Welcome back to this series where we cover CCNA Security topics using Cisco Packet Tracer in our labs. In the last lab, we looked at NAT and ACLs. In this lab, we will consider two types of VPN on the Cisco ASA – IPsec site-to-site VPN and Clientless SSL VPN.
Note: Because of the limitations of Packet Tracer, we will have to roll back from the configuration in our last lab to the configuration in our second lab. The limitation is that we cannot configure an NAT exemption on the ASA 5505 included in Packet Tracer and this will affect our VPN configuration since we configured PAT in the previous lab.
The lab setup we will be using in this article is as shown below:
Two files are attached to this article:
cisco_asa_vpn_init.pkt: The devices in this Packet Tracer file have basic IP address settings and should be used as your starting point if you want to follow along with the tasks in this lab.
cisco_asa_vpn_final.pkt: This Packet Tracer file contains the lab setup configured to meet the lab tasks.
The tasks for this lab are as follows:
Configure a site-to-site VPN between ASA0 and ASA1 to protect TCP/ICMP traffic between subnet 10.0.0.0/24 and 192.168.1.0/24. For IKE phase 1, use a pre-shared key of “cisco123”, encryption of AES, SHA hash, and Diffie-Hellman group 2. For IKE phase 2, use “ESP-AES-192” and “ESP-SHA-HMAC” in the transform set.
Confirm that traffic between Inside0_User and Inside1_User is encrypted using the VPN tunnel.
Enable clientless SSL VPN (WebVPN) on the outside interface of ASA0. When a user logs into the WebVPN, there should be a bookmark link called “Packet Tracer Web Page” pointing to https://172.16.10.100. Create a user on ASA0 called “sslvpnuser” with password “sslvpn123”. Also create a group policy that contains the URL you created and attach this group policy to the “sslvpnuser” username.
Task 1: Site-to-Site VPN
You can go over this article on the Intense School site that discusses the components of VPN on the Cisco ASA. Even though the ASA on Packet Tracer supports only a limited set of features for VPN, it supports just enough to configure basic site-to-site VPN.
Note: In most real-life scenarios, you will have NAT configuration for internal users to connect to the Internet just like we had in the previous lab. If you then want to configure VPN, you will need to exempt the VPN traffic from NAT. The commands to configure NAT exemption are not available on Packet Tracer 6.2 so we will just rely on routing.
Something else to keep in mind is that on real ASAs, the sysopt connection permit-vpn command is configured by default and it allows VPN traffic to automatically bypass ACL checks. However, with the ASA on Packet Tracer, VPN traffic does not automatically bypass ACL checks and must be manually allowed.
The configuration on ASA0 is as follows:
access-list VPN_TRAFFIC extended permit tcp 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list VPN_TRAFFIC extended permit icmp 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 ! access-list ALLOW_VPN_TRAFFIC extended permit tcp 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 access-list ALLOW_VPN_TRAFFIC extended permit icmp 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 ! access-group ALLOW_VPN_TRAFFIC out interface inside ! crypto ikev1 policy 10 encr aes authentication pre-share group 2 ! crypto ikev1 enable outside ! crypto ipsec ikev1 transform-set TRANS_SET esp-aes esp-sha-hmac ! crypto map CRYP_MAP 10 match address VPN_TRAFFIC crypto map CRYP_MAP 10 set peer 184.108.40.206 crypto map CRYP_MAP 10 set security-association lifetime seconds 7200 crypto map CRYP_MAP 10 set ikev1 transform-set TRANS_SET crypto map CRYP_MAP interface outside ! tunnel-group 220.127.116.11 type ipsec-l2l tunnel-group 18.104.22.168 ipsec-attributes ikev1 pre-shared-key cisco123 !
The configuration on ASA1 is a mirror of the one on ASA0:
access-list VPN_TRAFFIC extended permit tcp 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 access-list VPN_TRAFFIC extended permit icmp 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 ! access-list ALLOW_VPN_TRAFFIC extended permit tcp 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list ALLOW_VPN_TRAFFIC extended permit icmp 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 ! access-group ALLOW_VPN_TRAFFIC out interface inside ! crypto ikev1 policy 10 encr aes authentication pre-share group 2 ! crypto ikev1 enable outside ! crypto ipsec ikev1 transform-set TRANS_SET esp-aes esp-sha-hmac ! crypto map CRYP_MAP 10 match address VPN_TRAFFIC crypto map CRYP_MAP 10 set peer 192.0.2.1 crypto map CRYP_MAP 10 set ikev1 transform-set TRANS_SET crypto map CRYP_MAP interface outside ! tunnel-group 192.0.2.1 type ipsec-l2l tunnel-group 192.0.2.1 ipsec-attributes ikev1 pre-shared-key cisco123 !
Note: Packet Tracer may give you a warning message that the crypto map is incomplete. Ignore it. Also, you may get a warning about the tunnel-group name you have chosen; on a real device, this should only show if you configure a named tunnel-group and not an IP address.
Task 2: Site-to-Site Verification
Before initiating traffic between the two protected networks, we can first check the ISAKMP SAs which should be empty:
Now, we can initiate traffic from any of the inside user devices. The easiest traffic to test with is ICMP traffic so let’s go with that:
Now if we check the ISAKMP SA on one of the ASAs, we should see an SA between this ASA and the other one:
To confirm that the traffic is indeed being encrypted using the VPN tunnel, we need to check the IPsec SAs using the show crypto ipsec sa command:
Note: I found many issues with the VPN configuration on the Cisco ASA in Packet Tracer 6.2. It’s quite unstable and you may have to remove a crypto map from an interface and re-add it for the VPN to come up. Also, the stats displayed in the IPsec SA should show both encrypted and decrypted traffic increasing for each type of traffic (ICMP/TCP). What I noticed is that the encrypted ICMP traffic is showing under the correct SA but the return traffic (decrypted) is showing under the SA for TCP traffic as shown below:
Task 3: Clientless SSL VPN
Clientless SSL VPN is a variant of SSL VPN where users can connect directly from a web browser without requiring a VPN client.
For this task, we need to first create bookmarks from the ASA’s Config tab as shown below:
We can then go ahead with the configuration on the ASA:
webvpn enable outside ! group-policy WEBVPN_POLICY internal group-policy WEBVPN_POLICY attributes vpn-tunnel-protocol ssl-clientless webvpn url-list value “Packet Tracer Web Page” ! username sslvpnuser password sslvpn123 username sslvpnuser attributes vpn-group-policy WEBVPN_POLICY !
To test this configuration, we will connect to https://192.0.2.1/ from the VPN_User laptop. An authorization box will pop up so we can enter the user credentials:
If the user is successfully authenticated, he/she will be presented with the SSL VPN home page where any URL links we have configured will be displayed:
If we click on the “Packet Tracer Web Page” link, the contents of that webpage will be displayed on the same home page:
Note: Keep in mind that Packet Tracer is a simulation tool and the way clientless SSL VPN works and looks (authentication, portal, etc.) on a real ASA is different. However, the basic concepts are the same.
Side note: In the blueprint for the exam, the candidate is supposed to know how to configure clientless SSL VPN using the ASDM and not the command line so fear not.
This brings us to the end of this lab where we have configured site-to-site and clientless SSL VPN on the Cisco ASA. I hope you have found this lab insightful.
References and Further Reading
VPN ON THE CISCO ASA – Introduction: http://resources.intenseschool.com/vpn-on-the-cisco-asa-introduction/
Packet Tracer lab 17 – Site to site IPSEC VPN with ASA 5505: http://www.packettracernetwork.com/labs/lab17-asa-ipsec-vpn.html
Packet Tracer lab 16: Clientless SSL VPN: http://www.packettracernetwork.com/labs/lab16-asa-webvpn.html