Cisco Asav

With the Cisco® Adaptive Security Virtual Appliance (ASAv), you have the flexibility to choose the performance you need for your business. ASAv is the virtualized version of the popular ASA firewall and provides security in traditional physical data centers as well as in private and public clouds. For example, ASAv performance test labs use at minimum the following: a Cisco Unified Computing System™ (Cisco UCS®) C-Series M4 server with Intel® Xeon® CPU E5-2690v4 processors running at 2.6 GHz. ASAv supports ESXi versions 6.0, 6.5, and 6.7.

Short for IP Security, IPsec is an Internet Engineering Task Force (IETF) standard suite of protocols that provides data authentication, integrity, and confidentiality between two communication points across an IP network. It is supported by many different vendors. OpenSSL can still be preferred over IPsec.

We are going to configure an IPsec VPN between a Cisco ASA and a pfSense firewall. Cisco ASA is a Cisco proprietary firewall that provides VPN and firewall solutions to small, medium and large enterprises. The pfSense firewall, on the other hand, is a free and open source distribution of FreeBSD customized for use as a firewall and router. pfSense is lightweight and can be installed on a PC with two NICs. You can get a copy of pfSense from here. At the time of this writing, the latest version is v2.4.4.

In this lab, we will configure a site-to-site IPsec VPN between a Cisco ASAv and a pfSense firewall.

Prerequisites

  • Cisco ASAv with configured interfaces, ASDM, and other basic configuration.
  • pfSense firewall with configured WAN and LAN interfaces.
  • IP addressing in place, with verified connectivity between the ASAv appliance and pfSense.
  • Basic routing configuration on the Cisco L3 router for internet access.

Build the topology on EVE-NG

I have built the topology on my EVE-NG lab and configured the two firewalls.

  • Cisco ASAv
  • 2 x Cisco multi-layer switch images (a layer 2 switch image works just as well; L3 is not required)
  • pfSense firewall
  • Internet router (Cisco L3 image)
  • A cloud image (management, Cloud0) that connects both Site A and Site B to the internet through our internet router

There are two sites, Site A and Site B, both connected to an internet router that provides routing to the internet.

In our next step, we will set up a site-to-site IPsec VPN between the two sites, which use different firewall solutions from two major vendors.

Set up site-to-site IPSec implementation

An IPsec implementation has two phases: Phase 1 and Phase 2.
ISAKMP/Phase 1 attributes are used to authenticate the peers and create a secure tunnel over which the IPsec/Phase 2 parameters are negotiated.
We will begin by configuring our ASAv with the Phase I and Phase II attributes.

IPSec ISAKMP Phase I

IPSec Phase II
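The ASAv side of the tunnel in CLI form, given here as an added example rather than the post's own configuration (which was shown as screenshots). It assumes IKEv1 with a pre-shared key, interface names inside/outside, documentation addresses 203.0.113.1 (ASAv) and 203.0.113.2 (pfSense), LANs 192.168.10.0/24 and 192.168.20.0/24, and AES-256/SHA/DH group 14 proposals; all of these are constructed placeholders, and the pfSense Phase 1 and Phase 2 entries must match them field for field as noted in the comments. The verification commands at the end are the ones used to confirm the tunnel state from the ASAv once pfSense has initiated the connection.

```cisco
! Added example: ASAv site-to-site IPsec (IKEv1) toward pfSense.
! All addresses, names and proposal choices below are constructed placeholders.
! Site A (ASAv)    outside 203.0.113.1, LAN 192.168.10.0/24
! Site B (pfSense) WAN     203.0.113.2, LAN 192.168.20.0/24

! --- Phase I (ISAKMP / IKEv1) ---
! pfSense Phase 1 must match: IKEv1, Main mode, Pre-Shared Key,
! AES 256, SHA1, DH group 14, lifetime 86400.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_A_LONG_RANDOM_PSK

! --- Interesting traffic and NAT exemption ---
! Without the identity NAT, LAN traffic is translated before the
! crypto map sees it and never matches the ACL.
object network SITE-A-LAN
 subnet 192.168.10.0 255.255.255.0
object network SITE-B-LAN
 subnet 192.168.20.0 255.255.255.0
access-list VPN-ACL extended permit ip object SITE-A-LAN object SITE-B-LAN
nat (inside,outside) source static SITE-A-LAN SITE-A-LAN destination static SITE-B-LAN SITE-B-LAN no-proxy-arp route-lookup

! --- Phase II (IPsec) ---
! pfSense Phase 2 must match: Tunnel IPv4, local 192.168.20.0/24,
! remote 192.168.10.0/24, ESP, AES 256, SHA1, PFS group 14, lifetime 3600.
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map OUTSIDE-MAP 10 match address VPN-ACL
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 10 set pfs group14
crypto map OUTSIDE-MAP interface outside

! --- Verification (exec mode, after "Connect VPN" on pfSense) ---
! Phase I is up when the IKEv1 SA shows "State : MM_ACTIVE";
! Phase II is up when "show crypto ipsec sa" lists the 192.168.10.0/24 <-> 192.168.20.0/24
! selector pair with non-zero #pkts encaps/decaps counters.
show crypto ikev1 sa
show crypto ipsec sa
```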

That's it from our ASAv side of things. Let's jump to our pfSense firewall on Site B.

Phase I

Log in to the pfSense web configurator and navigate to VPN > IPsec.

IPsec page

Click Add P1 on the Tunnels tab, where we are going to add our Phase I attributes as below.



Leave the rest as is and save your changes. Once done, you should have Phase I set up as below.

Phase II

Click the Show Phase 2 Entries button, then click Add P2 to add our Phase II attributes.

Next, configure your IPsec Phase II attributes as below.

Click the Save button to save your changes and go back to the Tunnels tab, where you can view a summary of your Phase 1 and Phase 2 configuration.


Our IPsec configuration is complete on both ends. To verify this, we are going to check the VPN connection status on the pfSense firewall as well as the IPsec status on the ASA firewall. On the pfSense menu, go to Status > IPsec and click the Connect VPN button. The connection should be established.

If you followed the configuration closely, you should see an established connection on the pfSense firewall above as well as on the ASAv firewall below.

On our ASAv firewall, we can issue the below command to confirm our IPsec status.

That marks the end of our lab: Configuring a Site-to-Site IPsec VPN between Cisco ASAv and pfSense Firewall.
