Emulate an IPsec Site-to-Site tunnel with Cisco ASA 5520 in GNS3: Preparation Phase 1

Background

We have multiple IPsec Site-to-Site VPN tunnels within our company. The purpose of the VPN tunnels is to connect specific applications that are hosted at other companies. In production environments it is highly discouraged to change and test configurations, because the business these days does not accept any downtime.

Because of this I have chosen to emulate and learn the concepts of Site-to-Site IPsec tunnels within a lab environment.

Cisco ASA firewalls are expensive. For this reason I have chosen to emulate the software in GNS3.

GNS3 is free to download.
For more information follow this link: http://www.gns3.net/

Preparation in GNS3

Before we start configuring, there is a lot of preparation that needs to be done.

Step 1: What are the requirements? In this case a site-to-site IPsec VPN. So we need 2 sites, 2 different networks and 2 firewalls, of which 1 is an ASA.

Step 2: Design a Topology.

[Figure: Topology 1]

The addresses used here are not used in any way in production. 🙂

Step 3: Prepare GNS3 to use Cisco ASA images.

(I am not going to provide the images, only describe what my configuration is.)

My settings within GNS3 are:

First go to Edit, Preferences.

Click on QEMU, then on the ASA tab.

[Figure: Qemu Settings 1]

You need to have the ASA images, otherwise it will not work. Locate and select them within the ASA Specific Settings (initrd and kernel).

To make things really easy I have prepared a notepad file with all the settings.

Simply copy and paste it into GNS3.

Link: Qemu_Config_GNS3

When done click on Save.

Step 4: Create at least 2 loopback adapters on your client. I use Windows 7.

I have made a separate manual, which can be found here.

Step 5: After the loopback interfaces are added, it is time to create a new “Template” project:

Why do you need a template?

Reason 1: Otherwise you need to upload and configure the ASDM image over and over again whenever you make a new project. If you do not use ASDM, forget about reason 1.

Reason 2: Because the default ASA image has no license features enabled, you have to activate the features with activation keys. Import the activation keys to have an ASA with full functionality. Think of failover, VPN-DES/3DES, unlimited hosts, etc.

Motivation for using a template

Because of these 2 reasons I have chosen to take a standard ASA image, import the ASDM image and import the activation key, and save the project as a template, so that whenever I want to test something with an ASA appliance all the options are available.

Start GNS3 as administrator, otherwise loopback interface errors may occur.

Add 2 ASA firewalls, 2 switches, 1 router (with 2 interfaces, named Internet) and 2 clients to the topology.

Connect the devices as shown in the following diagram:

[Figure: Topology 2]

When connecting the clients you first need to add the loopback interfaces created earlier.

Right-click on the computer and click on C1.

[Figure: Node configurator 1]

The available NICs will be shown. Select the loopback interface and click Add.

When connecting the Ethernet cable a new option will be available to connect to the loopback interface.

Step 6: Boot the ASA images and apply a basic config.

I have created basic configuration documents for the ASAs:

base_config asa

base_config asa2

After the basic configuration you should be able to ping the loopback.

Step 7: Add ASDM image (if necessary)

Now that the basic config is added you can ping the ASA from the desktop successfully.

Before ASDM will work you need to upload the image to the ASA in GNS3.

I use TFTPD32 as TFTP server. Start it and have an ASDM image available:

[Figure: asdm_image]

Now from the CLI I run the following command on ASA1:

copy tftp://192.168.12.1/asdm-713.bin flash:/asdm-713.bin

Now from the CLI I run the following command on ASA2:

copy tftp://172.16.24.1/asdm-713.bin flash:/asdm-713.bin

Next configure the ASDM image for use on both (the path uses a forward slash, like the copy command above):

asdm image flash:/asdm-713.bin

Verify: sh asdm image

[Figure: sh asdm image output]

Step 8: Add Activation License Key on ASA

ASA1# conf t
ASA1(config)# activation-key *****

ASA1(config)# activation-key *****

ASA1(config)# wr mem

After a reboot of the ASA you can verify whether the license is applied:

sh version

[Figure: License output of sh version]
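Reading the licence table of sh version by eye is error-prone, so here is an added example (my own script, not part of the original post and not a Cisco tool) that parses that table and reports which of the features the lab needs are still missing after the activation key. The two sh version excerpts are constructed samples in the format the ASA prints, and the expected values in REQUIRED are assumptions about what a fully licensed 5520 should show for failover, VPN-DES/3DES and inside hosts.

```python
import re

# Constructed sample of the licence section of `show version` on an ASA
# after an activation key has been applied (not captured from a real box).
AFTER_KEY = """\
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
Other VPN Peers                   : 750            perpetual

This platform has an ASA 5520 VPN Plus license.
"""

# Constructed sample of the same section on the unlicensed image, before
# the activation key: the features the lab needs are not enabled.
BEFORE_KEY = """\
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 50             perpetual
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Disabled       perpetual
Security Contexts                 : 0              perpetual
Other VPN Peers                   : 10             perpetual
"""

# Features the post says the template needs; the accepted values are an
# assumption of this example, adjust them to your own licence.
REQUIRED = {
    "Failover": {"Active/Active", "Active/Standby"},
    "VPN-DES": {"Enabled"},
    "VPN-3DES-AES": {"Enabled"},
    "Inside Hosts": {"Unlimited"},
}

# "<feature name>   : <value>   perpetual" -> capture name and first value token
LINE_RE = re.compile(r"^(?P<name>[A-Za-z0-9 /\-]+?)\s*:\s*(?P<value>\S+)")


def parse_license(show_version):
    """Return {feature: value} from the 'Licensed features' table.

    Only the block that starts with the 'Licensed features' header is read;
    the first blank line ends it, so trailing summary text is ignored."""
    features = {}
    in_block = False
    for line in show_version.splitlines():
        if line.startswith("Licensed features for this platform"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.strip():
            break
        m = LINE_RE.match(line)
        if m:
            features[m.group("name").strip()] = m.group("value")
    return features


def missing_features(features, required=REQUIRED):
    """List the required features whose value is absent or not acceptable."""
    problems = []
    for name, allowed in required.items():
        value = features.get(name, "<absent>")
        if value not in allowed:
            problems.append(f"{name}: {value} (want one of {sorted(allowed)})")
    return problems


if __name__ == "__main__":
    for label, text in (("before key", BEFORE_KEY), ("after key", AFTER_KEY)):
        problems = missing_features(parse_license(text))
        print(label, "->", "OK" if not problems else "; ".join(problems))
```

Paste the real output of sh version into a file and feed it to parse_license instead of the constructed samples; an empty list from missing_features means the template has everything the later phases rely on.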

Step 9: Now that the inside of the networks is working, we need to configure the outside of both ASAs and the Internet router.

Within the file, copy from the # up to the next # and simply paste it on the device.

config outside

Always save the config (wr mem).

Step 10: Verify the connection

Ping from ASA1 to the ASA2 outside IP address (24.17.23.12). You should get replies.

Ping from ASA2 to the ASA1 outside IP address (11.1.2.1). You should get replies.

Do not go to Phase 2 if the verification does not work.
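The gate at the end of Step 10 (both pings must get replies before Phase 2 starts) can be checked mechanically. The following is an added example, my own code and not part of the original post: it parses ASA ping transcripts for both directions, prefers the "Success rate" summary line and falls back to counting the reply marks when a capture is cut off, and flags a lossy path separately from a dead one. The three transcripts are constructed samples using the lab addresses from the post; the output text itself is made up.

```python
import re

# Constructed ASA ping transcript, ASA1 -> ASA2 outside address, all replies.
PING_ASA1_TO_ASA2 = """\
ASA1# ping 24.17.23.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.17.23.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
"""

# Constructed transcript, ASA2 -> ASA1 outside address, no replies at all.
PING_ASA2_TO_ASA1_FAILED = """\
ASA2# ping 11.1.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.1.2.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
"""

# Constructed transcript with partial loss: replies arrive, but not all.
PING_PARTIAL = """\
ASA2# ping 11.1.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.1.2.1, timeout is 2 seconds:
!.!!.
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/1/1 ms
"""

RATE_RE = re.compile(r"Success rate is (\d+) percent \((\d+)/(\d+)\)")
MARKS = set("!.?")  # '!' reply; '.' or '?' no reply


def parse_ping(transcript):
    """Return (received, sent) for one ping transcript.

    The summary line is authoritative; if it is missing (truncated capture)
    the line of reply marks is counted instead."""
    m = RATE_RE.search(transcript)
    if m:
        return int(m.group(2)), int(m.group(3))
    for line in transcript.splitlines():
        marks = line.strip()
        if marks and set(marks) <= MARKS:
            return marks.count("!"), len(marks)
    raise ValueError("no ping result found in transcript")


def phase1_verified(transcripts):
    """Gate for Phase 2: every direction must have at least one reply.

    Returns (verified, report) where report maps each label to the counts,
    whether that direction is usable and whether it showed packet loss."""
    report = {}
    for label, text in transcripts.items():
        received, sent = parse_ping(text)
        report[label] = {
            "received": received,
            "sent": sent,
            "ok": received > 0,
            "lossy": 0 < received < sent,
        }
    return all(r["ok"] for r in report.values()), report


if __name__ == "__main__":
    ok, report = phase1_verified({
        "ASA1 -> ASA2 (24.17.23.12)": PING_ASA1_TO_ASA2,
        "ASA2 -> ASA1 (11.1.2.1)": PING_ASA2_TO_ASA1_FAILED,
    })
    for label, r in report.items():
        print(f"{label}: {r['received']}/{r['sent']}",
              "OK" if r["ok"] else "NO REPLIES", "(lossy)" if r["lossy"] else "")
    print("proceed to Phase 2:", ok)
```

A lossy direction still passes the gate, since the post only asks for replies, but it is worth fixing before the IPsec work starts: intermittent loss on the outside path shows up later as flapping tunnels that are much harder to diagnose.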

Phase 2 can be found here.
