Friday, December 4, 2009

Configuring QoS for VoIP Traffic on Cisco ASA VPN Tunnels

Based on DSCP:

priority-queue outside
queue-limit 2048
tx-ring-limit 256
!
class-map Voice
match dscp ef
class-map Data
match tunnel-group 10.1.2.1
match flow ip destination-address

policy-map Voicepolicy
class Voice
priority
class Data
police output 200000 37500

service-policy Voicepolicy interface outside


Based on ACL:

access-list 100 extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0 eq h323
access-list 100 extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0 eq sip
access-list 100 extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 2000

access-list 105 extended permit tcp 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0 eq h323
access-list 105 extended permit tcp 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0 eq sip
access-list 105 extended permit tcp 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0 eq 2000

access-group 100 in interface outside

class-map Voice-OUT
match access-list 105
class-map Voice-IN
match access-list 100

inspect h323 h225
inspect h323 ras
inspect skinny
inspect sip

policy-map Voicepolicy
class Voice-IN
class Voice-OUT
priority

service-policy Voicepolicy interface outside

Show commands to verify:

show running-config policy-map
show service-policy interface outside
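To make the difference between the two classification styles concrete, here is an added Python model (my own code, not from the original post and not Cisco code) that parses the page's access-lists 100 and 105, classifies a few constructed packets the way the class-maps above would, and shows that the ACL version matches only the TCP signalling ports while the DSCP version also catches EF-marked RTP media. Only the voice class is modelled; the Packet type, the h323/sip port resolution (1720 and 5060) and the sample packets are my assumptions.

```python
import ipaddress
from dataclasses import dataclass

DSCP_EF = 46                                   # "match dscp ef": Expedited Forwarding
SERVICE_PORTS = {"h323": 1720, "sip": 5060}    # ASA service names in the ACLs; 2000 is written numerically

@dataclass
class Packet:                 # constructed packet model, only the fields classification needs
    src: str
    dst: str
    proto: str                # "tcp" or "udp"
    dport: int
    dscp: int = 0

@dataclass
class Ace:
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int

def dscp_to_tos(dscp):
    """DSCP is the top six bits of the IP ToS byte (EF -> 0xB8)."""
    return dscp << 2

def parse_ace(line):
    """Parse 'access-list N extended permit <proto> <src> <mask> <dst> <mask> eq <port>'."""
    f = line.split()
    if f[2:4] != ["extended", "permit"] or f[9] != "eq":
        raise ValueError(f"unsupported ACE: {line}")
    return Ace(f[4],
               ipaddress.ip_network(f"{f[5]}/{f[6]}"),
               ipaddress.ip_network(f"{f[7]}/{f[8]}"),
               SERVICE_PORTS.get(f[10]) or int(f[10]))

def parse_acl(text):
    return [parse_ace(l) for l in text.splitlines() if l.strip()]

def acl_matches(aces, pkt):
    return any(a.proto == pkt.proto and a.dport == pkt.dport
               and ipaddress.ip_address(pkt.src) in a.src
               and ipaddress.ip_address(pkt.dst) in a.dst for a in aces)

def classify(pkt, class_maps):
    """class_maps is an ordered list of (name, predicate), like the classes of a
    policy-map: the first matching class wins, anything else is class-default."""
    for name, pred in class_maps:
        if pred(pkt):
            return name
    return "class-default"

# The page's access-lists 100 and 105, reused verbatim as input.
ACL_100 = parse_acl("""
access-list 100 extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0 eq h323
access-list 100 extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0 eq sip
access-list 100 extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 2000
""")
ACL_105 = parse_acl("""
access-list 105 extended permit tcp 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0 eq h323
access-list 105 extended permit tcp 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0 eq sip
access-list 105 extended permit tcp 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0 eq 2000
""")

DSCP_POLICY = [("Voice", lambda p: p.dscp == DSCP_EF)]
ACL_POLICY = [("Voice-IN", lambda p: acl_matches(ACL_100, p)),
              ("Voice-OUT", lambda p: acl_matches(ACL_105, p))]

# Constructed sample traffic: SIP signalling, its reply direction, and an EF-marked RTP stream.
SIP_SIGNALING = Packet("172.16.1.10", "10.1.1.5", "tcp", 5060)
SIP_REPLY = Packet("10.1.1.5", "172.16.1.10", "tcp", 5060)
RTP_MEDIA = Packet("172.16.1.10", "10.1.1.5", "udp", 20000, dscp=DSCP_EF)

if __name__ == "__main__":
    for pkt in (SIP_SIGNALING, SIP_REPLY, RTP_MEDIA):
        print(pkt, "DSCP policy ->", classify(pkt, DSCP_POLICY),
              "| ACL policy ->", classify(pkt, ACL_POLICY))
```

Running it shows the practical trade-off: the ACL-based class-maps put the call signalling into the priority queue but leave the RTP media (UDP, high port) in class-default, whereas the DSCP-based class-map prioritises whatever the phones mark EF, signalling or not, so it depends on the marking surviving up to the ASA.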

Configuring a Site to Site VPN between two Cisco ASA Firewalls

Local ASA:
access-list vpn_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

crypto IPSec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map vpn_map 10 match address vpn_cryptomap
crypto map vpn_map 10 set peer 1.1.1.2
crypto map vpn_map 10 set transform-set ESP-AES-256-SHA

crypto map vpn_map interface outside

crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400

crypto isakmp enable outside

tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 IPSec-attributes
pre-shared-key testkey


Remote ASA:
access-list vpn_cryptomap extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

crypto IPSec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map vpn_map 10 match address vpn_cryptomap
crypto map vpn_map 10 set peer 1.1.1.1
crypto map vpn_map 10 set transform-set ESP-AES-256-SHA

crypto map vpn_map interface outside

crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400

crypto isakmp enable outside

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 IPSec-attributes
pre-shared-key testkey

Show commands to verify:

show crypto isakmp sa
show crypto ipsec sa

Thursday, December 3, 2009

Configuring NTP on Cisco ASA Firewall

NIST publishes a list of public Internet Time Servers. The command syntax, followed by an example that uses one of them:

ntp server ip-address [key number] [source if-name] [prefer]
ntp server 64.90.182.55 source outside

Configuring Advanced Syslog on Cisco ASA Firewall

In this example I want to change the default severity level at which user login messages get logged.

Step 1: Find the syslog message ID for when a user logs in:

hostname(config)#show log | include admin
Dec 03 2009 17:32:35: %ASA-6-605005: Login permitted from 192.168.202.51/3507 to inside:192.168.2.20/ssh for user "admin"

Step 2: Find the current logging level for message ID 605005:

hostname(config)#show logging message 605005
syslog 605005: default-level informational (enabled)

Step 3: Change the logging level for message ID 605005 to the warnings level:

hostname(config)#logging message 605005 level warnings

Step 4: Verify the new logging level for message ID 605005:

hostname(config)#show logging message 605005
syslog 605005: default-level informational, current-level warnings (enabled)
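As an added illustration (my code, not part of the original post), the following Python applies the same per-message override to a few syslog lines: it parses the %ASA-severity-id header, reads "logging message ... level ..." statements into an override table, and shows which messages a logging destination set to warnings would receive before and after the change, which is the practical reason for the steps above. The first sample line is the one quoted in Step 1; the other three are constructed, using the standard ASA message IDs 302013 (connection built) and 106023 (denied by access-group).

```python
import re
from collections import Counter

# ASA severity names by number, as used in 'logging message <id> level <name>'; lower is more severe.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]
LEVEL = {name: n for n, name in enumerate(SEVERITY_NAMES)}

HEADER_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
                       r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
LOGIN_RE = re.compile(r'^Login permitted from (?P<src>[\d.]+)/\d+ to (?P<ifc>\w+):'
                      r'(?P<dst>[\d.]+)/(?P<svc>\w+) for user "(?P<user>[^"]+)"$')

def parse_line(line):
    """Split the syslog header; for 605005 also pull out who logged in from where."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "sev": int(m["sev"]), "msgid": int(m["msgid"]), "text": m["text"]}
    if rec["msgid"] == 605005 and (lm := LOGIN_RE.match(rec["text"])):
        rec.update(lm.groupdict())
    return rec

def overrides_from_config(config_lines):
    """Collect 'logging message <id> level <name>' statements into {id: numeric level}."""
    out = {}
    for line in config_lines:
        f = line.split()
        if len(f) == 5 and f[:2] == ["logging", "message"] and f[3] == "level":
            out[int(f[2])] = LEVEL[f[4]]
    return out

def effective_severity(rec, overrides):
    """Severity the ASA applies to a message after per-message overrides."""
    return overrides.get(rec["msgid"], rec["sev"])

def emitted(log_lines, logging_level, overrides):
    """Records a destination configured at logging_level would receive."""
    threshold = LEVEL[logging_level]
    recs = [r for r in map(parse_line, log_lines) if r]
    return [r for r in recs if effective_severity(r, overrides) <= threshold]

def logins_by_user(log_lines):
    return Counter(r["user"] for r in map(parse_line, log_lines) if r and "user" in r)

# Constructed sample: the login line quoted above plus three made-up lines with standard message IDs.
SAMPLE_LOG = [
    'Dec 03 2009 17:32:35: %ASA-6-605005: Login permitted from 192.168.202.51/3507 to inside:192.168.2.20/ssh for user "admin"',
    "Dec 03 2009 17:40:12: %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.7/51234 (203.0.113.7/51234) to inside:192.168.2.20/443 (198.51.100.1/443)",
    'Dec 03 2009 17:41:03: %ASA-4-106023: Deny tcp src outside:203.0.113.9/40001 dst inside:192.168.2.20/22 by access-group "outside_access_in" [0x0, 0x0]',
    'Dec 03 2009 17:45:20: %ASA-6-605005: Login permitted from 192.168.202.51/3510 to inside:192.168.2.20/ssh for user "admin"',
]
OVERRIDES = overrides_from_config(["logging message 605005 level warnings"])

if __name__ == "__main__":
    for label, ov in (("default levels", {}), ("with override", OVERRIDES)):
        print(label, "->", [r["msgid"] for r in emitted(SAMPLE_LOG, "warnings", ov)])
    print("logins:", dict(logins_by_user(SAMPLE_LOG)))
```

With the default levels a destination at warnings only sees the 106023 deny; after the override the two administrative logins are delivered as well, which is what you want if that destination feeds a SIEM that only collects level 4 and above.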

Configuring OSPF on Cisco ASA Firewall over IPsec VPN Tunnel

ASA Local:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 30.30.30.1 255.255.255.0
ospf network point-to-point non-broadcast (required to allow unicast of OSPF over IPsec tunnel)
ospf message-digest-key 10 md5 cisco (optional)

interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0

same-security-traffic permit intra-interface (allows traffic to enter and exit the same interface)
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0 (bypass NAT)
access-list outside_cryptomap_10 extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0 (define interesting traffic)
access-list outside_cryptomap_10 extended permit ospf interface outside host 40.40.40.2 (define interesting traffic)
mtu outside 1500
mtu inside 1500
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 10.10.10.0 255.255.255.0

router ospf 100
network 10.10.10.0 255.255.255.0 area 0
network 30.30.30.0 255.255.255.0 area 0
network 40.40.40.0 255.255.255.0 area 0
neighbor 40.40.40.2 interface outside
log-adj-changes

route outside 40.40.40.2 255.255.255.255 30.30.30.2 1
route outside 0.0.0.0 0.0.0.0 30.30.30.2 1

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 40.40.40.2
crypto map outside_map 10 set transform-set myset
crypto map outside_map 10 set security-association lifetime seconds 86400
crypto map outside_map interface outside

isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

tunnel-group 40.40.40.2 type ipsec-l2l
tunnel-group 40.40.40.2 ipsec-attributes
pre-shared-key cisco

ASA Remote:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 40.40.40.2 255.255.255.0
ospf network point-to-point non-broadcast (required to allow unicast of OSPF over IPsec tunnel)
ospf message-digest-key 10 md5 cisco (optional)

interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 20.20.20.1 255.255.255.0

same-security-traffic permit intra-interface (allows traffic to enter and exit the same interface)
access-list nonat extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 (bypass NAT)
access-list crypto extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 (define interesting traffic)
access-list crypto extended permit ospf interface outside host 30.30.30.1 (define interesting traffic)

mtu outside 1500
mtu inside 1500
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
arp timeout 14400
global (outside) 20 interface
nat (inside) 0 access-list nonat
nat (inside) 20 20.20.20.0 255.255.255.0

router ospf 100
network 20.20.20.0 255.255.255.0 area 0
network 30.30.30.0 255.255.255.0 area 0
network 40.40.40.0 255.255.255.0 area 0
neighbor 30.30.30.1 interface outside
log-adj-changes

route outside 0.0.0.0 0.0.0.0 40.40.40.1 1
route outside 30.30.30.1 255.255.255.255 40.40.40.1 1

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map vpn 10 match address crypto
crypto map vpn 10 set peer 30.30.30.1
crypto map vpn 10 set transform-set myset
crypto map vpn interface outside

isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

tunnel-group 30.30.30.1 type ipsec-l2l
tunnel-group 30.30.30.1 ipsec-attributes
pre-shared-key cisco

Show commands to verify:

ASA#show crypto isakmp sa
ASA#show crypto ipsec sa
ASA#show ospf neighbor
ASA#show ip route
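Both the site-to-site post above and this OSPF-over-IPsec post depend on the two peers' configurations mirroring each other: crypto ACLs reversed, identical transform-set and ISAKMP policy, matching pre-shared key, which is where most tunnel failures come from. As an added example (my code, not the author's and not Cisco's), the following Python parses the handful of statements involved from both sides, cross-checks them, and also flags the deprecated 3DES cipher and the sub-2048-bit DH groups (1, 2 and 5) that appear in the examples above. The sample configuration is constructed from the site-to-site post; the parser assumes nameif precedes ip address inside an interface block, as on the page, understands only the statement forms shown here, and resolves the "interface outside" keyword in an ACE to that interface's configured address.

```python
import re

WEAK_ENC = {"des", "3des"}   # deprecated ciphers
WEAK_DH = {"1", "2", "5"}    # MODP groups smaller than 2048 bits (group 14)

def _addr(t, i, ifaces):
    """ACE address spec at t[i] -> ("addr/mask", next index); 'interface <nameif>' resolves to that interface's IP."""
    if t[i] == "any":
        return "0.0.0.0/0", i + 1
    if t[i] in ("host", "interface"):
        return (ifaces[t[i + 1]] if t[i] == "interface" else t[i + 1]) + "/32", i + 2
    return t[i] + "/" + t[i + 1], i + 2

def parse_asa(text):
    """Extract only the statements the checks need (assumes 'nameif' precedes 'ip address', as on the page)."""
    c = {"ifaces": {}, "acls": {}, "tsets": {}, "maps": {}, "policies": {}, "psk": {}, "isakmp_if": set()}
    cur_if = cur_tg = None
    for raw in text.splitlines():
        t = re.sub(r"\s*\(.*?\)\s*$", "", raw).split()  # drop the page's inline "(comment)" notes
        if t[:2] == ["crypto", "isakmp"]:                 # 'crypto isakmp X' and 'isakmp X' are the same command
            t = t[1:]
        if not t:
            continue
        if t[0] == "nameif":
            cur_if = t[1]
        elif t[:2] == ["ip", "address"]:
            c["ifaces"][cur_if] = t[2]
        elif t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            src, i = _addr(t, 5, c["ifaces"])
            dst, _ = _addr(t, i, c["ifaces"])
            c["acls"].setdefault(t[1], []).append((t[4], src, dst))
        elif t[0] == "crypto" and t[1].lower() == "ipsec" and t[2] == "transform-set":
            c["tsets"][t[3]] = tuple(t[4:])
        elif t[:2] == ["crypto", "map"] and t[3] != "interface":
            c["maps"].setdefault((t[2], t[3]), {})[t[5]] = t[6]  # 'address', 'peer' or 'transform-set'
        elif t[:2] == ["isakmp", "policy"]:
            c["policies"].setdefault(t[2], {})[t[3]] = t[4]
        elif t[:2] == ["isakmp", "enable"]:
            c["isakmp_if"].add(t[2])
        elif t[0] == "tunnel-group" and t[2].lower() == "ipsec-attributes":
            cur_tg = t[1]
        elif t[0] == "pre-shared-key":
            c["psk"][cur_tg] = t[1]
    return c

def _mirror(aces):
    return sorted((p, d, s) for p, s, d in aces)

def check_pair(local_text, remote_text):
    """Cross-check a site-to-site pair; returns findings (empty list = consistent, no weak crypto)."""
    L, R = parse_asa(local_text), parse_asa(remote_text)
    out = []
    for side, c in (("local", L), ("remote", R)):
        if not c["isakmp_if"]:
            out.append(f"{side}: ISAKMP not enabled on any interface")
        for n, p in c["policies"].items():
            if p.get("encryption") in WEAK_ENC:
                out.append(f"{side}: isakmp policy {n} uses weak encryption {p['encryption']}")
            if p.get("group") in WEAK_DH:
                out.append(f"{side}: isakmp policy {n} uses weak DH group {p['group']}")
        for n, ts in c["tsets"].items():
            if any(x.replace("esp-", "", 1) in WEAK_ENC for x in ts):
                out.append(f"{side}: transform-set {n} uses weak encryption")
    if not any(p in R["policies"].values() for p in L["policies"].values()):
        out.append("no ISAKMP policy is identical on both sides")
    for key, lm in L["maps"].items():
        want = sorted(L["acls"].get(lm.get("address"), []))
        peers = [(rk, rm) for rk, rm in R["maps"].items()
                 if _mirror(R["acls"].get(rm.get("address"), [])) == want]
        if not peers:
            out.append(f"{key}: no remote crypto map entry mirrors ACL {lm.get('address')}")
            continue
        rk, rm = peers[0]
        if L["tsets"].get(lm.get("transform-set")) != R["tsets"].get(rm.get("transform-set")):
            out.append(f"{key}: transform-set differs from remote {rk}")
        if L["psk"].get(lm.get("peer")) != R["psk"].get(rm.get("peer")):
            out.append(f"{key}: pre-shared key mismatch with remote {rk}")
    return out

# Constructed sample modelled on the site-to-site post; REMOTE is LOCAL with the ACL reversed and peer swapped.
LOCAL = """
access-list vpn_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
crypto IPSec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map vpn_map 10 match address vpn_cryptomap
crypto map vpn_map 10 set peer 1.1.1.2
crypto map vpn_map 10 set transform-set ESP-AES-256-SHA
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 group 5
crypto isakmp enable outside
tunnel-group 1.1.1.2 IPSec-attributes
pre-shared-key testkey
"""
REMOTE = (LOCAL.replace("10.0.0.0 255.255.255.0 192.168.0.0", "192.168.0.0 255.255.255.0 10.0.0.0")
          .replace("1.1.1.2", "1.1.1.1"))

if __name__ == "__main__":
    for finding in check_pair(LOCAL, REMOTE) or ["consistent"]:
        print(finding)
```

Run against the sample pair it reports only the weak DH group on each side; change the remote pre-shared key, transform-set or crypto ACL and the corresponding mismatch is reported before anything is pushed to the firewalls. For the OSPF pair above, the ACE "permit ospf interface outside host 40.40.40.2" is resolved to a host-to-host entry using the outside interface's address, so it mirrors the remote side's "permit ospf interface outside host 30.30.30.1" the same way the subnet entries do.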