number. If so, we recommend changing the mapping number to avoid conflicts.
!
crypto map <amzn_vpn_map> 1 match address acl-amzn
crypto map <amzn_vpn_map> 1 set pfs group2
crypto map <amzn_vpn_map> 1 set peer XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
crypto map <amzn_vpn_map> 1 set transform-set transform-amzn
!
! Only set this if you do not already have an outside crypto map, and it is not applied:
!
crypto map <amzn_vpn_map> interface <outside_interface>
!
! Additional parameters of the IPSec configuration are set here. Note that
! these parameters are global and therefore impact other IPSec
! associations.
! Set security association lifetime until it is renegotiated.
crypto ipsec security-association lifetime seconds 3600
!
! This option instructs the firewall to clear the "Don't Fragment"
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
crypto ipsec df-bit clear-df <outside_interface>
!
! This configures the gateway's window for accepting out-of-order
! IPSec packets. A larger window can be helpful if too many packets
! are dropped due to reordering while in transit between gateways.
!
crypto ipsec security-association replay window-size 128
!
! This option instructs the firewall to fragment the unencrypted packets
! (prior to encryption).
!
crypto ipsec fragmentation before-encryption <outside_interface>
!
! This option causes the firewall to reduce the Maximum Segment Size of
! TCP packets to prevent packet fragmentation.
sysopt connection tcpmss 1387
!
! In order to keep the tunnel in an active state, the ASA needs to send traffic to the subnet
! defined in acl-amzn. SLA monitoring can be configured to send pings to a destination in the subnet and
! keep the tunnel active. A possible destination for the ping is the VPC Gateway IP, which is the
! first IP address in one of your subnets.
! For example: a VPC with a CIDR range of 192.168.50.0/24 will have a gateway: 192.168.50.1.
!
! The monitor is created as #1, which may conflict with an existing monitor using the same
! number. If so, we recommend changing the sequence number to avoid conflicts.
!
sla monitor 1
type echo protocol ipIcmpEcho <sla_monitor_address> interface <outside_interface>
frequency 5
exit
sla monitor schedule 1 life forever start-time now
!
! The firewall must allow ICMP packets in order to use "sla monitor".
icmp permit any <outside_interface>

! --------------------------------------------------------------------------------
! #4: VPN Filter
! The VPN Filter will restrict traffic that is permitted through the tunnels. By default all traffic is denied.
! The first entry provides an example to include traffic between your VPC Address space and your office.
! You may need to run 'clear crypto isakmp sa' in order for the filter to take effect.
!
! access-list amzn-filter extended permit ip <vpc_subnet> <vpc_subnet_mask> <local_subnet> <local_subnet_mask>
access-list amzn-filter extended deny ip any any
group-policy filter internal
group-policy filter attributes
vpn-filter value amzn-filter
tunnel-group XXX.XXX.XXX.XXX general-attributes
default-group-policy filter
exit
tunnel-group XXX.XXX.XXX.XXX general-attributes
default-group-policy filter
exit

! --------------------------------------------------------------------------------
! #5: NAT Exemption
! If you are performing NAT on the ASA you will have to add a nat exemption rule.
! This varies depending on how NAT is set up. It should be configured along the lines of:
! object network obj-SrcNet
! subnet 0.0.0.0 0.0.0.0
! object network obj-amzn
! subnet <vpc_subnet> <vpc_subnet_mask>
! nat (inside,outside) 1 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
! If using version 8.2 or older, the entry would need to look something like this:
! nat (inside) 0 access-list acl-amzn
! Or, the same rule in acl-amzn should be included in an existing no nat ACL.
!
! --------------------------------------------------------------------------------
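As an added audit example (not part of the Amazon template or of this post), the following Python script parses a constructed ASA excerpt built from the template above and flags the lower-strength settings the post mentions (DH group 2 for IKE and PFS, SHA-1 for IKE and ESP integrity), plus a vpn-filter whose only entry is the deny, which is how section #4 ships before you uncomment the permit line. The crypto map name and the config values are assumed placeholders, not a real device's configuration.

```python
import re

# Constructed ASA excerpt following the template on this page (made-up values).
SAMPLE_CONFIG = """\
crypto isakmp policy 201
encryption aes
authentication pre-share
group 2
lifetime 28800
hash sha
exit
crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac
crypto map amzn_vpn_map 1 match address acl-amzn
crypto map amzn_vpn_map 1 set pfs group2
access-list amzn-filter extended deny ip any any
vpn-filter value amzn-filter
"""
# DH groups 1, 2 and 5 are 768-, 1024- and 1536-bit MODP, i.e. below 2048 bits.
WEAK_DH = {"1", "2", "5"}
WEAK_HASH = {"sha": "SHA-1", "md5": "MD5", "esp-sha-hmac": "SHA-1", "esp-md5-hmac": "MD5"}

def audit_asa_vpn(config):
    """Return findings for weak IKE/IPsec crypto and for a vpn-filter that permits nothing."""
    findings, policy, acls, filters = [], None, {}, []
    for line in (ln.strip() for ln in config.splitlines()):
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            policy = m.group(1)                     # entering a policy block
        elif policy and line == "exit":
            policy = None
        elif policy:                                # sub-commands of the policy
            key, _, val = line.partition(" ")
            if key == "group" and val in WEAK_DH:
                findings.append(f"isakmp policy {policy}: DH group {val} below 2048-bit")
            if key == "hash" and val in WEAK_HASH:
                findings.append(f"isakmp policy {policy}: IKE hash {WEAK_HASH[val]}")
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            for alg in m.group(2).split():
                if alg in WEAK_HASH:
                    findings.append(f"transform-set {m.group(1)}: ESP integrity {WEAK_HASH[alg]}")
        elif m := re.match(r"crypto map (\S+) (\d+) set pfs group(\d+)", line):
            if m.group(3) in WEAK_DH:
                findings.append(f"crypto map {m.group(1)} {m.group(2)}: PFS group {m.group(3)} below 2048-bit")
        elif m := re.match(r"access-list (\S+) extended (permit|deny) ", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"vpn-filter value (\S+)", line):
            filters.append(m.group(1))
    for name in filters:                            # section #4 ships with only a deny entry
        if "permit" not in acls.get(name, []):
            findings.append(f"vpn-filter {name}: no permit entry, tunnel passes no traffic")
    return findings
```

Run `audit_asa_vpn(SAMPLE_CONFIG)` against the excerpt to list the five findings; feed it a `show running-config` capture from your own ASA to check the live settings.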