
New site-to-site VPN

Stephen Sisson
Level 1

Hello everyone,


13 Replies

Jouni Forss
VIP Alumni

Hi,

The actual NAT configuration to enable the use of public IP address through the L2L VPN is very simple but I would see that the bigger question here is to determine the actual setup requirements and the parameters used.

I presume you have been provided with a document which states the Phase1 and Phase2 parameters for this connection clearly? If you do have such a document, could you take a screen capture of the Phase1 and Phase2 parameters (don't include any PSK/Pre-shared-key, we don't need to know it)?

I would also like to confirm the following things:

  • Do you only have 1 public IP address at your disposal (which would be configured naturally on your "outside" interface) or do you perhaps have a small /29 or /28 subnet of public IP addresses?
  • Will it be only your site that opens connections through the L2L VPN connection to the remote server, OR will they need to be able to connect/initiate a connection to some of your servers?

The NAT portion might be really simple if you only have a single public IP address. In that case you might not even need to configure any additional NAT beyond what you already have on the device, but rather specify the local and remote network correctly.

- Jouni

Hello Jouni

We have a /29 subnet, and we have several addresses we can use for this VPN; we only have the PCS Images site requiring the connection to Early Warning Services.

I'm willing to do whatever you recommend on configuring this site-to-site with Early Warning.

Sending you what they sent me on the IKE1/2.

Early Warning Services VPN Gateway Parameters

The following are the Early Warning Services VPN Gateway parameters.

They also need access to our server for copying files to and from each site through the day; we do the same from our site.

Hi,

Would it be possible to also see the current configuration of the ASA?

Could then see the current configurations and what additions are needed for this to work.

The configuration that you have attached does have some things that need to be changed and some things that are not needed.

- Jouni

Jouni,

We have some sensitive information in this current config, any way to send this running-config to you securely?

Hi,

I guess we can try this without looking at the whole configuration.

So I presume that you have not yet configured any VPN related configurations and you don't have any previous/existing VPN Connections (IPsec) configured on your firewall.

The below also presumes:

  • Local interface is named "inside" and remote interface is named "outside"
  • Spare public IP address for the server is x.x.x.x

Static NAT for Server

object network LAN-SERVER
 host 172.16.5.x
 nat (inside,outside) static x.x.x.x

L2L VPN Configurations

access-list EARLY-WARNINGS-L2LVPN remark Encryption Domain for L2L VPN Connection
access-list EARLY-WARNINGS-L2LVPN permit ip host x.x.x.x host 199.47.136.140

crypto ipsec ikev1 transform-set EARLY-WARNINGS-TS esp-aes-256 esp-sha-hmac

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 1
 lifetime 86400

crypto map CRYPTOMAP 1 match address EARLY-WARNINGS-L2LVPN
crypto map CRYPTOMAP 1 set peer 199.47.137.230
crypto map CRYPTOMAP 1 set ikev1 transform-set EARLY-WARNINGS-TS
crypto map CRYPTOMAP 1 set security-association lifetime seconds 3600

crypto ikev1 enable interface outside
crypto map CRYPTOMAP interface outside

tunnel-group 199.47.137.230 type ipsec-l2l
tunnel-group 199.47.137.230 ipsec-attributes
 ikev1 pre-shared-key

That should pretty much be it.

There are naturally some settings that could cause problems with this setup. For example, some NAT configurations might override the above Static NAT, or perhaps you have the "no sysopt connection permit-vpn" setting configured globally, which would require that you allow the traffic in the external interface's ACL.

Enabling this setting might actually be something that you would want to consider. This is because the default setting on the ASA will allow any traffic coming from a VPN Connection to bypass the interface ACL. If you have the default setting, this would mean that the remote host could initiate a connection to any destination port/service on your server.

Also, since we configure Static NAT for this server, be sure that you DO NOT allow any traffic to it from the public network, or that none of your current rules in the external interface's ACL allow some traffic to this server.

The NAT could be configured as a Static Policy NAT also, but considering your situation at the moment (/29 network), I guess you can spare the public IP address for just this server.

When both you and the remote site have configured the

Hope this helps

- Jouni

I will remove some data from the current running-config so you see what we have.


Thanks

Jouni,

I'm sorry about not adding this for the PCS images Server, would be in the running-config listed above, but thought best to send here.

PCS-EW-VPC51

172.16.5.50

PCS-EW-VPC51-Public

98.101.206.53

They will connect to this server for transfers through the day

Thanks Jouni

Hi,

Did you have a Static NAT configuration for this server already or? If not, then use the configuration I mentioned and use the public IP address that you have reserved for the server.

Naturally you can use a different name for the "object" so that it fits your current naming policy better.

In your situation, since you don't seem to have any existing VPN configurations (unless you have removed them from above), I would suggest configuring the "no sysopt connection permit-vpn" command, which will prevent connections coming from VPN connections from bypassing your interface ACL.

Just add the ACL rules to your existing ACL to allow the ports which are required for your server.

access-list OUTSIDE-IN remark Early Warning Services L2L VPN rules
access-list OUTSIDE-IN permit tcp host 199.47.136.140 object LAN-SERVER eq
access-list OUTSIDE-IN permit udp host 199.47.136.140 object LAN-SERVER eq
access-list OUTSIDE-IN permit icmp host 199.47.136.140 object LAN-SERVER echo

The above is just an example of how you would add the TCP/UDP ports to which the remote site could connect, or perhaps ICMP.

- Jouni

Also,

You naturally have to use the PCSFTP interface as the source interface for the Static NAT as that is where the actual host is located at.

- Jouni

Let me ask this - if we use sysopt connection permit-vpn for this site-to-site VPN will this cause problems for adding others in the future?

Maybe I'm not on my A game today, but when you spoke of the source interface PCSFTP for the static NAT, should this interface be the source, or should Early Warning Services be the source?

Can you show me what the new configuration for the running-config should look like after we add all the items you listed above, because I'm missing something or not sure what comes first or what the source / destination should be.

I'm sorry about this Jouni - I just don't understand

Thank you my friend

Hi,

With the source interface I mean the source interface used in the actual "nat" configuration line. As you can see, I originally used "inside", which is what I presumed, BUT the server is located behind the "PCSFTP" interface judging by your Running Configuration.

I modified the configurations to match the Running Configuration that you posted after my reply:

object network LAN-SERVER
 host 172.16.5.50
 nat (PCSFTP,outside) static 98.101.206.53

access-list EARLY-WARNINGS-L2LVPN remark Encryption Domain for L2L VPN Connection
access-list EARLY-WARNINGS-L2LVPN permit ip host 98.101.206.53 host 199.47.136.140

crypto ipsec ikev1 transform-set EARLY-WARNINGS-TS esp-aes-256 esp-sha-hmac

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 1
 lifetime 86400

crypto map CRYPTOMAP 1 match address EARLY-WARNINGS-L2LVPN
crypto map CRYPTOMAP 1 set peer 199.47.137.230
crypto map CRYPTOMAP 1 set ikev1 transform-set EARLY-WARNINGS-TS
crypto map CRYPTOMAP 1 set security-association lifetime seconds 3600

crypto ikev1 enable interface outside
crypto map CRYPTOMAP interface outside

tunnel-group 199.47.137.230 type ipsec-l2l
tunnel-group 199.47.137.230 ipsec-attributes
 ikev1 pre-shared-key

BELOW ACL ADDITION IS JUST EXAMPLE LINES. NOT SOMETHING THAT YOU CAN USE DIRECTLY AS IT'S MISSING INFORMATION. ADD THE RULES THAT YOU NEED!

access-list OUTSIDE-IN remark Early Warning Services L2L VPN rules
access-list OUTSIDE-IN permit tcp host 199.47.136.140 object LAN-SERVER eq
access-list OUTSIDE-IN permit udp host 199.47.136.140 object LAN-SERVER eq
access-list OUTSIDE-IN permit icmp host 199.47.136.140 object LAN-SERVER echo

no sysopt connection permit-vpn

With regards to issuing the command "no sysopt connection permit-vpn",

This is a global setting that will affect ALL the VPN connections on the device. What the above setting will essentially do is require any connection that is taken from the VPN remote networks to be allowed in the "outside" interface ACL, just like any traffic coming from the Internet through the "outside" interface.

Why I would suggest using this command is the fact that since you are (to my understanding) connecting to a remote site that is not part of your company's network, you probably would want to control what connections they can take to your server rather than just allow anything to your server (which leaving out the above command would mean).

Any future VPN Client or L2L VPN connections would also require their own ACL rules in the current "outside" interface ACL if the remote networks need to initiate connections to your network, but that is just like allowing traffic from the Internet, so there should be no problem.

The setting mentioned above is a global setting, so as I said, it affects all VPN connections. It can't be configured per VPN Connection. For that you would need to use a VPN Filter ACL and that's a different story again.

- Jouni
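As an added example (not from this thread, Jouni, or Cisco), the script below runs three of the checks discussed in the replies above against a constructed copy of the posted L2L configuration: that every transform-set a crypto map references is actually defined, that the crypto ACL (encryption domain) names the server's static NAT mapped address rather than its private address, and that "no sysopt connection permit-vpn" is present so VPN traffic is subject to the outside ACL. The sample deliberately carries a transform-set name mismatch and omits the sysopt line so that both findings fire; the function and variable names are my own.

```python
import re

# Constructed sample (not pulled from an ASA): the posted configuration with
# the transform-set defined as EARLY-WARNING-TS but referenced as EARLY-WARNINGS-TS,
# and without "no sysopt connection permit-vpn".
SAMPLE_CONFIG = """
object network LAN-SERVER
 host 172.16.5.50
 nat (PCSFTP,outside) static 98.101.206.53
access-list EARLY-WARNINGS-L2LVPN permit ip host 98.101.206.53 host 199.47.136.140
crypto ipsec ikev1 transform-set EARLY-WARNING-TS esp-aes-256 esp-sha-hmac
crypto map CRYPTOMAP 1 match address EARLY-WARNINGS-L2LVPN
crypto map CRYPTOMAP 1 set peer 199.47.137.230
crypto map CRYPTOMAP 1 set ikev1 transform-set EARLY-WARNINGS-TS
crypto map CRYPTOMAP interface outside
tunnel-group 199.47.137.230 type ipsec-l2l
"""


def check_l2l_config(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # 1. A crypto map must reference a transform-set that is actually defined;
    #    a typo here leaves Phase 2 unable to negotiate.
    defined_ts = {m.group(1) for ln in lines
                  if (m := re.match(r"crypto ipsec ikev1 transform-set (\S+)", ln))}
    for ln in lines:
        m = re.match(r"crypto map \S+ \d+ set ikev1 transform-set (\S+)", ln)
        if m and m.group(1) not in defined_ts:
            findings.append(f"transform-set {m.group(1)} is referenced but never defined")

    # 2. The crypto ACL must name the server's mapped public address, because
    #    the ASA applies the static NAT before matching the crypto map.
    mapped = {m.group(1) for ln in lines
              if (m := re.match(r"nat \([^)]*\) static (\S+)", ln))}
    crypto_acls = {m.group(1) for ln in lines
                   if (m := re.match(r"crypto map \S+ \d+ match address (\S+)", ln))}
    for ln in lines:
        m = re.match(r"access-list (\S+) permit ip host (\S+) host \S+", ln)
        if m and m.group(1) in crypto_acls and m.group(2) not in mapped:
            findings.append(f"crypto ACL {m.group(1)} uses {m.group(2)}, "
                            "which is not a static NAT mapped address")

    # 3. Without "no sysopt connection permit-vpn", decrypted VPN traffic bypasses
    #    the outside interface ACL, so the peer can reach any port on the server.
    if "no sysopt connection permit-vpn" not in lines:
        findings.append("sysopt connection permit-vpn is at its default: "
                        "VPN traffic bypasses the outside interface ACL")
    return findings


if __name__ == "__main__":
    for finding in check_l2l_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```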

Jouni

As always you are amazing so full of knowledge that continues to amaze me, you are awesome Dude.

You take the complex information and explain so we understand what’s required for implementing the changes.

Do you have a manager I can call and talk to about the level of support you give us?

I really appreciate your help Jouni
