Configuring a Cisco Firewall

Last updated: 2021-07-05 10:39:58

To connect your IDC to a Tencent Cloud VPC via IPsec VPN connection, you need to load the VPN configurations to the network device of your local IDC after configuring the VPN gateway on Tencent Cloud. This document provides an example on how to load the IPsec VPN configuration to a Cisco firewall.

Note:

  • This document is only for the configuration of an IKEv1 VPN.
  • Replace all the IPs, ports, and other parameters given in this document with your actual values for configurations.

Prerequisites

You have created a VPN connection in a Tencent Cloud VPC, and configured the VPN tunnel.

Data Collection

The following table describes the IPsec VPN configuration data.

Configuration item                                        Sample value
----------------------------------------------------------------------------
Network          VPC subnet CIDR block                    10.1.1.0/24
                 Public IP of the VPN gateway (VPC side)  159.xx.xx.242
                 IDC private CIDR block                   172.16.0.0/16
                 Public IP of the IDC gateway             120.xx.xx.76
IPsec VPN        IKE version                              IKEv1
connection       Authentication method                    Pre-shared key
(IKE)            PSK                                      tencent@123
                 Encryption algorithm                     AES-128
                 Integrity (hash) algorithm               MD5
                 Negotiation mode                         Main
                 Local identifier                         IP address: 120.xx.xx.76
                 Remote identifier                        IP address: 159.xx.xx.242
                 DH group                                 DH2
                 IKE SA lifetime (in seconds)             86400
IPsec VPN        Encryption algorithm                     AES-128
connection       Integrity (hash) algorithm               MD5
(IPsec)          Packet encapsulation mode                Tunnel
                 Security protocol                        ESP
                 PFS                                      Disabled
                 IPsec SA lifetime (in seconds)           3600
                 IPsec SA lifetime (in KB)                1843200
Firewall         Interface nameif                         outside

Directions

  1. Log in to the command-line interface of the firewall device.
    ssh admin@10.XX.XX.56
    # Log in to the firewall over SSH (add -p <port> if SSH is not listening on port 22).
    User Access Verification
    Username: admin
    Password: ***
    Type help or '?' for a list of available commands.
    # After entering the username and password you are in user EXEC mode, which only allows viewing basic information.
    ASA>
    ASA> enable
    Password:
    # Enter "enable" and the enable password to reach privileged EXEC mode, where you can run all show commands and enter configuration mode.
    ASA# conf t
    ASA(config)#
    # Enter "configure terminal" (abbreviated "conf t") to reach global configuration mode, where the firewall is configured.
  2. Configure the firewall interface.
    In global configuration mode, configure the interface that faces the Internet and therefore Tencent Cloud.
    interface GigabitEthernet0/0
    nameif outside # Name the interface; the crypto commands below refer to it as "outside".
    security-level 0 # Set the interface security level; 0 is the least trusted level and is the usual value for the Internet-facing interface.
    ip address 120.XX.XX.76 255.255.255.252 # Configure the local public IP address that terminates the VPN tunnel.
  3. Configure an ISAKMP (IKEv1) policy.
    crypto ikev1 enable outside  # Enable IKEv1 on the "outside" interface.
    crypto ikev1 policy 10 # Define the phase 1 negotiation policy. The priority number is 1-65535; the lower the number, the higher the priority. 10 is used here.
    authentication pre-share # Use pre-shared key authentication.
    encryption aes # AES with a 128-bit key; the ASA keyword for AES-128 is "aes" (the default is 3des).
    hash md5 # Use MD5 as the IKE hash algorithm to match the sample values (the default is sha). MD5 is weak; use sha when both ends are configured with it.
    group 2 # Use Diffie-Hellman group 2, the default for IKEv1 policies. Group 2 is weak and deprecated in recent ASA releases; prefer group 14 or higher when both peers support it.
    lifetime 86400 # IKE SA lifetime in seconds (the default is 86400).
  4. Configure the pre-shared key.
    tunnel-group 159.XX.XX.242 type ipsec-l2l  # Create a LAN-to-LAN (site-to-site) IPsec tunnel group named after the peer's public IP.
    tunnel-group 159.XX.XX.242 ipsec-attributes # Enter the IPsec attributes of the tunnel group.
    ikev1 pre-shared-key tencent@123 # The key is an alphanumeric string of 1-128 characters and must be identical to the PSK configured on the Tencent Cloud side.
  5. Configure the IPsec security protocol.
    crypto ipsec ikev1 transform-set TS esp-aes esp-md5-hmac  # Define the phase 2 transform set: ESP with AES-128 encryption and MD5 HMAC integrity. Tunnel mode is the default.
  6. Configure the ACL.
    access-list INTERESTING extended permit ip 172.XX.XX.0 255.255.0.0 10.1.1.0 255.255.255.0  # Select the "interesting" traffic to be encrypted: IDC private CIDR block (source) to VPC subnet (destination).
  7. Configure an IPsec policy.
    crypto map CMAP 1 match address INTERESTING  # Send the traffic matched by the ACL through the VPN tunnel.
    crypto map CMAP 1 set peer 159.XX.XX.242 # Set the peer that receives the IPsec-protected traffic: the public IP of the Tencent Cloud VPN gateway.
    crypto map CMAP 1 set ikev1 transform-set TS # Bind the IKEv1 transform set defined in step 5 to this crypto map entry.
    crypto map CMAP 1 set security-association lifetime seconds 3600 # Set the IPsec SA lifetime to match the tunnel's value.
  8. Apply the IPsec policy.
    crypto map CMAP interface outside  # Apply the crypto map configured in the previous step to the "outside" interface.
  9. Configure static routes.
    route outside 10.1.1.0 255.255.255.0 159.XX.XX.242 1  # Route the data of the IP range to be encrypted and protected to the IPsec tunnel, and configure the destination public IP of the VPN tunnel as the next hop.
  10. Test the VPN connectivity.
    From a host in the IDC private CIDR block, ping a host in the VPC subnet. The first packets trigger the IKE negotiation; once the ping succeeds, confirm on the firewall that both the IKEv1 (phase 1) and IPsec (phase 2) security associations with the Tencent Cloud peer have been established.
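The steps above assembled into one pasteable ASA configuration, as an added example that is not part of the original page or of Tencent Cloud's own material. It uses the sample values from the data collection table, adds the IPsec SA lifetime in kilobytes listed in that table, and ends with the commands used to verify the tunnel. Assumptions that the page does not state: the IDC LAN sits behind an interface named "inside", the firewall runs ASA 8.3 or later (object-based NAT syntax), and it also translates the IDC LAN to its outside address, which is why a NAT exemption is included.

```cisco
! IKEv1 site-to-site tunnel, ASA side. Sample values from the data table;
! replace every address and the PSK with your own.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 120.xx.xx.76 255.255.255.252
!
! Phase 1. Every value must equal the IKE settings of the Tencent Cloud tunnel.
! MD5 and DH group 2 are used only because the sample tunnel uses them; both are
! weak, so set sha and group 14 or higher on both ends when possible.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
!
tunnel-group 159.xx.xx.242 type ipsec-l2l
tunnel-group 159.xx.xx.242 ipsec-attributes
 ikev1 pre-shared-key tencent@123
!
! Phase 2. ESP, tunnel mode (the default). PFS is disabled simply because no
! "set pfs" line is present on the crypto map entry.
crypto ipsec ikev1 transform-set TS esp-aes esp-md5-hmac
access-list INTERESTING extended permit ip 172.16.0.0 255.255.0.0 10.1.1.0 255.255.255.0
!
crypto map CMAP 1 match address INTERESTING
crypto map CMAP 1 set peer 159.xx.xx.242
crypto map CMAP 1 set ikev1 transform-set TS
crypto map CMAP 1 set security-association lifetime seconds 3600
crypto map CMAP 1 set security-association lifetime kilobytes 1843200
crypto map CMAP interface outside
!
route outside 10.1.1.0 255.255.255.0 159.xx.xx.242 1
!
! NAT exemption (assumption: the ASA also NATs the IDC LAN to the outside
! address). Without it, VPN-bound packets are translated before the crypto map
! evaluates them, never match INTERESTING, and leave unencrypted.
object network IDC_LAN
 subnet 172.16.0.0 255.255.0.0
object network VPC_LAN
 subnet 10.1.1.0 255.255.255.0
nat (inside,outside) source static IDC_LAN IDC_LAN destination static VPC_LAN VPC_LAN no-proxy-arp route-lookup
!
! Verification. Trigger the tunnel by pinging a 10.1.1.0/24 host from a host in
! 172.16.0.0/16, then check both SAs. Phase 1 should show State : MM_ACTIVE and
! phase 2 should show non-zero #pkts encaps/decaps counters for the peer.
show crypto ikev1 sa
show crypto ipsec sa peer 159.xx.xx.242
```

If phase 1 never reaches MM_ACTIVE, the IKE policy or PSK does not match the Tencent Cloud side; if phase 1 is up but no IPsec SA appears, the ACL, transform set or SA lifetimes differ from the tunnel's settings, or the traffic is being translated before encryption.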