Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 5505 Isolated Networks with Site-to-Site VPN Access

I'm in the process of setting up an ASA 5505 for a remote site and needed some assistance determining if what I want to do is possible as well as if I need to upgrade the license from Base to Security Plus.

Remote Site ASA 5505 Interfaces:
Outside (Interface 0) - Public Internet, Static IP (Connected to Sierra Wireless AirLink Gateway)
AMI (Interface 1) (VLAN 742) - 10.40.31.129/25 
SCADA (Interface 2) (VLAN 772) - 10.70.0.5/30 

I need to ensure that the two internal VLANs cannot access/talk to one another and the "SCADA" network cannot access Internet, just remote subnets across a VPN tunnel.

 

ASA will need to have three IPsec tunnels:
Tunnel 1 to SCADA Firewall
Remote Site - 10.70.0.4/30 Subnet
Central Site - 10.101.41.0/24 Subnet
Tunnel 2 to Corporate Firewall
Remote Site - 10.40.31.129/25 Subnet
Central Site - 192.168.110.0/24 and 192.168.210.0/24 Subnet
Tunnel 3 to Partner Firewall
Remote Site - 10.40.31.129/25 Subnet
Partner Site Subnets

The ASA is running 9.1(5) and ASDM 7.1(6).  

I've attached a diagram of what the connections look like between sites.

4 REPLIES
New Member

I reviewed your diagram

I reviewed your diagram attached and trying to give you as much as I can.

other gurus, pls correct me if I am missing anything.

if I remember correctly, with base license, you can set up vpn peers.

interface Ethernet0/0
nameif outside
security-level 0
ip address public ip, subnet mask

int e0/1
nameif AMI
security-level 100
ip add 10.40.31.129 255.255.255.128

int e0/2
nameif SCADA
security-level 10
ip add 10.70.0.5 255.255.255.252

route outside 0.0.0.0 0.0.0.0 public IP

tunnel-group 173.8.244.181 type ipsec-l2l
tunnel-group 173.8.244.181 ipsec-attributes
 ikev1 pre-shared-key Pr3$h@r3DkEyScAdA

tunnel-group 173.8.244.189 type ipsec-l2l
tunnel-group 173.8.244.189 ipsec-attributes
 ikev1 pre-shared-key Pr3$h@r3DkEyC0Rp

tunnel-group 148.80.252.60 type ipsec-l2l
tunnel-group 148.80.252.60 ipsec-attributes
 ikev1 pre-shared-key Pr3$h@r3DkEypArTN3R


crypto ikev1 enable outside -- enabling for outside interface

crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 15
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800

crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5

crypto ipsec security-association lifetime seconds 86400

crypto ipsec ikev1 transform-set kerseyami esp-aes-256 esp-sha-hmac

crypto map VPN 10 match address SCADA
crypto map VPN 10 set peer  173.8.244.181
crypto map VPN 10 set ikev1 transform-set kerseyami
crypto map VPN 10 set security-association lifetime seconds 86400

crypto map VPN 20 match address CORP
crypto map VPN 20 set peer  173.8.244.189
crypto map VPN 20 set ikev1 transform-set kerseyami
crypto map VPN 20 set security-association lifetime seconds 86400

crypto map VPN 30 match address PARTNER-FW
crypto map VPN 30 set peer 148.80.252.60   
crypto map VPN 30 set ikev1 transform-set kerseyami
crypto map VPN 30 set security-association lifetime seconds 86400

access-list SCADA extended permit ip 10.40.31.128 255.255.255.128 10.101.41.0 255.255.255.0
access-list CORP extended permit ip 10.40.31.128 255.255.255.128 192.168.110.0 255.255.255.0
access-list PARTNER-FW extended permit ip 10.40.31.128 255.255.255.128 subnets behind your Partner-FW

 

 

Note: on the other side of the firewalls, like SCADA side, CORP Side and Partner FW side, you need to configure same pre-shared key, same crypto ike 1 and 2 policies & same interesting traffic in order to have this working.

let us know how this works.

JD...

 

New Member

Jigar,Thanks.  One follow-up

Jigar,


Thanks.  One follow-up question, when I try to do a third nameif, I get an error that my current license does not allow this.  Guessing I need upgrade to a Security Plus license?

Super Bronze

Hi, You can use 3 interfaces

Hi,

 

You can use 3 interfaces in total with a Base License ASA5505.

 

The 3rd Vlan interface that you take into use is a DMZ Restricted type interface. If you check the output of "show version" you will see that your unit is licensed for 3 Vlans

 

What this actually means is that you can activate the 3rd interface but you will have to limit the interface so that users behind it wont be able to connect towards either of the 2 other Vlan interfaces. But I guess in your case this is not something that would cause problems as you are actually aiming to limit the traffic.

 

When you created the 3rd Vlan inteface try this

 

interface Vlan772
 no forward interface vlan742

 

After you have configured the above command under the new Vlan interface you can then continue to configure the interface with the "nameif" , "security-level" and "ip address" configurations.

 

Notice that the above command only limits connectivity from behind this interface towards the one mentioned in the command. The other direction you will have to block with interface ACL.

 

- Jouni

New Member

Jouni is right.but in

Jouni is right.

but in addition to his explanation, what other thing you can do is, create sub interfaces on eth0/1 and combine AMI and SCADA vlans.

like this

 

interface eth0/1
 description ** suited to you **
 speed 100   
 duplex full  
 no nameif    
 no security-level
 no ip address

interface eth0/1.10
 vlan 10       
 nameif AMI
 security-level 99
 ip add 10.40.31.129 255.255.255.128 
!             
interface eth0/1.20
 vlan 20
 nameif SCADA
 security-level 50
ip add 10.70.0.5 255.255.255.252

 

206
Views
0
Helpful
4
Replies
CreatePlease login to create content