Firewall VPN Configuration for Client Access

You can configure Cisco ASA Firewalls to terminate client VPNs, thus allowing users to securely access corporate resources.

Used with IKE, dynamic crypto maps can ease IPsec configuration and are recommended for use in networks where the peers are not always predetermined. You use dynamic crypto maps for VPN clients (such as mobile users) and routers that obtain dynamically assigned IP addresses.

Dynamic crypto maps can be used only to negotiate SAs with remote peers that initiate the connection. They cannot be used to initiate connections to a remote peer. With a dynamic crypto map entry, if outbound traffic matches a permit statement in an access list and the corresponding security association is not yet established, the ASA firewall drops the traffic.

A dynamic crypto map entry is essentially a crypto map entry that does not have all the parameters configured. The dynamic crypto map acts as a policy template where the missing parameters are later dynamically configured (as the result of an IPsec negotiation) to match a peer’s requirements. This allows peers to exchange IPsec traffic with the ASA firewall, even if the ASA firewall does not have a crypto map entry specifically configured to meet all the peer’s requirements. Dynamic crypto maps are typically used for VPN clients running on PCs.

If the ASA firewall accepts the peer’s request at the point that it installs the new IPsec security associations, it also installs a temporary crypto map entry. This entry is filled in with the results of the negotiation. At this point, the ASA firewall performs normal processing, using this temporary crypto map entry as a normal entry, and even requests new security associations if the current ones are expiring (based on the policy specified in the temporary crypto map entry). When the flow expires (that is, all the corresponding security associations expire), the temporary crypto map entry is removed.

Like regular static crypto map entries, dynamic crypto map entries are grouped into sets. A set is a group of dynamic crypto map entries all with the same dynamic-map-name, but each with a different dynamic-seq-num. If a crypto access list is configured for a dynamic entry, the data flow identity proposed by the IPsec peer should fall within a permit statement of that access list. If no crypto access list is configured, the ASA firewall accepts any data flow identity proposed by the peer.

You can add one or more dynamic crypto map sets into a crypto map set via crypto map entries that reference the dynamic crypto map sets. You should set the crypto map entries that reference dynamic maps to be the lowest priority entries in a crypto map set. (That is, use the highest sequence numbers.)

Note

Use care when using the any keyword in permit entries in dynamic crypto maps. If it is possible for the traffic covered by such a permit entry to include multicast or broadcast traffic, the access list should include deny entries for the appropriate address range. Access lists should also include deny entries for network and subnet broadcast traffic, and for any other traffic that should not be IPsec protected.

The procedure for using a crypto dynamic map entry is the same as the basic configuration described in the “Basic IPsec Configuration” section, except instead of creating a static crypto map entry, you create a crypto dynamic map entry. You can also combine static and dynamic map entries within a single crypto map set.

Step 1: Define Interesting Traffic

The VPN device recognizes interesting traffic, that is, the traffic that must be sent through the VPN tunnel, as defined in an ACL:

access-list VPN_NAME remark ACL DEFINES VPN ACCESS
access-list VPN_NAME extended permit ip source destination

Step 2: IKE Phase 1 [UDP port 500]

The VPN device negotiates an IKE security policy and establishes a secure tunnel using five parameters defined in the ISAKMP policy statements. These statements are processed from the lowest ID number to the highest; processing stops when both VPN endpoints agree on all five parameters. The HAGLE mnemonic can help you remember the five parameters needed here:

Hash: md5 or sha-1, used for data integrity (ensures data is not altered)
Authentication: pre-share or rsa-sig, provides origin authentication
Group (DH): 1 [768-bit] or 2 [1024-bit]
Lifetime: 86,400 seconds
Encryption: des [default], 3des, or AES

With these in mind, consider the following:

!
crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
!
crypto isakmp policy 20
  authentication pre-share
  encryption aes-256
  hash md5
  group 2
  lifetime 86400
!
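Two of the pitfalls described above are easy to check mechanically: an ISAKMP policy that still offers the weak HAGLE values listed (des, md5, DH group 1), and a crypto map entry that references a dynamic map without having the highest sequence number in its set. The following audit script is an added example, not part of the original text or of any Cisco tool; it assumes the `crypto isakmp policy` and `crypto map NAME SEQ ipsec-isakmp dynamic DYN` syntax shown on this page and runs over a constructed sample config.

```python
import re
from collections import defaultdict

# Constructed sample (not a real device): policy 20 is des/md5/group 1 and
# the dynamic-map reference (seq 10) sits below a static entry (seq 20).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
  encryption aes-256
  hash sha
  group 2
crypto isakmp policy 20
  encryption des
  hash md5
  group 1
crypto map OUTSIDE_MAP 10 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP 20 match address VPN_NAME
"""
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}

def parse_isakmp_policies(config):
    """Map each 'crypto isakmp policy N' block to its parameter dict."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level line ends the block
    return policies

def weak_policies(config):
    """Policy IDs that negotiate DES, MD5 or DH group 1."""
    return sorted(pid for pid, params in parse_isakmp_policies(config).items()
                  if any(params.get(k) in bad for k, bad in WEAK.items()))

def misordered_dynamic_entries(config):
    """Dynamic-map references that are not the highest seq in their map set."""
    seqs, dynamic = defaultdict(set), set()
    for line in config.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) (.*)", line)
        if m:
            name, seq = m.group(1), int(m.group(2))
            seqs[name].add(seq)
            if m.group(3).startswith("ipsec-isakmp dynamic "):
                dynamic.add((name, seq))
    return sorted((name, seq) for name, seq in dynamic
                  if any((name, s) not in dynamic and s > seq for s in seqs[name]))
```

Run against a saved `show running-config` on a lab box; each finding maps back to either the HAGLE list or the sequence-number advice above.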

Step 3: IKE Phase 2

IKE negotiates IPsec SA parameters to encrypt traffic:

tunnel-group PEER_IP type ipsec-l2l
tunnel-group PEER_IP ipsec-attributes
  pre-shared-key password
!
crypto map CRYPTO-MAP_NAME ID# match address ACL-NAME
crypto map CRYPTO-MAP_NAME ID# set peer PEER_IP
crypto map CRYPTO-MAP_NAME ID# set transform-set XFORMSET-AES-MD5
crypto map CRYPTO-MAP_NAME ID# set security-association lifetime seconds 86400

Step 4: Data Transfer

IPsec uses two protocols to function securely:

• Encapsulating Security Payload (ESP) [IP protocol 50] provides data encryption (confidentiality)

• Authentication Header (AH) [IP protocol 51] provides origin authentication

The protocol field in the packet’s IP header will be 50 (ESP) or 51 (AH) to indicate the next protocol to be found in the packet.

Step 5: Tunnel Termination

IPsec tunnels are typically terminated when the SA times out after a specified number of seconds has elapsed (or bytes transmitted). When the SA terminates, the ASA discards the keys and creates new ones if needed. New SAs are usually established before the terminating SAs expire so that a given flow continues uninterrupted.
