Background
We have multiple IPSEC Site-to-Site VPN tunnels within our company. The purpose of the VPN tunnels is to connect specific applications that are hosted at other companies. In production environments it is highly discouraged to change and test configurations, because the business these days does not accept any downtime.
Because of this I have chosen to emulate and learn the concepts of Site-to-Site IPSEC tunnels within a lab environment.
Cisco ASA firewalls are expensive. For this reason I have chosen to emulate the software in GNS3.
GNS3 is free to download.
For more information follow this link: http://www.gns3.net/
Preparation in GNS3
Before we start with configuring, there is a lot of preparation that needs to be done.
Step 1: What are the requirements? In this case a site-to-site IPSEC VPN. So we need 2 sites, 2 different networks and 2 firewalls, of which at least 1 is an ASA.
Step 2: Design a Topology.
Topology 1
The addresses used here are not used anywhere in production. 🙂
Step 3: Prepare GNS to use Cisco ASA images.
(I am not going to provide the images. Only describe what my configuration is.)
My settings within GNS3 are:
First go to: edit, preferences
Click on QEMU, ASA tab.
Qemu Settings 1
You need to have the ASA images otherwise it will not work. Locate and select them within the ASA Specific Settings. (initrd and kernel)
To make things really easy I have prepared a notepad with all the settings.
Simply copy paste it into GNS.
Link: Qemu_Config_GNS3
When done click on Save.
Step 4: Create at least 2 loopback adapters within your client. I use Windows 7.
I have made a separate manual which can be found here.
Step 5: After the loopback interfaces are added it is time to create a new “Template” project:
Why do you need a template?
Reason 1: Because otherwise you need to upload and configure the ASDM image over and over again whenever you make a new project. If you do not use ASDM, forget about reason 1.
Reason 2: Because the default ASA image has no license features enabled, you have to activate the features with activation keys. Import the keys to have an ASA with full functionality. Think of failover, VPN-DES/3DES, unlimited hosts, etc.
Motivation why using a template
Because of these 2 reasons I have chosen to take a standard ASA image, import the ASDM image and import the activation key, then save the project as a template. That way, whenever I want to test something with an ASA appliance, all the options are available.
Start GNS3 as administrator, otherwise loopback interface errors may occur.
Add 2 ASA Firewalls, 2 Switches, 1 router(with 2 interfaces named Internet) and 2 Clients into the Topology.
Connect the devices as shown in the following diagram:
Topology 2
When connecting to the clients you first need to add the loopback interfaces created earlier.
Right-click on the computer and click on C1.
Node configurator 1
The available NICs will be shown. Select the loopback interface and click Add.
When connecting the ethernet cable a new option will be available to connect to the loopback interface.
Step 6: Boot the ASA images and apply a Basic Config.
I have created a basic configuration document for the ASA:
After the basic configuration you should be able to ping the loopback interface.
Step 7: Add asdm image (if necessary)
Now that the basic config is in place you can ping the ASA from the desktop successfully.
Before ASDM will work you need to upload the image to the ASA in GNS3.
I use TFTPD32 as TFTP server. Start it and have an ASDM image available:
Now from the CLI, run the following command on ASA1:
copy tftp://192.168.12.1/asdm-713.bin flash:/asdm-713.bin
Now from the CLI, run the following command on ASA2:
copy tftp://172.16.24.1/asdm-713.bin flash:/asdm-713.bin
Next configure the ASDM image for usage on both:
asdm image flash:/asdm-713.bin
Verify: sh asdm image
Step 8: Add Activation License Key on ASA
ASA1# conf t
ASA1(config)# activation-key *****
ASA1(config)# activation-key *****
ASA1(config)# wr mem
After rebooting the ASA you can verify that the license is applied:
sh version
Step 9: Now that the inside of both networks is working, we need to configure the outside of both ASAs and the internet router.
Copy the section of the file between one # and the next # and simply paste it on the device.
Always save the config. (wr mem)
Step 10: Verify connection
Ping from ASA1 to the ASA2 outside IP address (24.17.23.12). You should get replies.
Ping from ASA2 to the ASA1 outside IP address (11.1.2.1). You should get replies.
Do not go to phase 2 if this verification does not succeed.
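As an added illustration of steps 9 and 10 (not the configuration file from the original post), this is what the outside configuration of the two ASAs and the internet router can look like with the addresses used above. The /24 masks, the .254 router addresses, the IOS interface names FastEthernet0/0 and 0/1 and the ASA interface name GigabitEthernet1 are assumptions, since the post does not state them; adjust them to your own topology.

```text
! --- Internet router (IOS): one interface towards each ASA outside subnet ---
! Assumed: /24 masks and .254 router addresses (not given in the post)
interface FastEthernet0/0
 description Internet -> ASA1 outside
 ip address 11.1.2.254 255.255.255.0
 no shutdown
interface FastEthernet0/1
 description Internet -> ASA2 outside
 ip address 24.17.23.254 255.255.255.0
 no shutdown
!
! --- ASA1: outside interface (lowest security level) and default route ---
! Assumed: GigabitEthernet1 is the outside interface of the emulated ASA
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 11.1.2.1 255.255.255.0
 no shutdown
route outside 0.0.0.0 0.0.0.0 11.1.2.254
wr mem
!
! --- ASA2: same structure, other subnet ---
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 24.17.23.12 255.255.255.0
 no shutdown
route outside 0.0.0.0 0.0.0.0 24.17.23.254
wr mem
!
! --- Step 10 verification: each ASA pings the other's outside address ---
! On ASA1:
ping 24.17.23.12
! On ASA2:
ping 11.1.2.1
! If the pings fail, check "show interface ip brief" and "show route"
! on the ASA before moving on to the tunnel configuration.
```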