Cisco ASA: Site-to-Site VPN Configuration Example

With this article I want to show a basic configuration example of how to establish a site-to-site VPN between two Cisco ASAs. Even though it is more comfortable to configure this kind of thing using the ASDM GUI, I thought it was a pretty good exercise to try to set everything up on the console.

Goal

  • Monitor asaSiteA via SNMP and ICMP ping from the hosts hostSiteB-SNMP and hostSiteB-Ping
  • Send asaSiteA syslog messages to hostSiteB-Syslog
  • Relay DNS queries sent to asaSiteA to hostSiteB-DNS
  • Allow access from netSiteA to a web service hosted on hostSiteB-WWW
  • Tunnel all traffic between netSiteA and netSiteB

Network Diagram


 +-----------------------+          +---------------------------------+
 | netSiteA              |          | netSiteB                        |
 |-----------------------|          |---------------------------------|
 |             +--------+|          |+--------+     +----------------+|
 |             |asaSiteA|<---------->|asaSiteB+--+--+hostSiteB-SNMP  ||
 |             +--------+|          |+--------+  |  +----------------+|
 +-----------------------+          |            |--+hostSiteB-WWW   ||
                                    |            |  +----------------+|
 +---------------------------+      |            |--+hostSiteB-Syslog||
 | Network Entities          |      |            |  +----------------+|
 |---------------------------|      |            |--+hostSiteB-DNS   ||
 |netSiteA: 10.0.1.0/24      |      |            |  +----------------+|
 |netSiteB: 10.0.2.0/24      |      |            +--+hostSiteB-Ping  ||
 |                           |      |               +----------------+|
 |asaSiteA-int:  10.0.1.1    |      +---------------------------------+
 |asaSiteA-ext: 10.0.10.1    |
 |                           |
 |asaSiteB-int:  10.0.2.1    |
 |asaSiteB-ext: 10.0.20.1    |
 |                           |
 |hostSiteB-Syslog: 10.0.2.10|
 |hostSiteB-SNMP:   10.0.2.11|
 |hostSiteB-Ping:   10.0.2.12|
 |hostSiteB-DNS:    10.0.2.13|
 |hostSiteB-WWW:    10.0.2.14|
 +---------------------------+

Config of asaSiteA (only relevant parts)


! Object definitions
name asaSiteA-int 10.0.1.1
name asaSiteA-ext 10.0.10.1
name asaSiteB-ext 10.0.20.1

object network netSiteA
 subnet 10.0.1.0 255.255.255.0

object network netSiteB
 subnet 10.0.2.0 255.255.255.0

object network hostSiteB-Syslog
 host 10.0.2.10

object network hostSiteB-SNMP
 host 10.0.2.11

object network hostSiteB-Ping
 host 10.0.2.12

object network hostSiteB-DNS
 host 10.0.2.13

object network hostSiteB-WWW
 host 10.0.2.14

object service dns
 service udp destination eq domain
 description dns

! Interface settings
interface Ethernet0/0
 nameif int
 security-level 100
 ip address asaSiteA-int 255.255.255.0

interface Ethernet0/1
 nameif ext
 security-level 0
 ip address asaSiteA-ext 255.255.255.0

! Traffic that gets encrypted and sent through VPN
access-list acl_crypt remark Crypt_IP_netSiteA_to_netSiteB
access-list acl_crypt extended permit ip object netSiteA object netSiteB

! ACE for interface "ext"
access-list acl_ext_in remark Allow_ICMP_hostSiteB-Ping_to_netSiteA
access-list acl_ext_in extended permit icmp object hostSiteB-Ping object netSiteA log
access-list acl_ext_in remark Allow_SNMP_hostSiteB-SNMP_to_netSiteA
access-list acl_ext_in extended permit udp object hostSiteB-SNMP object netSiteA eq snmp log
access-list acl_ext_in remark Default_Deny
access-list acl_ext_in extended deny ip any any log

! ACE for interface "int" -> allow all outbound IP traffic to netSiteB
access-list acl_int_in remark Allow_IP_netSiteA_to_netSiteB
access-list acl_int_in extended permit ip object netSiteA object netSiteB log
access-list acl_int_in remark Default_Deny
access-list acl_int_in extended deny ip any any log

! Mapping ACEs to interfaces
access-group acl_ext_in in interface ext
access-group acl_int_in in interface int

! Setting up VPN parameters
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map ext_map 100 match address acl_crypt
crypto map ext_map 100 set pfs group5
crypto map ext_map 100 set peer asaSiteB-ext
crypto map ext_map 100 set ikev1 transform-set ESP-AES-256-SHA
crypto map ext_map interface ext
crypto ikev1 enable ext
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

! Setting up VPN tunnels
tunnel-group asaSiteB-ext type ipsec-l2l
tunnel-group asaSiteB-ext general-attributes
 default-group-policy Policy_L2L
tunnel-group asaSiteB-ext ipsec-attributes
 ikev1 pre-shared-key 1234

! Allow management access (e.g. SNMP polling over the VPN) via interface int
management-access int

! Enable syslog logging to SiteB
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging asdm notifications
logging host int hostSiteB-Syslog
logging permit-hostdown

! Enable SNMP
snmp-server group authPriv v3 priv
snmp-server user snmpuser authPriv v3 encrypted auth md5 xxx priv des xxx
snmp-server host int hostSiteB-SNMP poll version 3 snmpuser

! Relay (twice NAT) DNS queries sent to asaSiteA to hostSiteB-DNS
nat (int,ext) source static any any destination static interface hostSiteB-DNS service dns dns

Config of asaSiteB (only relevant parts)


! Object definitions
name asaSiteA-int 10.0.1.1
name asaSiteA-ext 10.0.10.1
name asaSiteB-int 10.0.2.1
name asaSiteB-ext 10.0.20.1

object network netSiteA
 subnet 10.0.1.0 255.255.255.0

object network netSiteB
 subnet 10.0.2.0 255.255.255.0

object network hostSiteB-Syslog
 host 10.0.2.10

object network hostSiteB-SNMP
 host 10.0.2.11

object network hostSiteB-Ping
 host 10.0.2.12

object network hostSiteB-DNS
 host 10.0.2.13

object network hostSiteB-WWW
 host 10.0.2.14

! Interface settings
interface Ethernet0/0
 nameif int
 security-level 100
 ip address asaSiteB-int 255.255.255.0

interface Ethernet0/1
 nameif ext
 security-level 0
 ip address asaSiteB-ext 255.255.255.0

! Traffic that gets encrypted and sent through VPN
access-list acl_crypt remark Crypt_IP_netSiteB_to_netSiteA
access-list acl_crypt extended permit ip object netSiteB object netSiteA

! ACE for interface "ext"
access-list acl_ext_in remark Allow_Syslog_asaSiteA-int_to_hostSiteB-Syslog
access-list acl_ext_in extended permit udp host asaSiteA-int object hostSiteB-Syslog eq syslog log
access-list acl_ext_in remark Allow_SNMP_asaSiteA-int_to_hostSiteB-SNMP
access-list acl_ext_in extended permit udp host asaSiteA-int object hostSiteB-SNMP eq snmp log
access-list acl_ext_in remark Allow_DNS_netSiteA_to_hostSiteB-DNS
access-list acl_ext_in extended permit udp object netSiteA object hostSiteB-DNS eq domain log
access-list acl_ext_in remark Allow_WWW_netSiteA_to_hostSiteB-WWW
access-list acl_ext_in extended permit tcp object netSiteA object hostSiteB-WWW eq www log
access-list acl_ext_in remark Default_Deny
access-list acl_ext_in extended deny ip any any log

! ACE for interface "int" -> allow all outbound IP traffic to netSiteA
access-list acl_int_in remark Allow_IP_netSiteB_to_netSiteA
access-list acl_int_in extended permit ip object netSiteB object netSiteA log
access-list acl_int_in remark Default_Deny
access-list acl_int_in extended deny ip any any log

! Mapping ACEs to interfaces
access-group acl_ext_in in interface ext
access-group acl_int_in in interface int

! Setting up VPN parameters
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map ext_map 100 match address acl_crypt
crypto map ext_map 100 set pfs group5
crypto map ext_map 100 set peer asaSiteA-ext
crypto map ext_map 100 set ikev1 transform-set ESP-AES-256-SHA
crypto map ext_map interface ext
crypto ikev1 enable ext
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

! Setting up VPN tunnels
tunnel-group asaSiteA-ext type ipsec-l2l
tunnel-group asaSiteA-ext general-attributes
 default-group-policy Policy_L2L
tunnel-group asaSiteA-ext ipsec-attributes
 ikev1 pre-shared-key 1234

! Allow management access (e.g. SNMP polling) via interface int
management-access int

! Enable syslog logging to SiteB
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging asdm notifications
logging host int hostSiteB-Syslog
logging permit-hostdown

! Enable SNMP
snmp-server group authPriv v3 priv
snmp-server user snmpuser authPriv v3 encrypted auth md5 xxx priv des xxx
snmp-server host int hostSiteB-SNMP poll version 3 snmpuser
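The two configurations have to be mirror images of each other for the tunnel to come up, and the usual reason an IKEv1 L2L tunnel stays down is a single parameter that is not. The following script is an added example, not code from the article or from Cisco: it parses the VPN-relevant lines of both sides (constructed excerpts of the two configs above, generated from one template) and reports peers, crypto ACLs, transform sets, PFS groups, IKE policies and pre-shared keys that do not line up. The parser assumes the layout used on this page (network objects referenced directly in the crypto ACL, one crypto map entry per side). Two things worth knowing about the configs above that the script does not check: the ASA applies sysopt connection permit-vpn by default, so the acl_ext_in rules are bypassed for decrypted tunnel traffic unless no sysopt connection permit-vpn is configured, and the pre-shared key 1234 as well as the MD5/DES SNMPv3 settings are placeholders that a production tunnel would replace with a long random key and SHA/AES.

```python
"""Mirror check for an ASA IKEv1 site-to-site VPN pair (added example, not the article's own code).
Parses the VPN-relevant lines of both configs and reports parameters that are not mirror images."""
import ipaddress

def site_config(my_ip, peer, peer_ip, local_net, remote_net):
    """Constructed config excerpt for one side, laid out like asaSiteA / asaSiteB in the article."""
    return f"""\
name {peer}-ext {peer_ip}
object network {local_net[0]}
 subnet {local_net[1]}
object network {remote_net[0]}
 subnet {remote_net[1]}
interface Ethernet0/1
 nameif ext
 ip address {my_ip} 255.255.255.0
access-list acl_crypt extended permit ip object {local_net[0]} object {remote_net[0]}
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map ext_map 100 match address acl_crypt
crypto map ext_map 100 set pfs group5
crypto map ext_map 100 set peer {peer}-ext
crypto map ext_map 100 set ikev1 transform-set ESP-AES-256-SHA
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
tunnel-group {peer}-ext ipsec-attributes
 ikev1 pre-shared-key 1234
"""

NET_A, NET_B = ("netSiteA", "10.0.1.0 255.255.255.0"), ("netSiteB", "10.0.2.0 255.255.255.0")
ASA_SITE_A = site_config("10.0.10.1", "asaSiteB", "10.0.20.1", NET_A, NET_B)
ASA_SITE_B = site_config("10.0.20.1", "asaSiteA", "10.0.10.1", NET_B, NET_A)

def parse_asa(text):
    """Extract names, objects, ext address, crypto ACLs, transform sets, crypto map, IKE policies, PSKs."""
    c = {"names": {}, "objects": {}, "ext_ip": None, "acl": {}, "ts": {}, "map": {}, "policies": {}, "psk": {}}
    ctx = None  # (kind, ref) of the sub-mode that following indented lines belong to
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if not line.startswith(" "):  # a top-level command ends any sub-mode
            ctx = None
            if t[0] == "name":
                c["names"][t[1]] = t[2]
            elif t[:2] == ["object", "network"]:
                ctx = ("object", t[2])
            elif t[0] == "interface":
                ctx = ("interface", {})
            elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
                c["acl"].setdefault(t[1], []).append((t[6], t[8]))  # ... object SRC object DST
            elif t[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
                c["ts"][t[4]] = tuple(t[5:])
            elif t[:2] == ["crypto", "map"] and t[3].isdigit():
                entry = c["map"].setdefault((t[2], int(t[3])), {})
                key = "acl" if t[4] == "match" else ("ts" if t[5] == "ikev1" else t[5])
                entry[key] = t[-1]  # ACL name, pfs group, peer name or transform-set name
            elif t[:3] == ["crypto", "ikev1", "policy"]:
                ctx = ("policy", c["policies"].setdefault(int(t[3]), {}))
            elif t[0] == "tunnel-group" and t[2] == "ipsec-attributes":
                ctx = ("tunnel", t[1])
        elif ctx:
            kind, ref = ctx
            if kind == "object":  # "subnet ADDR MASK" or "host ADDR", normalised to CIDR text
                c["objects"][ref] = str(ipaddress.ip_network("/".join(t[1:])))
            elif kind == "interface" and t[0] == "nameif":
                ref["nameif"] = t[1]
            elif kind == "interface" and t[:2] == ["ip", "address"] and ref.get("nameif") == "ext":
                c["ext_ip"] = c["names"].get(t[2], t[2])
            elif kind == "policy":
                ref[t[0]] = t[1]
            elif kind == "tunnel" and t[1] == "pre-shared-key":
                c["psk"][ref] = t[2]
    return c

def check_pair(a, b):
    """Return the mismatches between side A and side B; an empty list means the pair is consistent."""
    findings = []
    acl = lambda c, e: {(c["objects"][s], c["objects"][d]) for s, d in c["acl"].get(e.get("acl"), [])}
    psk = lambda c: {c["names"].get(k, k): v for k, v in c["psk"].items()}  # keyed by peer address
    ike = lambda c: {tuple(p.get(k) for k in ("authentication", "encryption", "hash", "group"))
                     for p in c["policies"].values()}
    if psk(a).get(b["ext_ip"]) != psk(b).get(a["ext_ip"]):
        findings.append("pre-shared key for the peer differs or is missing on one side")
    if not ike(a) & ike(b):
        findings.append("no IKEv1 policy is common to both sides")
    # the article has one crypto map entry per side; compare the entries in sequence order
    for (_, ea), (_, eb) in zip(sorted(a["map"].items()), sorted(b["map"].items())):
        for local, remote, e in ((a, b, ea), (b, a, eb)):
            if local["names"].get(e.get("peer"), e.get("peer")) != remote["ext_ip"]:
                findings.append(f"crypto map peer {e.get('peer')} is not the other side's ext address")
        if ea.get("pfs") != eb.get("pfs"):
            findings.append(f"pfs differs: {ea.get('pfs')} vs {eb.get('pfs')}")
        if a["ts"].get(ea.get("ts")) != b["ts"].get(eb.get("ts")):
            findings.append("transform-set differs")
        if acl(a, ea) != {(d, s) for s, d in acl(b, eb)}:
            findings.append("crypto ACL on side B is not the mirror of side A's")
    return findings
```

check_pair(parse_asa(ASA_SITE_A), parse_asa(ASA_SITE_B)) returns an empty list for the two excerpts; feeding it the show running-config output of two real ASAs gives a findings list that is the first thing to read when show crypto ikev1 sa stays empty.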

Remarks
Unfortunately, I could not test this setup 1:1, but it was derived from an actually running configuration I recently had to set up. If you think something seems wrong, please drop me a comment.

Further Reference
Cisco ASA Config Guide
asciiflow – an online tool to draw ASCII network plans

IronPort ESA LDAP Accept Query – Disabled AD Accounts

I recently had the opportunity to work on a project where I had to set up and implement an e-mail gateway using Cisco IronPort Email Security Appliances (ESA) and stumbled over an interesting issue.

If you verify the recipients of incoming mails against an internal Active Directory (i.e. only accept mail for people who have an e-mail address associated with their account in Active Directory), you might find this useful:

To prevent the ESAs from accepting mail for disabled accounts, you have to use a custom accept query:


(&(|(mail={a})(proxyAddresses=smtp:{a}))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

This query takes into account that Active Directory marks disabled accounts by setting the flag 0x0002 (decimal 2) in the userAccountControl bitmask. The ":1.2.840.113556.1.4.803:=" part is the LDAP_MATCHING_RULE_BIT_AND extensible match, which is true only if the given bits are set in the attribute value, so the (!...) clause excludes exactly the disabled accounts.

For comparison, this is the default accept query:


(|(mail={a})(proxyAddresses=smtp:{a}))
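To make visible what the two queries do, here is an added example (not part of the article, and not ESA code) that parses the accept-query syntax and evaluates both queries against a few constructed Active Directory entries: an enabled user (userAccountControl 512), a disabled user (514 = 512 + 2), a user whose only extra flag is DONT_EXPIRE_PASSWORD (65536, so no ACCOUNTDISABLE bit) and a user who is reachable only via a secondary proxyAddresses alias. The default query accepts the disabled account; the custom query rejects it and only it.

```python
"""Evaluate the two ESA accept-queries above against constructed AD entries (added example, not the
article's own code). Implements only the RFC 4515 filter subset the queries use, including the
LDAP_MATCHING_RULE_BIT_AND extensible match (OID 1.2.840.113556.1.4.803) on userAccountControl."""

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # matching rule: true if all bits of the asserted value are set
ACCOUNTDISABLE = 0x0002                   # userAccountControl bit Active Directory sets on disabled accounts

DEFAULT_QUERY = "(|(mail={a})(proxyAddresses=smtp:{a}))"
CUSTOM_QUERY = f"(&(|(mail={{a}})(proxyAddresses=smtp:{{a}}))(!(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE})))"

# Constructed directory entries; attribute values are lists, as an LDAP search returns them.
DIRECTORY = [
    {"mail": ["alice@example.test"], "proxyAddresses": ["SMTP:alice@example.test"], "userAccountControl": ["512"]},
    {"mail": ["bob@example.test"], "proxyAddresses": ["SMTP:bob@example.test"], "userAccountControl": ["514"]},
    {"mail": ["carol@example.test"], "userAccountControl": ["66048"]},  # 512 | 65536, still enabled
    {"proxyAddresses": ["SMTP:dave@example.test", "smtp:dave.alias@example.test"], "userAccountControl": ["512"]},
]

def parse_filter(s, i=0):
    """Recursive-descent parser for (&..)(|..)(!..)(attr=value)(attr:ruleOID:=value); returns (node, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1  # skip the closing ')'
    if s[i] == "!":
        kid, i = parse_filter(s, i + 1)
        return ("!", [kid]), i + 1
    end = s.index(")", i)
    lhs, value = s[i:end].split("=", 1)
    if lhs.endswith(":"):  # extensible match: attr:matchingRuleOID:=value
        attr, rule = lhs[:-1].split(":")
        return ("ext", attr, rule, value), end + 1
    return ("eq", lhs, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of attribute -> list of string values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    values = entry.get(node[1], [])
    if kind == "eq":  # mail and proxyAddresses are matched case-insensitively by AD
        return any(v.lower() == node[2].lower() for v in values)
    if node[2] == BIT_AND_RULE:  # bitwise AND: every bit of the asserted value must be set
        mask = int(node[3])
        return any((int(v) & mask) == mask for v in values)
    raise ValueError("unsupported matching rule " + node[2])

def accept(query, recipient, directory=DIRECTORY):
    """ESA-style accept decision: substitute the recipient address for {a}, accept if any entry matches."""
    node, _ = parse_filter(query.replace("{a}", recipient))
    return any(matches(node, e) for e in directory)

if __name__ == "__main__":
    for addr in ("alice@example.test", "bob@example.test", "carol@example.test", "dave.alias@example.test"):
        print(f"{addr:26} default={accept(DEFAULT_QUERY, addr)!s:5} custom={accept(CUSTOM_QUERY, addr)}")
```

The bitwise matching rule is what makes the exclusion precise: a plain (userAccountControl=2) would never match, because the attribute always carries other bits (512 for a normal account) as well.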

Links
http://support.microsoft.com/kb/305144
http://msdn.microsoft.com/en-us/library/windows/desktop/ms680832%28v=vs.85%29.aspx