This guide provides step-by-step instructions for creating a VPN between a Checkpoint firewall and a Cisco ASA. Please be advised that this guide assumes that none of the necessary objects or configuration currently exist.
Checkpoint VPN settings
1A. Define supported VPN parameters. Modify the local gateway object (the local firewall object). Select VPN on the left. Select the VPN settings supported by the gateway; for example, if this firewall will host VPNs that use MD5 and SHA1, both boxes should be checked. Also select the Pre-shared Secret box.
1B. Next select the Advanced button. Select the DH and rekey settings supported by this gateway. Click OK, and then OK again on the Traditional Mode IKE Properties screen.
1C. Create a local network object. Right click on Network Objects and select New. Create a new network object for the local network that will participate in the VPN. Click OK.
1D. Create a local group object. Right click on Group and select New. Create a new group and add the network created above. Click OK.
1E. Define the local encryption domain. Open your local gateway object (specified in step 1A) and select Topology. Under VPN Domain, select Manually Defined and select the group object created above. Click OK.
1F. Create a remote peer object. Right click on Interoperable Objects and select New. Create a new Interoperable object for the remote peer (the VPN device on the remote side of the tunnel). Enter the IP address of the peer. Click OK.
1G. Select VPN>Traditional Mode
1H. Define Phase 1 settings. Select the Phase 1 settings for this tunnel (for example 3des, sha1). Select Pre-Shared Secret and click the Edit Secrets button.
1I. Enter the pre-shared key that will be used for this tunnel. Click OK.
1J. Select the Advanced button. Enter the DH group and rekey settings for Phase 1 and Phase 2. Note that most VPN devices only support groups 1, 2, and 5; group 2 is the most common. Aggressive mode is less secure and is not supported. Click OK.
1K. Define the remote network. Create a remote network object. To do so, right click on Network and select New. This object should contain the remote network that will participate in the tunnel. Click OK.
1L. Define the remote group. Create a remote group object. Right click on Group and select New. Add the remote network to this group. Click OK.
1M. Specify the remote encryption domain. Edit the Interoperable object created in step 1F. Select Topology. Under VPN Domain select Manually Defined and select the group object created in step 1L.
1N. Create an access rule that allows the local network to communicate with the remote network. Under the Action column choose Encrypt.
1O. Define the Phase 2 settings. Double click on the Encrypt icon and select Edit. Select the Phase 2 settings and select the Interoperable object created in step 1F as the Allowed Gateway.
1P. Create an access rule that allows the remote peer to communicate with the local gateway. This should be placed above the stealth rule (the rule that denies all traffic to the firewall). This rule should allow IKE and ESP.
1Q. Create NAT rules that prevent traffic within the VPN tunnel from being translated. One rule should specify the local group created in step 1D as the source and the remote group created in step 1L as the destination. The source and destination should be reversed in the second rule. All other options should remain at their defaults.
ASA VPN settings
2A. Enable VPN terminations on the outside interface.
lab1(config)# crypto isakmp enable outside
2B. Create a transform set (phase 2 settings). This should match the settings defined in step 1O above.
lab1(config)# crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
2C. Define Phase 1 settings. Unlike Checkpoint, these settings can be shared across multiple VPNs, so if a matching policy already exists it may not be necessary to create a new one. These should match steps 1H and 1J above.
If the existing isakmp policies do not match your desired settings, use the next available policy number.
lab1(config)# crypto isakmp policy 10
lab1(config-isakmp-policy)# authentication pre-share
lab1(config-isakmp-policy)# encryption 3des
lab1(config-isakmp-policy)# hash sha
lab1(config-isakmp-policy)# group 2
lab1(config-isakmp-policy)# lifetime 86400
lab1(config-isakmp-policy)# exit
2D. Define the local network(s) group. This should match the remote network defined in step 1K above.
lab1(config)# object-group network Local-encrypt
lab1(config-network)# network 172.16.20.0 255.255.255.0
lab1(config-network)# ex
lab1(config)#
2E. Define the remote network(s) group. This should match the local network defined in step 1C above.
lab1(config)# object-group network Remote-encrypt
lab1(config-network)# network 192.168.1.0 255.255.255.0
lab1(config-network)# ex
lab1(config)#
2F. Create an access list that permits traffic between your local network (step 2D) and the remote network (step 2E). The access-list name (“remote_vpn” in this example) can be anything that identifies this tunnel. It is not recommended to use port filtering (for example, allowing only HTTP traffic), as Cisco firewalls do not do a good job of VPN port filtering.
lab1(config)# access-list remote_vpn permit ip object-group Local-encrypt object-group Remote-encrypt
2G. Create a crypto map that ties the Phase 2 settings to the remote peer. The “match address” statement should contain the name of the access list created in step 2F. The peer address should match the IP address of the Checkpoint firewall. The transform set should be the name of the set defined in step 2B. The lifetime should match the Phase 2 lifetime in step 1J.
lab1(config)# crypto map mymap 10 match address remote_vpn
lab1(config)# crypto map mymap 10 set peer 192.168.1.254
lab1(config)# crypto map mymap 10 set transform 3des-sha
lab1(config)# crypto map mymap 10 set security-association lifetime seconds 3600
2H. Define the tunnel type and set the pre-shared key. The pre-shared key should match the key specified in step 1I.
lab1(config)# tunnel-group 192.168.1.254 type ipsec-l2l
lab1(config)# tunnel-group 192.168.1.254 ipsec-attributes
lab1(config-tunnel-ipsec)# pre-shared-key abc123
lab1(config-tunnel-ipsec)# exit
2I. Make sure that traffic in the VPN is not NATed. There are several ways to define NAT translations. In the example below, an access list is created and added to the nat 0 statement (traffic matching nat 0 is not translated) on the inside interface (assuming the local network is behind the inside interface).
lab1(config)# access-list nonat permit ip object-group Local-encrypt object-group Remote-encrypt
lab1(config)# nat (inside) 0 access-list nonat
2J. Bind the crypto map that will be used for all VPNs on this firewall to the interface that will terminate the VPN. The name of the crypto map should match the name of the map defined in step 2G (“mymap” in the example above).
lab1(config)# crypto map mymap interface outside
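As an added example (not code from this guide or its author), a small Python checker that parses the ASA commands from steps 2B, 2C and 2G and compares them with the Checkpoint-side settings from steps 1H, 1J and 1O, converting the Checkpoint IKE rekey from minutes to the seconds the ASA expects. The Checkpoint values and the field names are assumptions for illustration.

```python
import re

# Constructed sample: ASA commands from steps 2B, 2C and 2G, prompts stripped.
ASA_CONFIG = """\
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto map mymap 10 match address remote_vpn
crypto map mymap 10 set peer 192.168.1.254
crypto map mymap 10 set transform 3des-sha
crypto map mymap 10 set security-association lifetime seconds 3600
"""

# Assumed Checkpoint values (steps 1H, 1J, 1O): IKE rekey in minutes, IPsec in seconds.
CHECKPOINT = {"p1_encryption": "3des", "p1_hash": "sha", "p1_group": "2",
              "p1_rekey_minutes": 1440, "p2_encryption": "3des",
              "p2_hash": "sha", "p2_lifetime_seconds": 3600}

def grab(pattern, config):
    m = re.search(pattern, config, re.M)  # first capture group or None
    return m.group(1) if m else None

def parse_asa(config):
    """Extract the Phase 1 / Phase 2 parameters from ASA config text."""
    asa = {"p1_" + k: grab(rf"^\s*{k} (\S+)$", config)
           for k in ("encryption", "hash", "group", "lifetime")}
    ts = re.search(r"transform-set (\S+) esp-(\w+) esp-(\w+)-hmac", config)
    asa["transform_set"], asa["p2_encryption"], asa["p2_hash"] = ts.groups() if ts else (None,) * 3
    asa["map_transform_set"] = grab(r"set transform(?:-set)? (\S+)", config)
    asa["p2_lifetime_seconds"] = grab(r"security-association lifetime seconds (\d+)", config)
    return asa

def check_match(asa, cp):
    """Return human-readable mismatches; an empty list means both sides agree."""
    problems = []
    for k in ("p1_encryption", "p1_hash", "p1_group", "p2_encryption", "p2_hash"):
        if asa[k] != cp[k]:
            problems.append(f"{k}: ASA={asa[k]} Checkpoint={cp[k]}")
    # Checkpoint minutes must be converted to ASA seconds before comparing.
    if asa["p1_lifetime"] != str(cp["p1_rekey_minutes"] * 60):
        problems.append(f"Phase 1 lifetime: ASA={asa['p1_lifetime']}s Checkpoint={cp['p1_rekey_minutes']}min")
    if asa["p2_lifetime_seconds"] != str(cp["p2_lifetime_seconds"]):
        problems.append(f"Phase 2 lifetime: ASA={asa['p2_lifetime_seconds']}s Checkpoint={cp['p2_lifetime_seconds']}s")
    if asa["map_transform_set"] != asa["transform_set"]:
        problems.append("crypto map references a transform set that is not defined")
    return problems
```

Running check_match(parse_asa(ASA_CONFIG), CHECKPOINT) on the guide's values returns an empty list; typing the Checkpoint figure 1440 straight into the ASA isakmp lifetime is reported as a Phase 1 mismatch.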
Hi Jerome
Thanks, nice guideline!
Does it also work if the ASA has a dynamic IP?
Cheers,
Andy
Thanks
helped a lot!!!!
-Karthik
Awesome!!!
Thanks a lot ..... :)
add command crypto map mymap 30 set nat-t-disable
elviejito thanks for the comment. That command is indeed typically a necessity when managing an ASA on a home network sitting behind a DSL. I guess my expectation here is that this is the typical setup on an enterprise class network with some sort of WAN link that does not use Nat-t. There are many other parameters I omitted in an effort not to over complicate the process.
Thanks again
hi please let me know how to configure phase1 rekey 1440 and phase 2 rekey 3600 on ASA.