Site to Site VPN - route on ASA (8.4.2)

siddhartham
Level 4

ASA-SiteA:

Outside int: 4.5.6.7
inside int: 10.1.1.1
dmz: 192.168.0.1 255.255.255.0

routes on ASA-SiteA:

route outside 0.0.0.0 0.0.0.0 4.5.6.7     ---------- default route
route inside 172.10.1.0 255.255.255.0 10.1.1.1   --- route to reach the ASA-SiteB inside interface

ASA-SiteB:

Outside int: 50.1.2.3
inside int: 172.10.1.1
dmz: 192.168.87.1 255.255.255.0

routes on ASA-SiteB:

route outside 0.0.0.0 0.0.0.0 50.1.2.3    ---------- default route
route inside 10.1.1.0 255.255.255.0 172.10.1.1   --- route to reach the ASA-SiteA inside interface

The inside interfaces of the two ASAs can reach each other through an MPLS circuit. We want to create a VPN tunnel between the two DMZ networks so that the traffic goes through a tunnel across the LAN. Can you check the config below and suggest whether any changes are needed?

1. For the VPN tunnel to work, does the traffic need to match a route on the ASA, or does it just need to match the access-list (interesting traffic)? For example, after configuring the VPN tunnel between the 192.168.0.0 and 192.168.87.0 networks, when I ping the 192.168.87.1 IP does it bring up the tunnel since it matches the interesting traffic, or do the packets go to 4.5.6.7 since they match the default route?

2. Under normal Site-to-Site VPN scenarios traffic initiates on the high security interface (DMZ or Inside) and goes to the low security interface (Outside), but in the above case traffic initiates on the low security interface (DMZ) and goes to the high security interface (Inside), which usually gets blocked unless there is an access-list entry to allow that traffic. So do we have to have an ip any any entry (on the access-list applied to the DMZ interface) between the two DMZ networks?

Config on ASA-SiteA:

ikev1 policy

ASA-SiteA(config)# crypto ikev1 enable inside   ----- Does enabling ikev1 on the interface interrupt traffic?
ASA-SiteA(config)# crypto ikev1 policy 100
ASA-SiteA(config-ikev1-policy)# authentication pre-share
ASA-SiteA(config-ikev1-policy)# encryption 3des
ASA-SiteA(config-ikev1-policy)# hash sha
ASA-SiteA(config-ikev1-policy)# group 2
ASA-SiteA(config-ikev1-policy)# lifetime 86400

IPSEC tunnel

ASA-SiteA(config)# crypto ipsec ikev1 transform-set VPN-MPLS esp-3des esp-sha-hmac
ASA-SiteA(cfg-crypto-trans)# mode transport

Tunnel Group

ASA-SiteA(config)# tunnel-group 172.10.1.1 type ipsec-l2l
ASA-SiteA(config)# tunnel-group 172.10.1.1 ipsec-attributes
ASA-SiteA(config-tunnel-ipsec)# ikev1 pre-shared-key test

Interesting Traffic

ASA-SiteA(config)# object network Site-A-DMZ
ASA-SiteA(config-network-object)# subnet 192.168.0.0 255.255.255.0
ASA-SiteA(config)# object network Site-B-DMZ
ASA-SiteA(config-network-object)# subnet 192.168.87.0 255.255.255.0
ASA-SiteA(config)# access-list VPN-INTERESTING-TRAFFIC extended permit ip object Site-A-DMZ object Site-B-DMZ
ASA-SiteA(config)# nat (dmz,inside) source static Site-A-DMZ Site-A-DMZ destination static Site-B-DMZ Site-B-DMZ

Crypto MAP (ASA 8.4 uses the flat crypto map syntax, no sub-mode)

ASA-SiteA(config)# crypto map VPN-LAN 100 match address VPN-INTERESTING-TRAFFIC
ASA-SiteA(config)# crypto map VPN-LAN 100 set pfs group2
ASA-SiteA(config)# crypto map VPN-LAN 100 set peer 172.10.1.1
ASA-SiteA(config)# crypto map VPN-LAN 100 set ikev1 transform-set VPN-MPLS
ASA-SiteA(config)# crypto map VPN-LAN interface inside

Siddhartha
5 Replies

Jennifer Halim
Cisco Employee

Yes, you would need the correct route otherwise it will just route via the default gateway.

So on Site A, you should have:

route inside 192.168.87.0 255.255.255.0 10.1.1.x  --> x should be the next hop from the ASA inside interface

On Site B, you should have:

route inside 192.168.0.0 255.255.255.0 172.10.1.x --> x should be the next hop from the ASA inside interface

Then remove "mode transport" from both ASAs.

To answer your questions:

1. Yes, it would need to match a route otherwise it will be routed through the default gateway.

2. Yes, you would need to have access-list to allow traffic from low to high security level. If you want full IP access, then you can configure permit IP between the 2 LANs.
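To make the routing point concrete, here is an added example (not from the thread or from Cisco) that models the ASA-SiteA forwarding decision: the route lookup picks the egress interface first, and only a packet leaving the interface the crypto map is bound to is checked against the interesting-traffic ACL. The next hop 10.1.1.2 is an assumed placeholder for the "10.1.1.x" in the reply above.

```python
import ipaddress

# Route table taken from the thread (ASA-SiteA) plus the route suggested
# in the reply; 10.1.1.2 is a constructed placeholder for "10.1.1.x".
ASA_SITEA_ROUTES = [
    ("outside", "0.0.0.0/0", "4.5.6.7"),
    ("inside", "172.10.1.0/24", "10.1.1.1"),
]
SUGGESTED_ROUTE = ("inside", "192.168.87.0/24", "10.1.1.2")

# Crypto map VPN-LAN is applied to "inside"; its ACL permits DMZ-to-DMZ traffic.
CRYPTO_MAP_INTERFACE = "inside"
INTERESTING = [("192.168.0.0/24", "192.168.87.0/24")]


def longest_match(routes, dst):
    """Route lookup as the ASA does it: the most specific prefix wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for iface, prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, next_hop)
    return best


def matches_interesting(src, dst):
    """Does src->dst hit the crypto ACL (a permit ip line per pair)?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in INTERESTING)


def forwarding_decision(routes, src, dst):
    """Return (egress_interface, encrypted) for a packet from src to dst.
    The crypto map only sees packets leaving the interface it is bound to,
    so a packet routed out "outside" is never encrypted by VPN-LAN."""
    iface, _, _ = longest_match(routes, dst)
    encrypted = iface == CRYPTO_MAP_INTERFACE and matches_interesting(src, dst)
    return iface, encrypted


if __name__ == "__main__":
    # Without the extra route the DMZ ping follows the default route, unencrypted.
    print(forwarding_decision(ASA_SITEA_ROUTES, "192.168.0.10", "192.168.87.1"))
    # With the route it leaves via inside and matches the crypto ACL.
    print(forwarding_decision(ASA_SITEA_ROUTES + [SUGGESTED_ROUTE],
                              "192.168.0.10", "192.168.87.1"))
```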

Thanks Jennifer, I have a few more questions.

1."Then remove "mode transport" from both ASA."

Did you mean we have to leave the IPSEC in the default tunnel mode instead of transport?

2. When we enable ikev1 on the inside interface (crypto ikev1 enable inside), does it interrupt any traffic?

Siddhartha

Anyone?

Siddhartha

1. Yes, correct, leave the IPSec in the default tunnel mode. Transport mode is normally used for L2TP over IPSec, or GRE over IPSec. For just pure LAN-to-LAN tunnel, it is just tunnel mode.

2. No, enabling IKEv1 on the inside interface will not interrupt any traffic. It simply enables it so it can terminate IPSec tunnels.

Thanks Jennifer

Siddhartha