ASA 5505 Isolated Networks with Site-to-Site VPN Access
I'm in the process of setting up an ASA 5505 for a remote site and need some assistance determining whether what I want to do is possible, and whether I need to upgrade the license from Base to Security Plus.
Remote Site ASA 5505 interfaces:
- Outside (Interface 0): public Internet, static IP (connected to a Sierra Wireless AirLink gateway)
- AMI (Interface 1) (VLAN 742): 10.40.31.129/25
- SCADA (Interface 2) (VLAN 772): 10.70.0.5/30
I need to ensure that the two internal VLANs cannot talk to one another, and that the "SCADA" network cannot access the Internet, only the remote subnets across a VPN tunnel.
The ASA will need three IPsec tunnels:
- Tunnel 1, to the SCADA firewall: remote site 10.70.0.4/30 subnet; central site 10.101.41.0/24 subnet
- Tunnel 2, to the corporate firewall: remote site 10.40.31.129/25 subnet; central site 192.168.110.0/24 and 192.168.210.0/24 subnets
- Tunnel 3, to the partner firewall: remote site 10.40.31.129/25 subnet; partner site subnets
The ASA is running 9.1(5) and ASDM 7.1(6).
I've attached a diagram of what the connections look like between sites.
crypto map VPN 10 match address SCADA
crypto map VPN 10 set peer 126.96.36.199
crypto map VPN 10 set ikev1 transform-set kerseyami
crypto map VPN 10 set security-association lifetime seconds 86400

crypto map VPN 20 match address CORP
crypto map VPN 20 set peer 188.8.131.52
crypto map VPN 20 set ikev1 transform-set kerseyami
crypto map VPN 20 set security-association lifetime seconds 86400

crypto map VPN 30 match address PARTNER-FW
crypto map VPN 30 set peer 184.108.40.206
crypto map VPN 30 set ikev1 transform-set kerseyami
crypto map VPN 30 set security-association lifetime seconds 86400

! Interesting traffic. Tunnel 1 carries the SCADA /30, not the AMI /25; Tunnel 2 needs one line per central subnet.
access-list SCADA extended permit ip 10.70.0.4 255.255.255.252 10.101.41.0 255.255.255.0
access-list CORP extended permit ip 10.40.31.128 255.255.255.128 192.168.110.0 255.255.255.0
access-list CORP extended permit ip 10.40.31.128 255.255.255.128 192.168.210.0 255.255.255.0
access-list PARTNER-FW extended permit ip 10.40.31.128 255.255.255.128 <subnets behind your Partner-FW>
Note: on the other side of each tunnel (the SCADA side, the CORP side and the Partner FW side) you need to configure the same pre-shared key, the same IKE phase 1 and phase 2 policies, and the same interesting traffic (mirrored) in order for this to work.
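The crypto map entries above only become active once IKEv1 is enabled, the transform set and tunnel-group exist, the map is bound to the outside interface, and the VPN traffic is exempted from NAT. The following is an added example for Tunnel 1 (SCADA) and is not part of the original post: it reuses the answer's peer address, transform-set name and ACL name, while the IKE policy number, the proposal algorithms, the object names and the placeholder pre-shared key are assumptions to be adjusted to match the SCADA firewall. For reference, the ASA 5505 Base license allows 10 IPsec VPN peers, so three site-to-site tunnels do not require Security Plus.

```cisco
! Added example, not from the original post. Tunnel 1 (SCADA) on ASA 9.1.
!
! Phase 1: enable IKEv1 on the outside interface and define a policy
! (policy number and algorithms are assumptions; match the far side).
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 proposal referenced by every crypto map entry.
crypto ipsec ikev1 transform-set kerseyami esp-aes-256 esp-sha-hmac
!
! Interesting traffic for Tunnel 1: the local /30 behind the SCADA
! interface to the central SCADA subnet. The peer mirrors this ACL.
access-list SCADA extended permit ip 10.70.0.4 255.255.255.252 10.101.41.0 255.255.255.0
!
! Peer authentication; the key must be identical on the SCADA firewall.
tunnel-group 126.96.36.199 type ipsec-l2l
tunnel-group 126.96.36.199 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-SHARED-SECRET
!
crypto map VPN 10 match address SCADA
crypto map VPN 10 set peer 126.96.36.199
crypto map VPN 10 set ikev1 transform-set kerseyami
crypto map VPN 10 set security-association lifetime seconds 86400
!
! Bind the crypto map to the outside interface; without this no entry is used.
crypto map VPN interface outside
!
! Identity (exempt) NAT so tunnel traffic is not caught by any dynamic PAT
! rule that covers the SCADA interface (9.x twice-NAT syntax; object names
! are assumptions).
object network SCADA-LOCAL
 subnet 10.70.0.4 255.255.255.252
object network SCADA-CENTRAL
 subnet 10.101.41.0 255.255.255.0
nat (SCADA,outside) source static SCADA-LOCAL SCADA-LOCAL destination static SCADA-CENTRAL SCADA-CENTRAL no-proxy-arp route-lookup
```

Tunnels 2 and 3 follow the same pattern with their own tunnel-group, crypto ACL and NAT exemption, sourced from the AMI interface. To check that a given flow is selected for the tunnel rather than NATed or dropped, run `packet-tracer input SCADA tcp 10.70.0.6 1024 10.101.41.10 502` and confirm the VPN phase is hit, then `show crypto ikev1 sa` and `show crypto ipsec sa` after the first packet brings the tunnel up.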
You can use 3 interfaces in total with a Base License ASA 5505.
The 3rd VLAN interface that you take into use is a "DMZ Restricted" type interface. If you check the output of "show version" you will see that your unit is licensed for 3 VLANs.
What this actually means is that you can activate the 3rd interface, but you will have to limit the interface so that users behind it won't be able to connect towards one of the other 2 VLAN interfaces. I guess in your case this is not something that would cause problems, as you are actually aiming to limit that traffic anyway.
When you create the 3rd VLAN interface, try this:

interface Vlan772
 no forward interface Vlan742

After you have entered the above command under the new VLAN interface you can continue to configure the interface with the "nameif", "security-level" and "ip address" commands.
Notice that the above command only limits connectivity from behind this interface towards the one named in the command. The other direction you will have to block with an interface ACL.
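The "no forward" restriction covers SCADA-initiated traffic toward AMI, but the question also needs AMI blocked from reaching SCADA and SCADA blocked from reaching anything except the central SCADA subnet over the tunnel. The following is an added example, not from either answer, that puts the two interface ACLs together with the restricted VLAN configuration. VLAN numbers, interface names and subnets are taken from the question; the Ethernet port assignment, security levels and ACL names are assumptions.

```cisco
! Added example, not from the original post. Inside VLAN isolation on an
! ASA 5505 Base license (ASA 9.1).
!
! Switch ports feeding the two VLANs (port numbers are assumptions).
interface Ethernet0/1
 switchport access vlan 742
interface Ethernet0/2
 switchport access vlan 772
!
! Restricted third VLAN: "no forward" must be entered before nameif and
! stops SCADA-initiated traffic toward AMI at the license level.
interface Vlan772
 no forward interface Vlan742
 nameif SCADA
 security-level 50
 ip address 10.70.0.5 255.255.255.252
!
interface Vlan742
 nameif AMI
 security-level 100
 ip address 10.40.31.129 255.255.255.128
!
! SCADA hosts may only reach the central SCADA subnet (carried by Tunnel 1).
! The explicit deny blocks Internet and AMI destinations and logs attempts.
access-list SCADA_access_in extended permit ip 10.70.0.4 255.255.255.252 10.101.41.0 255.255.255.0
access-list SCADA_access_in extended deny ip any any log
access-group SCADA_access_in in interface SCADA
!
! AMI (100) is higher-security than SCADA (50), so AMI -> SCADA would pass
! by default. This is the "other direction" the answer says an ACL must block;
! everything else from AMI (Internet, Tunnels 2 and 3) stays permitted.
access-list AMI_access_in extended deny ip 10.40.31.128 255.255.255.128 10.70.0.4 255.255.255.252 log
access-list AMI_access_in extended permit ip 10.40.31.128 255.255.255.128 any
access-group AMI_access_in in interface AMI
```

Verify each rule with packet-tracer before trusting it: `packet-tracer input SCADA tcp 10.70.0.6 1024 10.101.41.10 502` should reach the VPN phase and be allowed, the same command with an Internet destination should be dropped by SCADA_access_in, and `packet-tracer input AMI tcp 10.40.31.130 1024 10.70.0.6 502` should be dropped by AMI_access_in. Keep the deny lines logging so that any host probing across the VLAN boundary shows up in syslog.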