Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

Silver

Site to Site VPN- route on ASA(8.4.2)

ASA-SiteA-

Outside int: 4.5.6.7

inside int:10.1.1.1

dmz:192.168.0.1 255.255.255.0

routes onASA-SiteA----

route outside 0.0.0.0 0.0.0.0 4.5.6.7     ----------default route

route inside 172.10.1.0 255.255.255.0 10.1.1.1---route to reach the ASA-SiteB- inside interface

ASA-SiteB-

Outside int- 50.1.2.3

inside int:172.10.1.1

dmz:192.168.87.1 255.255.255.0

routes on ASA-SiteB----

route outside 0.0.0.0 0.0.0.0 50.1.2.3    ----------default route

route inside 10.1.1.0 255.255.255.0 172.10.1.1---route to reach the ASA-SiteA- inside interface

The inside interfaces of the two ASAs can reach each other through MPLS circuit.We want to create a VPN tunnel between the two DMZ networks so that the trafic goes through a tunnel through the LAN.Can you check the below config and suggest if any changes are needed.

1.For the VPN tunnel to work, does the traffic needs to match a route on the ASA or it just needs to match the access-list(interesting traffic) for example after configuring the VPN tunnel between 192.168.0.0 and 192.168.87.0 networks when I ping 192.168.87.1 IP does it bring up the tunnel since it matches the interesting traffic or the packets go to 4.5.6.7 since they match the default route?

2.Under normal Site-to-Site VPN scenarios traffic initiates on the high security interface (DMZ or Inside) and goes to low security interface (Outside) but in the above case traffic intiates on the low security interface (DMZ) and goes to the High security interface (Inside) which usually gets blocked unless there is an access-list entry to allow that traffic. So de we have to have an IP any any( on the access-list applied to the DMZ interface) entry between the two dmz networks 

Config on ASA-SiteA---

ikev1 policy

ASA-SiteA(config)#crypto ikev1 enable inside ----- Does enabling ikev1 on the interface interrupts traffic?

ASA-SiteA(config)# crypto ikev1 policy 100

ASA-SiteA(config-ikev1-policy)#authentication pre-share

ASA-SiteA(config-ikev1-policy)#encryption 3des

ASA-SiteA(config-ikev1-policy)#hash sha

ASA-SiteA(config-ikev1-policy)#group 2

ASA-SiteA(config-ikev1-policy)#lifetime 86400

IPSEC tunnel

ASA-SiteA(config)# crypto ipsec ikev1 transform-set VPN-MPLS esp-3des esp-sha-hmac

ASA-SiteA(cfg-crypto-trans)#mode transport

Tunnel Group

ASA-SiteA(config)# tunnel-group172.10.1.1 type ipsec-l2l

ASA-SiteA(config)# tunnel-group172.10.1.1 ipsec-attributes

ASA-SiteA(config-tunnel-ipsec)# pre-shared-key test

Interesting Traffic

ASA-SiteA(config)#object network Site-A-DMZ

ASA-SiteA(config-network-object)#subnet 192.168.0.0 255.255.255.0

ASA-SiteA(config)#object network Site-B-DMZ

ASA-SiteA(config-network-object)#subnet 192.168.87.0 255.255.255.0

ASA-SiteA(config)#access-list VPN-INTERESTING-TRAFFIC extended permit ip object Site-A-SN object Site-B-SN

ASA-SiteA(config)#nat (dmz,inside) source static Site-A-DMZ Site-A-DMZ destination static Site-B-DMZ Site-B-DMZ

Crypto MAP

ASA-SiteA(config)# crypto map VPN-LAN 100 ipsec-isakmp

ASA-SiteA(config-crypto-map)#  match address VPN-INTERESTING-TRAFFIC
ASA-SiteA(config-crypto-map)# set  pfs group2

ASA-SiteA(config-crypto-map)#set  peer 172.10.1.1

ASA-SiteA(config-crypto-map)#set  transform-set  ESP-3DES-SHA

ASA-SiteA(config-crypto-map)#crypto map VPN-LAN interface  inside

Siddhartha
2 ACCEPTED SOLUTIONS

Accepted Solutions
Super Bronze

Site to Site VPN- route on ASA(8.4.2)

Yes, you would need the correct route otherwise it will just route via the default gateway.

So on Site A, you should have:

route inside 192.168.87.0 255.255.255.0 10.1.1.x  --> x should be the next hop from the ASA inside interface

On Site B, you should have:

route inside 192.168.0.0 255.255.255.0 172.10.1.x --> x should be the next hop from the ASA inside interface

Then remove "mode transport" from both ASA.

To answer your questions:

1. Yes, it would need to match a route otherwise it will be routed through the default gateway.

2. Yes, you would need to have access-list to allow traffic from low to high security level. If you want full IP access, then you can configure permit IP between the 2 LANs.

Super Bronze

Site to Site VPN- route on ASA(8.4.2)

1. Yes, correct, leave the IPSec in the default tunnel mode. Transport mode is normally used for L2TP over IPSec, or GRE over IPSec. For just pure LAN-to-LAN tunnel, it is just tunnel mode.

2. No, enabling IKEv1 on the inside interface will not interrupts any traffic. It simply is enabling it so it can terminate IPSec tunnel.

5 REPLIES
Super Bronze

Site to Site VPN- route on ASA(8.4.2)

Yes, you would need the correct route otherwise it will just route via the default gateway.

So on Site A, you should have:

route inside 192.168.87.0 255.255.255.0 10.1.1.x  --> x should be the next hop from the ASA inside interface

On Site B, you should have:

route inside 192.168.0.0 255.255.255.0 172.10.1.x --> x should be the next hop from the ASA inside interface

Then remove "mode transport" from both ASA.

To answer your questions:

1. Yes, it would need to match a route otherwise it will be routed through the default gateway.

2. Yes, you would need to have access-list to allow traffic from low to high security level. If you want full IP access, then you can configure permit IP between the 2 LANs.

Silver

Site to Site VPN- route on ASA(8.4.2)

Thanks Jennifer, I have few more questions

1."Then remove "mode transport" from both ASA."

Did you mean we have to leave the IPSEC in the default tunnel mode instead of transport?

2. When we enable ikev1 on the inside interface (crypto ikev1 enable inside) does it interrupts any traffic.

Siddhartha
Silver

Site to Site VPN- route on ASA(8.4.2)

Anyone?

Siddhartha
Super Bronze

Site to Site VPN- route on ASA(8.4.2)

1. Yes, correct, leave the IPSec in the default tunnel mode. Transport mode is normally used for L2TP over IPSec, or GRE over IPSec. For just pure LAN-to-LAN tunnel, it is just tunnel mode.

2. No, enabling IKEv1 on the inside interface will not interrupts any traffic. It simply is enabling it so it can terminate IPSec tunnel.

Silver

Site to Site VPN- route on ASA(8.4.2)

Thanks Jennifer

Siddhartha
2113
Views
0
Helpful
5
Replies