Site-to-Site VPN between FRITZ!Box and Cisco ASA

This article shows you how to configure a Site-to-Site VPN tunnel between an AVM FRITZ!Box and a Cisco ASA Firewall. The configuration was successfully tested on a FRITZ!Box 7170 with Firmware 29.04.87 and an ASA5520 with Software 8.2.5. Let’s have a look at the network topology:

(Figure: VPN topology)

The FRITZ!Box has the external address 1.1.1.1; its internal subnet is 192.168.100.0/24. The Cisco ASA side has the network 10.68.0.0/24 on the inside and the address 2.2.2.2 on the outside interface. I assume that both the FRITZ!Box and the Cisco ASA already have a working configuration including Internet access and are “VPN-ready”.

Let’s start with the Cisco ASA configuration. First, define the crypto ACL that describes the traffic to be sent through the tunnel.

access-list outside_cryptomap_FRITZBox extended permit ip any 192.168.100.0 255.255.255.0

Note: I want the FRITZ!Box to route all RFC 1918 nets through the tunnel, not only the 10.68.0.0/24 subnet. I couldn’t find a way to define more than one IPsec SA in phase 2 on the FRITZ!Box side, so I used any in the ACL. If somebody knows another solution on the FRITZ!Box, feel free to let me know ;).
If you want only the 10.68.0.0/24 subnet as the encryption domain, the ACL on the ASA looks like this:

access-list outside_cryptomap_FRITZBox extended permit ip 10.68.0.0 255.255.255.0 192.168.100.0 255.255.255.0

The next step is to define the phase 1 (ISAKMP) parameters and to enable ISAKMP on the outside interface. We use AES-256, SHA-1, DH group 2 and a lifetime of 86400 seconds.

crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

crypto isakmp enable outside

Finally, define the phase 2 parameters (ESP with AES-256 and SHA-1 HMAC, PFS with DH group 2, which is the default for set pfs) and bind them to sequence 50 of the crypto map outside_map, including the ACL we defined earlier. After that, define a tunnel-group for the peer and set the pre-shared key.

crypto ipsec transform-set ESP-AES256-SHA1 esp-aes-256 esp-sha-hmac
crypto map outside_map 50 match address outside_cryptomap_FRITZBox
crypto map outside_map 50 set pfs
crypto map outside_map 50 set peer 1.1.1.1
crypto map outside_map 50 set transform-set ESP-AES256-SHA1
crypto map outside_map 50 set security-association lifetime seconds 3600
crypto map outside_map interface outside

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key supersecret

Now let’s go on with the FRITZ!Box configuration. I used the FRITZ!Box VPN software to create the base configuration files. I had to change some values to get the tunnel working. First of all, I activate the keepalive function on the FRITZ!Box to keep the tunnel up:

always_renew = yes;

Then set the IP addresses of both sides.

remoteip = 2.2.2.2;
localid {
  ipaddr = 1.1.1.1;
}
remoteid {
  ipaddr = 2.2.2.2;
}

Set the phase 1 parameters.

mode = phase1_mode_idp;
phase1ss = "all/all/all";
keytype = connkeytype_pre_shared;
key = "supersecret";

Set the phase 2 parameters.

phase2localid {
  ipnet {
    ipaddr = 192.168.100.0;
    mask = 255.255.255.0;
  }
}
phase2remoteid {
  ipnet {
    ipaddr = 0.0.0.0;
    mask = 0.0.0.0;
  }
}
phase2ss = "esp-all-all/ah-none/comp-all/pfs";

Allow all traffic through the tunnel (filtering is done on the ASA side).

accesslist = "permit ip any any";

That’s all. Import the config file on the FRITZ!Box and the tunnel should come up.

Your final ASA configuration should look like this:

access-list outside_cryptomap_FRITZBox extended permit ip any 192.168.100.0 255.255.255.0
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes-256 esp-sha-hmac
crypto map outside_map 50 match address outside_cryptomap_FRITZBox
crypto map outside_map 50 set pfs
crypto map outside_map 50 set peer 1.1.1.1
crypto map outside_map 50 set transform-set ESP-AES256-SHA1
crypto map outside_map 50 set security-association lifetime seconds 3600
crypto map outside_map interface outside
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key supersecret

And here’s the FRITZ!Box configuration file:

vpncfg {
  connections {
    enabled = yes;
    conn_type = conntype_lan;
    name = "tunnel-to-asa";
    always_renew = yes;
    reject_not_encrypted = no;
    dont_filter_netbios = yes;
    localip = 0.0.0.0;
    local_virtualip = 0.0.0.0;
    remoteip = 2.2.2.2;
    remote_virtualip = 0.0.0.0;
    localid {
      ipaddr = 1.1.1.1;
    }
    remoteid {
      ipaddr = 2.2.2.2;
    }
    mode = phase1_mode_idp;
    phase1ss = "all/all/all";
    keytype = connkeytype_pre_shared;
    key = "supersecret";
    cert_do_server_auth = no;
    use_nat_t = yes;
    use_xauth = no;
    use_cfgmode = no;
    phase2localid {
      ipnet {
        ipaddr = 192.168.100.0;
        mask = 255.255.255.0;
      }
    }
    phase2remoteid {
      ipnet {
        ipaddr = 0.0.0.0;
        mask = 0.0.0.0;
      }
    }
    phase2ss = "esp-all-all/ah-none/comp-all/pfs";
    accesslist = "permit ip any any";
  }
  ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                      "udp 0.0.0.0:4500 0.0.0.0:4500";
}
// EOF
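As an added example (not from the article, AVM or Cisco), here is a small Python checker that parses the vpn.cfg syntax shown above and cross-checks the values that must agree with the ASA side: peer address, tunnel-group name, pre-shared key, phase 2 network and PFS. A mismatch in any of them keeps the tunnel from coming up, and these are the first things to verify before reading IKE debug output. The sample inputs are constructed from this article's values; the function names are my own.

```python
import re
import ipaddress
# Constructed sample inputs: both sides of this article's tunnel, reduced to the values that must agree.
FRITZ_CFG = """vpncfg {
  connections {
    localid { ipaddr = 1.1.1.1; }  remoteip = 2.2.2.2;  key = "supersecret";
    phase2localid { ipnet { ipaddr = 192.168.100.0; mask = 255.255.255.0; } }
    phase2ss = "esp-all-all/ah-none/comp-all/pfs";
  }
  ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500";
}
// EOF"""
ASA_CFG = """access-list outside_cryptomap_FRITZBox extended permit ip any 192.168.100.0 255.255.255.0
crypto map outside_map 50 set pfs
crypto map outside_map 50 set peer 1.1.1.1
tunnel-group 1.1.1.1 type ipsec-l2l
 pre-shared-key supersecret"""
TOKEN = re.compile(r'"[^"]*"|[{};=,]|[^\s{};=,]+')  # quoted strings, punctuation, bare words

def parse_vpncfg(text):
    """Parse the brace/semicolon syntax of an AVM vpn.cfg into nested dicts."""
    tokens = TOKEN.findall(re.sub(r"//.*", "", text))  # drop // comments first
    stack, i = [{}], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":                        # close the current block
            stack.pop(); i += 1
        elif tokens[i + 1] == "{":            # name { ... } opens a nested block
            stack[-1][tok] = {}; stack.append(stack[-1][tok]); i += 2
        else:                                 # key = v1 [, v2 ...];
            j = tokens.index(";", i)
            vals = [t.strip('"') for t in tokens[i + 2:j] if t != ","]
            stack[-1][tok] = vals[0] if len(vals) == 1 else vals
            i = j + 1
    return stack[0]

def check_pair(fritz_text, asa_text):
    """Return the settings that disagree between the FRITZ!Box and ASA sides."""
    conn = parse_vpncfg(fritz_text)["vpncfg"]["connections"]
    grab = lambda pat: next(iter(re.findall(pat, asa_text, re.M)), None)  # first match or None
    wan = conn["localid"]["ipaddr"]
    lan = ipaddress.ip_network("{ipaddr}/{mask}".format(**conn["phase2localid"]["ipnet"]))
    acl = grab(r"^access-list \S+ extended permit ip .* (\S+ \S+)$")  # destination net + mask
    checks = [
        (grab(r"set peer (\S+)") != wan, "crypto map peer is not the FRITZ!Box WAN address"),
        (grab(r"^tunnel-group (\S+) type ipsec-l2l") != wan, "tunnel-group name is not the peer address"),
        (grab(r"pre-shared-key (\S+)") != conn["key"], "pre-shared keys differ"),
        (acl is None or ipaddress.ip_network(acl.replace(" ", "/")) != lan, "ACL destination is not the FRITZ!Box LAN"),
        (("set pfs" in asa_text) != conn["phase2ss"].endswith("/pfs"), "PFS enabled on only one side"),
    ]
    return [msg for bad, msg in checks if bad]
```

check_pair(FRITZ_CFG, ASA_CFG) returns an empty list for the article's configuration; feed it your own exported vpn.cfg and a copy of show running-config to spot a mismatch before importing.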