Thursday, December 3, 2009

Configuring OSPF on Cisco ASA Firewall over IPsec VPN Tunnel

ASA Local:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 30.30.30.1 255.255.255.0
ospf network point-to-point non-broadcast (required to allow unicast of OSPF over IPsec tunnel)
ospf message-digest-key 10 md5 cisco (optional)

interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0

same-security-traffic permit intra-interface (allows traffic to enter and exit the same interface)
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0 (bypass NAT)
access-list outside_cryptomap_10 extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0 (define interesting traffic)
access-list outside_cryptomap_10 extended permit ospf interface outside host 40.40.40.2 (define interesting traffic)
mtu outside 1500
mtu inside 1500
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 10.10.10.0 255.255.255.0

router ospf 100
network 10.10.10.0 255.255.255.0 area 0
network 30.30.30.0 255.255.255.0 area 0
network 40.40.40.0 255.255.255.0 area 0
neighbor 40.40.40.2 interface outside
log-adj-changes

route outside 40.40.40.2 255.255.255.255 30.30.30.2 1
route outside 0.0.0.0 0.0.0.0 30.30.30.2 1

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 40.40.40.2
crypto map outside_map 10 set transform-set myset
crypto map outside_map 10 set security-association lifetime seconds 86400
crypto map outside_map interface outside

isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

tunnel-group 40.40.40.2 type ipsec-l2l
tunnel-group 40.40.40.2 ipsec-attributes
pre-shared-key cisco

ASA Remote:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 40.40.40.2 255.255.255.0
ospf network point-to-point non-broadcast (required to allow unicast of OSPF over IPsec tunnel)
ospf message-digest-key 10 md5 cisco (optional)

interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 20.20.20.1 255.255.255.0

same-security-traffic permit intra-interface (allows traffic to enter and exit the same interface)
access-list nonat extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 (bypass NAT)
access-list crypto extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 (define interesting traffic)
access-list crypto extended permit ospf interface outside host 30.30.30.1 (define interesting traffic)

mtu outside 1500
mtu inside 1500
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
arp timeout 14400
global (outside) 20 interface
nat (inside) 0 access-list nonat
nat (inside) 20 20.20.20.0 255.255.255.0

router ospf 100
network 20.20.20.0 255.255.255.0 area 0
network 30.30.30.0 255.255.255.0 area 0
network 40.40.40.0 255.255.255.0 area 0
neighbor 30.30.30.1 interface outside
log-adj-changes

route outside 0.0.0.0 0.0.0.0 40.40.40.1 1
route outside 30.30.30.1 255.255.255.255 40.40.40.1 1

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map vpn 10 match address crypto
crypto map vpn 10 set peer 30.30.30.1
crypto map vpn 10 set transform-set myset
crypto map vpn interface outside

isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

tunnel-group 30.30.30.1 type ipsec-l2l
tunnel-group 30.30.30.1 ipsec-attributes
pre-shared-key cisco

Show commands to verify:

ASA#show crypto isakmp sa
ASA#show crypto ipsec sa
ASA#show ospf neighbor
ASA#show ip route

2 comments:

  1. Thanks for the post and great tips..even I also think that hard work is the most important aspect of getting success.. top 10 vpn reviews

    ReplyDelete
  2. I can see that you are an expert at your field! I am launching a website soon, and your information will be very useful for me.. Thanks for all your help and wishing you all the success in your business. VPN working with Netflix

    ReplyDelete