CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - tunnel-group

Information

When the production network is managed in-band, the management network could be housed at a NOC that is located remotely at single or multiple interconnected sites. NOC interconnectivity, as well as connectivity between the NOC and the managed network, must be enabled using IPsec tunnels to provide the separation and integrity of the managed traffic.

Solution

Step 1: Configure an ISAKMP policy for IKE connection as shown in the example.

ASA1(config)# crypto ikev1 policy 10
ASA1(config-ikev1-policy)# authentication pre-share
ASA1(config-ikev1-policy)# encryption aes-256
ASA1(config-ikev1-policy)# hash sha
ASA1(config-ikev1-policy)# group 5
ASA1(config-ikev1-policy)# lifetime 3600
ASA1(config-ikev1-policy)# exit

Step 2: Enable the IKEv1 policy on the outside interface and identify itself with its IP address.

ASA1(config)# crypto ikev1 enable OUTSIDE
ASA1(config)# crypto isakmp identity address

Step 3: Configure the tunnel group as shown in the example below.

ASA2(config)# tunnel-group 10.10.10.1 ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev1 pre-shared-key xxxxxxxxxxxxx

Step 4: Configure a transform set for encryption and authentication.

crypto ipsec ikev1 transform-set IPSEC_TRANSFORM esp-aes-192 esp-sha-hmac

Step 5: Configure the ACL to define the management traffic that will traverse the tunnel.

ASA1(config)# access-list MANAGEMENT_TRAFFIC extended permit udp any eq snmp 10.2.2.0 255.255.255.0
ASA1(config)# access-list MANAGEMENT_TRAFFIC extended permit udp any eq 10.2.2.0 255.255.255.0 snmptrap
ASA1(config)# access-list MANAGEMENT_TRAFFIC extended permit udp any eq syslog 10.2.2.0 255.255.255.0
ASA1(config)# access-list MANAGEMENT_TRAFFIC extended permit tcp any eq ssh 10.2.2.0 255.255.255.0

Step 6: Configure crypto map and bind to the outside interface as shown in the example below.

ASA1(config)# crypto map IPSEC_CRYPTO_MAP 1 match address MANAGEMENT_TRAFFIC
ASA1(config)# crypto map IPSEC_CRYPTO_MAP 1 set peer 10.10.10.2
ASA1(config)# crypto map IPSEC_CRYPTO_MAP 1 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map IPSEC_CRYPTO_MAP 1 set security-association lifetime seconds 3600
ASA1(config)# crypto map IPSEC_CRYPTO_MAP interface OUTSIDE

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_ASA_Y24M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(11), CAT|II, CCI|CCI-002403, CCI|CCI-004931, Rule-ID|SV-239868r991800_rule, STIG-ID|CASA-FW-000260, Vuln-ID|V-239868

Plugin: Cisco

Control ID: 7eac4a531cb0efc58d9328f3576de1621321020695e3e98baf8090cd50202771