Emulate an IPsec Site-to-Site tunnel with Cisco ASA 5520 in GNS3: Preparation Phase 2

Now that we have finished phase 1, it is time to look at phase 2.

In phase 2 we will configure a site-to-site VPN tunnel through the ASDM wizard. I know it is better done via the CLI, but I am new to site-to-site VPN, and before you can understand the concept you need to start with the easy way. In phase 3 we will manually configure an IPsec site-to-site tunnel and give tips about what is required to be the same on both sides and what can be different.

Step 1: Create the local and remote subnet objects on both ASAs

Config ASA1:

object network Local_Networks_VPN_To_Amsterdam
 subnet 192.168.12.0 255.255.255.0
object network Remote_Networks_VPN_To_Heerlen
 subnet 172.16.24.0 255.255.255.0

Config ASA2:

object network Local_Networks_VPN_To_Amsterdam
 subnet 172.16.24.0 255.255.255.0
object network Remote_Networks_VPN_To_Heerlen
 subnet 192.168.12.0 255.255.255.0

Step 2: Configure ASA1 and ASA2 as the two ends of an IPsec tunnel.

Look at this document for a step-by-step guide on how it is created.

Step 3: Start a ping from site A to site B

Very important!

This is required. If no traffic is sent, the tunnel will stay down: the ASA only negotiates the tunnel when there is traffic that matches the crypto ACL.

Why does something need to be up when there is no traffic for the remote site?

Step 3 is also included in the guide referenced in step 2.


Configure a SPAN port on a Catalyst 3560

To create a SPAN port on a Cisco 3560 "swouter", make the following preparations:

1. Connect the host/server/IP phone to a port on the switch (this will be the source port).

2. Connect the Wireshark client to another port on the switch (this will be the destination port).

3. Connect the uplink for the client to the switch (if not already configured).

To configure the switch (the source port is mirrored to the destination port):

monitor session 1 source interface fastethernet 0/1

monitor session 1 destination interface fastethernet 0/2

Install Wireshark and configure a filter so that only the host is displayed (for example the capture filter ip host <address>).


Create Bootable USB Stick

If you really need speed to install a couple of Windows Server 2008 boxes, I recommend placing the installation files on a high-speed USB stick.


Hard drives are usually connected to one host controller, and the USB channels are connected to another host controller chip on your motherboard. Installing from a USB device therefore won't hog the host controller for your hard drives (as it does when installing from a mounted image) and won't lag the way a normal DVD drive does while spinning up and spinning down. When you use a USB flash drive (called a USB stick around here) instead of a USB hard disk (slower), you can achieve lightning speeds. To make your bootable USB device, simply type the following commands on a system with the image mounted (or the physical DVD in the drive) and the USB device plugged in:

1. Open diskpart from a command prompt:

diskpart

2. List the disks:

DISKPART> list disk

3. Find the USB device in the list and substitute its disk number in the commands below where necessary. Double-check the number: the clean command wipes the selected disk.

4. Execute the following commands:

DISKPART> select disk 1
DISKPART> clean
DISKPART> create partition primary
DISKPART> select partition 1
DISKPART> active
DISKPART> format fs=fat32
** It is also possible to quick-format the disk instead: in Explorer, right-click the device, select Format, tick Quick Format and click Start. It will go even faster. **
DISKPART> assign
DISKPART> exit

5. Run the following in a command prompt: xcopy X:\*.* /s /e /f Y:\
where X:\ is your mounted image or physical DVD and Y:\ is your USB device.

Now all you need to do is plug the device into the target box's USB slot and boot it. (The target system will need to have USB slots and be able to boot from USB devices.)

When you send information to the Internet, it might be possible for others to see that information

Users keep receiving the rather annoying message:

When you send information to the Internet, it might be possible for others to see that information

This message can be prevented via a Group Policy setting or a registry poke.

Group Policy
To control the sending of non-encrypted form data in IE, use the policy setting under
Computer Config\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\Submit non-encrypted form data

Make sure it is enabled twice: the policy itself set to Enabled, and the option inside it set to Enable.

Example:

Group Policy: Submit non-encrypted form data

Registry Poke
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\x

Value name: 1601, Type: REG_DWORD, Data: 0

where x is the relevant site zone, e.g.
3 = Internet

The 1601 value equates to the setting "Miscellaneous: Submit non-encrypted form data". Note that setting it to 0 removes the warning entirely, so users will no longer be told when a form posts over plain HTTP; the setting should be deployed knowingly.
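As an added example (not part of the original post), the PowerShell below audits value 1601 in every IE security zone under the HKCU path above and can apply the value 0 described for a chosen zone. The zone numbers 0 to 4 and the meanings of 0/1/3 (Enable/Prompt/Disable) are the standard URL-action values assumed here; the function names are my own.

```powershell
# Added example: audit/set the IE "Submit non-encrypted form data" URL action
# (value 1601) per security zone. Not code from the original post.
# Assumed well-known zone numbers and URL-action data values.
$ZoneNames   = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$ActionNames = @{ 0 = 'Enable (no warning)'; 1 = 'Prompt (warning shown)'; 3 = 'Disable' }
$ZonesRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-IeSubmitUnencryptedSetting {
    # Reports the current 1601 data for zones 0-4 so an admin can see which
    # zones already suppress the warning before changing anything.
    foreach ($zone in 0..4) {
        $path = Join-Path $ZonesRoot $zone
        $data = (Get-ItemProperty -Path $path -Name '1601' -ErrorAction SilentlyContinue).'1601'
        if ($null -eq $data) { $meaning = 'not set (zone default)' }
        elseif ($ActionNames.ContainsKey([int]$data)) { $meaning = $ActionNames[[int]$data] }
        else { $meaning = "unknown ($data)" }
        [pscustomobject]@{ Zone = $zone; Name = $ZoneNames[$zone]; Data = $data; Meaning = $meaning }
    }
}

function Set-IeSubmitUnencryptedSetting {
    # Writes the REG_DWORD 1601 for one zone; supports -WhatIf so the change
    # can be previewed. Default is the post's example: Internet zone (3), data 0.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateRange(0, 4)][int]$Zone = 3,
        [ValidateSet(0, 1, 3)][int]$Data = 0
    )
    $path = Join-Path $ZonesRoot $Zone
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess("$path\1601", "Set to $Data")) {
        Set-ItemProperty -Path $path -Name '1601' -Value $Data -Type DWord
    }
}

Get-IeSubmitUnencryptedSetting | Format-Table -AutoSize
# Preview the change from the post without applying it:
Set-IeSubmitUnencryptedSetting -Zone 3 -Data 0 -WhatIf
```

If the Group Policy setting above is applied, its value under the Software\Policies hive takes precedence over this per-user key, so the audit output shows only the user-level configuration.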