VPN tunnel special requirements

Steve Coady
Level 1

Hello

A business partner (BP) has some special requirements for VPN. Per the BP, the VPN config on my Cisco ASA (825) should have the following:

(BP) remote gateway should be set to 0.0.0.0 - This is what I am concerned about.
Could any adverse issue arise on the ASA for other tunnels or routing by setting the crypto map peer and the tunnel-group to 0.0.0.0 for this specific tunnel?

My side of the tunnel needs to be set for passive IKE (answer only). No trouble with this.

Thank you for any expert guidance provided on this issue.

sMc
5 Replies

Diego Lopez
Level 1

Hello,

In case they are requesting that you accept any public IP as the peer because their IP is dynamic, you need to configure a dynamic-to-static site-to-site tunnel; this way you can accept their connection to your ASA.

You will need to use the default tunnel group and set up the pre-shared key there. It should not affect the other tunnels, because if the other tunnels are static you have created more specific tunnels for that particular peer.

Here is a document that explains this dynamic-to-static site-to-site configuration using ASDM and CLI:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119007-config-asa9x-ike-ipsec-00.html

Diego

Thank you for the response.

We currently have a dynamic crypto map in place: crypto map VPN 65535 ipsec-isakmp dynamic DYNAMIC.

In the ASDM it has a priority of 65535.10.

What show commands can I run to verify this dynamic statement is not already being used for another instance?

I see that any static entries I have made are always above this dynamic statement.

Should I create another dynamic instance and define it as 65535.20?

Does it matter where these dynamic statements fall in the list of crypto maps?

sMc

You don't need to create a new dynamic map; you can reuse that one for all the dynamic IPs in case you're getting other peers with it.

The dynamic map should be the last crypto map to avoid problems with the static ones.

Diego
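The following is an added configuration example, not part of the thread and not taken from the linked Cisco document, illustrating the setup the two replies above describe: a dynamic-to-static IKEv1 site-to-site tunnel where the BP's peer address is unknown (the "0.0.0.0 peer" in the question), the pre-shared key lives in DefaultL2LGroup, the dynamic map is the last (highest-sequence) entry of the static crypto map, and the show commands used to check which peers are currently using the dynamic entry. The map names VPN and DYNAMIC and the sequence 65535 come from the thread; the interface name, ACL, object, transform-set names, subnets and IKE parameters are assumptions, and the syntax assumes ASA 8.4 or later.

```cisco
! Added example (not from the thread or the linked Cisco document).
! Assumed: ASA 8.4+ syntax, outside interface named "outside",
! local LAN 192.168.10.0/24, BP LAN 10.50.0.0/24 (constructed values).

! Phase 1 (IKEv1) policy - match these values to the BP's proposal.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

! Interesting traffic. Keep the dynamic map's ACL as narrow as possible:
! it is the only thing bounding what an unknown peer can reach.
object network LOCAL-LAN
 subnet 192.168.10.0 255.255.255.0
object network BP-LAN
 subnet 10.50.0.0 255.255.255.0
access-list BP-PROTECTED extended permit ip object LOCAL-LAN object BP-LAN

! NAT exemption for the protected traffic.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static BP-LAN BP-LAN no-proxy-arp route-lookup

crypto ipsec ikev1 transform-set BP-TSET esp-aes-256 esp-sha-hmac

! Dynamic crypto map: there is no "set peer" line, which is what lets any
! source address initiate. The ASA can only respond on this entry
! (passive / answer-only, as the BP requires).
crypto dynamic-map DYNAMIC 10 match address BP-PROTECTED
crypto dynamic-map DYNAMIC 10 set ikev1 transform-set BP-TSET

! Static peers keep their lower sequence numbers (e.g. 10, 20, ...); the
! dynamic entry is bound at 65535 so it is evaluated last and cannot
! shadow a static tunnel.
crypto map VPN 65535 ipsec-isakmp dynamic DYNAMIC
crypto map VPN interface outside

! No tunnel-group named 0.0.0.0 is created. Unknown IKEv1 L2L peers land in
! the built-in DefaultL2LGroup, so the shared secret is configured there.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <PSK-FROM-THE-BP>

! Verification (exec mode) - which peers are using the dynamic entry:
! show running-config crypto map           - confirm 65535 is the last entry
! show running-config crypto dynamic-map   - the DYNAMIC entries in use
! show crypto ikev1 sa                     - phase 1 SAs, one line per peer IP
! show crypto ipsec sa                     - phase 2 SAs with encaps/decaps counters
! show vpn-sessiondb l2l                   - active L2L sessions with peer address
```

Because DefaultL2LGroup is shared by every peer that does not match a static tunnel-group, any additional dynamic partner would reuse both this pre-shared key and the DYNAMIC map; that is why the reply above says a second dynamic map is unnecessary, and also why the ACL on the dynamic map and the key strength matter more than they do for a static tunnel.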

On a scale of 1 to 10 (riskiest) how risky is this type of implementation?

Based on what I am reading, anyone who gets this pre-shared key could use this tunnel into my network!

sMc

Using pre-shared keys as the authentication method will always represent a higher risk, even for the static tunnels; you can reduce the risk by configuring a strong enough password with a considerable amount of characters and symbols.

If you don't feel comfortable using pre-shared keys for this particular implementation, you can use certificate authentication; this will increase the security for this tunnel. Only the peers with the certificate will be able to authenticate against your ASA to establish a secure VPN tunnel.

Here is documentation that you can check to implement certificate authentication:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110221-asavpnclient-ca.html#asa1
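As an added example (not from the thread or the linked Cisco document) of the alternative the last reply recommends, the fragment below switches the same dynamic-peer tunnel from a pre-shared key to certificate (RSA signature) authentication. Only a peer presenting a certificate issued by the CA the trustpoint is authenticated against can complete IKE phase 1, so possession of a shared secret is no longer enough. The trustpoint name BP-CA, key pair name BP-KEY and subject name are assumptions; the exec-mode enrollment commands are shown as comments because they are typed interactively, not pasted into the running config.

```cisco
! Added example (not from the thread). Assumed names: BP-CA, BP-KEY,
! CN=asa.example.net; ASA 8.4+ IKEv1 syntax.

! Exec mode, one time: generate a key pair, authenticate the CA certificate
! (paste it at the prompt), then enroll the ASA's own identity certificate.
!   crypto key generate rsa label BP-KEY modulus 2048
!   crypto ca authenticate BP-CA
!   crypto ca enroll BP-CA

! Trustpoint for the CA that both sides trust. CRL checking makes a
! revoked partner certificate stop working rather than stay valid forever.
crypto ca trustpoint BP-CA
 enrollment terminal
 subject-name CN=asa.example.net
 keypair BP-KEY
 crl configure

! Phase 1 now requires RSA signatures instead of a pre-shared key.
crypto ikev1 policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Let the ASA pick the IKE identity from the authentication method
! (the certificate DN for rsa-sig peers).
crypto isakmp identity auto

! The dynamic-peer group authenticates with the trustpoint; the
! ikev1 pre-shared-key line is removed, and the peer's certificate
! identity must match what it sends in IKE.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 trust-point BP-CA
 peer-id-validate req

! Verify the chain is in place before the BP tests:
! show crypto ca certificates    - CA and identity certificates loaded
! show crypto ca trustpoints     - trustpoint state and CRL settings
! show crypto ikev1 sa           - phase 1 should now show rsa-sig peers
```

The crypto map, dynamic map and NAT exemption from the pre-shared-key setup stay as they are; only the phase 1 authentication method and the DefaultL2LGroup attributes change.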