Here is a template for connecting a SmartNode to a Cisco ASA over an ISAKMP (IKEv1) IPsec VPN.
The goal of this configuration was to create a secure tunnel via VPN (for now only for voice).
Topology:
<SBC> - <Cisco ASA> - =VPN= -<SmartNode>
The network 10.100.1.1/32 is defined as a loopback because it is used only as the interface for voice; a small change (using a /24 and assigning it to the LAN interface) makes this setup usable for secured connectivity to the whole LAN as well.
SmartNode configuration: the explanation follows each important configuration line as a comment. The network used is 10.100.1.1/24 (in this config /32, as it is used only for VoIP):
=======================================================================================================================
profile acl VPNOut
  permit 1 ah any any
  permit 2 esp any any
  permit 3 ip host 10.100.1.1 10.0.0.0 0.0.0.255 ipsec-policy VPN-IKE   # traffic from the voice loopback to 10.0.0.0/24 is sent into the tunnel
  permit 4 ip any any

profile acl VPNIn
  permit 1 esp any any
  permit 2 ah any any
  permit 3 ip 10.0.0.0 0.0.0.31 host 10.100.1.1   # note: the wildcard 0.0.0.31 covers only 10.0.0.0/27, whereas the rest of this template uses 10.0.0.0/24; use 0.0.0.255 if the whole /24 must reach the loopback
  permit 4 ip any any
profile ipsec-transform AES-256
  esp-encryption 3des-cbc 192              # note: despite the profile name, ESP uses 3DES here, matching esp-3des on the ASA; 3DES and MD5 are deprecated, so use aes-cbc 256 / hmac-sha1-96 (esp-aes-256 / esp-sha-hmac on the ASA) if both ends support it
  esp-authentication hmac-md5-96
  key-lifetime-seconds 86400               # these lifetime values follow a Cisco recommendation
  key-lifetime-kilobyte 4608000

profile isakmp-transform AES-256
  encryption aes-cbc 256
  authentication-algorithm md5
  key-lifetime-seconds 7200                # the ASA policy below uses 3600; IKEv1 settles on the shorter value, but it is cleaner to configure both sides the same

profile ipsec-policy-isakmp VPN-IKE
  authentication-method pre-shared-key <PRE_SHARED_SECRET>   # must be identical on the ASA; use a long random value
  peer <CISCO_ASA_IP>
  interface <IP_INTERFACE_ON_SMARTNODE_TO_BE_USED>   # the local interface can be omitted, but specifying it is recommended in some installations
  mode tunnel
  diffie-hellman-group group2
  protected-network host 10.100.1.1 subnet 10.0.0.0 255.255.255.0 permanent-tunnel   # the protected network is mandatory, as it is verified against the crypto access list (permit 3 of VPNOut)
  use profile ipsec-transform 1 AES-256
  use profile isakmp-transform 1 AES-256
context ip
  interface WAN
    ipaddress <IP_ADDRESS> <NETMASK>
    use profile acl VPNIn in
    use profile acl VPNOut out
    use profile napt NAPT_WAN              # NAPT_WAN is not defined in this template and must already exist
    tcp adjust-mss rx mtu
    tcp adjust-mss tx mtu
    rtp-encryption                         # without RTP encryption the RTP is not transmitted through the tunnel, so there is no audio
  interface IF_VPN
    ipaddress 10.100.1.1 255.255.255.255
    loopback                               # a loopback interface cannot be used from outside the box
    tcp adjust-mss rx mtu
    tcp adjust-mss tx mtu

context ip router
  source-address-map 10.0.0.0 255.0.0.0 IF_VPN   # mandatory: without this the SmartNode sources locally generated packets (e.g. a ping to test the connection) from the WAN address, which the crypto access list does not match
context sip-gateway SIP_VPN
  interface VVN
    bind interface IF_VPN context router port 5060

context sip-gateway SIP_VPN
  bind location-service LS_VVN            # LS_VVN is not defined in this template and must already exist
  no shutdown
Cisco ASA Configuration:
=======================================================================================================================
! Syntax below is the pre-8.4 form. On ASA 8.4 and later the keywords are
! "crypto ikev1 enable outside", "crypto ikev1 policy 10", "crypto ipsec ikev1 transform-set ...",
! "crypto map ... set ikev1 transform-set ..." and "ikev1 pre-shared-key" under tunnel-group ipsec-attributes.
! If NAT is configured on the outside interface, a NAT exemption (identity NAT) for 10.0.0.0/24 <-> 10.100.1.1
! is also needed, otherwise the traffic is translated before it reaches the crypto map.
access-list test1 extended permit ip 10.0.0.0 255.255.255.0 host 10.100.1.1
access-list remote_test1 extended permit ip host 10.100.1.1 10.0.0.0 255.255.255.0

crypto isakmp enable outside
crypto isakmp identity address

crypto ipsec transform-set TestRule esp-3des esp-md5-hmac
crypto map outside_map 10 match address test1
crypto map outside_map 10 set peer <IP_ADDRESS_OF_THE_SMARTNODE>
crypto map outside_map 10 set transform-set TestRule
! the name here must be the one defined above (TestRule); a crypto map entry referencing an undefined transform set never negotiates
crypto map outside_map interface outside

crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 3600
! matches the SmartNode isakmp-transform (aes-cbc 256, md5, group2); only the lifetime differs (7200 on the SmartNode)
tunnel-group <IP_ADDRESS_OF_THE_SMARTNODE> type ipsec-l2l
tunnel-group <IP_ADDRESS_OF_THE_SMARTNODE> general-attributes
 default-group-policy l2l_TestRule
tunnel-group <IP_ADDRESS_OF_THE_SMARTNODE> ipsec-attributes
 pre-shared-key <PRE_SHARED_KEY>

group-policy l2l_TestRule internal
group-policy l2l_TestRule attributes
 vpn-filter value remote_test1
! a vpn-filter ACL is written from the remote side's point of view (source = remote host 10.100.1.1, destination = local 10.0.0.0/24), hence remote_test1 mirrors test1
 vpn-tunnel-protocol IPSec
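Before bringing the tunnel up it is worth checking that the two ends actually propose the same thing, because a mismatch only shows up as a silent phase-1 or phase-2 failure. The following Python script is an added example for this page (not Patton or Cisco code, and not part of the original template): it parses the proposal-relevant lines of a SmartNode config and an ASA config, maps the SmartNode algorithm spellings onto the ASA keywords, and reports phase-1 mismatches, an undefined transform-set reference, an ESP mismatch and deprecated algorithms. The embedded configs are constructed from the lines above; the ASA sample deliberately keeps a transform-set referenced under a name that is never defined and a lifetime that differs from the SmartNode's, so the checker has something to report. The SN_ENC/SN_AUTH tables are my own and cover only the spellings used here plus the common AES and SHA-1 variants.

```python
"""Cross-check IKE (phase 1) and IPsec (phase 2) proposals between a Patton
SmartNode config and a Cisco ASA config. Added example for this page, not
Patton or Cisco code."""
import re

# Constructed sample: the proposal-relevant lines of the SmartNode template.
SMARTNODE_CFG = """
profile ipsec-transform AES-256
  esp-encryption 3des-cbc 192
  esp-authentication hmac-md5-96
  key-lifetime-seconds 86400
profile isakmp-transform AES-256
  encryption aes-cbc 256
  authentication-algorithm md5
  key-lifetime-seconds 7200
profile ipsec-policy-isakmp VPN-IKE
  mode tunnel
  diffie-hellman-group group2
"""

# Constructed sample: ASA lines with a transform-set defined as TestRule but
# referenced as Rule, and an IKE lifetime (3600) that differs from the SmartNode.
ASA_CFG = """
crypto ipsec transform-set TestRule esp-3des esp-md5-hmac
crypto map outside_map 10 match address test1
crypto map outside_map 10 set transform-set Rule
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 3600
"""

# SmartNode algorithm spellings -> ASA keyword negotiating the same algorithm (assumed mapping).
SN_ENC = {"des-cbc 64": "des", "3des-cbc 192": "3des", "aes-cbc 128": "aes",
          "aes-cbc 192": "aes-192", "aes-cbc 256": "aes-256"}
SN_AUTH = {"md5": "md5", "sha1": "sha", "hmac-md5-96": "md5", "hmac-sha1-96": "sha"}
WEAK = {"des", "3des", "md5", "1", "2", "5"}   # ciphers, hashes and DH groups to flag


def _stanzas(cfg, header_re):
    """Return {name: indented body} for every stanza whose header line matches header_re."""
    out, lines, i = {}, cfg.strip("\n").splitlines(), 0
    while i < len(lines):
        m = re.match(header_re, lines[i])
        i += 1
        if not m:
            continue
        body = []
        while i < len(lines) and lines[i].startswith(" "):
            body.append(lines[i])
            i += 1
        out[m.group(1)] = "\n".join(body)
    return out


def _field(body, key):
    """Value of the first 'key value...' line inside a stanza body, or None."""
    m = re.search(r"^\s*" + re.escape(key) + r"\s+(.+?)\s*$", body, re.M)
    return m.group(1) if m else None


def parse_smartnode(cfg):
    p2 = next(iter(_stanzas(cfg, r"^profile ipsec-transform (\S+)").values()))
    p1 = next(iter(_stanzas(cfg, r"^profile isakmp-transform (\S+)").values()))
    pol = next(iter(_stanzas(cfg, r"^profile ipsec-policy-isakmp (\S+)").values()))
    return {"p1_enc": SN_ENC[_field(p1, "encryption")],
            "p1_hash": SN_AUTH[_field(p1, "authentication-algorithm")],
            "p1_group": _field(pol, "diffie-hellman-group").replace("group", ""),
            "p1_life": int(_field(p1, "key-lifetime-seconds")),
            "p2": (SN_ENC[_field(p2, "esp-encryption")], SN_AUTH[_field(p2, "esp-authentication")])}


def parse_asa(cfg):
    # Accepts both the pre-8.4 "crypto isakmp"/"transform-set" spelling and the
    # 8.4+ "crypto ikev1"/"ikev1 transform-set" spelling.
    sets = {m.group(1): (m.group(2), m.group(3)) for m in re.finditer(
        r"^crypto ipsec (?:ikev1 )?transform-set (\S+) esp-(\S+) esp-(\S+)-hmac$", cfg, re.M)}
    ref = re.search(r"^crypto map \S+ \d+ set (?:ikev1 )?transform-set (\S+)$", cfg, re.M).group(1)
    pol = next(iter(_stanzas(cfg, r"^crypto (?:isakmp|ikev1) policy (\d+)").values()))
    return {"sets": sets, "ref": ref,
            "p1_enc": _field(pol, "encryption"), "p1_hash": _field(pol, "hash"),
            "p1_group": _field(pol, "group"),
            "p1_life": int(_field(pol, "lifetime") or 86400)}   # ASA default lifetime is 86400 s


def check(sn_cfg, asa_cfg):
    """Return a list of findings; an empty list means both proposals line up."""
    sn, asa = parse_smartnode(sn_cfg), parse_asa(asa_cfg)
    out = []
    for key, label in (("p1_enc", "IKE encryption"), ("p1_hash", "IKE hash"), ("p1_group", "IKE DH group")):
        if sn[key] != asa[key]:
            out.append(f"{label} mismatch: SmartNode {sn[key]} vs ASA {asa[key]}")
    if sn["p1_life"] != asa["p1_life"]:
        out.append(f"IKE lifetime differs: SmartNode {sn['p1_life']}s vs ASA {asa['p1_life']}s "
                   "(IKEv1 settles on the shorter one; configure both ends the same)")
    ts = asa["sets"].get(asa["ref"])
    if ts is None:
        out.append(f"crypto map references transform-set '{asa['ref']}' which is not defined "
                   f"(defined: {', '.join(asa['sets']) or 'none'})")
    elif ts != sn["p2"]:
        out.append(f"ESP mismatch: SmartNode {sn['p2']} vs ASA {ts}")
    for alg in sorted({sn["p1_enc"], sn["p1_hash"], sn["p1_group"], *sn["p2"]} & WEAK):
        out.append(f"weak algorithm in use: {alg}")
    return out


if __name__ == "__main__":
    for line in check(SMARTNODE_CFG, ASA_CFG) or ["proposals match"]:
        print(line)
```

Run against the embedded samples it reports the lifetime difference, the undefined transform-set reference and the deprecated 3DES, MD5 and DH group 2; after fixing the reference and the lifetime, only the weak-algorithm findings remain, which is the cue to move both ends to AES and SHA if the firmware allows it.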