Web Gateway Cloud Service: IPSec Configuration - Cisco ASA 5505/5506


Introduction

This document describes an example configuration of a Cisco ASA 5506 running Cisco Adaptive Security Appliance software version 9.6. The configuration should work with other Cisco ASA versions and appliances running similar software. The key capabilities used are an IPSec gateway-to-gateway VPN (IKEv2 or IKEv1) and destination-port-based NAT for any destination IP (0.0.0.0/0).

All configuration assumes that the firewall is already set up for basic routing:

  • GigabitEthernet1/1 is configured as an outside/WAN interface
  • GigabitEthernet1/2 is configured as an inside/LAN interface
  • McAfee Web Gateway Cloud Service (McAfee WGCS) is configured with a pre-shared secret, your external public IP, and the local subnet from which client web traffic is sourced.

The configurations below use failover between two peers with IKEv1 and a single active tunnel with IKEv2. Cisco documentation states that IKEv2 does not support redundant tunnels, and you will get an error message if you try to configure multiple peer addresses. Contact Cisco if clarification is needed.

Basic Steps

  1. Configure IKE
  2. Configure Traffic Selection
  3. Configure IPSec
  4. Configure Network Address Translation

IKEv2

Configure IKE

The ISAKMP policy for key exchange should be configured first. Policy 20 is used below, but it could be any policy number that isn't already in use. Then enable IKEv2 on the outside interface:

crypto ikev2 policy 20
   encryption aes
   integrity sha256
   group 5 2
   prf sha256
   lifetime seconds 28800
crypto ikev2 enable outside

Supported IKEv2 parameters

Encryption: aes, aes-192, aes-256
Integrity: sha256, sha384, sha512
Diffie-Hellman (DH) Group: 2, 5, 16, 14
PRF: aes, aes-192, aes-256

Set group policy:

group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
   vpn-tunnel-protocol ikev2

Set tunnel group attributes:

tunnel-group 185.125.225.1 type ipsec-l2l
tunnel-group 185.125.225.1 general-attributes
   default-group-policy GroupPolicy1
tunnel-group 185.125.225.1 ipsec-attributes
   ikev2 remote-authentication pre-shared-key *****
   ikev2 local-authentication pre-shared-key *****
tunnel-group 161.69.123.1 type ipsec-l2l
tunnel-group 161.69.123.1 general-attributes
   default-group-policy GroupPolicy1
tunnel-group 161.69.123.1 ipsec-attributes
   ikev2 remote-authentication pre-shared-key *****
   ikev2 local-authentication pre-shared-key *****

***** replace with your pre-shared key
185.125.225.1 replace with the IP obtained by resolving 1.network.c<customerid>.saasprotection.com from the firewall's location
161.69.123.1 replace with the IP obtained by resolving 2.network.c<customerid>.saasprotection.com from the firewall's location

Configure Traffic Selection

The access list below allows the local subnet 192.168.0.0/16 (network object any_inside) to use the tunnel, with the destination set to any (the predefined object obj_any):

object network obj_any
   subnet 0.0.0.0 0.0.0.0
object network any_inside
   subnet 192.168.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip object any_inside object obj_any

Configure IPSec

Configure the encryption and authentication for IPSec. The proposal AES-SHA-256 is defined here; multiple proposals can be created and referenced from the crypto map.

crypto ipsec ikev2 ipsec-proposal AES-SHA-256
protocol esp encryption aes
protocol esp integrity sha-256

Supported values:

Encryption: aes, aes-256, aes-512
Integrity: sha-256, sha-384, sha-512
Diffie-Hellman (DH) Group: 2, 5, 16, 14

The proposals are used in the crypto map, named outside_map3 here. The map is then assigned to the outside interface. Note that only one peer is specified, as Cisco documentation indicates that multiple peers are not supported with IKEv2. If you need redundancy, use IKEv1 or contact Cisco support for clarification.

crypto map outside_map3 2 match address outside_cryptomap
crypto map outside_map3 2 set pfs 
crypto map outside_map3 2 set peer 185.125.225.1 
crypto map outside_map3 2 set ikev2 ipsec-proposal AES-SHA-256 
crypto map outside_map3 2 set ikev2 pre-shared-key *****
crypto map outside_map3 2 set security-association lifetime seconds 3600
crypto map outside_map3 interface outside

***** replace with your pre-shared key
185.125.225.1 replace with the IP obtained by resolving 1.network.c<customerid>.saasprotection.com from the firewall's location

Configure Network Address Translation

First define service objects for HTTP and HTTPS:

object service http
   service tcp destination eq www 
object service https
   service tcp destination eq https

Once the services are defined, set up static (identity) NAT from inside to outside that leaves the original source address unchanged, so that the traffic will match the access list in the crypto map on the outside interface:

nat (inside,outside) source static any any service http http
nat (inside,outside) source static any any service https https

There should already be a default rule that dynamically NATs everything else to the outside interface address, something like:

object network obj_any
   nat (any,outside) dynamic interface

Once the above configuration changes are applied, the tunnel should be established.

From a client connected through the inside interface, attempt to browse the internet. If whatsmyip.com is accessed, the returned address should look similar to the configured peer address.

Troubleshooting

Status can be verified from the command line with the commands:

show crypto isakmp sa
show crypto ipsec stats

IKEv1

Configure IKE

The ISAKMP policy for key exchange should be configured first. Policy 90 is used below, but it could be any policy number that isn't already in use. Then enable IKEv1 on the outside interface:

crypto ikev1 policy 90
   authentication pre-share
   encryption aes
   hash sha
   group 5
   lifetime 28800
crypto ikev1 enable outside

Supported IKEv1 parameters

Authentication: pre-share
Encryption: aes, aes-192, aes-256
Hash: sha, sha256, sha384, sha512
Diffie-Hellman (DH) Group: 2, 5, 16, 14

Set group policy:

group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
   vpn-tunnel-protocol ikev1

Set tunnel group attributes:

tunnel-group 185.125.225.1 type ipsec-l2l
tunnel-group 185.125.225.1 general-attributes
   default-group-policy GroupPolicy1
tunnel-group 185.125.225.1 ipsec-attributes
   ikev1 pre-shared-key *****
tunnel-group 161.69.123.1 type ipsec-l2l
tunnel-group 161.69.123.1 general-attributes
   default-group-policy GroupPolicy1
tunnel-group 161.69.123.1 ipsec-attributes
   ikev1 pre-shared-key *****


***** replace with your pre-shared key
185.125.225.1 replace with the IP obtained by resolving 1.network.c<customerid>.saasprotection.com from the firewall's location
161.69.123.1 replace with the IP obtained by resolving 2.network.c<customerid>.saasprotection.com from the firewall's location

Configure Traffic Selection

The access list below allows the local subnet 192.168.0.0/16 (network object any_inside) to use the tunnel, with the destination set to any (the predefined object obj_any):

object network obj_any
   subnet 0.0.0.0 0.0.0.0
object network any_inside
   subnet 192.168.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip object any_inside object obj_any

Configure IPSec

Configure the encryption and authentication for IPSec. The transform set ESP-AES-128-SHA is defined here; multiple transform sets can be created and referenced from the crypto map.

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

Supported values:

Encryption: esp-aes, esp-aes-192, esp-aes-256, esp-aes-512
Integrity: esp-sha-hmac, esp-sha256-hmac, esp-sha384-hmac, esp-sha512-hmac
Diffie-Hellman (DH) Group: 2, 5, 16, 14
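As an added check that is not part of the original article, the following Python script parses the IKE policy, IPsec proposal and transform-set lines of an ASA configuration and flags any integrity/hash, DH group or IKE lifetime value outside the supported lists given above for IKEv2 and IKEv1. The allowed-value tables simply transcribe the page's lists, and the sample configuration it runs on is constructed.

```python
# Allowed values, taken from this page's parameter lists (IKE lifetime is the page's 28800 s).
IKEV2_INTEGRITY = {"sha256", "sha384", "sha512"}
IKEV1_HASH = {"sha", "sha256", "sha384", "sha512"}
ESP_IKEV2_INTEGRITY = {"sha-256", "sha-384", "sha-512"}
ESP_IKEV1_INTEGRITY = {"esp-sha-hmac", "esp-sha256-hmac", "esp-sha384-hmac", "esp-sha512-hmac"}
DH_GROUPS = {"2", "5", "14", "16"}
LIFETIME = {"28800"}
# Block header words after 'crypto' -> (leading words of an attribute line, allowed values).
RULES = {
    ("ikev2", "policy"): [(("integrity",), IKEV2_INTEGRITY), (("group",), DH_GROUPS),
                          (("lifetime", "seconds"), LIFETIME)],
    ("ikev1", "policy"): [(("hash",), IKEV1_HASH), (("group",), DH_GROUPS),
                          (("lifetime",), LIFETIME)],
    ("ipsec", "ikev2", "ipsec-proposal"): [(("protocol", "esp", "integrity"), ESP_IKEV2_INTEGRITY)],
}


def lint_crypto_config(config: str) -> list[str]:
    """Return one finding per value WGCS will not accept; an empty list means clean."""
    findings, block = [], []
    for w in map(str.split, config.splitlines()):
        if not w:
            continue
        if w[0] == "crypto":  # every 'crypto ...' line starts a new block
            block = w
            # IKEv1 transform sets are one-liners: name, cipher, integrity transform.
            if tuple(w[1:4]) == ("ipsec", "ikev1", "transform-set") and w[-1] not in ESP_IKEV1_INTEGRITY:
                findings.append(f"transform-set {w[4]}: {w[-1]} not supported by WGCS")
            continue
        for prefix, rules in RULES.items():
            if tuple(block[1:1 + len(prefix)]) != prefix:
                continue
            for lead, allowed in rules:
                if tuple(w[:len(lead)]) == lead:
                    bad = [v for v in w[len(lead):] if v not in allowed]
                    if bad:
                        findings.append(f"{' '.join(block[1:])}: {' '.join(lead)} "
                                        f"{' '.join(bad)} not supported by WGCS")
    return findings


# Constructed sample with ASA-default leftovers a migration might keep (not from the page).
SAMPLE_BAD = """\
crypto ikev2 policy 10
 integrity sha
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal DEFAULT
 protocol esp integrity sha-1
crypto ikev1 policy 10
 hash md5
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
"""
```

Running the page's own IKEv2 and IKEv1 blocks through lint_crypto_config returns an empty list; the constructed sample yields five findings.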

The transform set is used in the crypto map named outside_map3 with priority (sequence number) 2, which lists both peers for failover. The map is then assigned to the outside interface.

crypto map outside_map3 2 match address outside_cryptomap
crypto map outside_map3 2 set pfs 
crypto map outside_map3 2 set peer 185.125.225.1 161.69.123.1 
crypto map outside_map3 2 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map3 2 set security-association lifetime seconds 3600
crypto map outside_map3 interface outside

185.125.225.1 replace with the IP obtained by resolving 1.network.c<customerid>.saasprotection.com from the firewall's location
161.69.123.1 replace with the IP obtained by resolving 2.network.c<customerid>.saasprotection.com from the firewall's location

Configure Network Address Translation

First define service objects for HTTP and HTTPS:

object service http
   service tcp destination eq www 
object service https
   service tcp destination eq https

Once the services are defined, set up static (identity) NAT from inside to outside that leaves the original source address unchanged, so that the traffic will match the access list in the crypto map on the outside interface:

nat (inside,outside) source static any any service http http
nat (inside,outside) source static any any service https https

There should already be a default rule that dynamically NATs everything else to the outside interface address, something like:

object network obj_any
   nat (any,outside) dynamic interface
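To make the interaction between the NAT rules and the crypto map access list concrete (this applies to both the IKEv2 and the IKEv1 NAT sections), here is an added Python model that is not part of the original article: it applies the page's NAT order (the manual identity rules for http/https are consulted before the object NAT "dynamic interface" rule) and then the outside_cryptomap access list, which the ASA evaluates against post-NAT addresses. The outside interface address 203.0.113.10 and the sample flows are constructed.

```python
import ipaddress

# Topology values from the page; the outside interface address is a constructed placeholder.
INSIDE_SUBNET = ipaddress.ip_network("192.168.0.0/16")   # object network any_inside
OUTSIDE_IF_ADDR = ipaddress.ip_address("203.0.113.10")    # constructed (RFC 5737 range)
STATIC_PORTS = {80, 443}   # nat (inside,outside) source static any any service http/https


def translate(src, dport, static_ports=STATIC_PORTS):
    """Model the NAT order: the manual identity rules (ASA NAT section 1) are
    matched before the object NAT 'dynamic interface' rule (section 2)."""
    if dport in static_ports:
        return src                 # identity NAT: source address left unchanged
    return OUTSIDE_IF_ADDR         # dynamic PAT to the outside interface address


def crypto_acl_matches(src, dst):
    """access-list outside_cryptomap extended permit ip object any_inside object obj_any."""
    return src in INSIDE_SUBNET    # destination is 0.0.0.0/0, so only the source decides


def classify_flow(src, dst, dport, static_ports=STATIC_PORTS):
    """Return ('tunnel' | 'direct', source address seen on the wire). The crypto ACL
    is matched on post-NAT addresses, which is why the identity NAT rules are needed."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    wire_src = translate(src, dport, static_ports)
    if crypto_acl_matches(wire_src, dst):
        return "tunnel", str(wire_src)
    return "direct", str(wire_src)


# Constructed sample flows from clients behind the inside interface.
SAMPLE_FLOWS = [
    ("192.168.10.5", "198.51.100.20", 80),    # HTTP: identity NAT, enters the tunnel
    ("192.168.10.5", "198.51.100.20", 443),   # HTTPS: same
    ("192.168.10.5", "198.51.100.20", 22),    # SSH: PAT to outside address, bypasses the tunnel
    ("10.0.0.5", "198.51.100.20", 80),        # source outside any_inside: untranslated, no tunnel
]

if __name__ == "__main__":
    for src, dst, port in SAMPLE_FLOWS:
        print(src, dst, port, "->", classify_flow(src, dst, port))
    # Without the static rules, web traffic is PATed first and never matches the crypto ACL.
    print(classify_flow("192.168.10.5", "198.51.100.20", 80, static_ports=set()))
```

The last sample flow shows that, as written, the "any any" identity rules also apply to a source outside any_inside, which then leaves untranslated and outside the tunnel; if other inside subnets exist, scope the static NAT source object accordingly.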


Once the above configuration changes are applied, the tunnel should be established.

From a client connected through the inside interface, attempt to browse the internet. If whatsmyip.com is accessed, the returned address should look similar to the configured peer address.

Troubleshooting

Status can be verified from the command line with the commands:

show crypto isakmp sa
show crypto ipsec stats

Using ASDM

IKEv2

  • Create Connection Profile
  • Go to Configuration > Site-to-Site VPN > Connection Profiles
  • Enable IKE v2 access on the outside interface
  • Add a connection profile
  • Put the IP address obtained from locally resolving 1.network.c<customerid>.saasprotection.com into the Peer IP Address field
  • For Local Network put in the address range to match what you configured in WGCS. In this example Any_Inside is the object for 192.168.0.0/16
  • For Remote Network use any
  • The Group Policy Name can be left as is
  • If only IKE v2 is desired, deselect IKE v1
  • Set the Local Pre-shared Key and Remote Peer Pre-shared Key to match what you set in WGCS
  • SHA1 is not supported by WGCS for the integrity algorithm, so at least one compatible Encryption Algorithm will need to be added and chosen
  • Click on Manage next to IKE Policy and then add a new policy using SHA256 or higher and a Lifetime of 28800 seconds.

image6.png

  • Click OK. Click OK.
  • Click on Select next to IPsec Proposal then click on Add to create a new proposal.
  • Name the proposal and add appropriate encryption and hash algorithms.

image7.png

  • Click OK.
  • Assign the newly created algorithm to the list (the other algorithms can be removed)

image8.png

  • Click OK
  • Select Advanced > Crypto Map Entry and change the Security Association Lifetime time to 1:0:0
  • Click OK
  • Go to Configuration > Site-to-Site VPN > Advanced > Crypto Maps
  • Edit the Crypto Map to Enable Perfect Forwarding Secrecy

image9.png

  • Click OK
  • Go to Configuration > Firewall > NAT Rules
  • Add a static, unidirectional rule, source interface inside, destination interface outside service http (it will likely need to be added, destination port 80) 

image3.png


  • Click Yes, and then OK at the warning.
  • Click OK. Click OK. Then click Yes at the warning.
  • If https filtering is desired, use the same process to add another static, unidirectional rule, source interface inside, destination interface outside service https (it will likely need to be added, destination port 443)
  • Apply the changes.
  • From a client connected through the inside interface, attempt to browse the internet. If whatsmyip.com is accessed, the returned address should look similar to the configured peer address.
  • Tunnel status can be verified by going to Monitoring > VPN

image10.png

IKEv1

  • Create Connection Profile
  • Go to Configuration > Site-to-Site VPN > Connection Profiles
  • Enable IKE v1 access on the outside interface
  • Add a connection profile
  • Put the IP address obtained from locally resolving 1.network.c<customerid>.saasprotection.com into the Peer IP Address field
  • For Local Network put in the address range to match what you configured in WGCS. In this example Any_Inside is the object for 192.168.0.0/16
  • For Remote Network use any
  • The Group Policy Name can be left as is
  • If only IKE v1 is desired, deselect IKE v2
  • Set the Pre-shared Key to match what you set in WGCS
  • Encryption algorithms can be left as is, or can be limited to one or more of the supported proposals (e.g. ESP-AES-128-SHA)

image1.png

  • Select Advanced > Crypto Map Entry and change the Security Association Lifetime time to 1:0:0
  • Click OK
  • Create a second Connection Profile as above using the same group policy and the IP obtained from 1.network.c<customerid>.saasprotection.com
  • Click OK (accept the overlap)
  • Go to Configuration > Site-to-Site VPN > Advanced > Crypto Maps
  • Delete the second Crypto Map
  • Edit the first Crypto Map
  • Put the IP address obtained from locally resolving 2.network.c<customerid>.saasprotection.com into the Peer IP Address field
  • Enable Perfect Forwarding Secrecy

image2.png

  • Click OK
  • Go to Configuration > Firewall > NAT Rules
  • Add a static, unidirectional rule, source interface inside, destination interface outside, service http (it will likely need to be added, destination port 80). Click Yes, and then OK at the Proxy ARP warning.

image3.png


  • If https filtering is desired, use the same process to add another static, unidirectional rule, source interface inside, destination interface outside service https (it will likely need to be added, destination port 443)
  • Go to Configuration > Site-to-Site VPN > Advanced > IKE Policies
  • Delete the policies that aren’t valid and change the Lifetime on the remaining policies to 28800

image4.png

  • Click OK
  • Apply the changes.
  • From a client connected through the inside interface, attempt to browse the internet. If whatsmyip.com is accessed, the returned address should look similar to the configured peer address.
  • Tunnel status can be verified by going to Monitoring > VPN

image5.png


Comments

If the public address configured in WGCS does not match the address of the outside interface of your firewall, the above configuration will not work. This will be the case when the firewall is behind a NAT, as it would be in AWS or Azure. You will need to change the identity the firewall sends for the tunnel. This can be done from the command line with:

crypto isakmp identity key-id 1.2.3.4

Alternatively, there is an identity setting in ASDM under Configuration > Site-to-Site VPN > Advanced > IKE Parameters:

Identity Sent to Peer: Key ID, with Key ID String: 1.2.3.4

(Replace 1.2.3.4 with the public address configured in WGCS.)

Version history: revision 2 of 2, last updated 05-03-2018 12:12 PM