Cert_NTP: (We need this router to have the correct time since it is going to be the NTP server)
In this lab, three devices will use RSA signatures (RSA-Sig) for authentication: R2, R3 and ASA1. All of them need the NTP server to set their clocks, since certificate validity checks depend on correct time.
AT R2 and R3:
AT ASA1:
At this point, ASA1 and R2 will successfully communicate with the NTP server and will be on the way to synchronizing, but R3 will have trouble reaching the NTP server because it sits on the OUTSIDE interface of ASA2. NTP communicates on UDP port 123, so we will have to open an ACL for it.
At this point, the NTP configuration is complete. The clocks may not have synchronized yet because NTP takes a long time to synchronize. As a shortcut, use the following command on all three devices to set the current time (with the appropriate date and time):
Certificate Configurations:
Since we are using RSA-Sig in this lab, we will configure a Certificate Authority server to issue the certificates. In this example, Cert_NTP will be configured as the CA.
Certificate Server
At this point, it will ask for a password and then ask you to confirm it.
Certificate Client (R2 and R3)
Again we will have trouble with the ASA. Since certificate enrolment between client and server happens over HTTP, the HTTP connection initiated from R3 will be blocked by the ASA. Use the following command to open port 80.
Certificate Client (ASA)
At this point, we should have certificates on all the devices and be ready to configure the VPN!
VPN Configuration R2 and ASA
Interesting Traffic: 1.1.1.1 <—> 2.2.2.2
On R2: (Regular VPN Config)
On ASA:
Remember that for VPN the two critical protocols/ports are ESP and UDP 500 (ISAKMP). Now if we initiate traffic from the loopback of R2 to the loopback of R1, the UDP exchange is inspected statefully and its replies are allowed back. ESP will go from R2 to ASA1, but will not return, because ESP carries no port information for the ASA to track. Hence we have to open an ACL for ESP coming from DMZ to INSIDE.
But since we also need to be able to initiate traffic from R1's loopback, we have to create an ACL entry for UDP 500 as well.
VPN Configuration R3 and ASA
Interesting Traffic: 1.1.1.1 <—> 3.3.3.3
The router and ASA configurations are the same except for the different IP addresses in this setup. But in this case, if we initiate traffic from R3 to R1, we have to create ACL entries for both ESP and ISAKMP (UDP 500) from OUTSIDE to DMZ. We make use of the same ACL OUT_IN used previously.
But traffic from DMZ to OUTSIDE will also be blocked due to the explicit deny in the ACL 'DMZ_IN', so let us add to that ACL:
At this point, the VPNs between R2 and R1 and between R3 and R1 will come up!
Hairpinning
Hairpinning is the method of using the tunnels from R2 to the ASA and from R3 to the ASA to communicate between the R2 and R3 loopbacks. We have to add one crypto ACL entry each on R2 and R3, and two crypto ACL entries on the ASA, as mentioned below:
On the ASA, be careful to update the existing ACLs so that the new ACL entry with the same number has a different source but the same destination (as given below)!
At this point, if you try pinging from the loopback of R2 to the loopback of R3, SAs will be created, but the ping will not succeed. This is because the ASA does not, by default, allow SAME SECURITY LEVEL TRAFFIC! Use the following command:
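As an added example (not the lab's own configuration, which this page does not reproduce), here are the ASA ACL entries and the same-security setting that the steps above call for, collected in one place. Interface names (INSIDE, DMZ, OUTSIDE) and ACL names (OUT_IN, DMZ_IN) come from the writeup; every `<...>` address is a placeholder, and the example assumes a single ASA carrying all three interfaces, whereas the lab may split them across ASA1 and ASA2.

```cisco
! Added example, not the lab's config. INSIDE/DMZ/OUTSIDE, OUT_IN and DMZ_IN are
! the names used in the writeup; every <...> value is a placeholder for an
! address the page does not give. Scope each permit to the host pair that needs
! it rather than "any", so the opening is no wider than the lab requires.

! NTP: R3 sits behind the OUTSIDE interface and must reach the NTP server (UDP 123)
access-list OUT_IN extended permit udp host <R3_IP> host <NTP_SERVER_IP> eq 123

! Certificate enrolment: the CA (Cert_NTP) is reached over HTTP (TCP 80)
access-list OUT_IN extended permit tcp host <R3_IP> host <CA_IP> eq 80

! IPsec from R3 towards R1: ISAKMP (UDP 500) plus ESP. The ASA tracks the UDP
! exchange statefully, but ESP carries no ports, so it needs an explicit permit.
access-list OUT_IN extended permit udp host <R3_IP> host <R1_IP> eq 500
access-list OUT_IN extended permit esp host <R3_IP> host <R1_IP>
access-group OUT_IN in interface OUTSIDE

! Same for R2 on the DMZ: ESP towards INSIDE, and ISAKMP so that R1 can also
! initiate. These entries must come before the ACL's explicit deny.
access-list DMZ_IN extended permit udp host <R2_IP> host <R1_IP> eq 500
access-list DMZ_IN extended permit esp host <R2_IP> host <R1_IP>
access-group DMZ_IN in interface DMZ

! Hairpinning: by default the ASA drops traffic between two interfaces that share
! a security level (inter-interface) and traffic that enters and leaves the same
! interface (intra-interface). Enable only the form your topology actually needs;
! each one widens what the firewall forwards.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

! Verify: hit counts on the entries should increase as R2 and R3 bring up their tunnels
show access-list OUT_IN
show access-list DMZ_IN
show running-config same-security-traffic
```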