NCD – Cisco Adaptive Security Appliance (ASA) Example VPN Configuration


The following diagrams identify example VPN settings at the Navisite Cloud Director (NCD) Create/Edit VPN page, and map them to their corresponding values in the Cisco® Adaptive Security Appliance (ASA) example configuration, below.




Cisco Adaptive Security Appliance (ASA) VPN Configuration Elements

The following sections detail elements of the Cisco Adaptive Security Appliance (ASA) configuration displayed above, and provide additional information for use when configuring your VPN connection.

Object Group – Cisco ASA Device VLAN Subnet Network Information

This object-group defines the network information for the VLAN subnet on your Cisco ASA device.

object-group network [YOUR_LOCAL_VLAN_SUBNET]

     network-object [VLAN_NET_IP] [VLAN_NET_MASK]

Object Group – Navisite Cloud Director VLAN Subnet Network Information (Diagram Element 2)

This object-group defines the network information for the VLAN subnet in your NCD environment.

object-group network [YOUR_REMOTE_NCD_VLAN_SUBNET]

     network-object [VLAN_NET_IP] [VLAN_NET_MASK]

Access List

The access-list identifies traffic from the local and remote VLANs as requiring encryption.

access-list ipsec-[YOUR_VPN_NAME] extended permit ip object-group [YOUR_LOCAL_VLAN_SUBNET] object-group [YOUR_REMOTE_NCD_VLAN_SUBNET]

Route Setup

This route command allows traffic bound for the remote NCD subnet to be routed externally.

route outside [YOUR_REMOTE_NCD_VLAN_SUBNET] [YOUR_REMOTE_NCD_VLAN_MASK] [ASA_EXTERNAL_IP] 1

Maximum Transmission Unit (MTU) Size (Diagram Element 5)

The mtu command sets the Maximum Transmission Unit (MTU), or largest allowable packet size, on the interface that hosts the VLAN subnet on your Cisco ASA device (e.g., Ethernet0/1.123, or the nameif defined on Ethernet0/1.123).

mtu [NAMEIF_OR_INTERFACE_ID] 1500

Encryption – Crypto Transform Set (Diagram Element 3)

The crypto ipsec transform-set defines the combination of security protocols and algorithms used for the VPN connection. The following example shows a transform set using 3DES encryption with the SHA-1 HMAC hash. To connect with NCD, encryption can be set to 3des, aes, or aes-256; the hash must be esp-sha-hmac.

crypto ipsec transform-set [TRANSFORM_SET_NAME] esp-3des esp-sha-hmac

IPSec Security Association (SA) Lifetime

The ipsec security-association lifetime value must be set to 28800 seconds (8 hours).

crypto ipsec security-association lifetime seconds 28800

VPN Crypto Map (Diagram Element 1)

Configure the VPN crypto map as follows:
  • Set the match address to the previously specified access-list

  • Enable perfect forward secrecy (pfs)

  • Specify the public IP address of the peer site

  • Set the transform-set to the previously defined ipsec transform-set

  • Set the security-association (SA) lifetime to 3600 seconds (1 hour)

  • Bind the crypto map to the outside interface of the ASA device

crypto map CMAP_outside 20 match address ipsec-[YOUR_VPN_NAME]

crypto map CMAP_outside 20 set pfs

crypto map CMAP_outside 20 set peer [PEER_SITE_PUBLIC_IP]

crypto map CMAP_outside 20 set transform-set [TRANSFORM_SET_NAME]

crypto map CMAP_outside 20 set security-association lifetime seconds 3600

crypto map CMAP_outside interface [ASA_DEVICE_OUTSIDE_INTERFACE]

ISAKMP

Configure the ISAKMP policy as follows:
  • Configure the IP address of the host ASA as phase 2 ID

  • Enable ISAKMP negotiation on the outside interface

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

     authentication pre-share

     encryption 3des

     hash sha

     group 2

     lifetime 28800

VPN Tunnel Setup (Diagram Elements 1 & 4)

Configure the VPN tunnel as follows:
  • Configure the ipsec tunnel using type ipsec-l2l (for a LAN-to-LAN VPN over the public internet)

  • Configure the tunnel with a pre-shared key – it is recommended that you use the pre-shared key generated by NCD.

tunnel-group [PEER_SITE_PUBLIC_IP] type ipsec-l2l

tunnel-group [PEER_SITE_PUBLIC_IP] ipsec-attributes

     pre-shared-key [PRE_SHARED_KEY_PASSWORD]
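To show how the elements above fit together, here is an added Python example (not Navisite's or Cisco's own code) that assembles the fragments from this article into one ASA configuration using constructed sample values, and then checks any ASA configuration text against the NCD requirements stated above (esp-sha-hmac hash, 3des/aes/aes-256 encryption, 28800-second IPsec SA and ISAKMP lifetimes, 3600-second crypto map lifetime, pfs enabled, and consistent access-list, transform-set, peer and tunnel-group names). The object-group and transform-set naming, the addresses (RFC 5737 documentation ranges) and the outside next-hop parameter are assumptions made for the example.

```python
"""Assemble and sanity-check an NCD site-to-site VPN configuration for a Cisco ASA.

Added example; not Navisite's or Cisco's code. All names, addresses and the key
below are constructed sample values standing in for the article's placeholders.
"""
import re

SAMPLE = {  # constructed values; replace with your own
    "vpn_name": "ncd-dc1",
    "local_vlan_net": "10.10.20.0", "local_vlan_mask": "255.255.255.0",
    "remote_vlan_net": "172.16.30.0", "remote_vlan_mask": "255.255.255.0",
    "outside_nameif": "outside", "inside_nameif": "vlan123",
    "outside_gateway": "203.0.113.1",   # assumed: next hop on the outside interface
    "peer_ip": "198.51.100.10",         # NCD public peer IP (constructed)
    "psk": "REPLACE_WITH_NCD_GENERATED_KEY",
    "encryption": "esp-3des",           # esp-3des, esp-aes or esp-aes-256
}

def render_ncd_vpn_config(p):
    """Return the ASA configuration this article describes, filled in from p."""
    acl, ts = f"ipsec-{p['vpn_name']}", f"TS-{p['vpn_name']}"
    local_og, remote_og = f"LOCAL-{p['vpn_name']}", f"NCD-{p['vpn_name']}"
    seq = f"crypto map CMAP_outside 20"
    lines = [
        f"object-group network {local_og}",
        f" network-object {p['local_vlan_net']} {p['local_vlan_mask']}",
        f"object-group network {remote_og}",
        f" network-object {p['remote_vlan_net']} {p['remote_vlan_mask']}",
        f"access-list {acl} extended permit ip object-group {local_og} object-group {remote_og}",
        f"route {p['outside_nameif']} {p['remote_vlan_net']} {p['remote_vlan_mask']} {p['outside_gateway']} 1",
        f"mtu {p['inside_nameif']} 1500",
        f"crypto ipsec transform-set {ts} {p['encryption']} esp-sha-hmac",
        "crypto ipsec security-association lifetime seconds 28800",
        f"{seq} match address {acl}",
        f"{seq} set pfs",
        f"{seq} set peer {p['peer_ip']}",
        f"{seq} set transform-set {ts}",
        f"{seq} set security-association lifetime seconds 3600",
        f"crypto map CMAP_outside interface {p['outside_nameif']}",
        "crypto isakmp identity address",
        f"crypto isakmp enable {p['outside_nameif']}",
        "crypto isakmp policy 10",
        " authentication pre-share",
        f" encryption {re.sub(r'^esp-', '', p['encryption'])}",  # ISAKMP uses 3des/aes/aes-256
        " hash sha",
        " group 2",
        " lifetime 28800",
        f"tunnel-group {p['peer_ip']} type ipsec-l2l",
        f"tunnel-group {p['peer_ip']} ipsec-attributes",
        f" pre-shared-key {p['psk']}",
    ]
    return "\n".join(lines) + "\n"

def check_ncd_vpn_config(text):
    """Return a list of problems found in an ASA config text (empty list = OK)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    problems = []

    def grab(pattern):  # first line fully matching pattern, or None
        return next((m for ln in lines if (m := re.fullmatch(pattern, ln))), None)

    ts = grab(r"crypto ipsec transform-set (\S+) (\S+) (\S+)")
    if not ts:
        problems.append("no crypto ipsec transform-set defined")
    else:
        if ts.group(2) not in {"esp-3des", "esp-aes", "esp-aes-256"}:
            problems.append(f"transform-set encryption {ts.group(2)} not accepted by NCD")
        if ts.group(3) != "esp-sha-hmac":
            problems.append("transform-set hash must be esp-sha-hmac")
    sa = grab(r"crypto ipsec security-association lifetime seconds (\d+)")
    if not sa or sa.group(1) != "28800":
        problems.append("ipsec SA lifetime must be 28800 seconds")
    m = grab(r"crypto map (\S+) (\d+) match address (\S+)")
    if not m:
        return problems + ["crypto map has no match address"]
    cmap, seq, acl = m.groups()
    if not grab(rf"access-list {re.escape(acl)} extended permit ip .*"):
        problems.append(f"access-list {acl} referenced by crypto map is not defined")
    prefix = re.escape(f"crypto map {cmap} {seq} ")
    if not grab(prefix + "set pfs"):
        problems.append("crypto map does not enable pfs")
    peer = grab(prefix + r"set peer (\S+)")
    if not peer:
        problems.append("crypto map has no peer")
    elif f"tunnel-group {peer.group(1)} type ipsec-l2l" not in lines:
        problems.append(f"no ipsec-l2l tunnel-group for peer {peer.group(1)}")
    tset = grab(prefix + r"set transform-set (\S+)")
    if not (ts and tset and tset.group(1) == ts.group(1)):
        problems.append("crypto map transform-set does not match the defined transform-set")
    life = grab(prefix + r"set security-association lifetime seconds (\d+)")
    if not life or life.group(1) != "3600":
        problems.append("crypto map SA lifetime must be 3600 seconds")
    bound = grab(rf"crypto map {re.escape(cmap)} interface (\S+)")
    if not bound:
        problems.append("crypto map is not bound to an interface")
    elif f"crypto isakmp enable {bound.group(1)}" not in lines:
        problems.append(f"isakmp is not enabled on {bound.group(1)}")
    if "crypto isakmp identity address" not in lines:
        problems.append("isakmp identity must be address")
    pol = grab(r"lifetime (\d+)")  # the indented line inside the isakmp policy
    if not pol or pol.group(1) != "28800":
        problems.append("isakmp policy lifetime must be 28800 seconds")
    if not grab(r"pre-shared-key \S+"):
        problems.append("tunnel-group has no pre-shared-key")
    return problems

if __name__ == "__main__":
    cfg = render_ncd_vpn_config(SAMPLE)
    print(cfg)
    print("problems:", check_ncd_vpn_config(cfg))
```

The checker is deliberately strict about cross-references: a crypto map that names an access-list or transform-set that does not exist, or a peer with no matching ipsec-l2l tunnel-group, is a common reason a tunnel never reaches MM_ACTIVE, and it is cheaper to catch that in text than on the device.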

Verifying the Connection

Once the VPN connection to NCD has been established, it can be verified as follows:
  • From the ASA device, issue the following commands to check the status of the VPN tunnel connection:

    • show vpn-sessiondb

      • an active IPsec LAN-to-LAN session should be displayed

      • active IKE and IPsec tunnels should be displayed

    • show crypto isakmp

      • an IKE peer for the NCD public IP should be displayed with a state of MM_ACTIVE

    • show crypto ipsec stats

      • inbound and outbound encryption counters that change when pinging between the NCD and ASA firewall should be displayed

Once the VPN connection is verified, you should also be able to create Virtual Machines (VMs) in each environment and ping between them.
