(I'll try to fix formatting after I post this. I suck at Reddit formatting) * I recently picked up a Cisco Firepower 2130 appliance to replace my aging Cisco ASAs. I was excited over the new platform and ready to dive in head first into what was the "future". My hopes and dreams were quickly destroyed when I realized the new OS is not ready for production use. To make sure..I fired off some questions to Cisco TAC * * Does the Firepower 2130 support route-based VPNs? ----> Not yet
-
Does 6.2.2. support BGP? Can I do BGP with a policy-based or route-based vpn configuration? ----> 6.2.2 supports BGP as a protocol but not over policy based VPN.
-
If these features are not supported (route-based vpn and BGP) are they on a future road-map. If so, what is the timeframe for implementation? ----> These features are not in place for the next release and I cannot see these in roadmap for couple of future releases. Right now it is difficult to get a timeframe for this particular VPN feature. *
-
Is it possible to configure TACACS management access on a firepower 2130 with 6.2.2. code? ----> Not yet. It is on the roadmap, but not committed to any particular release. *
-
If the feature set is limited in 6.2.2 code would moving to the ASA code support these features? ----> Yes. *
-
What is the longterm roadmap for ASA support on the firepower 2130 appliance. Will support for ASA code eventually go away in favor of the FTD/FXOS native code? ----> They have recently launched the support for ASA on FP2100s. It will be just like using a normal ASA just the hardware is different so it should not have much issues or bugs. The goal is to eventually migrate to FTD image as it is a combination of ASA and Sourcefire images which gives us next generation firewalls, but the support for ASA will still be there for long time. *
-
And finally, do you have any configuration examples of building a VPN from Microsoft Azure route-based VPN to Cisco Firepower 2130 FTD 6.2.2 series of code? ----> Not supported yet
*
So I went ahead and wiped my Firepower 2130 and put on Cisco ASA code. The process wasn't that bad. You follow an online document, wipe the box, load the new code via TFTP and you're on your way. I did run into some issues with licensing. The Firepower appliance uses SmartLicensing but when you convert to ASA code it requires 2 additional licenses to be added to your smartlicense. You need *
-
Firepower 2100 ASA Standard
-
Firepower 2k Series ASA strong encryption
*
Without these license features (strong encryption) the ASDM manager will not launch. So make sure you get these licenses setup online and you configure your ASA to use SmartLicense before attempting to use ASDM.
*How do you setup Smart License on ASA? I followed the online tutorial for ASAv smart licensing setup to get things working (ooh and set your DNS on the appliance so it can look-up URLS to hit the smartlicense web sites).
So lets get back to what we came here for.. Route-Based VPN with Azure! *
-
After looking around online and piecing code from different blogs here is the configuration I came up with that works with Azure VPN and BGP. Hopefully this helps someone.
*
-
license smart
-
feature tier standard
-
feature strong-encryption
-
names
-
!
-
interface Ethernet1/1
-
nameif outside
-
security-level 0
-
ip address 199.x.x.x 255.255.255.0
-
!
-
interface Ethernet1/2
-
nameif inside
-
security-level 100
-
ip address 10.30.1.x 255.255.255.0
-
!
-
interface Tunnel1
-
nameif VPN-AZURE-USEAST2
-
ip address 192.168.1.1 255.255.255.0
-
tunnel source interface outside
-
tunnel destination 52.x.x.x
-
tunnel mode ipsec ipv4
-
tunnel protection ipsec profile AZURE_PROFILE
-
!
-
router bgp 10001
-
bgp log-neighbor-changes
-
bgp graceful-restart
-
address-family ipv4 unicast
-
neighbor 10.50.0.254 remote-as 10000
-
neighbor 10.50.0.254 description Azure VPN Gateway BGP Address
-
neighbor 10.50.0.254 ebgp-multihop 255
-
neighbor 10.50.0.254 activate
-
neighbor 10.50.0.254 next-hop-self
-
network 10.0.0.0
-
network 172.16.0.0 mask 255.248.0.0
-
network 192.168.1.0
-
no auto-summary
-
no synchronization
-
exit-address-family
-
!
-
route outside 0.0.0.0 0.0.0.0 199.x.x.1 1
-
route inside 10.0.0.0 255.0.0.0 10.30.1.1 1
-
route VPN-AZURE-USEAST2 10.50.0.254 255.255.255.255 52.x.x.x 1
-
route inside 172.16.0.0 255.248.0.0 10.30.1.1 1
-
crypto ipsec ikev2 ipsec-proposal AZURE_PROP
-
protocol esp encryption aes-256
-
protocol esp integrity sha-1
-
crypto ipsec profile AZURE_PROFILE
-
set ikev2 ipsec-proposal AZURE_PROP
-
set pfs group24
-
set security-association lifetime kilobytes 102400000
-
set security-association lifetime seconds 27000
-
crypto ikev2 policy 1
-
encryption aes-256
-
integrity sha
-
group 5 2
-
prf sha
-
lifetime seconds 86400
-
crypto ikev2 policy 3
-
encryption aes-256
-
integrity sha
-
group 2
-
prf sha
-
lifetime seconds 28000
-
crypto ikev2 policy 10
-
encryption aes-192
-
integrity sha
-
group 5 2
-
prf sha
-
lifetime seconds 86400
-
crypto ikev2 policy 20
-
encryption aes
-
integrity sha
-
group 5 2
-
prf sha
-
lifetime seconds 86400
-
crypto ikev2 policy 30
-
encryption 3des
-
integrity sha
-
group 5 2
-
prf sha
-
lifetime seconds 86400
-
crypto ikev2 policy 40
-
encryption des
-
integrity sha
-
group 5 2
-
prf sha
-
lifetime seconds 86400
-
crypto ikev2 enable outside
-
group-policy SITE_AZURE_USEAST2 internal
-
group-policy SITE_AZURE_USEAST2 attributes
-
vpn-tunnel-protocol ikev2
-
tunnel-group 52.x.x.x type ipsec-l2l
-
tunnel-group 52.x.x.x general-attributes
-
default-group-policy SITE_AZURE_USEAST2
-
tunnel-group 52.x.x.x ipsec-attributes
-
ikev1 pre-shared-key YOUR-PSK-HERE
-
ikev2 remote-authentication pre-shared-key YOUR-PSK-HERE
-
ikev2 local-authentication pre-shared-key YOUR-PSK-HERE
*
You can create your Azure VPN via Script but this time around I created it via the GUI so I don't have any examples. * * I setup a VPN3 gateway, pointed it to a VNET (10.50.0.0/16) * It created the Gatetway Subnet for me (10.50.0.0/24) and placed the VPN gateway into 10.50.0.254. * I activated BGP and created an ASN (For Example: 10000). I wrote down the public IP it presented to me, and I also wrote down the BGP Peer IP (*you'll need this for the ASA configuration).
* I then setup a connection my VPN gateway. Setup BGP inside of that connection with my ASA BGP ASN (Example: 10001 - has to be different from the Azure BGP ASN).
* On my Cisco Firepower I set the tunnel interface to 192.168.1.1. On the Azure side of the connection the 192.168.1.1 was my BGP peer IP. I don't use 192.168's in my data center so this network only lives on the ASA. It's only purpose is to exchange routes with Azure. * Then the final thing that got it all to work was to enable BGP on the Azure connection. There is this little button to click on the connection that says Enable BGP. But you can only enable this button once BGP is configured on your connection.
*
At this point you should be able to ping from the ASA to the Azure VPN gateway IP (10.50.0.254 in this example).
* NOTE: On your ASA you will need a route to the Azure VPN gateway IP (10.50.0.254). This route will point to the Azure VPN gateway public IP.
*
Lessons Learned:
* Make sure you enable ebgp-multihop in your BGP configuration
Links Used * http://ift.tt/2ArKWC8
-
http://ift.tt/2p6C4Pv #Right before part 3 you will notice the section that says "Ensure Multihop option for eBGP is enabled on your device
Hopefully this helps -Motavar
No comments:
Post a Comment