Demand for secure communications over the internet grows daily within organizations, and there is no big surprise why. CPO Magazine, citing FBI figures, reported 847,376 cybersecurity complaints last year, representing almost $7 billion in business losses.
In this changing landscape, organizations must implement appropriate technologies to satisfy these requirements and provide a simple, secure basis for exchanging data between geographically dispersed sites.
The simplest approach that still follows modern security standards is a VPN deployment chosen to match the organization's requirements.
Such an arrangement provides high-level protection for transferred data over high-speed broadband internet connections and virtually connects all remote corporate sites, allowing full access to all services.
In this article, we will:
Organizations used to rely heavily on classic router-based private WAN circuits to interconnect geographically dispersed sites, exchange data and offer access to internal services.
Today, dedicated WAN circuits are often too costly and inflexible for modern business requirements and have largely been replaced by site-to-site VPNs. This type of VPN provides secure connectivity between enterprise sites, and to partner networks, over an untrusted public network such as the internet.
Site-to-site VPNs are usually deployed between branch offices and the headquarters, but they can also connect any two offices of the same organization directly.
This VPN type uses the IPsec framework to apply cryptographic algorithms that provide confidentiality, integrity, authentication and anti-replay protection.
At the same time, basic requirements such as high reliability and extensive scalability are satisfied by site-to-site VPN deployments at a lower cost than private circuits, with more scalable performance and greater flexibility.
Because of the support for various topologies and technologies, the IPsec VPNs can be deployed in many different variants. Ensure you are familiar with all of those options to choose and apply the most appropriate one when designing an IPsec site-to-site VPN solution.
A network topology describes how entities are interconnected over a public or private network, and the same idea applies to VPNs.
Geographically dispersed sites connect to the headquarters, or to each other, over the internet; the pattern of those connections defines the VPN topology, which is a logical topology rather than a physical one.
Even though numerous logical VPN topologies can be used in site-to-site VPNs, three are most common in deployments. They are:
Besides the three main VPN topologies, three more complex topologies can be used in site-to-site VPN deployments with special requirements. These VPN topologies are:
Even though we will focus on configuring a simple site-to-site (point-to-point) VPN later in the article, be aware that there are a few additional site-to-site VPN deployments you can implement:
Before we start with the site-to-site VPN implementation on a Cisco ASA firewall, we first need to look at the site-to-site VPN tunnel negotiation process.
Understanding it makes the IPsec site-to-site VPN configuration steps used later in the article, and the overall configuration process, much easier to follow.
The tunnel negotiation process is quite simple and involves several steps, so let's look at the figure above and find out what those steps are. The requirement in our use case is for firewalls ASA1 and ASA2 to establish a VPN tunnel so that PC1 and PC2 can securely exchange data over the internet.
For the VPN to be established, PC1 must send some data destined for PC2 (so-called "interesting traffic", matched by the crypto access list on the firewall) to trigger the negotiation between the firewalls. The process consists of two phases, and each phase builds a different tunnel.
In Phase 1, ASA1 and ASA2 authenticate each other and negotiate the security parameters for a secure control channel. In other words, they must agree on cryptographic algorithms they both support for encryption, integrity and authentication, plus a Diffie-Hellman group for key exchange; these protect the negotiation traffic itself.
Upon agreement, they build an ISAKMP Security Association (SA), a bidirectional secure tunnel through which Phase 2 takes place.
Then, in Phase 2, both firewalls negotiate security parameters one more time. This step creates the "real" VPN tunnel that protects the data exchanged between PC1 and PC2.
Keep in mind that all Phase 2 communication is already protected because it goes through the tunnel established in Phase 1. ASA1 uses the active ISAKMP SA to initiate negotiation of an IPsec SA with ASA2, which is the goal of the whole process.
An IPsec SA is unidirectional: it protects data flowing from the sender to the receiver only. Because Phase 2 IPsec ESP SAs are unidirectional, the same Phase 2 exchange also establishes a second IPsec SA for the return direction from ASA2 to ASA1, so each protected flow ends up with a pair of SAs.
To summarize, the result of the negotiation process is a tunnel within a tunnel. The ISAKMP SA is the outer tunnel and protects the negotiation of the IPsec SAs, while the IPsec SAs are the inner tunnels and protect the exchanged data. When the IPsec SAs approach the end of their lifetime, replacements are negotiated over the ISAKMP SA (rekeying).
Configuring a site-to-site VPN on a Cisco ASA firewall is no different from configuring it on a Cisco router or a Cisco Firepower NGFW. In the use case in the figure below, we will see how it can be deployed on the Cisco ASA in the branch office so that it establishes a VPN to the Cisco ASA at headquarters.
This allows secure transfer of data between the finance network in the branch office and the finance servers located behind the ASA firewall at headquarters.
It is very important to have the following information ready before starting with the deployment:
Configuring a site-to-site VPN on a Cisco ASA firewall can be done in two ways. The first is the CLI, which is the more demanding option because you must know the exact commands; the other is the Adaptive Security Device Manager (ASDM), which manages the Cisco ASA through a graphical user interface.
If ASDM is chosen, there are three different approaches. The first two rely on manual configuration through either the advanced menus or the connection profile menus; the latter is usually the preferred manual method.
The third is an automated procedure that reaches the same result much more easily: the site-to-site VPN wizard. In our use case we will use the wizard, so let's go step by step and see how simple the configuration process is.
As you can see, there are multiple VPN wizards to choose from; we will choose the site-to-site VPN wizard.
The first step (Introduction) after you start the site-to-site VPN wizard provides optional guidance on using the wizard; we will skip it and click Next.
The second step is the start of the site-to-site VPN configuration. It requires providing the peer IP address and the local exit interface that will be used to connect to the peer.
In our case, the IP address of the peer device (headquarters ASA) is 192.168.1.2 and the local interface that will be used on the branch ASA is “outside.” Keep in mind that when using Cisco ASA, the interfaces are represented by names.
In the third step, we need to define the local and remote networks that will be protected by the IPsec VPN. In our case, the local network behind the branch ASA is the Finance network (an object that represents the IP network), while the remote network behind the headquarters ASA is 10.1.0.0/16, where the finance servers belong.
The fourth step defines the authentication method. In our case we choose the simplest option, a pre-shared key; the same key must be configured on the headquarters ASA, and it should be long and randomly generated rather than a memorable phrase.
The last step covers network address translation (NAT). If the branch performs NAT on the outside interface, exempt the local hosts or networks here so that traffic to the remote network keeps its real source addresses and matches the VPN's protected-network definition.
When the configuration steps are complete, a summary is displayed. It contains all the data defined in the previous steps, plus the list of cryptographic algorithms the ASA will offer for the VPN. Review that list before finishing: remove legacy algorithms such as DES, 3DES, MD5 and Diffie-Hellman group 2 if they appear, so the peers cannot negotiate a weak tunnel.
The last part provides a preview of the CLI commands that will be sent to the Cisco ASA.
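The article does not reproduce the wizard's CLI preview, so the following is an added example written for this page, not the wizard's own output or Cisco's documentation. It is the hand-written CLI equivalent for the branch ASA of the two-phase negotiation described earlier and of the five wizard steps above: the ikev1 policy is the Phase 1 (ISAKMP SA) proposal, the transform set and crypto map are the Phase 2 (IPsec SA) proposal, and the remaining lines are the protected networks, NAT exemption and pre-shared key. Values taken from the article: peer 192.168.1.2, exit interface "outside", remote network 10.1.0.0/16. Values that are assumptions: an ASA running 9.x with IKEv1, an inside interface named "inside", the Finance network being 10.2.10.0/24, all object, ACL and crypto map names, and the placeholder key.

```cisco
! Added example for the BRANCH ASA (not from the article). Lines starting
! with "!" are comments and can be pasted along with the commands.
! Assumed (not in the article): ASA 9.x, IKEv1, interface "inside",
! Finance network 10.2.10.0/24, all names below, placeholder key.

! --- Phase 1: ISAKMP/IKEv1 SA, the outer tunnel ------------------------------
! Offer only strong algorithms. Do not keep DES/3DES, MD5 or DH group 2
! policies next to this one, or a misconfigured peer can still pick them.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400

! --- Protected networks, i.e. the "interesting traffic" (wizard step 3) ------
object network FINANCE-NET
 subnet 10.2.10.0 255.255.255.0
object network HQ-FINANCE-SERVERS
 subnet 10.1.0.0 255.255.0.0
access-list OUTSIDE_cryptomap extended permit ip object FINANCE-NET object HQ-FINANCE-SERVERS

! --- Phase 2: IPsec SAs, the inner per-direction tunnels ---------------------
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap
crypto map OUTSIDE_map 1 set peer 192.168.1.2
crypto map OUTSIDE_map 1 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_map 1 set pfs group14
crypto map OUTSIDE_map 1 set security-association lifetime seconds 3600
crypto map OUTSIDE_map interface outside

! --- NAT exemption (wizard step 5) -------------------------------------------
! Identity NAT keeps the Finance hosts' real addresses so the packets match
! the crypto ACL; without it the traffic is translated and never encrypted.
nat (inside,outside) source static FINANCE-NET FINANCE-NET destination static HQ-FINANCE-SERVERS HQ-FINANCE-SERVERS no-proxy-arp route-lookup

! --- Peer authentication (wizard step 4) -------------------------------------
! Must be identical on the headquarters ASA. Use a long random value.
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-LONG-RANDOM-KEY

! --- Verification, after a Finance host sends traffic to a finance server ---
! Phase 1 should show state MM_ACTIVE; Phase 2 should show the peer and
! "#pkts encaps"/"#pkts decaps" counters increasing on both sides.
show crypto ikev1 sa
show crypto ipsec sa peer 192.168.1.2
! Simulate interesting traffic (hypothetical hosts) and confirm a VPN phase
! appears in the trace before the packet leaves "outside".
packet-tracer input inside tcp 10.2.10.25 12345 10.1.0.10 443
```

The headquarters ASA needs the mirror image: the same policy, transform set and key, its own outside interface in the crypto map, the branch's public address as the peer, and a crypto ACL with source and destination swapped; if the two crypto ACLs are not exact mirrors, Phase 2 fails with a proxy-identity mismatch. One caveat that applies to the wizard configuration as well: the ASA by default lets decrypted VPN traffic bypass the interface access lists (sysopt connection permit-vpn), so the crypto ACL, or a vpn-filter on the tunnel group, is what decides which headquarters hosts and ports the branch can reach.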
As you can see from the configuration example above, using the wizard is not difficult at all; in just a few steps you can set up your Cisco ASA firewall with a VPN tunnel to the peer device on the other side.
Once the site-to-site VPN is established, the Cisco ASA and its peer exchange data that is protected against eavesdropping and tampering in transit, provided that strong algorithms and a strong pre-shared key (or certificate-based authentication) were chosen and the key is kept secret.
By following these tips, you'll understand the basics of site-to-site VPN technology, which protects data transferred between your sites and lets you worry about more important things.
With an extensive list of Cisco models, PivIT has a comprehensive portfolio of security hardware solutions—for an average of 65% savings.
PivIT also offers OneCall, which gives you top-to-bottom, all-inclusive support of new and legacy hardware. And with PivIT’s EXTEND, you have certified pros at your disposal for everything from installation to troubleshooting and beyond (including VPN configurations!).