Hi
You could try placing a firewall connected to AKCBranchRouter and another one connected to AKCHQRouter and create a VPN tunnel between them. Since I don't see that you indicated whether there are restrictions or not, let's imagine you do a point-to-point connection between the 2 firewalls, so the configuration on them to run a VPN tunnel would look like this:
AKCBranchFW
interface GigabitEthernet0/0
nameif POINT2POINT-AKCHQFW
security-level 25
ip address 10.10.5.1 255.255.255.252
interface GigabitEthernet0/1
nameif inside
ip address 192.168.2.x 255.255.255.0
Configure ACL to identify the traffic that you want to pass through the tunnel
object network INSIDE-NET
subnet 192.168.2.0 255.255.255.0
exit
object network REMOTE-NET
subnet 192.168.1.0 255.255.255.0
exit
access-list CRY-ACL extended permit ip object INSIDE-NET object REMOTE-NET
Configure IKEv1 and enable policy on the interface
crypto ikev1 policy 1
hash sha
authentication pre-share
group 5
lifetime 86400
encryption aes-256
exit
crypto ikev1 enable POINT2POINT-AKCHQFW
Configure transform set for IKEv1 or
crypto ipsec ikev1 transform-set Our-TSET esp-aes esp-sha-hmac
Tunnel group configuration
group-policy Group-A internal
group-policy Group-A attributes
vpn-tunnel-protocol ikev1
exit
tunnel-group 10.10.5.2 type ipsec-l2l
tunnel-group 10.10.5.2 general-attributes
default-group-policy Group-A
exit
tunnel-group 10.10.5.2 ipsec-attributes
ikev1 pre-shared-key cisco123
exit
Configure crypto map
crypto map CRY-MAP 1 match address CRY-ACL
crypto map CRY-MAP 1 set peer 10.10.5.2
crypto map CRY-MAP 1 set ikev1 transform-set Our-TSET
crypto map CRY-MAP interface POINT2POINT-AKCHQFW
AKCHQFW
interface GigabitEthernet0/0
nameif POINT2POINT-AKCBranchFW
security-level 25
ip address 10.10.5.2 255.255.255.252
interface GigabitEthernet0/1
nameif inside
ip address 192.168.1.x 255.255.255.0
Configure ACL to identify the traffic that you want to pass through the tunnel
object network INSIDE-NET
subnet 192.168.1.0 255.255.255.0
exit
object network REMOTE-NET
subnet 192.168.2.0 255.255.255.0
exit
access-list CRY-ACL extended permit ip object INSIDE-NET object REMOTE-NET
Configure IKEv1 and enable policy on the interface
crypto ikev1 policy 1
hash sha
authentication pre-share
group 5
lifetime 86400
encryption aes-256
exit
crypto ikev1 enable POINT2POINT-AKCBranchFW
Configure transform set for IKEv1
crypto ipsec ikev1 transform-set Our-TSET esp-aes esp-sha-hmac
Tunnel group configuration
group-policy Group-A internal
group-policy Group-A attributes
vpn-tunnel-protocol ikev1
exit
tunnel-group 10.10.5.1 type ipsec-l2l
tunnel-group 10.10.5.1 general-attributes
default-group-policy Group-A
exit
tunnel-group 10.10.5.1 ipsec-attributes
ikev1 pre-shared-key cisco123
exit
Configure crypto map
crypto map CRY-MAP 1 match address CRY-ACL
crypto map CRY-MAP 1 set peer 10.10.5.1
crypto map CRY-MAP 1 set ikev1 transform-set Our-TSET
crypto map CRY-MAP interface POINT2POINT-AKCBranchFW
Let me know if you run into issues after that.
Thanks.
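
As an added example that is not part of the original post: a small Python check that the two firewall configurations above mirror each other (peer addresses, tunnel-group names, crypto ACLs, IKEv1 policy, transform set and pre-shared key), since a mismatch in any of these keeps the tunnel from coming up. The abbreviated config template, the pre-shared key value and the function names are constructed for illustration.

```python
import re
# Constructed, abbreviated ASA-style config using the addresses and names from the post.
TEMPLATE = """\
interface GigabitEthernet0/0
 nameif {ifname}
 ip address {local} 255.255.255.252
object network INSIDE-NET
 subnet {inside} 255.255.255.0
object network REMOTE-NET
 subnet {remote} 255.255.255.0
access-list CRY-ACL extended permit ip object INSIDE-NET object REMOTE-NET
crypto ikev1 policy 1
 hash sha
 authentication pre-share
 group 5
 encryption aes-256
crypto ipsec ikev1 transform-set Our-TSET esp-aes esp-sha-hmac
tunnel-group {peer} type ipsec-l2l
tunnel-group {peer} ipsec-attributes
 ikev1 pre-shared-key {psk}
crypto map CRY-MAP 1 set peer {peer}
crypto map CRY-MAP interface {ifname}
"""
BRANCH = TEMPLATE.format(ifname="POINT2POINT-AKCHQFW", local="10.10.5.1", peer="10.10.5.2", inside="192.168.2.0", remote="192.168.1.0", psk="EXAMPLE-KEY")
HQ = TEMPLATE.format(ifname="POINT2POINT-AKCBranchFW", local="10.10.5.2", peer="10.10.5.1", inside="192.168.1.0", remote="192.168.2.0", psk="EXAMPLE-KEY")

def parse(cfg):
    """Extract the settings that the two peers must agree on."""
    one = lambda pat: re.search(pat, cfg).group(1)
    nets = dict(re.findall(r"object network (\S+)\n subnet (\S+ \S+)", cfg))
    src, dst = re.search(r"permit ip object (\S+) object (\S+)", cfg).groups()
    ifname = one(r"crypto map \S+ interface (\S+)")  # interface the crypto map is bound to
    return {
        "local": one(rf"nameif {re.escape(ifname)}\n(?: .*\n)*? ip address (\S+)"),
        "peer": one(r"set peer (\S+)"), "tg": one(r"tunnel-group (\S+) type ipsec-l2l"),
        "src": nets[src], "dst": nets[dst],
        "ike": sorted(one(r"crypto ikev1 policy \d+\n((?: .*\n)+)").split("\n")),
        "tset": one(r"transform-set \S+ (.+)"), "psk": one(r"pre-shared-key (\S+)"),
    }

def mismatches(cfg_a, cfg_b):
    """Return the reasons the two configs cannot form a tunnel (empty list = consistent)."""
    a, b = parse(cfg_a), parse(cfg_b)
    checks = {
        "peer address mismatch": (a["peer"], b["peer"]) == (b["local"], a["local"]),
        "tunnel-group name is not the peer address": all(c["tg"] == c["peer"] for c in (a, b)),
        "crypto ACLs are not mirrored": (a["src"], a["dst"]) == (b["dst"], b["src"]),
    }
    same = [f"{k} differs between peers" for k in ("ike", "tset", "psk") if a[k] != b[k]]
    return same + [why for why, ok in checks.items() if not ok]
```

Calling `mismatches(BRANCH, HQ)` on the two constructed configs returns an empty list; any entry in the returned list names the setting to correct before testing the tunnel.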