Thursday, December 3, 2009

Configuring OSPF on Cisco ASA Firewall over IPsec VPN Tunnel

ASA Local:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 30.30.30.1 255.255.255.0
ospf network point-to-point non-broadcast (required: OSPF multicast hellos cannot cross the IPsec tunnel, so the neighbor is addressed by unicast)
ospf authentication message-digest (optional: turns on MD5 authentication; without it the key below is never used)
ospf message-digest-key 10 md5 cisco (optional: key ID and key must match on both peers)

interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0

same-security-traffic permit intra-interface (allows traffic to enter and exit the same interface)
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0 (bypass NAT)
access-list outside_cryptomap_10 extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0 (define interesting traffic)
access-list outside_cryptomap_10 extended permit ospf interface outside host 40.40.40.2 (define interesting traffic: the unicast OSPF packets to the peer must also be encrypted)
mtu outside 1500
mtu inside 1500
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 10.10.10.0 255.255.255.0

router ospf 100
network 10.10.10.0 255.255.255.0 area 0
network 30.30.30.0 255.255.255.0 area 0
network 40.40.40.0 255.255.255.0 area 0
neighbor 40.40.40.2 interface outside
log-adj-changes

route outside 40.40.40.2 255.255.255.255 30.30.30.2 1
route outside 0.0.0.0 0.0.0.0 30.30.30.2 1

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 40.40.40.2
crypto map outside_map 10 set transform-set myset
crypto map outside_map 10 set security-association lifetime seconds 86400
crypto map outside_map interface outside

isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

tunnel-group 40.40.40.2 type ipsec-l2l
tunnel-group 40.40.40.2 ipsec-attributes
pre-shared-key cisco

ASA Remote:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 40.40.40.2 255.255.255.0
ospf network point-to-point non-broadcast (required: OSPF multicast hellos cannot cross the IPsec tunnel, so the neighbor is addressed by unicast)
ospf authentication message-digest (optional: turns on MD5 authentication; without it the key below is never used)
ospf message-digest-key 10 md5 cisco (optional: key ID and key must match on both peers)

interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 20.20.20.1 255.255.255.0

same-security-traffic permit intra-interface (allows traffic to enter and exit the same interface)
access-list nonat extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 (bypass NAT)
access-list crypto extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 (define interesting traffic)
access-list crypto extended permit ospf interface outside host 30.30.30.1 (define interesting traffic: the unicast OSPF packets to the peer must also be encrypted)

mtu outside 1500
mtu inside 1500
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
arp timeout 14400
global (outside) 20 interface
nat (inside) 0 access-list nonat
nat (inside) 20 20.20.20.0 255.255.255.0

router ospf 100
network 20.20.20.0 255.255.255.0 area 0
network 30.30.30.0 255.255.255.0 area 0
network 40.40.40.0 255.255.255.0 area 0
neighbor 30.30.30.1 interface outside
log-adj-changes

route outside 0.0.0.0 0.0.0.0 40.40.40.1 1
route outside 30.30.30.1 255.255.255.255 40.40.40.1 1

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map vpn 10 match address crypto
crypto map vpn 10 set peer 30.30.30.1
crypto map vpn 10 set transform-set myset
crypto map vpn interface outside

isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

tunnel-group 30.30.30.1 type ipsec-l2l
tunnel-group 30.30.30.1 ipsec-attributes
pre-shared-key cisco

Show commands to verify:

ASA#show crypto isakmp sa
ASA#show crypto ipsec sa
ASA#show ospf neighbor
ASA#show ip route
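As an added check (not part of the original post), here is a small Python script that reads a flat ASA config excerpt like the ones above and confirms that the OSPF neighbor is also the crypto map peer, the ipsec-l2l tunnel-group and the target of a /32 static route, and that an MD5 key is paired with 'ospf authentication message-digest'. The sample config is a constructed excerpt of the ASA Local config; the function names are my own.

```python
# Added consistency check, not from the post: the OSPF neighbor must also be the crypto
# peer, the ipsec-l2l tunnel-group and a /32 route; an MD5 key needs 'ospf authentication message-digest'.
def parse_asa(text):
    # Pull the lines the check needs out of a flat ASA config (no indentation assumed);
    # 'nameif'/'ospf' lines are attributed to the most recent 'interface' line.
    cfg = {"ifaces": {}, "neighbors": [], "peers": set(), "tgs": set(), "routes": set()}
    cur = None
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[0] == "interface":
            cur = cfg["ifaces"].setdefault(w[1], {"nameif": None, "ospf": set()})
        elif cur is not None and w[0] == "nameif":
            cur["nameif"] = w[1]
        elif cur is not None and w[0] == "ospf":
            cur["ospf"].add(" ".join(w))
        elif w[0] == "neighbor":                # neighbor <ip> interface <nameif>
            cfg["neighbors"].append((w[1], w[3]))
        elif w[:2] == ["crypto", "map"] and "peer" in w:
            cfg["peers"].add(w[-1])
        elif w[0] == "tunnel-group" and w[-1] == "ipsec-l2l":
            cfg["tgs"].add(w[1])
        elif w[0] == "route" and w[3] == "255.255.255.255":
            cfg["routes"].add(w[2])
    return cfg

def check_ospf_over_ipsec(cfg):
    # Returns findings; an empty list means the OSPF and IPsec pieces line up.
    out = []
    for ip, ifname in cfg["neighbors"]:
        ospf = next((i["ospf"] for i in cfg["ifaces"].values() if i["nameif"] == ifname), set())
        if "ospf network point-to-point non-broadcast" not in ospf:
            out.append(f"{ifname}: missing 'ospf network point-to-point non-broadcast' for unicast to {ip}")
        if any(l.startswith("ospf message-digest-key") for l in ospf) and "ospf authentication message-digest" not in ospf:
            out.append(f"{ifname}: MD5 key configured but 'ospf authentication message-digest' missing, key is unused")
        if ip not in cfg["peers"]:
            out.append(f"{ip}: OSPF neighbor is not a crypto map peer, hellos would not be encrypted")
        if ip not in cfg["tgs"]:
            out.append(f"{ip}: no 'tunnel-group {ip} type ipsec-l2l'")
        if ip not in cfg["routes"]:
            out.append(f"{ip}: no /32 static route, unicast hellos have no path before OSPF converges")
    return out

# Constructed excerpt of the 'ASA Local' config above (parenthetical notes dropped).
LOCAL_ASA = """interface GigabitEthernet0/0
nameif outside
ospf network point-to-point non-broadcast
ospf message-digest-key 10 md5 cisco
router ospf 100
neighbor 40.40.40.2 interface outside
route outside 40.40.40.2 255.255.255.255 30.30.30.2 1
crypto map outside_map 10 set peer 40.40.40.2
tunnel-group 40.40.40.2 type ipsec-l2l"""
```

Running check_ospf_over_ipsec(parse_asa(LOCAL_ASA)) reports only the unused MD5 key; adding 'ospf authentication message-digest' to the excerpt clears it.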
