Wednesday, 30 September 2009

PIX/ASA Remote Access VPN with L2L VPN and Failover - How to

This is the practical for this lab:
here

There are a few things that we have already covered in other labs, Lan to Lan (or site to site) VPNs, NAT etc. However the main reason for this lab is three fold.

1) Setting up Active/Standby Failover
2) Setting up remote access IPSec VPN (in combination with L2L VPN)
3) Allowing the Remote User access to the Spoke Via Split Tunneling


When setting up failover, you should setup the first "unit" with a basic configuration, then use the LAN failover interface to sync the two up.


So here the basic config on FW1 (Primary unit):

Setting up the Interfaces:

interface Ethernet0
nameif Outside
security-level 0
ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
interface Ethernet1
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface Ethernet2
description trunk for failovers
!
interface Ethernet2.200
description LAN Failover Interface
vlan 200
!
interface Ethernet2.300
description STATE Failover Interface
vlan 300
!


Note: The failover interfaces cannot be on a shared interface.

Diagnostic ACL for pings etc:

access-list WAN_IN extended permit icmp any any


NAT

global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0


Default Gateway:

route Outside 0.0.0.0 0.0.0.0 10.0.0.4



Failover Config (Primary):

failover lan unit primary
failover lan interface lan-fo Ethernet2.200
failover polltime unit msec 200 holdtime msec 800
failover key letmeinfo
failover link state-fo Ethernet2.300
failover interface ip lan-fo 192.168.20.1 255.255.255.0 standby 192.168.20.2
failover interface ip state-fo 192.168.30.1 255.255.255.0 standby 192.168.30.2
failover lan enable
failover


Failover Config (Secondary):
This unit up until now had a blank configuration.

interface Ethernet2
description trunk for failovers
!
interface Ethernet2.200
description LAN Failover Interface
vlan 200
!
failover lan unit secondary
failover lan interface lan-fo Ethernet2.200
failover key letmeinfo
failover interface ip lan-fo 192.168.20.1 255.255.255.0 standby 192.168.20.2
failover lan enable
failover


At this point you should wait until the two configurations are synced up and the primary has taken the "active" role.

Setting up L2L VPN:

access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list IPSEC-TUN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (Inside) 0 access-list NO-NAT
crypto ipsec transform-set FW1-TRANSFORM esp-3des esp-sha-hmac
crypto map FW1 10 match address IPSEC-TUN
crypto map FW1 10 set peer 10.0.34.3
crypto map FW1 10 set transform-set FW1-TRANSFORM
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 100
authentication pre-share
encryption 3des
hash sha
group 2
tunnel-group 10.0.34.3 type ipsec-l2l
tunnel-group 10.0.34.3 ipsec-attributes
pre-shared-key letmeinl2l


Setting up the other end (FW3):
Basic setup:

!
interface Ethernet0
nameif outside
security-level 0
ip address 10.0.34.3 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!


VPN and ACLs:

access-list WAN_IN extended permit icmp any any
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list IPSEC-TUN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group WAN_IN in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.34.4 1
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encryption 3des
hash sha
group 2
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
pre-shared-key letmeinl2l



Now, as it stands we should have an "Hub" and a "Spoke" set up with L2L vpn between the sites as well as their own wan (internet) traffic going out untouched.

Now Remote Access VPN:
Obviously LAN= 192.168.1.0/24 and VPN=10.1.1.0/24

access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 extended permit tcp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq www
access-list 101 extended permit tcp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq ftp
access-list 101 extended permit tcp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq telnet
access-list 101 extended permit icmp any any
aaa-server acs protocol radius
aaa-server acs (Outside) host 192.168.0.45
timeout 5
key letmein
ip local pool VPN-POOL 10.1.1.1-10.1.1.254
crypto ipsec transform-set VPN-TRANSFORM esp-3des esp-sha-hmac
crypto dynamic-map DYNA-MAP 1 set transform-set VPN-TRANSFORM
crypto dynamic-map DYNA-MAP 1 set security-association lifetime seconds 288000
crypto dynamic-map DYNA-MAP 1 set reverse-route
crypto map FW1 20 ipsec-isakmp dynamic DYNA-MAP
group-policy VPN-REMOTE internal
group-policy VPN-REMOTE attributes
dns-server value 208.67.222.222
vpn-idle-timeout none
vpn-tunnel-protocol IPSec
default-domain value cookie.local
tunnel-group VPN-REMOTE type remote-access
tunnel-group VPN-REMOTE general-attributes
address-pool VPN-POOL
authentication-server-group acs
default-group-policy VPN-REMOTE
tunnel-group VPN-REMOTE ipsec-attributes
pre-shared-key cisco123



Now the Split Tunnel and IPsec access to the Spoke:
FW-3:

access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list IPSEC-TUN extended permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0


FW1:

same-security-traffic permit intra-interface
access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list IPSEC-TUN extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list splittunnel standard permit 192.168.1.0 255.255.255.0
access-list splittunnel standard permit 192.168.2.0 255.255.255.0
group-policy VPN-REMOTE attributes
dns-server value 208.67.222.222
vpn-idle-timeout none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel




And that is it! :P

If you need any info as to how to setup the client look here:
Setup VPN Client
The "group name" is VPN-REMOTE and the password is cisco123


Screenshot of it all working:

9 comments:

Shivlu Jain said...

thanks it helps me lot....:)

regards
shivlu jain
http://shivlu.blogspot.com

Roggy said...

No problem, glad it helped :)

MikeFrizzi said...

Is this for a class on making these connections? I am curious as to whether all of this hassle creates a connection that is less than, equal to, or greater than off the shelf remote access. Is there an advantage here, or is it just practical coding?

Roggy said...

Well the package you listed looks to be very similar to "logmein" or "gotomypc" which are great.
However it is not suitable for example on phones.
Imagine having a 100/200 remote phones like a cisco 7960 and a remote call manager server. You need a solution where your "tunnel" to resources is invisible to the devices, resources and users.
Not to say there isnt room to use both. The sort of solution you listed is great for remote desktop support.
But if I was to distribute desktops in a centralized way as shown on their website-VMware View 4 is IMHO much better simply for PCoIP.
Hope that helps.

Mary said...

Thanks for the article. I'm struggling to get this working with Windows using Active Directory instead of Radius. I'd like to be able to only allow specific groups of users to access VPN on the ASA, instead of the entire domain. Can this be done, or only with Radius?

VPN

Mary said...
This comment has been removed by the author.
Roggy said...

Sure, this can be done with IAS.
See your other post for more info

bestbvs said...

Thanks for sharing this such a great information.I really appreciate your work i share this link to my facebook friend as well as Digg and twitter this info helps to everyone
________
US VPN

Sandy Shaw said...

Nice Article! Thanks for sharing with us.
Basic IP Traffic Management with Access lists