SmartNode 1K VPN using ISAKMP on Cisco ASA
Posted by Zsolt Erdei, Last modified by Daniel Lizaola on 19 December 2017 01:39 PM

Here is a template for connecting a SmartNode to a Cisco ASA over an ISAKMP VPN.

The goal of this configuration is to carry traffic (currently only voice) through a secure VPN tunnel.

Topology:

<SBC> - <Cisco ASA> - =VPN= -<SmartNode>

The address 10.100.1.1/32 is defined on a loopback interface because it is used only for voice. With a small change (using a /24 and assigning it to the LAN interface) the same setup can also provide secured connectivity for the whole LAN.

SmartNode configuration. Explanations follow the important lines as comments. The network used is 10.100.1.1/24 (in this configuration a /32, because it is used only for VoIP):

======================================================================================================================= 

profile acl VPNOut
permit 1 ah any any
permit 2 esp any any
permit 3 ip host 10.100.1.1 10.0.0.0 0.0.0.255 ipsec-policy VPN-IKE
permit 4 ip any any

profile acl VPNIn
permit 1 esp any any
permit 2 ah any any
permit 3 ip 10.0.0.0 0.0.0.255 host 10.100.1.1
# Mirror of the VPNOut entry: the remote network is 10.0.0.0/24, the same as in protected-network below
permit 4 ip any any

profile ipsec-transform AES-256
esp-encryption 3des-cbc 192
esp-authentication hmac-md5-96
key-lifetime-seconds 86400
key-lifetime-kilobyte 4608000
# The profile name is only a label: the ESP cipher configured here is 3DES, matching the ASA transform-set below (esp-3des esp-md5-hmac)
# These lifetime values are recommended on a Cisco web page


profile isakmp-transform AES-256
encryption aes-cbc 256
authentication-algorithm md5
key-lifetime-seconds 7200
# This lifetime value is recommended on a Cisco web page
# Note that the ASA isakmp policy below uses lifetime 3600; check that both sides use the value you intend


profile ipsec-policy-isakmp VPN-IKE
authentication-method pre-shared-key <PRE_SHARED_SECRET>
peer <CISCO_ASA_IP> interface <IP_INTERFACE_ON_SMARTNODE_TO_BE_USED>
# Specifying the local interface can be omitted, but it is recommended in some installations

mode tunnel
diffie-hellman-group group2
protected-network host 10.100.1.1 subnet 10.0.0.0 255.255.255.0 permanent-tunnel
# The protected network is mandatory, because it is verified against the crypto access list (the VPNOut entry tagged with ipsec-policy VPN-IKE)
use profile ipsec-transform 1 AES-256

use profile isakmp-transform 1 AES-256

context ip

interface WAN
ipaddress <IP_ADDRESS> <NETMASK>
use profile acl VPNIn in
use profile acl VPNOut out
use profile napt NAPT_WAN
tcp adjust-mss rx mtu
tcp adjust-mss tx mtu
rtp-encryption
# Without rtp-encryption no RTP is transmitted through the tunnel, so there is no audio

interface IF_VPN
ipaddress 10.100.1.1 255.255.255.255
loopback
# Marking the interface as loopback prevents it from being used externally

tcp adjust-mss rx mtu
tcp adjust-mss tx mtu

context ip router
source-address-map 10.0.0.0 255.0.0.0 IF_VPN
# This is mandatory. Without it the SmartNode sources locally generated packets (e.g. a ping used to test the tunnel) from the WAN address, so they would not fall inside the protected network

context sip-gateway SIP_VPN

interface VVN
bind interface IF_VPN context router port 5060

context sip-gateway SIP_VPN
bind location-service LS_VVN
no shutdown

Cisco ASA Configuration:
=======================================================================================================================

access-list test1 extended permit ip 10.0.0.0 255.255.255.0 host 10.100.1.1
access-list remote_test1 extended permit ip host 10.100.1.1 10.0.0.0 255.255.255.0

crypto isakmp enable outside
crypto isakmp identity address

crypto map outside_map interface outside
crypto ipsec transform-set TestRule esp-3des esp-md5-hmac
crypto map outside_map 10 match address test1
crypto map outside_map 10 set peer <IP_ADDRESS_OF_THE_SMARTNODE>
crypto map outside_map 10 set transform-set TestRule
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 3600

tunnel-group <IP_ADDRESS_OF_THE_SMARTNODE> type ipsec-l2l
tunnel-group <IP_ADDRESS_OF_THE_SMARTNODE> general-attributes
default-group-policy l2l_TestRule
tunnel-group <IP_ADDRESS_OF_THE_SMARTNODE> ipsec-attributes
pre-shared-key <PRE_SHARED_KEY>

group-policy l2l_TestRule internal
group-policy l2l_TestRule attributes

vpn-filter value remote_test1
vpn-tunnel-protocol IPSec 
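As an added example (not Patton or Cisco code, and not part of the original article), the following Python script parses the two templates above and checks the points that most often break a SmartNode to ASA tunnel: the ASA crypto ACL must be the exact mirror of the SmartNode protected-network, every object the ASA crypto map references must exist, and the ESP (phase 2) and ISAKMP (phase 1) proposals must match algorithm for algorithm. The two configuration snippets inside it are constructed from the templates on this page (placeholders left as written); the ASA snippet deliberately references a transform-set named Rule while defining TestRule, so that the dangling-reference check has something to report. The vendor spellings it normalises (3des-cbc / esp-3des, hmac-md5-96 / esp-md5-hmac, aes-cbc 256 / aes-256, group2 / 2) are the ones used on this page; the function and variable names are the example's own.

```python
"""Consistency check for the SmartNode <-> Cisco ASA IKEv1 template (added example, not vendor code).
Both snippets are constructed from the article; the ASA one deliberately references transform-set
'Rule' while defining 'TestRule', so the dangling-reference check has something to report."""
import ipaddress

SMARTNODE_CFG = """\
profile ipsec-transform AES-256
esp-encryption 3des-cbc 192
esp-authentication hmac-md5-96
profile isakmp-transform AES-256
encryption aes-cbc 256
authentication-algorithm md5
key-lifetime-seconds 7200
profile ipsec-policy-isakmp VPN-IKE
diffie-hellman-group group2
protected-network host 10.100.1.1 subnet 10.0.0.0 255.255.255.0 permanent-tunnel
use profile ipsec-transform 1 AES-256
use profile isakmp-transform 1 AES-256
"""
ASA_CFG = """\
access-list test1 extended permit ip 10.0.0.0 255.255.255.0 host 10.100.1.1
crypto ipsec transform-set TestRule esp-3des esp-md5-hmac
crypto map outside_map 10 match address test1
crypto map outside_map 10 set transform-set Rule
crypto isakmp policy 10
encryption aes-256
hash md5
group 2
lifetime 3600
"""


def canon_cipher(tokens):
    """'aes-cbc 256' / 'aes-256' / 'esp-aes-256' -> 'aes-256'; '3des-cbc 192' / 'esp-3des' -> '3des'."""
    name = tokens[0].lower().removeprefix("esp-")
    if name.startswith("aes"):
        return "aes-" + next((t for t in tokens[1:] + name.split("-")[1:] if t.isdigit()), "128")
    return "3des" if name.startswith("3des") else name


def canon_hash(token):
    """'hmac-md5-96' / 'esp-md5-hmac' / 'md5' -> 'md5'; 'esp-sha-hmac' / 'sha' / 'hmac-sha1-96' -> 'sha1'."""
    h = token.lower().removeprefix("esp-").removeprefix("hmac-").removesuffix("-hmac").removesuffix("-96")
    return "sha1" if h == "sha" else h


def take_net(tokens, i):
    """Consume one address spec at tokens[i]: 'host A' or '[subnet] A MASK' (MASK may be a wildcard)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "subnet":                                  # SmartNode spelling in protected-network
        i += 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2   # netmask or hostmask both accepted


def parse_smartnode(text):
    """Group each line under its 'profile <kind> <name>' header; '#' starts a comment."""
    sections, cur = {}, None
    for w in filter(None, (line.split("#", 1)[0].split() for line in text.splitlines())):
        if w[0] == "profile":
            cur = (w[1], w[2])
            sections[cur] = {}
        elif cur:   # 'use profile X ...' occurs more than once per policy, so key those by three words
            sections[cur][" ".join(w[:3]) if w[0] == "use" else w[0]] = w[1:]
    return sections


def parse_asa(text):
    """Pull out access-lists, transform-sets, crypto-map entries and the ISAKMP policy body."""
    cfg, in_policy = {"acls": {}, "transform_sets": {}, "crypto_map": {}, "isakmp": {}}, False
    for w in filter(None, map(str.split, text.splitlines())):
        in_policy = in_policy and w[0] not in ("crypto", "access-list")   # policy body ends at next global cmd
        if w[0] == "access-list":                              # access-list NAME extended permit ip SRC DST
            src, i = take_net(w, 5)
            cfg["acls"].setdefault(w[1], []).append((src, take_net(w, i)[0]))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][w[3]] = w[4:]
        elif w[:2] == ["crypto", "map"] and w[3].isdigit():    # crypto map NAME SEQ <verb words> VALUE
            cfg["crypto_map"].setdefault(w[3], {})[" ".join(w[4:6])] = w[6:]
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            in_policy = True
        elif in_policy:
            cfg["isakmp"][w[0]] = w[1:]
    return cfg


def check(sn_text, asa_text):
    """Return (level, message) findings; an empty list means both sides agree."""
    sn, asa, out = parse_smartnode(sn_text), parse_asa(asa_text), []
    pol = next(v for k, v in sn.items() if k[0] == "ipsec-policy-isakmp")
    local, i = take_net(pol["protected-network"], 0)
    remote = take_net(pol["protected-network"], i)[0]
    tf = sn[("ipsec-transform", pol["use profile ipsec-transform"][-1])]
    want = (canon_cipher(tf["esp-encryption"]), canon_hash(tf["esp-authentication"][0]))
    for seq, entry in asa["crypto_map"].items():
        ts, acl = entry.get("set transform-set", ["?"])[0], entry.get("match address", ["?"])[0]
        # Proxy IDs: the ASA crypto ACL must be the exact mirror of the SmartNode protected-network.
        for src, dst in asa["acls"].get(acl, []):
            if (src, dst) != (remote, local):
                out.append(("error", f"crypto map {seq}: ACL {acl} {src}->{dst} is not the mirror of {local}->{remote}"))
        # Phase 2: the referenced transform-set must exist and match the SmartNode ipsec-transform.
        if ts not in asa["transform_sets"]:
            out.append(("error", f"crypto map {seq}: transform-set '{ts}' is not defined"))
            continue
        got = (canon_cipher([t for t in asa["transform_sets"][ts] if not t.endswith("-hmac")]),
               canon_hash(next(t for t in asa["transform_sets"][ts] if t.endswith("-hmac"))))
        if got != want:
            out.append(("error", f"crypto map {seq}: ESP {got} does not match SmartNode {want}"))
    # Phase 1: ISAKMP proposal must match algorithm for algorithm; lifetimes should be equal.
    ike, a = sn[("isakmp-transform", pol["use profile isakmp-transform"][-1])], asa["isakmp"]
    for what, s, c in (("encryption", canon_cipher(ike["encryption"]), canon_cipher(a["encryption"])),
                       ("hash", canon_hash(ike["authentication-algorithm"][0]), canon_hash(a["hash"][0])),
                       ("DH group", pol["diffie-hellman-group"][0].removeprefix("group"), a["group"][0])):
        if s != c:
            out.append(("error", f"ISAKMP {what}: SmartNode {s} vs ASA {c}"))
    if ike["key-lifetime-seconds"][0] != a["lifetime"][0]:
        out.append(("warn", f"ISAKMP lifetime {ike['key-lifetime-seconds'][0]}s vs {a['lifetime'][0]}s; "
                            "peers usually settle on the shorter value, but equal values avoid rekey surprises"))
    return out


if __name__ == "__main__":
    for level, msg in check(SMARTNODE_CFG, ASA_CFG):
        print(f"[{level}] {msg}")
```

Run as-is it reports the undefined transform-set and the 7200 s versus 3600 s ISAKMP lifetime difference; once the ASA crypto map points at TestRule the only remaining finding is the lifetime warning. The cipher and hash tables only cover the spellings used on this page, so extend `canon_cipher` and `canon_hash` before running it against configurations that use other algorithms.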
