This post details how to set up a site-to-site VPN with ASA 8.4 and hairpinning enabled. This means that the remote site can not only access networks at the main site but can also reach the internet through it. This lab is built on the previous lab; however, instead of allowing only a particular network at the main site to travel over the VPN, I have to allow any network, because the remote site will reach the internet over the tunnel as well. This means that the ACLs for interesting traffic need to be modified if you are using the lab from the previous post. Otherwise you can just use this lab as a starting point.

We will also introduce a new NAT statement so that VPN traffic is NATed when it leaves for the internet.

Traffic between the Site 1 subnet 10.10.10.0/24 and the Site 2 subnet 220.127.116.11/24 should be encrypted and sent over the VPN tunnel. Traffic from the Site 2 subnet going to the internet should go via the Site 1 ASA firewall.
| Item | Site1 – Main Site | Site2 – Remote Site |
|---|---|---|
| Subnet to access over VPN | Any | 18.104.22.168/24 |
| Tunnel termination | S1ASA1 – ASA | S2R1 – Router |
ASA 8.4.2 Configuration

| Purpose | Configuration |
|---|---|
| Permit traffic to be answered on the same interface where it was received. | `same-security-traffic permit intra-interface` |
| This network object is defined to NAT the traffic on the outside interface. This means that traffic from the 22.214.171.124/24 subnet will be NATed when leaving for the internet. | `object network obj-126.96.36.199`<br>` subnet 188.8.131.52 255.255.255.0`<br>` nat (outside,outside) dynamic interface` |
| Configure NAT exemption for VPN traffic. We don't want traffic to be NATed as it travels over the tunnel, so static identity NAT is used here (NAT 0 is no longer in use in ASA 8.4). | `object network obj-10.10.10.0`<br>` subnet 10.10.10.0 255.255.255.0`<br>`object network obj-184.108.40.206`<br>` subnet 220.127.116.11 255.255.255.0`<br>`nat (inside,outside) source static obj-10.10.10.0 obj-10.10.10.0 destination static obj-18.104.22.168 obj-22.214.171.124` |
| Create policy for Phase 1. | `crypto ikev1 policy 1` |
| Enable ISAKMP on the outside interface. | `crypto ikev1 enable outside` |
| Define the ACL for interesting traffic. | `access-list InterestingTraffic extended permit ip any 126.96.36.199 255.255.255.0` |
| Tunnel group: use the IP of the tunnel's remote end. | `tunnel-group 192.168.1.1 type ipsec-l2l`<br>`tunnel-group 192.168.1.1 ipsec-attributes`<br>` ikev1 pre-shared-key cisco` |
| Transform set. | `crypto ipsec ikev1 transform-set MySet esp-3des esp-md5-hmac` |
| Crypto map: reference the ACL which catches traffic for the tunnel, set the peer as the remote end, and use the transform set already created. | `crypto map IPSEC 1 match address InterestingTraffic`<br>`crypto map IPSEC 1 set peer 192.168.1.1`<br>`crypto map IPSEC 1 set ikev1 transform-set MySet` |
| Enable the crypto map on the outside interface. | `crypto map IPSEC interface outside` |
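As an added illustration (not part of the original post or the lab's device configuration), the following Python model walks a few flows through the NAT rules above in the order the ASA evaluates them, Section 1 manual NAT before Section 2 object NAT, and then applies the crypto map ACL to the post-NAT packet. It assumes 10.10.20.0/24 as the Site 2 subnet, a general inside-to-outside PAT rule as described in the lab notes, and 203.0.113.10 as a stand-in internet host.

```python
from ipaddress import ip_address, ip_network

# Constructed values for the example (not from a real deployment).
SITE1_SUBNET = ip_network("10.10.10.0/24")   # Site 1, behind the ASA inside interface
SITE2_SUBNET = ip_network("10.10.20.0/24")   # Site 2 subnet (assumed value)
OUTSIDE_IP = ip_address("192.168.0.1")       # ASA outside interface address
ANY = ip_network("0.0.0.0/0")

# NAT rules in ASA evaluation order: Section 1 manual NAT ("nat source static",
# bidirectional) is consulted before Section 2 network-object NAT (unidirectional).
# Tuple: (ingress, egress, source net, destination net, action, bidirectional)
NAT_TABLE = [
    # nat (inside,outside) source static obj-10.10.10.0 obj-10.10.10.0
    #     destination static obj-SITE2 obj-SITE2            -> VPN exemption
    ("inside", "outside", SITE1_SUBNET, SITE2_SUBNET, "identity", True),
    # object network obj-SITE2 / nat (outside,outside) dynamic interface -> hairpin PAT
    ("outside", "outside", SITE2_SUBNET, ANY, "pat", False),
    # assumed general PAT for Site 1 hosts reaching the internet (lab note 2)
    ("inside", "outside", SITE1_SUBNET, ANY, "pat", False),
]

def classify(src_ip, dst_ip, intra_interface=True):
    """Model how the ASA handles one flow: which NAT rule applies, what the
    source becomes, and whether the crypto map sends it over the tunnel.
    intra_interface mirrors 'same-security-traffic permit intra-interface'."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    # Decrypted VPN traffic and internet traffic both enter on outside.
    ingress = "inside" if src in SITE1_SUBNET else "outside"
    egress = "inside" if dst in SITE1_SUBNET else "outside"
    result = {"ingress": ingress, "egress": egress, "nat_rule": 0,
              "translated_src": str(src), "encrypted": False, "dropped": False}
    if ingress == egress and not intra_interface:
        result["dropped"] = True   # hairpin needs intra-interface traffic permitted
        return result
    for n, (r_in, r_out, r_src, r_dst, action, bidir) in enumerate(NAT_TABLE, 1):
        fwd = (ingress, egress) == (r_in, r_out) and src in r_src and dst in r_dst
        rev = bidir and (ingress, egress) == (r_out, r_in) and src in r_dst and dst in r_src
        if fwd or rev:
            result["nat_rule"] = n
            if action == "pat":
                result["translated_src"] = str(OUTSIDE_IP)
            break   # first match wins; later rules are not consulted
    # The crypto map ACL "permit ip any SITE2" is evaluated on the post-NAT packet
    # leaving outside, so only traffic still addressed to Site 2 is encrypted.
    result["encrypted"] = egress == "outside" and dst in SITE2_SUBNET
    return result
```

Flipping `intra_interface` to False shows why the `same-security-traffic` line is required: the Site 2 to internet flow enters and leaves on outside and is dropped before NAT is even consulted.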
Router Configuration (Remote End)

| Purpose | Configuration |
|---|---|
| Phase 1 config. | `crypto isakmp policy 1` |
| Pre-shared key. | `crypto isakmp key cisco address 192.168.0.1` |
| Transform set. | `crypto ipsec transform-set MySet esp-3des esp-md5-hmac` |
| ACL for interesting traffic. | `access-list 101 permit ip 188.8.131.52 0.0.0.255 10.10.10.0 0.0.0.255` |
| Crypto map for Phase 2. | `crypto map IPSEC 1 ipsec-isakmp`<br>` set peer 192.168.0.1`<br>` set transform-set MySet`<br>` match address 101` |
| Enable on the tunnel termination interface. | `interface FastEthernet1/1`<br>` crypto map IPSEC` |
Lab Setup in Detail

Here is how the network is set up.

Device configuration can be obtained from here if you want to check or try the configuration yourself.

When trying to set up this lab, make sure that:

1. Routing is configured properly on all devices.
   1. Default route from S1R1 to the firewall.
   2. Default route on the firewall pointing toward the ISP router.
   3. Default route on S2R2 toward S2R1.
   4. Default route on S2R1 pointing toward the ISP router.
   5. Default route on the Internet router pointing toward the ISP.
2. NAT is configured on the ASA such that any traffic leaving the ASA outside interface is mapped to the outside interface IP address.
   1. All traffic leaving the ASA outside interface is NAT enabled and mapped to the outside interface IP address.
   2. All traffic from 10.10.10.0/24 leaving for the VPN is exempted from NAT. However, it is NATed when going somewhere else.
   3. NAT is not configured for the remote end of the tunnel (S2R1).
3. No route is configured on the ISP router, and it doesn't know about the 10.10.10.0/24 or 184.108.40.206/24 networks.
4. ICMP inspection is enabled on the ASA so that return ICMP traffic is allowed on the interface. You might need this for testing network connectivity.