1759 Views | 0 Helpful | 12 Replies

Site-to-Site VPN

jill.johnson (Level 1)

We have two ASAs for both locations. I see this document on how to configure site-to-site VPN. I am using port 0/0 for the outside interface and port 0/1 for the inside interface to configure the VPN client. Would you use port 0/2 to configure site-to-site VPN? Would you use the public IP address to configure site-to-site VPN? Do you have any other suggestions? Do you have brief notes on how to configure site-to-site VPN?

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/conf_gd.html

Thanks.

Jill


12 Replies

Asim Malik (Level 1)

Review this document for configuration example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml

Let me know if this helps

Thanks for your prompt response and information. If I read the documentation correctly, I need to create a separate inside port for site-to-site VPN on the ASA 5550. Do you have short notes on how to configure site-to-site VPN?

Thanks.

Diane

Hi Diane,

You do not need to create another (inside) port for your L2L VPN; the link you have and the link provided by Asimalik provide all the information you need.

If you need to create a L2L VPN to another gateway through the internet, generally you will use the interface in your firewall facing the internet. On an ASA firewall most people label their port ethernet0/0 as the outside interface, configured statically with a public IP address. The outside will be the VPN termination point in your firewall, and the VPN gateway at the other end that your firewall will be peering with will be the far-end VPN termination point.

The link provided by Asimalik, for example, depicts a simple network at both ends (inside and outside): you have an inside interface which houses or routes your LAN subnet, and then your outside interface. When you create the VPN you will enable isakmp and apply the crypto map to the outside interface; this will enable VPN on the outside. The same rule applies if, for example, the VPN connection were coming in on another interface, but so as not to confuse you, I do not think this is your case, so I will not elaborate on this. From your initial request it seems to me you simply need to VPN peer with another network using the internet; if so, your requirements are covered in the link above to create the L2L VPN.

Regards

Jorge Rodriguez

Thanks Jorgemcse.  If the Remote Site has ASA 5520 or 5540, do I still follow the same example as ASA 5505 (in the link that Asimalik provided)?  Thanks.

Yes, follow that same link example; just read the link carefully. Try to build the tunnel in the command line, just as in the example but using your IP scheme, of course; the ASDM GUI sometimes may get you confused. Try creating a script config for each firewall separately, using Notepad. When you think you have a script built you can post the configuration script here in this thread for us to look at before you enter the script in the firewalls.

You can use this link as well  for both gui and command line.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml

Jorge Rodriguez

Thanks Jorgemcse for your prompt response and information.  Your link is helpful.  I do not have access to the ASA of the remote site.  So, I just modified my config and made it to a Remote site ASA.  Attached are two configs:  one for the Corporate office and the other one is for the Remote office.  I will wait for you before I add these statements to my ASA.  My ASA is also setup for Remote Access for Cisco VPN client.

Does it matter what type of ASA (5510, 5520, etc.) the Remote Site has?  Please let me know if you need additional information.  Thanks again.

Hi Jorgemcse,

One more question:  If I had another ASA, is it possible for me to simulate the Remote site ASA using my current network?  Thanks.

Hi.. apologies for the delay. I looked at both configs but could not decipher the L2L tunnel; I see the RA VPN tunnels but not the L2L tunnel you created.

Looking at your logical information I was able to understand your topology a bit. I am not too clear why you have in both Corporate and Remote a network of 192.168.100.0/24 being routed through an inside gateway at each end; perhaps you can explain.

In the meantime I have created a script for your new L2L tunnel between the Corporate and Remote sites, assuming there are no other connections between them that we are not aware of, so I am creating this script based not on the 192.168.100.0/24 but on the other subnets in them.

Based on the CORPORATE logical IPs, let's assume that on this tunnel the inside LAN subnet at the remote site, 72.30.1.0/24, will access the Corporate LAN subnets 66.102.10.0/24 and 66.102.1.0/24. This traffic will not be NATed, so we will use your existing nonat ACL.

Corporate - Network
Outside ip 66.102.9.17 255.255.255.0
Inside  ip 66.102.10.1 255.255.255.0
Inside subnet 66.102.1.0/24
Inside subnet 66.102.10.0/24   via 66.102.10.254
Inside subnet 66.102.102.0/24  via 66.102.9.1 1
Inside subnet 66.102.216.0/24  via 66.102.10.254
Inside subnet 66.102.254.0/24  via 66.102.9.1 1
Inside subnet 192.168.100.0/24 via 66.102.10.254

This is usually the process I use. Corporate network requirements to build the tunnel; I like to do it in this order:
a- define the crypto ACL for this L2L tunnel - traffic that will be encrypted
b- define the nonat access-list and apply the NAT exempt rule on the inside interface
c- define the VPN Phase-1 config
d- define the VPN Phase-2 config
e- create the tunnel-group

! Crypto ACL: on the Corporate ASA the LOCAL subnets are the source and the remote LAN is the destination
access-list outside_remote_cryptomap extended permit ip 66.102.10.0 255.255.255.0 72.30.1.0 255.255.255.0
access-list outside_remote_cryptomap extended permit ip 66.102.1.0 255.255.255.0 72.30.1.0 255.255.255.0
! NAT exemption for the same local-to-remote pairs
access-list nonat extended permit ip 66.102.10.0 255.255.255.0 72.30.1.0 255.255.255.0
access-list nonat extended permit ip 66.102.1.0 255.255.255.0 72.30.1.0 255.255.255.0
nat (inside) 0 access-list nonat
! Phase 1 (ISAKMP) policy; must match the remote side
crypto isakmp policy 3
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86300
! Phase 2 (IPsec) proposal; the crypto map entry must reference the transform-set it will propose
crypto ipsec transform-set REMOTE esp-3des esp-sha-hmac
crypto map outside_map 3 match address outside_remote_cryptomap
crypto map outside_map 3 set pfs group2
crypto map outside_map 3 set peer 72.30.2.17
crypto map outside_map 3 set transform-set REMOTE
! Not shown: 'crypto map outside_map interface outside' and 'crypto isakmp enable outside' must be
! present on the outside interface (add them if this ASA has no other VPN on outside yet)
tunnel-group 72.30.2.17 type ipsec-l2l
tunnel-group 72.30.2.17 ipsec-attributes
 pre-shared-key < Tunnel***secret***key>

This tunnel policy above is complete for the Corporate side; you have to do the same on the other side, matching the VPN Phase-1 and Phase-2 policies, inverting the access-lists on the REMOTE firewall and changing the peer to be the corporate side.

Let's jump on the REMOTE firewall next.

/////////////////////////////////////////

REMOTE SITE
Outside ip 72.30.2.17 255.255.255.0
Inside  ip 72.30.3.1 255.255.255.0 (lan)
Inside subnet 72.30.1.0/24     via 72.30.3.254
Inside subnet 72.30.3.0/24     via 72.30.3.254
Inside subnet 72.30.132.0/24   via 72.30.2.1 1
Inside subnet 72.30.216.0/24   via 72.30.3.254
Inside subnet 72.30.254.0/24   via 72.30.2.1 1
Inside subnet 192.168.100.0/24 via 72.30.3.254

! Crypto ACL: on the REMOTE ASA the local LAN is the source and the Corporate subnets are the destination
access-list outside_corporate_cryptomap extended permit ip 72.30.1.0 255.255.255.0 66.102.10.0 255.255.255.0
access-list outside_corporate_cryptomap extended permit ip 72.30.1.0 255.255.255.0 66.102.1.0 255.255.255.0
! NAT exemption for the same pairs
access-list nonat extended permit ip 72.30.1.0 255.255.255.0 66.102.10.0 255.255.255.0
access-list nonat extended permit ip 72.30.1.0 255.255.255.0 66.102.1.0 255.255.255.0
nat (inside) 0 access-list nonat
! Phase 1: identical to the Corporate side
crypto isakmp policy 3
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86300
! Phase 2: same proposal as the Corporate side; the crypto map entry must reference it
crypto ipsec transform-set CORPORATE esp-3des esp-sha-hmac
crypto map outside_map 3 match address outside_corporate_cryptomap
crypto map outside_map 3 set pfs group2
crypto map outside_map 3 set peer 66.102.9.17
crypto map outside_map 3 set transform-set CORPORATE
! Not shown: 'crypto map outside_map interface outside' and 'crypto isakmp enable outside' must be
! present on the outside interface (add them if this ASA has no other VPN on outside yet)
tunnel-group 66.102.9.17 type ipsec-l2l
tunnel-group 66.102.9.17 ipsec-attributes
 pre-shared-key < Tunnel***secret***key>

You can add networks in the crypto ACL and nonat ACL as you work your way on permitting more networks between the two corporate and remote sites.

To answer your other question, if you have a spare ASA firewall it may be possible to simulate, provided you have a spare public IP for your outside interface, and perhaps connect the inside to a separate switch, creating an inside LAN subnet for it, for creating the tunnel.

Hope this helps

Regards

Jorge Rodriguez
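As an added example (not part of the original thread, and not Cisco tooling), here is a small Python checker that parses the two scripts in the post above and verifies the points Jorge's steps a-e depend on: every crypto ACL entry is mirrored (source and destination swapped) in the peer's crypto ACL, every crypto ACL entry also appears in the NAT-exempt ACL, the phase-1 policies agree on authentication/encryption/hash/group, the crypto map entry references a transform-set the peer also proposes, and the peer IP has an ipsec-l2l tunnel-group. It also flags 3DES, SHA-1 and DH group 2 as legacy algorithms. The two embedded configs are constructed from the corrected scripts above (the pre-shared keys are placeholders); because it works per crypto map entry it also handles a hub with several tunnels.

```python
import re
# Constructed sample input: the corrected scripts posted above in this thread, one per ASA.
CORPORATE = """access-list outside_remote_cryptomap extended permit ip 66.102.10.0 255.255.255.0 72.30.1.0 255.255.255.0
access-list outside_remote_cryptomap extended permit ip 66.102.1.0 255.255.255.0 72.30.1.0 255.255.255.0
access-list nonat extended permit ip 66.102.10.0 255.255.255.0 72.30.1.0 255.255.255.0
access-list nonat extended permit ip 66.102.1.0 255.255.255.0 72.30.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto isakmp policy 3
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86300
crypto ipsec transform-set REMOTE esp-3des esp-sha-hmac
crypto map outside_map 3 match address outside_remote_cryptomap
crypto map outside_map 3 set pfs group2
crypto map outside_map 3 set peer 72.30.2.17
crypto map outside_map 3 set transform-set REMOTE
tunnel-group 72.30.2.17 type ipsec-l2l
tunnel-group 72.30.2.17 ipsec-attributes
 pre-shared-key REPLACE_WITH_REAL_SECRET
"""
REMOTE = """access-list outside_corporate_cryptomap extended permit ip 72.30.1.0 255.255.255.0 66.102.10.0 255.255.255.0
access-list outside_corporate_cryptomap extended permit ip 72.30.1.0 255.255.255.0 66.102.1.0 255.255.255.0
access-list nonat extended permit ip 72.30.1.0 255.255.255.0 66.102.10.0 255.255.255.0
access-list nonat extended permit ip 72.30.1.0 255.255.255.0 66.102.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto isakmp policy 3
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86300
crypto ipsec transform-set CORPORATE esp-3des esp-sha-hmac
crypto map outside_map 3 match address outside_corporate_cryptomap
crypto map outside_map 3 set pfs group2
crypto map outside_map 3 set peer 66.102.9.17
crypto map outside_map 3 set transform-set CORPORATE
tunnel-group 66.102.9.17 type ipsec-l2l
tunnel-group 66.102.9.17 ipsec-attributes
 pre-shared-key REPLACE_WITH_REAL_SECRET
"""
LEGACY = {"des", "3des", "md5", "sha", "1", "2", "5"}  # ISAKMP values that should be retired

def parse_asa(text):
    """Collect the L2L-relevant parts; pasted scripts lose indentation, so sub-commands go to the block opened last."""
    cfg = {"acl": {}, "isakmp": {}, "ts": {}, "cmap": {}, "tg": {}, "nat0": None}
    block = None  # ("isakmp", policy-id) or ("tg", peer) while inside such a block
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("!"):
            continue
        if re.match(r"(access-list|nat|crypto|tunnel-group) ", line):
            block = None  # any top-level command closes the open block
        if m := re.match(r"access-list (\S+) extended permit ip (\S+ \S+) (\S+ \S+)$", line):
            cfg["acl"].setdefault(m[1], []).append((m[2], m[3]))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            cfg["nat0"] = m[1]
        elif m := re.match(r"crypto isakmp policy (\d+)", line):
            block, cfg["isakmp"][m[1]] = ("isakmp", m[1]), {}
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["ts"][m[1]] = tuple(m[2].split())
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set \S+) (.+)", line):
            cfg["cmap"].setdefault((m[1], m[2]), {})[m[3]] = m[4].strip()
        elif m := re.match(r"tunnel-group (\S+) type (\S+)", line):
            cfg["tg"][m[1]] = {"type": m[2]}
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes", line):
            block = ("tg", m[1])
        elif block:  # sub-command (authentication, encryption, pre-shared-key, ...)
            key, *val = line.split()
            cfg[block[0]].setdefault(block[1], {})[key] = " ".join(val)
    return cfg

def check_side(a, b):  # findings for the L2L entries in config a, checked against peer config b
    out, nonat = [], set(a["acl"].get(a["nat0"], []))
    peer_crypto = {x for e in b["cmap"].values() for x in b["acl"].get(e.get("match address"), [])}
    for (name, seq), e in a["cmap"].items():
        tag, peer, ts = f"{name} {seq}", e.get("set peer"), e.get("set transform-set")
        if a["tg"].get(peer, {}).get("type") != "ipsec-l2l":
            out.append(f"ERROR {tag}: no 'tunnel-group {peer} type ipsec-l2l'")
        if ts not in a["ts"]:
            out.append(f"ERROR {tag}: 'set transform-set' missing or names an undefined transform-set")
        elif a["ts"][ts] not in b["ts"].values():
            out.append(f"ERROR {tag}: peer has no transform-set proposing {' '.join(a['ts'][ts])}")
        if not (acl := a["acl"].get(e.get("match address"), [])):
            out.append(f"ERROR {tag}: crypto ACL missing or empty")
        for src, dst in acl:  # local subnet first; the peer's ACL must hold the reversed pair
            if (dst, src) not in peer_crypto:
                out.append(f"ERROR {tag}: {src} -> {dst} has no mirror entry in the peer's crypto ACL")
            if (src, dst) not in nonat:
                out.append(f"ERROR {tag}: {src} -> {dst} is not NAT-exempted via {a['nat0']}")
    p1 = lambda c: {frozenset(i for i in p.items() if i[0] != "lifetime") for p in c["isakmp"].values()}
    if not p1(a) & p1(b):
        out.append("ERROR no ISAKMP policy agrees with the peer on auth/encryption/hash/group")
    out += [f"WARN isakmp policy uses legacy {k} {v}" for p in a["isakmp"].values() for k, v in p.items() if v in LEGACY]
    return out

def audit(text_a, text_b):
    a, b = parse_asa(text_a), parse_asa(text_b)
    return [f"A: {f}" for f in check_side(a, b)] + [f"B: {f}" for f in check_side(b, a)]
```

Run `audit(CORPORATE, REMOTE)` on the two scripts as you have them in Notepad before pasting them into the firewalls; the mirror check catches exactly the kind of source/destination inversion that keeps a tunnel from negotiating or from catching the interesting traffic, and the NAT-exempt check catches a crypto ACL entry that was added without its nonat twin.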

Thanks very much for taking time to work on the config for me, Jorgemcse.  I am sorry for confusing you with my configs since they also include Remote Access.  I will follow your instructions and get back to you to let you know the results.  Thanks again for taking time to help me out.

Hi Jorgemcse,

Thank you again for taking time to help me configure site-to-site VPN.  I need to add another ASA from the remote office.  How would you add the second ASA from the remote office to my current config at the Main office?  Thanks.

Jill

I am not clear from your follow-up question whether you need to do an ASA in another remote office (pretty easy) or another ASA in the same remote office (we would need additional information, such as whether this is to be active/standby failover for the ASA or two independent ASAs each processing certain traffic).

Assuming that you need to add another remote site with an ASA to do another LAN-to-LAN VPN, then you can take parts of this config and use them as a model of what to add for the second remote site. As suggested before, do these steps:
a- define the crypto ACL for this L2L tunnel - traffic that will be encrypted
b- define the nonat access-list and apply the NAT exempt rule on the inside interface
c- define the VPN Phase-1 config
d- define the VPN Phase-2 config
e- create the tunnel-group

I would suggest that the crypto ACL for the new tunnel should be a separate ACL from what you configured for the first tunnel.

You would use the same nonat ACL (just add additional entries in the same ACL).

Depending on the requirements the ISAKMP policy might be the same or might be different.

For IPSec you want another instance of the same crypto map. If you are using crypto map outside_map 3 then you might want to create crypto map outside_map 5.

And you would need to configure another tunnel-group for the new connection.

The configuration of the remote site would be quite similar to the example previously given, with changes to reflect different addressing etc.

HTH

Rick

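As an added example (not part of the original thread), the following Python helper applies Rick's rules for a second LAN-to-LAN peer on the hub ASA: a separate crypto ACL per tunnel, the same nonat ACL with more entries (the existing nat (inside) 0 statement is not repeated), an unused sequence number in the same crypto map, and a new tunnel-group named after the peer's public IP. It refuses to reuse a sequence number, a peer, or a crypto ACL name that is already present. The starting config is constructed from the corporate-side script earlier in this thread; the second site's peer address 203.0.113.17 and LAN 10.20.0.0/24 are made-up values, as is the pre-shared key.

```python
import re

# Constructed starting point: the hub-side (Corporate) script from earlier in this thread.
HUB = """access-list outside_remote_cryptomap extended permit ip 66.102.10.0 255.255.255.0 72.30.1.0 255.255.255.0
access-list outside_remote_cryptomap extended permit ip 66.102.1.0 255.255.255.0 72.30.1.0 255.255.255.0
access-list nonat extended permit ip 66.102.10.0 255.255.255.0 72.30.1.0 255.255.255.0
access-list nonat extended permit ip 66.102.1.0 255.255.255.0 72.30.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set REMOTE esp-3des esp-sha-hmac
crypto map outside_map 3 match address outside_remote_cryptomap
crypto map outside_map 3 set pfs group2
crypto map outside_map 3 set peer 72.30.2.17
crypto map outside_map 3 set transform-set REMOTE
tunnel-group 72.30.2.17 type ipsec-l2l
tunnel-group 72.30.2.17 ipsec-attributes
 pre-shared-key REPLACE_WITH_REAL_SECRET
"""
HUB_LANS = ["66.102.10.0 255.255.255.0", "66.102.1.0 255.255.255.0"]  # hub subnets reachable over the tunnels


def add_spoke(hub_text, name, peer, spoke_lans, seq, psk, hub_lans=HUB_LANS,
              cmap="outside_map", nonat="nonat", ts="REMOTE"):
    """Return hub_text with the lines for one more L2L peer appended.

    Rules from the thread: a separate crypto ACL per tunnel, the one shared NAT-exempt ACL
    with more entries, an unused sequence number in the same crypto map, and a tunnel-group
    named after the peer's public IP. Collisions raise instead of silently overwriting."""
    acl = f"outside_{name}_cryptomap"
    used_seq = {int(s) for s in re.findall(rf"^crypto map {re.escape(cmap)} (\d+) ", hub_text, re.M)}
    if seq in used_seq:
        raise ValueError(f"crypto map {cmap} {seq} is already in use (taken: {sorted(used_seq)})")
    if re.search(rf"^tunnel-group {re.escape(peer)} type ", hub_text, re.M):
        raise ValueError(f"tunnel-group {peer} already exists")
    if re.search(rf"^access-list {re.escape(acl)} ", hub_text, re.M):
        raise ValueError(f"crypto ACL {acl} already exists; each tunnel needs its own")
    if not re.search(rf"^crypto ipsec transform-set {re.escape(ts)} ", hub_text, re.M):
        raise ValueError(f"transform-set {ts} is not defined on the hub")
    new = []
    for hub_lan in hub_lans:
        for spoke_lan in spoke_lans:  # hub (local) subnet first, spoke subnet second
            new.append(f"access-list {acl} extended permit ip {hub_lan} {spoke_lan}")
            new.append(f"access-list {nonat} extended permit ip {hub_lan} {spoke_lan}")
    new += [f"crypto map {cmap} {seq} match address {acl}",
            f"crypto map {cmap} {seq} set pfs group2",
            f"crypto map {cmap} {seq} set peer {peer}",
            f"crypto map {cmap} {seq} set transform-set {ts}",
            f"tunnel-group {peer} type ipsec-l2l",
            f"tunnel-group {peer} ipsec-attributes",
            f" pre-shared-key {psk}"]
    return hub_text + "\n".join(new) + "\n"


if __name__ == "__main__":
    print(add_spoke(HUB, "remote2", "203.0.113.17", ["10.20.0.0 255.255.255.0"], 5, "SECOND_SITE_SECRET"))
```

The second site's own ASA still needs the mirror image (its LAN as source, the hub subnets as destination, peer set to the hub's outside IP), exactly as in Jorge's remote-site script.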

Rick,

Thanks very much for your prompt response and information.  Sorry for not making my question clear.  You are correct.  I am adding another remote site with the ASA to do LAN-to-LAN.  Is it possible for you to write me the sample config to add the second LAN-to-LAN?  Also, is there a way to find out the password for the Pre-shared-key?  Thanks.
