This post details how to set up a site-to-site VPN with ASA 8.4 and hairpinning enabled. Hairpinning means the remote site can not only reach networks at the main site but can also reach the internet through the main site's ASA: its traffic arrives encrypted on the outside interface, is decrypted and NATed, and is sent back out of that same outside interface. This lab is built on the previous lab, but instead of allowing only one particular network at the main site to travel over the VPN, the ASA side now has to allow any network, because the remote site's internet traffic will cross the tunnel as well. The ACLs for interesting traffic therefore need to be modified on both ends if you are reusing the lab from the previous post; otherwise you can just use this lab as the starting point.
We will also introduce a new NAT statement so that traffic arriving over the VPN is NATed when it goes on to the internet.
Objective
Traffic between the Site 1 subnet 10.10.10.0/24 and the Site 2 subnet 20.20.20.0/24 should be encrypted and sent over the VPN tunnel.
Traffic from the Site 2 subnet going to the internet should also travel over the tunnel and exit through the Site 1 ASA firewall (hairpinning), rather than leaving Site 2 directly.
Lab Diagram
| Item | Site1 – Main Site | Site2 – Remote Site |
| --- | --- | --- |
| Subnet to access over VPN | Any | 20.20.20.0/24 |
| Tunnel termination | S1ASA1 – ASA | S2R1 – Router |
Firewall Configuration
ASA 8.4.2 Configuration

| Details | Configuration |
| --- | --- |
| Permit traffic to be answered on the same interface where it was received. This is what lets decrypted VPN traffic leave the outside interface again (hairpinning). | `same-security-traffic permit intra-interface` |
| Object NAT for the remote subnet on the outside interface. Traffic from 20.20.20.0/24 that arrives over the tunnel and leaves for the internet is PATed to the outside interface address. | `object network obj-20.20.20.0`<br>`subnet 20.20.20.0 255.255.255.0`<br>`nat (outside,outside) dynamic interface` |
| NAT exemption for VPN traffic. We don't want site-to-site traffic to be translated as it enters the tunnel, so a manual (twice) NAT rule with identity translation is used. `nat 0` (NAT exemption) no longer exists in ASA 8.3 and later; identity NAT takes its place. Manual NAT is evaluated before object NAT, so this rule wins over the PAT rules for traffic between the two sites. | `object network obj-10.10.10.0`<br>`subnet 10.10.10.0 255.255.255.0`<br>`object network obj-20.20.20.0`<br>`subnet 20.20.20.0 255.255.255.0`<br>`nat (inside,outside) source static obj-10.10.10.0 obj-10.10.10.0 destination static obj-20.20.20.0 obj-20.20.20.0` |
| Create the policy for Phase 1 (IKEv1). | `crypto ikev1 policy 1`<br>`authentication pre-share`<br>`encryption 3des`<br>`hash sha`<br>`group 2`<br>`lifetime 86400` |
| Enable ISAKMP on the outside interface. | `crypto ikev1 enable outside` |
| Define the ACL for interesting traffic. Because the remote site reaches the internet through this tunnel, the source is `any` rather than only 10.10.10.0/24; the router's crypto ACL must be the exact mirror of this entry. | `access-list InterestingTraffic extended permit ip any 20.20.20.0 255.255.255.0` |
| Tunnel group. Use the IP address of the tunnel's remote end as the group name. | `tunnel-group 192.168.1.1 type ipsec-l2l`<br>`tunnel-group 192.168.1.1 ipsec-attributes`<br>`ikev1 pre-shared-key cisco` |
| Transform set. | `crypto ipsec ikev1 transform-set MySet esp-3des esp-md5-hmac` |
| Crypto map. Reference the ACL that catches traffic for the tunnel, set the peer to the remote end, and use the transform set already created. | `crypto map IPSEC 1 match address InterestingTraffic`<br>`crypto map IPSEC 1 set peer 192.168.1.1`<br>`crypto map IPSEC 1 set ikev1 transform-set MySet` |
| Enable the crypto map on the outside interface. | `crypto map IPSEC interface outside` |

The pre-shared key `cisco` and the 3DES / MD5 / DH group 2 suite are lab values only. Outside a lab, use a long random pre-shared key (or certificates) and an AES / SHA-2 suite with a stronger DH group, configured identically on both peers.
Router Configuration
IOS Router Configuration (Remote End, S2R1)

| Details | Configuration |
| --- | --- |
| Phase 1 config. Hash (SHA) and lifetime (86400) are left at the IOS defaults, which match the ASA policy. | `crypto isakmp policy 1`<br>`encr 3des`<br>`authentication pre-share`<br>`group 2` |
| Pre-shared key, keyed on the ASA's outside address. | `crypto isakmp key cisco address 192.168.0.1` |
| Transform set. | `crypto ipsec transform-set MySet esp-3des esp-md5-hmac` |
| ACL for interesting traffic. This must mirror the ASA's `any` to 20.20.20.0/24 entry, so the destination is `any`. The entry from the previous lab (20.20.20.0/24 to 10.10.10.0/24 only) would leave Site 2's internet-bound traffic outside the tunnel: S2R1 would forward it unencrypted to the ISP, and since S2R1 does no NAT and the ISP has no route back, it would never get a reply. | `access-list 101 permit ip 20.20.20.0 0.0.0.255 any` |
| Crypto map for Phase 2. | `crypto map IPSEC 1 ipsec-isakmp`<br>`set peer 192.168.0.1`<br>`set transform-set MySet`<br>`match address 101` |
| Enable on the tunnel termination interface. | `interface FastEthernet1/1`<br>`crypto map IPSEC` |
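Mismatched crypto ACLs are the most common reason a lab like this "connects" but does not carry the traffic you expect, and the ASA and IOS write the same entry in different notations (netmask versus wildcard mask). The check below is an added example, not part of the original post: it parses a `permit ip` crypto ACL from each side, normalises both to CIDR networks and reports any entry that the other side does not mirror. The three ACL strings are constructed from the lab: the ASA entry, the narrower router entry carried over from the previous lab (`permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255`), and the hairpin-ready router entry (`permit ip 20.20.20.0 0.0.0.255 any`). Only `any`, `host` and address/mask forms are handled; object groups and port-qualified entries are not.

```python
import ipaddress
from typing import List, Set, Tuple

Pair = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed inputs taken from the lab tables.
ASA_ACL = "access-list InterestingTraffic extended permit ip any 20.20.20.0 255.255.255.0"
ROUTER_ACL_PREVIOUS_LAB = "access-list 101 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255"
ROUTER_ACL_HAIRPIN = "access-list 101 permit ip 20.20.20.0 0.0.0.255 any"


def _wildcard_to_netmask(wildcard: str) -> str:
    """IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0, 0.0.0.0 -> /32."""
    inverted = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return str(ipaddress.ip_address(inverted))


def _parse_endpoint(tokens: List[str], i: int, wildcard: bool) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec (any | host A | A MASK) at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if wildcard:
        # Convert explicitly: letting ipaddress guess would read the IOS wildcard 0.0.0.0 as /0, not /32.
        mask = _wildcard_to_netmask(mask)
    # strict=False tolerates host bits set in the address, as the devices themselves do.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_acl(text: str, wildcard: bool) -> Set[Pair]:
    """Return the (source, destination) pairs permitted by the 'permit ip' entries in an ACL.

    wildcard=True parses IOS syntax (wildcard masks); False parses ASA syntax (netmasks).
    Deny entries and blank lines are skipped; non-IP entries are rejected because a crypto
    ACL for a site-to-site tunnel should match whole subnets, not individual ports.
    """
    pairs: Set[Pair] = set()
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list" or "permit" not in tok:
            continue
        p = tok.index("permit")
        if tok[p + 1] != "ip":
            raise ValueError(f"only 'permit ip' entries are expected in a crypto ACL: {line}")
        src, i = _parse_endpoint(tok, p + 2, wildcard)
        dst, _ = _parse_endpoint(tok, i, wildcard)
        pairs.add((src, dst))
    return pairs


def mirror_mismatch(asa_acl: str, ios_acl: str) -> Tuple[Set[Pair], Set[Pair]]:
    """Return (ASA entries the router does not mirror, router entries the ASA does not mirror).

    Entry (src, dst) on one side is mirrored by (dst, src) on the other; both sets are empty
    when the two crypto ACLs agree.
    """
    asa = parse_acl(asa_acl, wildcard=False)
    ios = parse_acl(ios_acl, wildcard=True)
    mirrored_ios = {(d, s) for (s, d) in ios}
    mirrored_asa = {(d, s) for (s, d) in asa}
    return asa - mirrored_ios, ios - mirrored_asa


def acls_mirror(asa_acl: str, ios_acl: str) -> bool:
    asa_only, ios_only = mirror_mismatch(asa_acl, ios_acl)
    return not asa_only and not ios_only


if __name__ == "__main__":
    for label, router_acl in (("previous-lab ACL", ROUTER_ACL_PREVIOUS_LAB), ("hairpin ACL", ROUTER_ACL_HAIRPIN)):
        asa_only, ios_only = mirror_mismatch(ASA_ACL, router_acl)
        print(f"{label}: mirror={not asa_only and not ios_only} asa_only={asa_only} router_only={ios_only}")
```

Run the script and the previous-lab entry is flagged on both sides (the ASA's `any` to 20.20.20.0/24 has no counterpart, and the router's 20.20.20.0/24 to 10.10.10.0/24 is narrower than anything the ASA offers), while the hairpin entry mirrors cleanly. The same logic works on a full `show run | include access-list` dump as long as the crypto ACL uses only the address forms above.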
Lab Setup in Detail
Here is how the network is set up.
The device configurations can be obtained from here if you want to check or try the configuration for yourself.
When setting up this lab, make sure that:
1. Routing is configured properly on all devices.
2. NAT is configured on the ASA so that any traffic leaving the ASA outside interface is mapped to the outside interface IP address.
3. No route for 10.10.10.0/24 or 20.20.20.0/24 is configured on the ISP router; it knows nothing about either network, so those subnets are reachable only through the tunnel.
4. ICMP inspection is enabled on the ASA so that return ICMP traffic is allowed back in on the interface. You will need this when testing connectivity with ping.
Lab Configuration
Routing
1. Default route on S1R1 pointing toward the firewall.
2. Default route on the firewall pointing toward the ISP router.
3. Default route on S2R2 pointing toward S2R1.
4. Default route on S2R1 pointing toward the ISP router.
5. Default route on the Internet router pointing toward the ISP.
NAT
1. All traffic leaving the ASA outside interface is NATed to the outside interface IP address.
2. Traffic from 10.10.10.0/24 destined for 20.20.20.0/24 over the VPN is exempted from NAT by the identity rule above; the same source going anywhere else is NATed.
3. No NAT is configured on the remote end of the tunnel (S2R1). Site 2's internet traffic is translated by the ASA after it leaves the tunnel, not by S2R1.
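The three NAT behaviours above depend on ASA rule ordering: manual (twice) NAT in section 1 is checked before object NAT in section 2, a static manual rule matches in both directions, and an object rule only applies to its own interface pair. The model below is an added example, not part of the original post or of ASA code: it encodes the identity rule and the hairpin rule from the firewall table plus the main site's own internet PAT (assumed from NAT item 1 above; the post describes it but does not show the command) and evaluates a few flows. The ASA outside address 192.168.0.1 is taken from the router's pre-shared key statement; the host addresses and the 8.8.8.8 destination are constructed. Egress interface selection (route lookup) is outside the model and is passed in explicitly.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed from the lab: the ASA outside address is the peer address the router keys to.
OUTSIDE_IP = "192.168.0.1"


@dataclass(frozen=True)
class NatRule:
    section: int                           # 1 = manual (twice) NAT, 2 = object NAT; section 1 is checked first
    ingress: str                           # real (ingress) interface
    egress: str                            # mapped (egress) interface
    src: ipaddress.IPv4Network             # real source network
    dst: Optional[ipaddress.IPv4Network]   # real destination network; None = any
    mapped_src: Optional[str]              # None = identity (no translation), else PAT to this address
    name: str


def _n(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


RULES: List[NatRule] = [
    # nat (inside,outside) source static obj-10.10.10.0 obj-10.10.10.0
    #     destination static obj-20.20.20.0 obj-20.20.20.0
    NatRule(1, "inside", "outside", _n("10.10.10.0/24"), _n("20.20.20.0/24"), None, "identity NAT (VPN exemption)"),
    # object network obj-20.20.20.0 -> nat (outside,outside) dynamic interface
    NatRule(2, "outside", "outside", _n("20.20.20.0/24"), None, OUTSIDE_IP, "hairpin PAT for Site 2 internet"),
    # Assumed (described in the NAT notes, command not shown in the post):
    # object network obj-10.10.10.0 -> nat (inside,outside) dynamic interface
    NatRule(2, "inside", "outside", _n("10.10.10.0/24"), None, OUTSIDE_IP, "Site 1 internet PAT (assumed)"),
]


def _matches(rule: NatRule, ingress: str, egress: str,
             src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    forward = (rule.ingress == ingress and rule.egress == egress
               and src in rule.src and (rule.dst is None or dst in rule.dst))
    if forward:
        return True
    # A static manual NAT rule is bidirectional: the reverse flow (Site 2 -> Site 1, entering
    # outside and leaving inside) matches it too, so remote-initiated traffic is also exempted.
    if rule.section == 1 and rule.mapped_src is None and rule.dst is not None:
        return (rule.ingress == egress and rule.egress == ingress
                and dst in rule.src and src in rule.dst)
    return False


def translate(ingress: str, egress: str, src: str, dst: str) -> Tuple[str, str]:
    """Return (source address after NAT, name of the rule that matched); first match wins."""
    src_a, dst_a = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Section 1 before section 2. sorted() is stable, so configuration order is kept within a
    # section. (The ASA orders section 2 as static before dynamic, longest prefix first; the two
    # object rules here use different interface pairs, so that refinement changes nothing.)
    for rule in sorted(RULES, key=lambda r: r.section):
        if _matches(rule, ingress, egress, src_a, dst_a):
            return (rule.mapped_src or src, rule.name)
    return (src, "no NAT rule matched")


if __name__ == "__main__":
    flows = [
        ("inside", "outside", "10.10.10.5", "20.20.20.5"),   # Site 1 -> Site 2 over the tunnel
        ("outside", "inside", "20.20.20.5", "10.10.10.5"),   # Site 2 -> Site 1 over the tunnel
        ("outside", "outside", "20.20.20.5", "8.8.8.8"),     # Site 2 -> internet, hairpinned
        ("inside", "outside", "10.10.10.5", "8.8.8.8"),      # Site 1 -> internet
    ]
    for flow in flows:
        print(flow, "->", translate(*flow))
```

Site-to-site flows come out untranslated in both directions, the hairpinned flow from 20.20.20.0/24 is PATed to the outside address even though it entered on that same interface, and a flow from the internet toward 10.10.10.0/24 matches nothing. If you remove the section 1 rule from `RULES`, the Site 1 to Site 2 flow falls through to the assumed internet PAT, which is exactly the symptom of a missing NAT exemption on a real ASA: the packet leaves with the outside address and never matches the crypto ACL.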