We have an office block where we sub-let offices to different companies, these sub-lets have their own Broadcast domain via a Layer 3 VLAN so have their own local IP range. We have an internet connection with live IP's for each of the sub-lets and a 5520 Firewall/Cisco 3925 Multi Service Router connecting to the internet.
Can you tell me how I can create dialin IPSec VPN's for each of these offices so the traffic routes through to the correct VLAN and therefore connects to the end user to their own network. The VLAN's are created by HP Procurve 5412zl switches if that helps.
Thanks in advance for any assistance.
"It depends" :-)
You could implement IPsec VPN for RA users and specify different egress vlan per group-policy.
This is of course only true if you're not separating sub-lets in different contexts.
If it's a router you can do VRF lite and decapsulte IPsec traffic into VRFs (very easy when using DVTI)
Multiple chocices, it depends on how everything is configured right now and/or how much time you would like to "sacrifice".
I'd start by showing a topology diagram specying how everything is connected. :-)
Thanks for your reply,
I have attached a basic topology as the network stands at the moment. We are waiting for the internet connections to be provisioned and so have very little information on what IP ranges will be supplied. However it is our understanding we will have a range of public IP addresses which we can associate with each VLAN on the local network allowing us to NAT any protocol (SMTP, HTTPS, FTP etc..) to a particular VLAN interface.
In addition we would terminate VPN's inbound from these public IP addresses onto the firewall. From here the packets would be tagged for a VLAN on the local network depending on which public IP they are coming in from.
Thanks in advance for your help.
A few comments.
Regarding terminating VPN, you can use only one IP address per interface to terminate VPN and it is always the IP address assigned to a given interface.
Also if you want to terminate VPN it's best that you make a decission where the actual traffic should be put on, based on group-name you specify in PCF file - which matches usually tunnel-group name.
As far as haviing insde users access internet, there's a few options for NAT - dynamic PAT being THE most used :-)
The actual configuration will depend also on version of ASA software - recent 8.3 version contains new NAT commands.
If you have questions - shoot. I might have misunderstood something ;-)
Right ok , that raised a few other questions for me then if you don't mind..
First off is the function of the router, if the firewall (5500) only has one IP address per interface (Currently is has two - one inside and one outside) where would I setup these range of IP addresses which I need to NAT across to different VLAN's on the local network.
As an example of this lets say we have a tenant within the building with their own mailserver and they have an email address of email@example.com , the MX records for their domain would delivery down to mail.lenovo.co.uk which resolves to one of these public IP addresses. We would then need to NAT port 25 from this public IP to the mailserver sitting on the tenants VLAN.
I'm guessing all this would then be on the router then with rules which route the traffic over to the firewall but I don't see how I can distinguish between tenant A and tenant B for Natting across the firewall.
Thanks again for your help and patience.
Well first of all we'd need to know if the NAT is to be done on ASA or the router.
Both can do it, but if I may say so ASA is the device to do NAT on.
How this usually would work is that you'd have your router in front and a subnet of public IP addresses assigned to the ASA-facing interfaces.(Do you need that router there in the first place, apart from routing and access technologies ASA can do almost same features as the router).
Anyway, you assign public IP range to the outside interface of ASA and private addressing/routing on the inside interface.
You then do (note this is ASA pre-8.3 config)
static (inside,outside) tcp EXTERNAL_IP_1 25 INTERNAL_IP 25
nat (inside) 100 INTERNAL_SUBNET INTERNAL_MASK
global (outside) 100 EXTERNAL_IP_2
That's one of the possibilioties.
You do static command for all needed services that tenants want to have available on outside.
And then you applu nat and global commands for access for all other users.
Hope that makes sense.
Note that firewall can have only one IP address on interface, but can respond to ARP for multiple IP addresses (via static or global). So it's not like you're limited the ASA only showing up as one IP address on "outside".
I think I got more confused with my explanation... if it doesn't make sense let me know
Hope you can help again, I've not got the router/Firewall all setup and running and the local network can browse the internet from the different VLAN's on the network!!
However I'm now trying to get some NAT rules up and running so I can access webservers for example from outside the network, also the VPN isn’t working although I've used the ADSM wizard to setup IPSec VPN using the CISCO VPN Client.
The network is now has the following topology
CISCO 3900 router with an outside interface of 126.96.36.199 and an inside interface of 188.8.131.52, a default route is also set to route 0.0.0.0/0 to 184.108.40.206 (The ISP's gateway)
CISCO ASA 5520 config below, as I understand it as the ISP has allocated us the useable range of 220.127.116.11 - 126 I should be able to use any of these IP addresses to NAT traffic across to the local network. However I've tried adding one of the IP's to the firewall's ARP table with a Mac address but I'm still unable to ping it.
Any help with getting this working would be gratefully received!
Here's a copy of the config
Result of the command: "show running-config"
ASA Version 8.3(1)
enable password WOfRr0q2y4OlubXL encrypted passwd 2KFQnbNIdI.2KYOU encrypted names !
ip address 18.104.22.168 255.255.255.252 !
no ip address
no ip address
ip address 192.168.1.1 255.255.255.0
ip address 192.168.8.252 255.255.255.0 !
ip address 172.16.0.253 255.255.0.0
ip address 192.168.0.1 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
same-security-traffic permit inter-interface object network NETWORK_OBJ_192.168.1.48_29 subnet 192.168.1.48 255.255.255.248 object network NETWORK_OBJ_192.168.1.56_29 subnet 192.168.1.56 255.255.255.248 object network Test host 22.214.171.124 object network MainSwitch host 192.168.1.254 description Core Switch Access access-list Inside_access_in extended permit ip any any access-list Outside_access_in extended permit ip any any pager lines 24 logging asdm informational mtu management 1500 mtu Inside 1500 mtu Outside 1500 mtu CEC_VOIP 1500 mtu CEC_Data8 1500 ip local pool VPN_Pool 192.168.1.50-192.168.1.55 mask 255.255.255.0 ip local pool vpn_pool2 192.168.1.56-192.168.1.60 mask 255.255.255.0 no failover icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp Outside 126.96.36.199 9a7b.653e.8b3c alias arp timeout 14400 nat (Inside,Outside) source dynamic any interface nat (Inside,Outside) source static any any destination static NETWORK_OBJ_192.168.1.56_29 NETWORK_OBJ_192.168.1.56_29 nat (Inside,Outside) source static any any destination static NETWORK_OBJ_192.168.1.48_29 NETWORK_OBJ_192.168.1.48_29 !
object network Test
nat (Outside,Inside) dynamic 192.168.1.254 object network MainSwitch nat (Inside,Outside) static 188.8.131.52 service tcp www www access-group Inside_access_in in interface Inside access-group Outside_access_in in interface Outside route Outside 0.0.0.0 0.0.0.0 184.108.40.206 1 route Inside 172.16.0.0 255.255.255.0 192.168.1.254 1 route Inside 172.16.1.0 255.255.255.0 192.168.1.254 1 route Inside 192.168.0.0 255.255.0.0 192.168.1.254 1 route Inside 192.168.100.0 255.255.255.0 192.168.1.254 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 dynamic-access-policy-record DfltAccessPolicy http server enable http 192.168.0.0 255.255.255.0 management http 192.168.1.0 255.255.255.0 Inside http 0.0.0.0 0.0.0.0 Outside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto map Inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map Inside_map interface Inside crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map Outside_map interface Outside crypto isakmp enable Inside crypto isakmp enable Outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 30 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400 telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd address 192.168.0.2-192.168.0.254 management dhcpd enable management !
dhcpd address 192.168.1.100-192.168.1.200 Inside dhcpd dns 220.127.116.11 interface Inside dhcpd option 3 ip 192.168.1.254 interface Inside dhcpd enable Inside !
dhcpd address 192.168.8.10-192.168.8.50 CEC_Data8 dhcpd dns 18.104.22.168 interface CEC_Data8 dhcpd option 3 ip 192.168.8.254 interface CEC_Data8 !
threat-detection statistics access-list
no threat-detection statistics tcp-intercept webvpn group-policy DefaultRAGroup internal group-policy DefaultRAGroup attributes dns-server value 22.214.171.124 vpn-tunnel-protocol l2tp-ipsec username steverooney password IX47al9fxz4DeRcSdolGHg== nt-encrypted privilege 0 username steverooney attributes vpn-group-policy DefaultRAGroup tunnel-group DefaultRAGroup general-attributes address-pool VPN_Pool tunnel-group DefaultRAGroup ipsec-attributes pre-shared-key ***** tunnel-group Test type remote-access tunnel-group Test general-attributes address-pool VPN_Pool tunnel-group Test ipsec-attributes pre-shared-key ***** !
policy-map type inspect dns preset_dns_map parameters
message-length maximum client auto
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
service-policy global_policy global
prompt hostname context
The configuration is displayed incorrectly - can you maybe attach it in a file?
What is not working in VPN, can't you connect or are you having problems passing traffic while connected?
By the looks of it NAT config would require a bit of changes, but maybe you can highlight what you would like to do :-)
There is no reason to do any MAC address tweaks - everything should work without it.
Here you go, txt file attached which hopefully will come through OK.
With regards to the VPN the software just doesn't connect, just sits there connecting and then fails.
Cisco Systems VPN Client Version 5.0.02.0090
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7600
Config file directory: C:\Program Files\Cisco Systems\VPN Client\
1 16:00:03.849 12/10/10 Sev=Warning/3 IKE/0xE3000057
The received HASH payload cannot be verified
2 16:00:03.849 12/10/10 Sev=Warning/2 IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.
3 16:00:03.849 12/10/10 Sev=Warning/2 IKE/0xE300009B
Failed to authenticate peer (Navigator:904)
4 16:00:03.850 12/10/10 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2238)
Looks like it’s a VPN group issue, I've got some more work to do on this so hopefully I can figure this one out but any help on the other stuff would be great!
nat (Inside,Outside) source dynamic any interface
object network Test
nat (Outside,Inside) dynamic 192.168.1.254
I think you should consider doing it a bit differently.
(this was not checked in the lab)
object network MY_INSIDE
subnet 192.168.1.0 255.255.255.0
nat (inside, outside) dynamic interface
I understnad that you are connecting on interface outside IP with group name "Test" and pass word you have put in there.
Can you doublecheck the password on both sides? Use something easy in the beginning ... like "cisco".
Hope this helps,