06-02-2021 09:03 AM
Afternoon everyone,
I'm just posting here as I require some help. I'm attempting to create a secure connection between two separate sites/networks, one a branch and one the HQ.
I have both networks fully functioning individually but I'm unsure as to how to create a secure connection between them. The current task I am working on is:
"Install and configure the firewall to provide the secure link between the two networks. You may use more than one firewall. They may be positioned where you think best to achieve the outcomes."
I am just a bit confused about how I would create this secure link using a firewall. Does anyone have any ideas? I will provide an image of my current design.
Any help appreciated.
06-04-2021 10:29 AM
Hi
You could try placing a firewall connected to AKCBranchRouter and another one connected to AKCHQRouter and create a VPN tunnel between them. Since I don't see you indicating whether there are restrictions or not, let's imagine you have a point-to-point connection between the 2 firewalls, so the configuration on them to run a VPN tunnel would look like this:
AKCBranchFW
interface GigabitEthernet0/0
 nameif POINT2POINT-AKCHQFW
 security-level 25
 ip address 10.10.5.1 255.255.255.252
 no shutdown
exit
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.x 255.255.255.0
 no shutdown
exit
! Static route so traffic for the HQ LAN leaves through the point-to-point interface, where the crypto map is applied
route POINT2POINT-AKCHQFW 192.168.1.0 255.255.255.0 10.10.5.2
Configure ACL to identify the traffic that you want to pass through the tunnel
object network INSIDE-NET
 subnet 192.168.2.0 255.255.255.0
exit
object network REMOTE-NET
 subnet 192.168.1.0 255.255.255.0
exit
! INSIDE-NET and REMOTE-NET are network objects, so the ACL references them with "object", not "object-group"
access-list CRY-ACL extended permit ip object INSIDE-NET object REMOTE-NET
Configure IKEv1 and enable policy on the interface
crypto ikev1 policy 1
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
 encryption aes-256
exit
crypto ikev1 enable POINT2POINT-AKCHQFW
Configure transform set for IKEv1
crypto ipsec ikev1 transform-set Our-TSET esp-aes esp-sha-hmac
Tunnel group configuration
group-policy Group-A internal
group-policy Group-A attributes
 vpn-tunnel-protocol ikev1
exit
tunnel-group 10.10.5.2 type ipsec-l2l
tunnel-group 10.10.5.2 general-attributes
 default-group-policy Group-A
exit
tunnel-group 10.10.5.2 ipsec-attributes
 ikev1 pre-shared-key cisco123
exit
Configure crypto map
crypto map CRY-MAP 1 match address CRY-ACL
crypto map CRY-MAP 1 set peer 10.10.5.2
crypto map CRY-MAP 1 set ikev1 transform-set Our-TSET
crypto map CRY-MAP interface POINT2POINT-AKCHQFW
AKCHQFW
interface GigabitEthernet0/0
 nameif POINT2POINT-AKCBranchFW
 security-level 25
 ip address 10.10.5.2 255.255.255.252
 no shutdown
exit
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.x 255.255.255.0
 no shutdown
exit
! Static route so traffic for the branch LAN leaves through the point-to-point interface, where the crypto map is applied
route POINT2POINT-AKCBranchFW 192.168.2.0 255.255.255.0 10.10.5.1
Configure ACL to identify the traffic that you want to pass through the tunnel
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
exit
object network REMOTE-NET
 subnet 192.168.2.0 255.255.255.0
exit
! Mirror image of the branch ACL: local subnet as source, remote subnet as destination
access-list CRY-ACL extended permit ip object INSIDE-NET object REMOTE-NET
Configure IKEv1 and enable policy on the interface
crypto ikev1 policy 1
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
 encryption aes-256
exit
crypto ikev1 enable POINT2POINT-AKCBranchFW
Configure transform set for IKEv1
crypto ipsec ikev1 transform-set Our-TSET esp-aes esp-sha-hmac
Tunnel group configuration
group-policy Group-A internal
group-policy Group-A attributes
 vpn-tunnel-protocol ikev1
exit
tunnel-group 10.10.5.1 type ipsec-l2l
tunnel-group 10.10.5.1 general-attributes
 default-group-policy Group-A
exit
tunnel-group 10.10.5.1 ipsec-attributes
 ikev1 pre-shared-key cisco123
exit
Configure crypto map
crypto map CRY-MAP 1 match address CRY-ACL
crypto map CRY-MAP 1 set peer 10.10.5.1
crypto map CRY-MAP 1 set ikev1 transform-set Our-TSET
crypto map CRY-MAP interface POINT2POINT-AKCBranchFW
Let me know if you run into issues after that.
Thanks.
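An added check to go with the answer above (my own example, not code from the thread or from Cisco): a small Python script that parses two ASA config fragments shaped like the AKCBranchFW / AKCHQFW snippets and reports the settings that must agree between the peers before the tunnel will come up: each side's peer address matching the other side's tunnel-interface address, the pre-shared key, the IKEv1 policy, the transform set, and the crypto ACL being a mirror image. The addresses, object names and key in it are constructed sample values; the "object-group" variant reproduces the slip of referencing `object network` definitions as object-groups so you can see how it surfaces.

```python
"""Mirror-consistency check for a pair of ASA IKEv1 site-to-site config fragments.
Added example; all addresses, names and the key below are constructed sample values."""

BRANCH_CFG = """
interface GigabitEthernet0/0
 nameif POINT2POINT-AKCHQFW
 ip address 10.10.5.1 255.255.255.252
object network INSIDE-NET
 subnet 192.168.2.0 255.255.255.0
object network REMOTE-NET
 subnet 192.168.1.0 255.255.255.0
access-list CRY-ACL extended permit ip object INSIDE-NET object REMOTE-NET
crypto ikev1 policy 1
 hash sha
 authentication pre-share
 encryption aes-256
crypto ipsec ikev1 transform-set Our-TSET esp-aes esp-sha-hmac
tunnel-group 10.10.5.2 ipsec-attributes
 ikev1 pre-shared-key cisco123
crypto map CRY-MAP 1 match address CRY-ACL
crypto map CRY-MAP 1 set peer 10.10.5.2
crypto map CRY-MAP 1 set ikev1 transform-set Our-TSET
crypto map CRY-MAP interface POINT2POINT-AKCHQFW
"""

def swap(text, a, b):  # exchange two substrings; derives the HQ side from the branch side
    return text.replace(a, "\0").replace(b, a).replace("\0", b)

# HQ side: same policy with the addressing swapped (constructed, mirrors the branch).
HQ_CFG = (swap(swap(BRANCH_CFG, "10.10.5.1", "10.10.5.2"), "192.168.1.0", "192.168.2.0")
          .replace("POINT2POINT-AKCHQFW", "POINT2POINT-AKCBranchFW"))
# Variant with the slip from the thread: network objects referenced as object-groups.
HQ_TYPO = HQ_CFG.replace("object INSIDE-NET object REMOTE-NET",
                         "object-group INSIDE-NET object-group REMOTE-NET")

def parse_asa(cfg):
    """Pull tunnel-relevant settings out of an ASA fragment; sub-mode lines carry a leading space."""
    d = {"objects": {}, "acl": [], "ike": {}, "tsets": {}, "ifaces": {}, "map": {}, "psk": None}
    section, cur_if = [], None
    for raw in cfg.splitlines():
        t = raw.split()
        if not t or t[0] == "exit":
            continue
        if not raw.startswith(" "):                      # top-level command
            section, cur_if = t, None
            if t[0] == "access-list" and "permit" in t:
                d["acl"].append(t)
            elif t[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
                d["tsets"][t[4]] = tuple(t[5:])
            elif t[:2] == ["crypto", "map"] and len(t) > 4:
                d["map"][t[-2]] = t[-1]                  # interface / address / peer / transform-set
            continue
        if section[0] == "interface":                    # sub-mode command of the current section
            if t[0] == "nameif":
                cur_if = t[1]
            elif t[:2] == ["ip", "address"] and cur_if:
                d["ifaces"][cur_if] = t[2]
        elif section[:2] == ["object", "network"] and t[0] == "subnet":
            d["objects"][section[2]] = f"{t[1]}/{t[2]}"
        elif section[:3] == ["crypto", "ikev1", "policy"]:
            d["ike"][t[0]] = t[1]
        elif section[0] == "tunnel-group" and t[:2] == ["ikev1", "pre-shared-key"]:
            d["psk"] = t[2]
    return d

def acl_flows(d):
    """Resolve the crypto map's ACL to (src, dst) subnet pairs; report entries that do not resolve."""
    flows, problems = set(), []
    for t in d["acl"]:
        if t[1] != d["map"].get("address"):
            continue
        ends = [d["objects"].get(n) if k == "object" else None for k, n in (t[5:7], t[7:9])]
        if None in ends:
            problems.append(f"ACL {t[1]}: cannot resolve '{' '.join(t[5:9])}' to network objects")
        else:
            flows.add(tuple(ends))
    return flows, problems

def check_pair(a, b):
    """Return findings for a tunnel pair; an empty list means the two sides mirror each other."""
    findings = []
    a_local = a["ifaces"].get(a["map"].get("interface"))
    b_local = b["ifaces"].get(b["map"].get("interface"))
    if (a["map"].get("peer"), b["map"].get("peer")) != (b_local, a_local):
        findings.append("peer addresses do not point at each other's tunnel interface")
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")
    if a["ike"] != b["ike"]:
        findings.append(f"IKEv1 policy mismatch: {a['ike']} vs {b['ike']}")
    if a["tsets"].get(a["map"].get("transform-set")) != b["tsets"].get(b["map"].get("transform-set")):
        findings.append("IPsec transform sets differ")
    (fa, pa), (fb, pb) = acl_flows(a), acl_flows(b)
    findings += pa + pb
    if {(dst, src) for src, dst in fa} != fb:
        findings.append("crypto ACLs are not mirror images of each other")
    return findings

if __name__ == "__main__":
    for label, hq in (("mirrored", HQ_CFG), ("object-group typo", HQ_TYPO)):
        print(label, check_pair(parse_asa(BRANCH_CFG), parse_asa(hq)) or "OK")
```

Run it as-is and the mirrored pair reports OK while the object-group variant reports both the unresolved ACL entries and the resulting non-mirrored ACLs. To use it on real devices, paste each side's `show running-config` output into the two strings; the parser relies on the single-space indentation that output uses for sub-mode commands.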