Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels


This article provides a reference for deploying a Barracuda Link Balancer under the following conditions:

1. In transparent (firewall-disabled) mode in front of a Cisco ASA firewall that is an endpoint for a site-to-site VPN tunnel.
2. In firewall-enabled mode as a remote VPN endpoint with the Cisco ASA on the other end.

This example combines both scenarios. Assume a corporate headquarters with an existing Cisco ASA device and a branch office in Michigan. To improve network uptime and resilience, the company installs a Barracuda Link Balancer at both sites. At headquarters it is deployed in transparent (firewall-disabled) mode upstream of the Cisco ASA and passes the VPN traffic through to it. In Michigan it is deployed in firewall-enabled mode and terminates the tunnel itself. Both the Barracuda Link Balancer in Michigan and the Cisco ASA must have static WAN IP addresses in order to set up a VPN tunnel between them.

Barracuda Labs has tested and validated the settings described in this document. All settings and screenshots in this document are taken from Barracuda Link Balancer version 2.4.1 and a Cisco device running Cisco Adaptive Security Appliance Software version 8.2 with Cisco Adaptive Security Device Manager (ASDM) version 6.2.

Before You Begin

Barracuda recommends release 2.4.1 or newer on the Barracuda Link Balancer. To update your Barracuda Link Balancer units, install the newest firmware from the ADVANCED > Firmware Updates page. For more information, see How to Update the Firmware.

Before proceeding, collect all of the information in the table below that applies to your setup. The example values in the table are used throughout this article.

Corporate Headquarters (uses Cisco ASA)

    1  Unused public IP from ISP*                                   111.1.1.100/24
    2  Local network behind Cisco ASA                               192.168.1.0/24
    3  Management IP of the Cisco ASA                               10.11.23.33
    4  Outside interface (VPN endpoint) on Cisco ASA                111.1.1.100/24
    5  Management IP of Barracuda Link Balancer at headquarters     10.11.23.157
    6  Management IP of Cisco ASA                                   10.11.23.33

Remote Site Michigan

    7  Management IP of Barracuda Link Balancer (Michigan branch)   10.11.23.165
    8  Remote network                                               172.24.0.0/16
    9  WAN IP of Barracuda Link Balancer (tunnel endpoint)          109.1.1.1/24

* To avoid changing the existing configuration on the Cisco ASA, provision an additional public IP address from your ISP on the WAN port of the Barracuda Link Balancer and retain the existing WAN IP address on the Cisco ASA. If necessary, contact your ISP to obtain the new address.

The network diagram shows the headquarters on the left and the Michigan branch office on the right. The headquarters has an existing Cisco ASA firewall, which forms an IPsec tunnel with the Barracuda Link Balancer at the branch office. A second Barracuda Link Balancer is deployed at headquarters in front of the Cisco ASA in transparent mode. In this mode it does not terminate the VPN; it only passes the VPN traffic through to the Cisco ASA.

Configuring the Cisco ASA

Configuring the IPsec VPN on the Cisco device requires the following steps:

1. Configure the interfaces and the ACL for the tunnel
2. Configure Phase 1
3. Configure Phase 2

Step 1. Configure Interfaces and ACL for the Tunnel

The outside interface carries the public address that is the tunnel endpoint. Following the ASA convention, the outside interface gets security-level 0 and the trusted inside interface gets security-level 100. Lines beginning with "!" are comments and are ignored by the ASA.

    interface Ethernet0/0
     description WAN Interface
     nameif Outside
     security-level 0
     ! this address is the tunnel endpoint
     ip address 111.1.1.100 255.255.255.0
    interface Ethernet0/1
     description LAN Interface
     nameif Inside
     security-level 100
     ip address 192.168.1.254 255.255.255.0

This access list (MI_Tunnel) is referenced by the crypto map (MI_Map) to select the traffic that is encrypted and sent across the tunnel, i.e. traffic from the headquarters LAN to the Michigan network:

    access-list MI_Tunnel extended permit ip 192.168.1.0 255.255.255.0 172.24.0.0 255.255.0.0

The Barracuda Link Balancer in Michigan must use the mirror image of this selector (172.24.0.0/16 to 192.168.1.0/24); otherwise Phase 2 fails on a proxy ID mismatch. If the ASA also performs NAT for the inside network, the traffic matched by MI_Tunnel must be exempted from NAT, or it is translated before it reaches the crypto map and never matches the selector.

Step 2. Configure Phase 1

The following commands define the Phase 1 policy used to negotiate the IKE SA. The policy is created with priority 1. Every value here must match the Phase 1 settings configured on the Barracuda Link Balancer later in this article; the 3DES/MD5/Group 2 combination is what Barracuda validated for release 2.4.1, but where both ends support AES, SHA and DH Group 14 or higher, those are the stronger choices.

    ! priority 1
    crypto isakmp policy 1
     ! authenticate with a pre-shared key
     authentication pre-share
     ! 3des is stronger than des; prefer aes if both ends support it
     encryption 3des
     ! must match the Barracuda setting; sha is the stronger choice
     hash md5
     ! group 2 is the minimum acceptable; avoid group 1
     group 2
     lifetime 86400

Now enable ISAKMP on the interface that terminates the VPN tunnel (the interface name is case-sensitive and must match the nameif above):

    crypto isakmp enable Outside

Step 3. Configure Phase 2

1. Define the transform set for Phase 2. It is referenced from the crypto map entry.

    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

2. Define a crypto map and use the access list defined above to specify which traffic is sent to the IPsec peer.

    crypto map MI_Map 1 match address MI_Tunnel

3. Set the IPsec peer (the remote endpoint) to the WAN address of the Barracuda Link Balancer in Michigan.

    crypto map MI_Map 1 set peer 109.1.1.1

4. Configure the transform set ESP-3DES-MD5 to be used with the crypto map entry.

    crypto map MI_Map 1 set transform-set ESP-3DES-MD5

5. Bind the crypto map to the interface that terminates the tunnel.

    crypto map MI_Map interface Outside

6. Disable NAT-T and set the Phase 2 lifetime.

    crypto map MI_Map 1 set nat-t-disable
    crypto map MI_Map 1 set security-association lifetime seconds 3600

7. Create the tunnel group and assign the pre-shared key for authentication. The key must be identical on both peers; use a long, random value rather than the placeholder shown here.

    tunnel-group 109.1.1.1 type ipsec-l2l
    tunnel-group 109.1.1.1 ipsec-attributes
     pre-shared-key my_secret_key

ICMP must be permitted on the IP address of the Cisco device so that the Barracuda Link Balancer at headquarters can perform health checks for the remote VPN endpoint.

Configuring the Barracuda Link Balancer (at Corporate Headquarters) for VPN Passthrough

To configure the Barracuda Link Balancer at headquarters, complete the following major steps:

1. Add the missing applications
2. Configure the IP / Application Routing rules
3. Define the actions to be taken

To allow the VPN traffic to pass through, outbound routing rules must be configured for the following applications:

    ESP
    IKE
    NAT-T
    GRE
    PPTP
    AH

Only ESP and IKE are required for this deployment, since NAT-T is disabled on both ends. GRE, PPTP, AH and NAT-T are listed for completeness and are useful when you want to allow other tunnel types to pass through the Barracuda Link Balancer.

Step 1. Add Missing Applications

IKE, GRE and PPTP are included in the Predefined Applications by default. Navigate to POLICY > Applications > Custom Applications and create custom applications for ESP, AH and NAT-T with the following settings:

    Application   Settings
    ESP           Application Name: ESP      Protocol Type: ESP
    AH            Application Name: AH       Protocol Type: AH
    NAT-T         Application Name: NAT-T    Protocol Type: UDP    Port Number: 4500

Step 2. Create a New IP / Application Routing Rule

Navigate to POLICY > Outbound Routing > IP/Application Routing and add a new rule with a unique Rule Name. Configure the following condition fields:

    Setting                  Description
    Source IP Address        The public IP address being NAT'd on the Cisco ASA, i.e. its outside interface (e.g. 111.1.1.100).
    Source Netmask           255.255.255.255 for a single host; for a set of addresses, the subnet mask that covers them.
    Application              The protocol this rule matches. Create one rule here for each application (ESP, IKE, NAT-T and, if needed, GRE, PPTP and AH).
    Destination IP Address   The WAN IP address of the VPN remote gateway (e.g. 109.1.1.1, the Barracuda Link Balancer in Michigan).
    Destination Netmask      255.255.255.255 for a single host; for a set of addresses, the subnet mask that covers them.
    Link Balance             Select No, then select a Primary and a Backup link:
                             Primary Link: Select Default to send the outgoing traffic to the WAN link on the same subnet, or select a specific link from the list to bind the traffic to that link.
                             Backup Link: Select None to drop the traffic if the primary link is not available, or select a specific link from the list to fail over to that link.
    NAT                      If there is no backup link, clear this check box to keep the original source IP address. If there is a backup link, select the NAT check box and add Source Network Translation rules that preserve the original source address (the NAT'd address of the firewall behind the Barracuda Link Balancer) for each application rule; otherwise the remote peer sees a different source address after failover and the tunnel does not come up.

The rules in the IP/Application Routing table are processed from top to bottom in the order listed, and only the first matching rule is executed. New rules are added to the bottom of the table; to change the order, use the arrows on the right side of the table. A broad rule placed above the VPN rules therefore silently captures the VPN traffic. If you have a large number of tunnels with varying peer addresses, it can be more convenient to relax the Source and Destination fields and match on the Application field alone.

Configuring the Remote Barracuda Link Balancer (at Michigan)

Create a new tunnel on the remote Barracuda Link Balancer (running in firewall-enabled mode) to connect to the Cisco ASA. Make sure that the Security Policies > Phase 1 and Phase 2 settings are identical to the Cisco settings: a mismatch in any Phase 1 value prevents the IKE SA from forming, and a Phase 2 mismatch leaves the IKE SA up with no ESP traffic flowing. The following table provides the reference settings for the new VPN tunnel:

    Edit VPN Tunnel
    Section                               Settings
    Security Policies                     Enable NAT-Traversal: No
                                          Remote NAT-T IP: No
                                          IPsec Keying Mode: Shared Secret
                                          Shared Secret: my_secret_key
    IPsec Key Exchange Policy, Phase 1    Encryption: 3DES
                                          Authentication: MD5
                                          DH Group: Group 2
                                          Lifetime: 86400
    IPsec Key Exchange Policy, Phase 2    Encryption: 3DES
                                          Authentication: MD5
                                          Enable Perfect Forward Secrecy: No
                                          DH Group: Group 2
                                          Lifetime: 3600

Because Perfect Forward Secrecy is disabled on both ends, the Phase 2 DH Group is not negotiated and its value has no effect. The shared secret must be the same string configured in the ASA tunnel-group.
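The most common reason a tunnel between these two devices stays down is a Phase 1 or Phase 2 parameter that differs between the ends. The following Python script is an added example, not Barracuda or Cisco code: it parses the ASA crypto configuration from the steps above, compares it with the Michigan tunnel settings transcribed from the table, and flags the legacy algorithms used in this validated configuration. The dictionary keys and the mapping of ASA keywords to the names used in the Barracuda table are this script's own assumptions.

```python
import re

# The ASA crypto configuration from the steps above (comment lines start with "!").
ASA_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp enable Outside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map MI_Map 1 match address MI_Tunnel
crypto map MI_Map 1 set peer 109.1.1.1
crypto map MI_Map 1 set transform-set ESP-3DES-MD5
crypto map MI_Map 1 set nat-t-disable
crypto map MI_Map 1 set security-association lifetime seconds 3600
crypto map MI_Map interface Outside
"""

# The Michigan "Edit VPN Tunnel" settings transcribed into a dict (key names assumed).
BARRACUDA_TUNNEL = {
    "nat_traversal": False,
    "phase1": {"encryption": "3des", "auth": "md5", "dh_group": 2, "lifetime": 86400},
    # The UI shows DH Group 2 for Phase 2, but it is not used while PFS is off.
    "phase2": {"encryption": "3des", "auth": "md5", "pfs": False, "dh_group": 2, "lifetime": 3600},
}

# ASA keywords -> the names used on the Barracuda side (assumed mapping).
ISAKMP_ENC = {"des": "des", "3des": "3des", "aes": "aes-128", "aes-192": "aes-192", "aes-256": "aes-256"}
ISAKMP_HASH = {"md5": "md5", "sha": "sha1"}
ESP_ENC = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes-128",
           "esp-aes-192": "aes-192", "esp-aes-256": "aes-256"}
ESP_AUTH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}
LEGACY = {"des", "3des", "md5"}


def parse_asa(config):
    """Pull the negotiated Phase 1 / Phase 2 parameters out of an ASA 8.x crypto config."""
    asa = {"nat_traversal": True, "phase1": {}, "phase2": {"pfs": False}}  # ASA defaults
    transform_sets, chosen_set = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.fullmatch(r"encryption (\S+)", line):
            asa["phase1"]["encryption"] = ISAKMP_ENC.get(m[1], m[1])
        elif m := re.fullmatch(r"hash (\S+)", line):
            asa["phase1"]["auth"] = ISAKMP_HASH.get(m[1], m[1])
        elif m := re.fullmatch(r"group (\d+)", line):
            asa["phase1"]["dh_group"] = int(m[1])
        elif m := re.fullmatch(r"lifetime (\d+)", line):
            asa["phase1"]["lifetime"] = int(m[1])
        elif m := re.fullmatch(r"crypto ipsec transform-set (\S+) (\S+) (\S+)", line):
            transform_sets[m[1]] = (ESP_ENC.get(m[2], m[2]), ESP_AUTH.get(m[3], m[3]))
        elif m := re.fullmatch(r"crypto map \S+ \d+ set transform-set (\S+)", line):
            chosen_set = m[1]
        elif m := re.fullmatch(r"crypto map \S+ \d+ set pfs(?: group(\d+))?", line):
            asa["phase2"]["pfs"] = True
            asa["phase2"]["dh_group"] = int(m[1]) if m[1] else 2  # ASA default PFS group
        elif re.fullmatch(r"crypto map \S+ \d+ set nat-t-disable", line):
            asa["nat_traversal"] = False
        elif m := re.fullmatch(r"crypto map \S+ \d+ set security-association lifetime seconds (\d+)", line):
            asa["phase2"]["lifetime"] = int(m[1])
    if chosen_set in transform_sets:
        asa["phase2"]["encryption"], asa["phase2"]["auth"] = transform_sets[chosen_set]
    return asa


def compare(asa, tunnel):
    """Human-readable differences between the two ends; an empty list means they agree."""
    issues = []
    if asa["nat_traversal"] != tunnel["nat_traversal"]:
        issues.append(f"NAT-T: ASA={asa['nat_traversal']} Barracuda={tunnel['nat_traversal']}")
    for phase in ("phase1", "phase2"):
        keys = set(asa[phase]) | set(tunnel[phase])
        if phase == "phase2" and not asa[phase]["pfs"] and not tunnel[phase]["pfs"]:
            keys.discard("dh_group")  # no PFS on either side: the group is never negotiated
        for key in sorted(keys):
            if asa[phase].get(key) != tunnel[phase].get(key):
                issues.append(f"{phase} {key}: ASA={asa[phase].get(key)} Barracuda={tunnel[phase].get(key)}")
    return issues


def legacy_warnings(settings):
    """Flag algorithms that interoperate but are below current guidance."""
    out = []
    for phase in ("phase1", "phase2"):
        for key in ("encryption", "auth"):
            if settings[phase].get(key) in LEGACY:
                out.append(f"{phase} {key}={settings[phase][key]} is a legacy algorithm")
        group = settings[phase].get("dh_group")
        if group in (1, 2, 5) and (phase == "phase1" or settings[phase].get("pfs")):
            out.append(f"{phase} DH group {group} is below current guidance (group 14 or higher)")
    return out


def preflight(config, tunnel):
    """Mismatches block the tunnel; warnings are advisory."""
    asa = parse_asa(config)
    return {"mismatches": compare(asa, tunnel), "warnings": legacy_warnings(asa)}


if __name__ == "__main__":
    for kind, items in preflight(ASA_CONFIG, BARRACUDA_TUNNEL).items():
        print(kind, items or "none")
```

Run against the article's own configuration the mismatch list is empty and five warnings are reported (3DES and MD5 in both phases, DH Group 2 in Phase 1). Changing `hash md5` to `hash sha` on the ASA, or adding `set pfs` to the crypto map without enabling PFS on the Barracuda, produces the corresponding mismatch line, which is what you would otherwise have to reconstruct from the VPN log.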

Verify Whether the Tunnel Works

After the tunnel has been established, a green check mark is displayed next to it on the VPN page of the Barracuda Link Balancer at both corporate headquarters and Michigan. Hosts on the headquarters network (192.168.1.0/24) and on the Michigan network (172.24.0.0/16) should now be able to reach each other; verify with ping in both directions.

Troubleshooting

A yellow triangle next to the VPN tunnel on the VPN page of the Barracuda Link Balancer indicates that something does not work as intended. To troubleshoot:

1. Check the LOGS > VPN Log page on the Barracuda Link Balancer. You can also refer to the logs generated by the Cisco ASDM web interface.
2. Confirm that the Phase 1 and Phase 2 settings and the pre-shared key are identical on the Cisco ASA and the Barracuda Link Balancer in Michigan, and that NAT-T is disabled on both.
3. Make sure that routing is correctly configured on the client networks and on the Cisco device.
4. Cisco ASDM provides network logs. You can also use the TCP Dump command on the ADVANCED > Troubleshooting page of the Barracuda Link Balancer to confirm that IKE (UDP port 500) and ESP (IP protocol 50) packets are leaving toward the peer and that replies are coming back.
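Before reading the VPN log, it is worth confirming that the headquarters passthrough rules actually select the IKE and ESP packets between 111.1.1.100 and 109.1.1.1, that no earlier and broader rule shadows them (the table is first-match), and that rules with a backup link have NAT enabled. The following Python model of the IP/Application Routing table is an added example, not Barracuda code; the rule and flow field names, the link names WAN1 and WAN2, and the matching behaviour are this script's assumptions based on the description in this article.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO = {"tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}


@dataclass(frozen=True)
class Application:
    name: str
    proto: int
    port: Optional[int] = None  # None: the protocol carries no port (ESP, AH, GRE)


# The six applications named in the article: IKE, GRE and PPTP are predefined on the
# Link Balancer; ESP, AH and NAT-T are the custom applications from Step 1.
APPS = {
    "IKE": Application("IKE", PROTO["udp"], 500),
    "NAT-T": Application("NAT-T", PROTO["udp"], 4500),
    "ESP": Application("ESP", PROTO["esp"]),
    "AH": Application("AH", PROTO["ah"]),
    "GRE": Application("GRE", PROTO["gre"]),
    "PPTP": Application("PPTP", PROTO["tcp"], 1723),
}


@dataclass(frozen=True)
class Rule:
    name: str
    source: ipaddress.IPv4Network
    application: Optional[Application]  # None: any application
    destination: ipaddress.IPv4Network
    primary_link: str
    backup_link: Optional[str] = None  # None: drop when the primary link is down
    nat: bool = False                  # Source NAT on failover keeps the original address


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None


def hq_rules(nat: bool = True) -> List[Rule]:
    """The headquarters passthrough rules from the article: ASA outside address to the
    Michigan WAN address, one rule per protocol, WAN1 primary with WAN2 as backup
    (link names assumed)."""
    asa = ipaddress.ip_network("111.1.1.100/32")
    michigan = ipaddress.ip_network("109.1.1.1/32")
    return [Rule(f"HQ-{name}", asa, APPS[name], michigan, "WAN1", "WAN2", nat=nat)
            for name in ("IKE", "ESP", "NAT-T")]


def matches(rule: Rule, flow: Flow) -> bool:
    if ipaddress.ip_address(flow.src) not in rule.source:
        return False
    if ipaddress.ip_address(flow.dst) not in rule.destination:
        return False
    app = rule.application
    if app is None:
        return True
    return app.proto == flow.proto and (app.port is None or app.port == flow.dport)


def route(rules: List[Rule], flow: Flow, link_up: dict) -> Tuple[Optional[str], Optional[str]]:
    """First-match evaluation, top to bottom, as the Link Balancer processes the table.
    Returns (rule name, link used): (name, None) means the rule matched but both of its
    links are down, (None, None) means no rule matched."""
    for rule in rules:
        if not matches(rule, flow):
            continue
        if link_up.get(rule.primary_link, False):
            return rule.name, rule.primary_link
        if rule.backup_link and link_up.get(rule.backup_link, False):
            return rule.name, rule.backup_link
        return rule.name, None
    return None, None


def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that can never fire because an earlier rule matches a superset of their traffic."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.source.supernet_of(later.source)
                    and earlier.destination.supernet_of(later.destination)
                    and earlier.application in (None, later.application)):
                out.append(later)
                break
    return out


def failover_warnings(rules: List[Rule]) -> List[str]:
    """A backup link without Source NAT changes the address the VPN peer sees on failover."""
    return [f"{r.name}: backup link {r.backup_link} without NAT; peer would see a new source IP"
            for r in rules if r.backup_link and not r.nat]


def catch_all_rule(link: str = "WAN1") -> Rule:
    """A relaxed 'any source, any destination, any application' rule, as a shadowing example."""
    anywhere = ipaddress.ip_network("0.0.0.0/0")
    return Rule("ANY", anywhere, None, anywhere, link)
```

With the article's rules, an IKE packet from 111.1.1.100 to 109.1.1.1 takes WAN1 via HQ-IKE, ESP fails over to WAN2 when WAN1 is down, and IKE to any other destination matches nothing. Putting the catch-all rule at the top of the table shadows all three VPN rules, which is exactly the ordering problem the article warns about.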
