Configuring a Cisco Firewall

Last updated: 2023-01-13 16:06:29

    To connect your IDC to a Tencent Cloud VPC via IPsec VPN connection, you need to configure the VPN on the gateway device of your local IDC after configuring the VPN gateway on Tencent Cloud. This document introduces how to configure the VPN on a Cisco firewall of the local IDC.

    Note:

    • This document introduces the common configurations of Cisco ASA firewalls.
    • Replace all the IPs, ports, and other parameters given in this document with your actual values when configuring your device.

    Prerequisites

    You have created a VPN connection as instructed in Creating VPN Gateways in a Tencent Cloud VPC, and configured the VPN tunnel as instructed in Creating VPN tunnel.

    Data Preparations

    The following table describes the IPsec VPN configuration data.

    Configuration item                                                      Sample value
    Network               VPC information  Subnet CIDR block                10.1.1.0/24
                                           Public IP of the VPN gateway     159.xx.xx.242
                          IDC information  Private CIDR block               172.16.0.0/16
                                           Public IP of the gateway         120.xx.xx.76
    IPsec VPN connection  IKE              Version                          IKEv1
                                           Identity verification method     Pre-shared key
                                           PSK                              tencent@123
                                           Encryption algorithm             AES-128
                                           Authentication algorithm         MD5
                                           Negotiation mode                 main
                                           Local ID                         IP address: 120.xx.xx.76
                                           Remote ID                        IP address: 159.xx.xx.242
                                           DH group                         DH2
                                           IKE SA lifetime                  86400
                          IPsec            Encryption algorithm             AES-128
                                           Authentication algorithm         MD5
                                           Packet encapsulation mode        Tunnel
                                           Security protocol                ESP
                                           PFS                              disable
                                           IPsec SA lifetime (in seconds)   3600 s
                                           IPsec SA lifetime (in KB)        1843200 KB
    Firewall              Interface        Nameif                           outside

    Directions

    1. Log in to the command-line interface of the firewall device.
      ssh -p <port> admin@10.XX.XX.56
      # Log in to the firewall's configuration interface over SSH (replace <port> with the firewall's SSH port and the address with your own).
      User Access Verification
      Username: admin
      Password: ****
      Type help or '?' for a list of available commands.
      # Enter the username and password to enter user EXEC mode.
      ASA>
      ASA> en
      Password:
      # Enter "enable" and the enable password to enter privileged EXEC mode, in which you can view information but not change the configuration.
      ASA# conf t
      ASA(config)#
      # Enter "configure terminal" (abbreviated "conf t") to enter global configuration mode, in which you can configure the firewall.
    2. Configure the firewall interface.
      In global configuration mode, configure the firewall interface that connects to Tencent Cloud.
      interface GigabitEthernet0/0
      nameif outside # Name the interface "outside"; this name identifies the interface's security zone in later commands.
      security-level 0 # Set the security level of the interface (0 is the least trusted, which is appropriate for the internet-facing side).
      ip address 120.XX.XX.76 255.255.255.252 # Configure the local public IP address that serves as the VPN tunnel endpoint.
    3. Configure an ISAKMP policy.
      crypto ikev1 enable outside # Enable IKEv1 on the "outside" interface.
      crypto ikev1 policy 10 # Define the IKEv1 phase 1 negotiation policy. The priority is a number from 1 to 65535; the smaller the number, the higher the priority. 10 is used here.
      authentication pre-share # Authenticate the peer with a pre-shared key.
      encryption aes # Set the phase 1 encryption algorithm to AES-128 (the ASA keyword for AES-128 is "aes"). It defaults to "AES-128".
      hash md5 # Set the hash algorithm of the IKE policy to MD5. It defaults to "SHA".
      group 2 # Use Diffie-Hellman group 2 for the IKE policy. It defaults to "group 2".
      lifetime 86400 # Set the IKE SA lifetime in seconds. It defaults to "86400" seconds.
    4. Configure the pre-shared key.
      tunnel-group 159.XX.XX.242 type ipsec-l2l # Create a site-to-site (LAN-to-LAN) IPsec tunnel group named after the peer's public IP.
      tunnel-group 159.XX.XX.242 ipsec-attributes # Enter the IPsec attributes of the tunnel group to set the pre-shared key.
      ikev1 pre-shared-key tencent@123 # The key is a string of 1-128 letters, digits or other characters and must be identical to the PSK configured on the Tencent Cloud VPN tunnel.
    5. Configure the IPsec security protocol.
      crypto ipsec ikev1 transform-set TS esp-aes esp-md5-hmac  # Specify the encryption algorithm and hash algorithm for the phase 2 IPsec negotiation.
    6. Configure an ACL.
      access-list INTERESTING extended permit ip 172.XX.XX.0 255.255.0.0 10.1.1.0 255.255.255.0 # Define the ACL that selects the traffic to be protected by the VPN tunnel (IDC private CIDR block to VPC subnet).
    7. Configure an IPsec policy.
      crypto map CMAP 1 match address INTERESTING # Use the ACL to select the packets whose source and destination addresses match it for the VPN tunnel.
      crypto map CMAP 1 set peer 159.XX.XX.242 # Set the public IP address of the remote VPN gateway to which the IPsec-protected traffic is forwarded. The public IP address of the Tencent Cloud VPN gateway is used here.
      crypto map CMAP 1 set ikev1 transform-set TS # Bind the IKEv1 transform set TS (defined in step 5) to the crypto map entry.
      crypto map CMAP 1 set security-association lifetime seconds 3600 # Set the IPsec SA lifetime in seconds.
    8. Apply the IPsec policy.
      crypto map CMAP interface outside # Apply the crypto map configured in the previous step to the "outside" interface.
    9. Configure static routes.
      route outside 10.1.1.0 255.255.255.0 159.XX.XX.242 1  # Route the data of the IP range to be encrypted and protected to the IPsec tunnel, and configure the destination public IP of the VPN tunnel as the next hop.
    10. Test the VPN connectivity.
      You can use the ping command to test the VPN connectivity.
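    As an added example (not Tencent Cloud's or Cisco's code), the following Python renders the ASA commands of steps 3 to 8 from the parameters in the Data Preparations table and first checks that the IDC side and the Tencent Cloud side propose identical phase 1 and phase 2 settings, because a mismatch in any one of them is the usual reason the tunnel never comes up. The Proposal class, the keyword mappings and the peer address used in the sample are assumptions of this example.

```python
from dataclasses import dataclass, fields

# The ASA CLI spells the algorithms differently from the Tencent Cloud console.
IKE_ENC = {"AES-128": "aes", "AES-192": "aes-192", "AES-256": "aes-256", "3DES": "3des"}
ESP_ENC = {"AES-128": "esp-aes", "AES-192": "esp-aes-192", "AES-256": "esp-aes-256", "3DES": "esp-3des"}
IKE_HASH = {"MD5": "md5", "SHA1": "sha"}
ESP_AUTH = {"MD5": "esp-md5-hmac", "SHA1": "esp-sha-hmac"}

@dataclass(frozen=True)
class Proposal:
    """One end's IKEv1 phase 1 and IPsec phase 2 parameters, in console spelling (assumed structure)."""
    ike_enc: str
    ike_hash: str
    dh_group: int
    ike_lifetime: int
    ipsec_enc: str
    ipsec_auth: str
    ipsec_lifetime: int
    pfs_group: int = 0  # 0 = PFS disabled, as in the table above

# Sample values taken from the Data Preparations table (the Tencent Cloud tunnel settings).
TENCENT_SIDE = Proposal("AES-128", "MD5", 2, 86400, "AES-128", "MD5", 3600)

def mismatches(local, remote):
    """Names of the parameters on which the two ends disagree; IKE negotiation fails on any of them."""
    return [f.name for f in fields(Proposal) if getattr(local, f.name) != getattr(remote, f.name)]

def render_asa(p, peer, psk, local_net, remote_net):
    """ASA commands equivalent to steps 3 to 8 of the procedure above, for proposal p."""
    cmds = [
        "crypto ikev1 enable outside",
        "crypto ikev1 policy 10",
        " authentication pre-share",
        f" encryption {IKE_ENC[p.ike_enc]}",
        f" hash {IKE_HASH[p.ike_hash]}",
        f" group {p.dh_group}",
        f" lifetime {p.ike_lifetime}",
        f"tunnel-group {peer} type ipsec-l2l",
        f"tunnel-group {peer} ipsec-attributes",
        f" ikev1 pre-shared-key {psk}",
        f"crypto ipsec ikev1 transform-set TS {ESP_ENC[p.ipsec_enc]} {ESP_AUTH[p.ipsec_auth]}",
        f"access-list INTERESTING extended permit ip {local_net} {remote_net}",
        "crypto map CMAP 1 match address INTERESTING",
        f"crypto map CMAP 1 set peer {peer}",
        "crypto map CMAP 1 set ikev1 transform-set TS",
        f"crypto map CMAP 1 set security-association lifetime seconds {p.ipsec_lifetime}",
    ]
    pfs = [f"crypto map CMAP 1 set pfs group{p.pfs_group}"] if p.pfs_group else []
    return cmds + pfs + ["crypto map CMAP interface outside"]
```

    After the rendered commands are applied, "show crypto ikev1 sa" and "show crypto ipsec sa" on the ASA confirm that the phase 1 and phase 2 SAs were established before you ping across the tunnel.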