08-05-2014 02:01 PM - edited 03-11-2019 09:35 PM
I'm in the process of setting up an ASA 5505 for a remote site and needed some assistance determining if what I want to do is possible as well as if I need to upgrade the license from Base to Security Plus.
Remote Site ASA 5505 Interfaces:
Outside (Interface 0) - Public Internet, Static IP (Connected to Sierra Wireless AirLink Gateway)
AMI (Interface 1) (VLAN 742) - 10.40.31.129/25
SCADA (Interface 2) (VLAN 772) - 10.70.0.5/30
I need to ensure that the two internal VLANs cannot access/talk to one another and that the "SCADA" network cannot access the Internet, just the remote subnets across a VPN tunnel.
ASA will need to have three IPsec tunnels:
Tunnel 1 to SCADA Firewall
Remote Site - 10.70.0.4/30 Subnet
Central Site - 10.101.41.0/24 Subnet
Tunnel 2 to Corporate Firewall
Remote Site - 10.40.31.129/25 Subnet
Central Site - 192.168.110.0/24 and 192.168.210.0/24 Subnet
Tunnel 3 to Partner Firewall
Remote Site - 10.40.31.129/25 Subnet
Partner Site Subnets
The ASA is running 9.1(5) and ASDM 7.1(6).
I've attached a diagram of what the connections look like between sites.
08-05-2014 02:36 PM
I reviewed the diagram you attached and am trying to give you as much as I can.
Other gurus, please correct me if I am missing anything.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address public ip, subnet mask
interface Ethernet0/1
 nameif AMI
 security-level 100
 ip address 10.40.31.129 255.255.255.128
interface Ethernet0/2
 nameif SCADA
 security-level 10
 ip address 10.70.0.5 255.255.255.252
route outside 0.0.0.0 0.0.0.0 public IP
tunnel-group 173.8.244.181 type ipsec-l2l
tunnel-group 173.8.244.181 ipsec-attributes
ikev1 pre-shared-key Pr3$h@r3DkEyScAdA
tunnel-group 173.8.244.189 type ipsec-l2l
tunnel-group 173.8.244.189 ipsec-attributes
ikev1 pre-shared-key Pr3$h@r3DkEyC0Rp
tunnel-group 148.80.252.60 type ipsec-l2l
tunnel-group 148.80.252.60 ipsec-attributes
ikev1 pre-shared-key Pr3$h@r3DkEypArTN3R
! enable IKEv1 on the outside interface
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 86400
crypto ipsec ikev1 transform-set kerseyami esp-aes-256 esp-sha-hmac
crypto map VPN 10 match address SCADA
crypto map VPN 10 set peer 173.8.244.181
crypto map VPN 10 set ikev1 transform-set kerseyami
crypto map VPN 10 set security-association lifetime seconds 86400
crypto map VPN 20 match address CORP
crypto map VPN 20 set peer 173.8.244.189
crypto map VPN 20 set ikev1 transform-set kerseyami
crypto map VPN 20 set security-association lifetime seconds 86400
crypto map VPN 30 match address PARTNER-FW
crypto map VPN 30 set peer 148.80.252.60
crypto map VPN 30 set ikev1 transform-set kerseyami
crypto map VPN 30 set security-association lifetime seconds 86400
! the crypto map does nothing until it is bound to the interface the peers reach
crypto map VPN interface outside
! Tunnel 1: local side is the SCADA /30 (10.70.0.4/30), not the AMI subnet
access-list SCADA extended permit ip 10.70.0.4 255.255.255.252 10.101.41.0 255.255.255.0
! Tunnel 2: both central-site subnets listed in the first post
access-list CORP extended permit ip 10.40.31.128 255.255.255.128 192.168.110.0 255.255.255.0
access-list CORP extended permit ip 10.40.31.128 255.255.255.128 192.168.210.0 255.255.255.0
access-list PARTNER-FW extended permit ip 10.40.31.128 255.255.255.128 subnets behind your Partner-FW
Note: on the other side of each firewall (SCADA side, CORP side and Partner FW side), you need to configure the same pre-shared key, the same crypto IKE phase 1 and phase 2 policies and the same interesting traffic for this to work.
Let us know how this works.
JD...
08-05-2014 02:45 PM
Jigar,
Thanks. One follow-up question: when I try to do a third nameif, I get an error that my current license does not allow this. Guessing I need to upgrade to a Security Plus license?
08-05-2014 02:57 PM
Hi,
You can use 3 interfaces in total with a Base License ASA5505.
The 3rd Vlan interface that you take into use is a DMZ Restricted type interface. If you check the output of "show version" you will see that your unit is licensed for 3 Vlans.
What this actually means is that you can activate the 3rd interface, but you will have to limit the interface so that users behind it won't be able to connect towards either of the 2 other Vlan interfaces. But I guess in your case this is not something that would cause problems, as you are actually aiming to limit the traffic.
When you create the 3rd Vlan interface, try this:
interface Vlan772
 no forward interface Vlan742
After you have configured the above command under the new Vlan interface you can then continue to configure the interface with the "nameif" , "security-level" and "ip address" configurations.
Notice that the above command only limits connectivity from behind this interface towards the one mentioned in the command. The other direction you will have to block with interface ACL.
- Jouni
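Putting Jouni's two steps together (the `no forward interface` restriction and the interface ACL for the other direction) with the addressing and the "SCADA only over the VPN" requirement from the first post, the following is an added example configuration; it is not from any poster in this thread. It assumes ASA 9.1 syntax, that Vlan742 already carries the AMI nameif and that the switchports are assigned to the two VLANs, the peer 173.8.244.181 and transform-set name from Jigar's reply, and hypothetical object and ACL names. The partner subnets are not given in the thread, so that identity NAT is left out.

```cisco
! Added example, not posted in this thread. Object and ACL names are hypothetical.
! Step 1 (Jouni): on a Base license the 3rd VLAN must be restricted before it gets a nameif.
! This only blocks connections initiated from SCADA toward the AMI VLAN.
interface Vlan772
 no forward interface Vlan742
 nameif SCADA
 security-level 50
 ip address 10.70.0.5 255.255.255.252
!
object network AMI-NET
 subnet 10.40.31.128 255.255.255.128
object network SCADA-NET
 subnet 10.70.0.4 255.255.255.252
object network SCADA-CENTRAL
 subnet 10.101.41.0 255.255.255.0
object-group network CORP-NETS
 network-object 192.168.110.0 255.255.255.0
 network-object 192.168.210.0 255.255.255.0
!
! Step 2 (Jouni): the reverse direction, AMI -> SCADA, is blocked with an interface ACL.
! AMI keeps Internet access and its VPN destinations.
access-list AMI_IN extended deny ip object AMI-NET object SCADA-NET log
access-list AMI_IN extended permit ip object AMI-NET any
access-group AMI_IN in interface AMI
!
! First-post requirement: SCADA gets no Internet, only the central-site subnet over Tunnel 1.
! The explicit deny with "log" makes any stray SCADA traffic visible in syslog.
access-list SCADA_IN extended permit ip object SCADA-NET object SCADA-CENTRAL
access-list SCADA_IN extended deny ip any any log
access-group SCADA_IN in interface SCADA
!
! Identity NAT keeps VPN traffic untranslated so it still matches the crypto ACLs;
! everything else from AMI is PATed to the outside address.
nat (SCADA,outside) source static SCADA-NET SCADA-NET destination static SCADA-CENTRAL SCADA-CENTRAL no-proxy-arp route-lookup
nat (AMI,outside) source static AMI-NET AMI-NET destination static CORP-NETS CORP-NETS no-proxy-arp route-lookup
object network AMI-NET
 nat (AMI,outside) dynamic interface
!
! Tunnel 1 crypto ACL uses the SCADA /30 as the local side, and the map is bound to outside.
access-list SCADA-VPN extended permit ip object SCADA-NET object SCADA-CENTRAL
crypto map VPN 10 match address SCADA-VPN
crypto map VPN 10 set peer 173.8.244.181
crypto map VPN 10 set ikev1 transform-set kerseyami
crypto map VPN interface outside
```

The two ACLs are what actually enforce the isolation: `no forward interface` covers SCADA-initiated traffic toward AMI, `AMI_IN` covers the other direction, and `SCADA_IN` turns "SCADA only reaches the central site" into a default-deny rule. `show access-list SCADA_IN` shows hit counts on the deny line, and the logged denies are the quickest way to spot a SCADA device trying to reach anything outside the tunnel.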
08-08-2014 09:20 PM
Jouni is right.
But in addition to his explanation, another thing you can do is create sub-interfaces on eth0/1 and combine the AMI and SCADA VLANs.
Like this:
interface Ethernet0/1
 description ** suited to you **
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.10
 vlan 10
 nameif AMI
 security-level 99
 ip address 10.40.31.129 255.255.255.128
!
interface Ethernet0/1.20
 vlan 20
 nameif SCADA
 security-level 50
 ip address 10.70.0.5 255.255.255.252