Showing posts with label L2L. Show all posts
Showing posts with label L2L. Show all posts

Tuesday, 27 October 2009

PIX/ASA Site-to-Site (L2L) VPN with Duplicate/Same Subnets - Howto

This is the how to for this lab: here

Ok here we go...

Basic Setup:

FW1

!
interface Ethernet0
nameif outside
security-level 0
ip address 142.100.123.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
!For Testing Allow pings/ICMP through
access-list WAN_IN extended permit icmp any any
access-group WAN_IN in interface outside
!
!NAT
global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0
!
!Default Route
route outside 0.0.0.0 0.0.0.0 142.100.123.99
!


FW2

!
interface Ethernet0
nameif outside
security-level 0
ip address 208.69.34.2 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
access-list WAN_IN extended permit icmp any any
access-group WAN_IN in interface outside
!
global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.0 208.69.34.99 1
!



Now the interesting part, we want a user at site 1 to ping 192.168.102.100 and it reach 192.168.1.100 (at site 2) and a user at site 2 to ping 192.168.101.100 and it reach 192.168.1.100 (at site1).

Here is how:

FW1

!ACL defining traffic for static nat
access-list site2 extended permit ip 192.168.1.0 255.255.255.0 192.168.102.0 255.255.255.0
!ACL for the IPSec Tunnel
access-list IPSEC-TUN extended permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
! Static NAT
static (inside,outside) 192.168.101.0 access-list site2


Now the tunnel itself

crypto ipsec transform-set FW1-TRANSFORM esp-3des esp-md5-hmac
crypto map FW1 10 match address IPSEC-TUN
crypto map FW1 10 set peer 208.69.34.2
crypto map FW1 10 set transform-set FW1-TRANSFORM
crypto map FW1 interface outside
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 208.69.34.2 type ipsec-l2l
tunnel-group 208.69.34.2 ipsec-attributes
pre-shared-key letmein



FW2

access-list site1 extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list IPSEC-TUN extended permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
!
static (inside,outside) 192.168.102.0 access-list site1
!
crypto ipsec transform-set FW2-TRANSFORM esp-3des esp-md5-hmac
crypto map FW2 10 match address IPSEC-TUN
crypto map FW2 10 set peer 142.100.123.1
crypto map FW2 10 set transform-set FW2-TRANSFORM
crypto map FW2 interface outside
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
!
tunnel-group 142.100.123.1 type ipsec-l2l
tunnel-group 142.100.123.1 ipsec-attributes
pre-shared-key letmein
!


All done!
Posted by at No comments:
Labels: , , , , ,

PIX/ASA Site-to-Site (L2L) VPN with Duplicate/Same Subnets

Here is another lab where we have the same subnet at each site, and we want to be able to establish a Lan to Lan VPN between them.

Here is the lab:
Posted by at 5 comments:
Labels: , , , , ,

Wednesday, 30 September 2009

PIX/ASA Remote Access VPN with L2L VPN and Failover - How to

This is the practical for this lab:
here

There are a few things that we have already covered in other labs, Lan to Lan (or site to site) VPNs, NAT etc. However the main reason for this lab is three fold.

1) Setting up Active/Standby Failover
2) Setting up remote access IPSec VPN (in combination with L2L VPN)
3) Allowing the Remote User access to the Spoke Via Split Tunneling


When setting up failover, you should setup the first "unit" with a basic configuration, then use the LAN failover interface to sync the two up.


So here the basic config on FW1 (Primary unit):

Setting up the Interfaces:

interface Ethernet0
nameif Outside
security-level 0
ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
interface Ethernet1
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface Ethernet2
description trunk for failovers
!
interface Ethernet2.200
description LAN Failover Interface
vlan 200
!
interface Ethernet2.300
description STATE Failover Interface
vlan 300
!


Note: The failover interfaces cannot be on a shared interface.

Diagnostic ACL for pings etc:

access-list WAN_IN extended permit icmp any any


NAT

global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0


Default Gateway:

route Outside 0.0.0.0 0.0.0.0 10.0.0.4



Failover Config (Primary):

failover lan unit primary
failover lan interface lan-fo Ethernet2.200
failover polltime unit msec 200 holdtime msec 800
failover key letmeinfo
failover link state-fo Ethernet2.300
failover interface ip lan-fo 192.168.20.1 255.255.255.0 standby 192.168.20.2
failover interface ip state-fo 192.168.30.1 255.255.255.0 standby 192.168.30.2
failover lan enable
failover


Failover Config (Secondary):
This unit up until now had a blank configuration.

interface Ethernet2
description trunk for failovers
!
interface Ethernet2.200
description LAN Failover Interface
vlan 200
!
failover lan unit secondary
failover lan interface lan-fo Ethernet2.200
failover key letmeinfo
failover interface ip lan-fo 192.168.20.1 255.255.255.0 standby 192.168.20.2
failover lan enable
failover


At this point you should wait until the two configurations are synced up and the primary has taken the "active" role.

Setting up L2L VPN:

access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list IPSEC-TUN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (Inside) 0 access-list NO-NAT
crypto ipsec transform-set FW1-TRANSFORM esp-3des esp-sha-hmac
crypto map FW1 10 match address IPSEC-TUN
crypto map FW1 10 set peer 10.0.34.3
crypto map FW1 10 set transform-set FW1-TRANSFORM
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 100
authentication pre-share
encryption 3des
hash sha
group 2
tunnel-group 10.0.34.3 type ipsec-l2l
tunnel-group 10.0.34.3 ipsec-attributes
pre-shared-key letmeinl2l


Setting up the other end (FW3):
Basic setup:

!
interface Ethernet0
nameif outside
security-level 0
ip address 10.0.34.3 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!


VPN and ACLs:

access-list WAN_IN extended permit icmp any any
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list IPSEC-TUN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group WAN_IN in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.34.4 1
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encryption 3des
hash sha
group 2
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
pre-shared-key letmeinl2l



Now, as it stands we should have an "Hub" and a "Spoke" set up with L2L vpn between the sites as well as their own wan (internet) traffic going out untouched.

Now Remote Access VPN:
Obviously LAN= 192.168.1.0/24 and VPN=10.1.1.0/24

access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 extended permit tcp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq www
access-list 101 extended permit tcp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq ftp
access-list 101 extended permit tcp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq telnet
access-list 101 extended permit icmp any any
aaa-server acs protocol radius
aaa-server acs (Outside) host 192.168.0.45
timeout 5
key letmein
ip local pool VPN-POOL 10.1.1.1-10.1.1.254
crypto ipsec transform-set VPN-TRANSFORM esp-3des esp-sha-hmac
crypto dynamic-map DYNA-MAP 1 set transform-set VPN-TRANSFORM
crypto dynamic-map DYNA-MAP 1 set security-association lifetime seconds 288000
crypto dynamic-map DYNA-MAP 1 set reverse-route
crypto map FW1 20 ipsec-isakmp dynamic DYNA-MAP
group-policy VPN-REMOTE internal
group-policy VPN-REMOTE attributes
dns-server value 208.67.222.222
vpn-idle-timeout none
vpn-tunnel-protocol IPSec
default-domain value cookie.local
tunnel-group VPN-REMOTE type remote-access
tunnel-group VPN-REMOTE general-attributes
address-pool VPN-POOL
authentication-server-group acs
default-group-policy VPN-REMOTE
tunnel-group VPN-REMOTE ipsec-attributes
pre-shared-key cisco123



Now the Split Tunnel and IPsec access to the Spoke:
FW-3:

access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list IPSEC-TUN extended permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0


FW1:

same-security-traffic permit intra-interface
access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list IPSEC-TUN extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list splittunnel standard permit 192.168.1.0 255.255.255.0
access-list splittunnel standard permit 192.168.2.0 255.255.255.0
group-policy VPN-REMOTE attributes
dns-server value 208.67.222.222
vpn-idle-timeout none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel




And that is it! :P

If you need any info as to how to setup the client look here:
Setup VPN Client
The "group name" is VPN-REMOTE and the password is cisco123


Screenshot of it all working:
Posted by at 9 comments:
Labels: , , , , ,

Tuesday, 29 September 2009

PIX/ASA Remote Access VPN with L2L VPN and Failover

Well I was going to do a nice multiple context PIX/ASA lab, but after playing around with GNS for a while and a good few hours into the lab I came to a brick wall.

The brick wall being that if you use multiple contexts you cannot use VPNs:
(http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html#wp1116132)

So I created this lab instead:




If I get time ill upload the config tonight.
Posted by at No comments:
Labels: , , , , ,
Subscribe to: Posts (Atom)