Search This Blog

Sunday 4 November 2012

Cisco ASA - Site to Site VPN from ASA dynamic IP to ASA static IP with version 8.4.2

How to create a site to site VPN from an ASA to an ASA

Branch Office End - IKE Policy

The first step is to create the IKE Policy that will be used to determine the encryption and authorisation. The CLI for this is
Create a crypto policy for IKE version 1 using a pre shared key, 3DES encryption, SHA hashing, Group 2 Diff-Helleman and a key lifetime of 43200 seconds.
crypto ikev1 policy 1
auth pre-share
encry 3des
hash sha
group 2
lifetime 43200
exit
The the IKE version 1 policy is assigned to the outside interface
crypto ikev1 enable outside
Create a crypto policy for IKE version 2 using a pre shared key, 3DES encryption, SHA PRF, Group 2 Diff-Helleman and a key lifetime of 43200 seconds.
crypto ikev2 policy 1
encryp 3des
group 2
prf sha
lifetime seconds 43200
exit
The the IKE version 2 policy is assigned to the outside interface
crypto ikev2 enable outside
Now you need a transform set that contains the combinations of encryption that can be used. In this example we use ESP-3DES and ESP-MD5-HMAC for the IKE 1 proposal and 3DES, AES and DES for the IKE 2 proposal.
crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal secure
protocol esp encryption 3des aes des
protocol esp integrity sha-1

Branch End - ACL and Tunnel Group

So that the ASA can encrypt the correct traffic we need to create an ACL for the traffic that is across the VPN tunnel. In this example I am going to encrypt the traffic from the 192.168.1.0/24 subnet to the 192.168.14.0 subnet.
access-list acl-ipsec-traffic extended permit ip 192.168.1.0 255.255.255.0 192.168.14.0 255.255.255.0
As this is the Branch Office end we need to add a tunnel group with the IP address of the Head End ASA and set this to a Lan to LAN (l2l) type and add the pre shared key.
tunnel-group 94.175.xx.xx type ipsec-l2l
Adding pre shared key.
tunnel-group 94.175.xx.xx ipsec-attributes
ikev1 pre-shared-key Jn88&^%fgy7771w

Branch End - Crypto Map

Now we need to create a crypto map that can be assigned to an interface to tell the ASA what to do with the traffic we want to encrypt.
First I name my crypto map and assign it map number 1, then I match this to the ACL we created so that map will only execute for our traffic
crypto map crypto-map-ebc 1 match address acl-ipsec-traffic
Set the peer IP address for the Tunnel to connect to
crypto map crypto-map-ebc 1 set peer 94.175.232.166
Set the transform set to be used in the IKE proposals
crypto map crypto-map-ebc 1 set ikev transform-set vpn-transform-set
crypto map crypto-map-ebc 1 set ikev2 ipsec-proposal secure
Assign the crypto map to our outside or Internet facing interface
crypto map crypto-map-ebc interface outside

Branch End - Exclude Traffic from PAT or NAT

By default the ASA will execute PAT or NAT statements before it will a crypto map so we need to exclude our traffic from the PAT/NAT process and this is done with a NAT exemption.
First you will need to declare some objects for the local and remote networks.
object network obj-inside
subnet 192.168.1.0 255.255.255.0
exit
object network obj-remote
subnet 192.168.14.0 255.255.255.0
exit
Now we can create a NAT statement with number 1 so it is the first to be executed that tells the ASA to not NAT our traffic and to pass this directly to the outside interface. This translates the source back to the source and the desintation back to the destination.
nat (inside,outside) 1 source static obj-inside obj-inside destination static obj-remote obj-remote

Branch End - Optional ACL

You may have an outbound ACL for traffic from the inside to the outside, if so you will need to add a rule for the tunnel traffic, here I have allowed all TCP traffic across the tunnel.
access-list acl-inside-to-outside extended permit tcp object obj-inside object obj-remote

Head End - IKE Policy

The IKE Policy is created as at the Branch End, this matches the Branch End so that the policy can agree.
crypto ikev1 policy 1
auth pre-share
encry 3des
hash sha
group 2
lifetime 43200
exit
crypto ikev1 enable outside
crypto ikev2 policy 1
encryp 3des
group 2
prf sha
lifetime seconds 43200
exit
crypto ikev2 enable outside
crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal ESP-3DES-MD5
protocol esp encryption 3des
protocol esp integrity sha-1 md5

Head End - ACL and Tunnel Group

Because we are using a dynamic crypto map at the Head End we do not need to specify the traffic to be encrypted because the tunnel is started at the Branch End and therefore the ASA knows the source and destination IP of the packets. So we just need to create the Tunnel Group, now because we do not know the IP address at the Branch End we have to add the Tunnel Group information to the Default Tunnel Group. Note that the pre shared key is the same as the Branch End.
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key Jn88&^%fgy7771w

Head End - Crypto Map

The crypto map at the Head End is a dynamic crypto map, this means it can answer any incoming IP address tunnel.
Set the IKE Proposal for IKE version 1 and IKE version 2.
crypto dynamic-map dynamic-map-ipsec 1 set ikev1 transform-set vpn-transform-set
crypto dynamic-map dynamic-map-ipsec 1 set ikev2 ipsec-proposal vpn-transform-set
Allow the tunnel to inject the routing table from the Branch End to allow access back to remote subnets.
crypto dynamic-map dynamic-map-ipsec 1 set reverse-route
Create a crypto map called crypto-map-dynamic, assign it number 1 and then assign our dynamic crypto map to it.
crypto map crypto-map-dynamic 1 ipsec-isakmp dynamic dynamic-map-ipsec
Assign the crypto map to the outside interface
crypto map crypto-map-dynamic interface outside

Head End - Exclude Traffic from PAT or NAT

Once again we need to exclude traffic for the tunnel from the PAT/NAT
object network obj-remote
subnet 192.168.1.0 255.255.255.0
exit
object network obj-inside
subnet 192.168.14.0 255.255.255.0
exit
nat (inside,outside) 1 source static obj-inside obj-inside destination static obj-remote obj-remote

Test the Tunnel

You should now find your tunnel is up and passing traffic. If not then it is time to start debugging, here is a helpful guide.

5 comments:

  1. Excellent post, it helped me with the appropriate nat statements that are used in 8.3+ code. Thanks. Worked like a charm on two 5505's running 8.4.

    ReplyDelete
  2. good post.. let me point out one config mistake.. correct me if i am wrong...
    in Head End Crypto Map

    we have to give
    crypto dynamic-map dynamic-map-ipsec 1 set ikev1 transform-set vpn-transform-set

    instead of

    crypto dynamic-map dynamic-map-ipsec 1 set ikev1 transform-set ESP-3DES-MD5

    ReplyDelete
  3. how to add a second remote at the head end for another remote to connect?

    ReplyDelete
  4. how to add a second remote at the head end for another remote to connect?

    ReplyDelete
  5. how do you add another remote vpn tunnel on the head end to allow second, third remote sites and so on?

    ReplyDelete