
ASA 5505 Isolated Networks with Site-to-Site VPN Access

Bryan Moorman
Level 1

I'm in the process of setting up an ASA 5505 for a remote site and need some assistance determining whether what I want to do is possible, as well as whether I need to upgrade the license from Base to Security Plus.

Remote Site ASA 5505 Interfaces:
Outside (Interface 0) - Public Internet, Static IP (Connected to Sierra Wireless AirLink Gateway)
AMI (Interface 1) (VLAN 742) - 10.40.31.129/25 
SCADA (Interface 2) (VLAN 772) - 10.70.0.5/30 

I need to ensure that the two internal VLANs cannot access/talk to one another and that the "SCADA" network cannot access the Internet, just remote subnets across a VPN tunnel.

ASA will need to have three IPsec tunnels:
Tunnel 1 to SCADA Firewall
Remote Site - 10.70.0.4/30 Subnet
Central Site - 10.101.41.0/24 Subnet
Tunnel 2 to Corporate Firewall
Remote Site - 10.40.31.129/25 Subnet
Central Site - 192.168.110.0/24 and 192.168.210.0/24 Subnet
Tunnel 3 to Partner Firewall
Remote Site - 10.40.31.129/25 Subnet
Partner Site Subnets

The ASA is running 9.1(5) and ASDM 7.1(6).  

I've attached a diagram of what the connections look like between sites.

4 Replies

Jigar Dave
Level 3

I reviewed your attached diagram and am trying to give you as much as I can.

Other gurus, please correct me if I am missing anything.

If I remember correctly, with the Base license you can set up VPN peers.

interface Ethernet0/0
nameif outside
security-level 0
ip address public ip, subnet mask

int e0/1
nameif AMI
security-level 100
ip add 10.40.31.129 255.255.255.128

int e0/2
nameif SCADA
security-level 10
ip add 10.70.0.5 255.255.255.252

route outside 0.0.0.0 0.0.0.0 public IP

tunnel-group 173.8.244.181 type ipsec-l2l
tunnel-group 173.8.244.181 ipsec-attributes
 ikev1 pre-shared-key Pr3$h@r3DkEyScAdA

tunnel-group 173.8.244.189 type ipsec-l2l
tunnel-group 173.8.244.189 ipsec-attributes
 ikev1 pre-shared-key Pr3$h@r3DkEyC0Rp

tunnel-group 148.80.252.60 type ipsec-l2l
tunnel-group 148.80.252.60 ipsec-attributes
 ikev1 pre-shared-key Pr3$h@r3DkEypArTN3R


! enable IKEv1 on the outside interface
crypto ikev1 enable outside

crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 15
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800

crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5

crypto ipsec security-association lifetime seconds 86400

crypto ipsec ikev1 transform-set kerseyami esp-aes-256 esp-sha-hmac

crypto map VPN 10 match address SCADA
crypto map VPN 10 set peer 173.8.244.181
crypto map VPN 10 set ikev1 transform-set kerseyami
crypto map VPN 10 set security-association lifetime seconds 86400

crypto map VPN 20 match address CORP
crypto map VPN 20 set peer 173.8.244.189
crypto map VPN 20 set ikev1 transform-set kerseyami
crypto map VPN 20 set security-association lifetime seconds 86400

crypto map VPN 30 match address PARTNER-FW
crypto map VPN 30 set peer 148.80.252.60
crypto map VPN 30 set ikev1 transform-set kerseyami
crypto map VPN 30 set security-association lifetime seconds 86400

! bind the crypto map to the interface the peers are reached through
crypto map VPN interface outside

access-list SCADA extended permit ip 10.70.0.4 255.255.255.252 10.101.41.0 255.255.255.0
access-list CORP extended permit ip 10.40.31.128 255.255.255.128 192.168.110.0 255.255.255.0
access-list CORP extended permit ip 10.40.31.128 255.255.255.128 192.168.210.0 255.255.255.0
access-list PARTNER-FW extended permit ip 10.40.31.128 255.255.255.128 subnets behind your Partner-FW

Note: on the other side of the firewalls (the SCADA side, CORP side and Partner FW side) you need to configure the same pre-shared key, the same crypto IKEv1 and IKEv2 policies and the same interesting traffic in order to have this working.

Let us know how this works.

JD...

Jigar,

Thanks. One follow-up question: when I try to configure a third nameif, I get an error that my current license does not allow this. I'm guessing I need to upgrade to a Security Plus license?

Hi,

You can use 3 interfaces in total with a Base License ASA5505.

The 3rd VLAN interface that you take into use is a DMZ Restricted type interface. If you check the output of "show version" you will see that your unit is licensed for 3 VLANs.

What this actually means is that you can activate the 3rd interface, but you will have to limit the interface so that users behind it won't be able to connect towards either of the 2 other VLAN interfaces. But I guess in your case this is not something that would cause problems, as you are actually aiming to limit the traffic.

When you have created the 3rd VLAN interface, try this:

interface Vlan772
 no forward interface Vlan742

After you have configured the above command under the new VLAN interface you can then continue to configure the interface with the "nameif", "security-level" and "ip address" configurations.

Notice that the above command only limits connectivity from behind this interface towards the one mentioned in the command. The other direction you will have to block with an interface ACL.

- Jouni
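Two things in this thread are easy to get wrong and cheap to check before the config goes on the box: whether each tunnel's crypto ("interesting traffic") ACL really names the local/remote subnet pair the question lists for that tunnel, and whether the inbound interface ACLs complete the isolation that "no forward interface" only enforces in one direction. The Python script below is an added example written for this page, not code from any of the posters or from Cisco. It parses ASA extended "ip" ACEs (a subset of the syntax), checks the crypto ACLs against the tunnel design from the original question, and evaluates constructed inbound ACLs with ASA's first-match semantics and implicit deny. The sample config is constructed: its two crypto ACLs deliberately use the AMI subnet as the local side of both tunnels and omit 192.168.210.0/24, the kind of slip the checker is meant to catch; the interface ACL names SCADA_in and AMI_in, the host addresses and 203.0.113.10 standing in for an Internet destination are assumptions. The "no forward interface" command itself is not modelled, only the ACL side of the picture.

```python
"""Audit an ASA segmentation design against its access-lists.

Added example, not code from the thread. Two checks:
 1. Does each crypto ACL permit the local/remote subnet pair its tunnel
    is supposed to carry?
 2. Do the inbound interface ACLs enforce the stated isolation (AMI and
    SCADA cannot talk, SCADA reaches only the tunnel subnets)?
ACL evaluation follows ASA semantics: first matching ACE wins and an
applied ACL ends with an implicit deny. Only extended 'ip' ACEs with
'ADDR MASK' or 'any' operands are parsed.
"""
import ipaddress
import re

# access-list NAME extended permit|deny ip SRC MASK DST MASK   ('any' allowed)
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+ip\s+"
    r"(any|\S+\s+\S+)\s+(any|\S+\s+\S+)$"
)

# Constructed sample. The two crypto ACLs repeat the AMI subnet as the local
# side of both tunnels (a slip the checker should flag); SCADA_in and AMI_in
# are assumed interface ACLs for the isolation the thread describes.
SAMPLE_CONFIG = """
access-list SCADA extended permit ip 10.40.31.128 255.255.255.128 10.101.41.0 255.255.255.0
access-list CORP extended permit ip 10.40.31.128 255.255.255.128 192.168.110.0 255.255.255.0
access-list SCADA_in extended permit ip 10.70.0.4 255.255.255.252 10.101.41.0 255.255.255.0
access-list AMI_in extended deny ip 10.40.31.128 255.255.255.128 10.70.0.4 255.255.255.252
access-list AMI_in extended permit ip 10.40.31.128 255.255.255.128 any
"""

# Tunnel design from the original question: crypto ACL -> (local, remote) pairs.
TUNNEL_DESIGN = {
    "SCADA": [("10.70.0.4/30", "10.101.41.0/24")],
    "CORP": [("10.40.31.128/25", "192.168.110.0/24"),
             ("10.40.31.128/25", "192.168.210.0/24")],
}


def _net(token):
    """'any' or 'ADDR MASK' (ASA uses real subnet masks, not wildcards) -> network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acls(config):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, action, src, dst = m.groups()
            acls.setdefault(name, []).append((action, _net(src), _net(dst)))
    return acls


def check_interesting_traffic(acls, design):
    """List (acl, local, remote) pairs no permit ACE in the crypto ACL covers.

    Traffic outside the crypto ACL never selects the tunnel, and a local
    subnet that differs from the peer's expectation fails proxy-ID matching.
    """
    missing = []
    for acl_name, pairs in design.items():
        aces = acls.get(acl_name, [])
        for local, remote in pairs:
            lnet, rnet = ipaddress.ip_network(local), ipaddress.ip_network(remote)
            covered = any(action == "permit" and s.supernet_of(lnet) and d.supernet_of(rnet)
                          for action, s, d in aces)
            if not covered:
                missing.append((acl_name, local, remote))
    return missing


def evaluate(aces, src_ip, dst_ip):
    """First-match lookup with ASA's implicit deny at the end of the ACL."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s, d in aces:
        if src in s and dst in d:
            return action
    return "deny"


def audit_isolation(acls):
    """Verdicts for the flows the question cares about (constructed hosts)."""
    flows = {
        "SCADA->central SCADA": ("SCADA_in", "10.70.0.6", "10.101.41.10"),
        "SCADA->AMI": ("SCADA_in", "10.70.0.6", "10.40.31.130"),
        "SCADA->Internet": ("SCADA_in", "10.70.0.6", "203.0.113.10"),
        "AMI->SCADA": ("AMI_in", "10.40.31.130", "10.70.0.6"),
        "AMI->Internet": ("AMI_in", "10.40.31.130", "203.0.113.10"),
        "AMI->corporate": ("AMI_in", "10.40.31.130", "192.168.110.20"),
    }
    return {name: evaluate(acls.get(acl, []), s, d) for name, (acl, s, d) in flows.items()}


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    for acl, local, remote in check_interesting_traffic(acls, TUNNEL_DESIGN):
        print(f"crypto ACL {acl}: no permit ACE covers {local} -> {remote}")
    for flow, verdict in audit_isolation(acls).items():
        print(f"{flow:22s} {verdict}")
```

Run as-is, the crypto check reports that the SCADA ACL never covers 10.70.0.4/30 and that CORP lacks 192.168.210.0/24, while the isolation audit shows SCADA_in permitting only the central SCADA subnet (Internet and AMI fall to the implicit deny) and AMI_in denying the SCADA /30 before its permit-any. On the ASA, an inbound ACL is applied with "access-group SCADA_in in interface SCADA"; the script is a design-time check of the same lines, not a substitute for "packet-tracer" on the live unit.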

Jouni is right.

But in addition to his explanation, another thing you can do is create subinterfaces on eth0/1 and combine the AMI and SCADA VLANs, like this:

interface eth0/1
 description ** suited to you **
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address

interface eth0/1.10
 vlan 10
 nameif AMI
 security-level 99
 ip add 10.40.31.129 255.255.255.128
!
interface eth0/1.20
 vlan 20
 nameif SCADA
 security-level 50
 ip add 10.70.0.5 255.255.255.252
