分享是一种生活态度,求知,求真,分享工作,分享生活!

ASA防火墙和路由器Site to Site IPSec VPN对接

Cisco iqianyue 2481次浏览 0个评论 扫描二维码

This post details how to setup Site to Site VPN with ASA 8.4 and hairpinning enabled. This would mean that remote site can not only get access to networks on Main Site but can also access the internet through this site.  This Lab is built on the previous lab however instead of allowing only particular network at main site to travel over VPN, I have to allow any networks, as the remote site network will access the internet as well. This would mean that ACLS for interesting traffic needs to be modified if you are using the lab in the previous post

Otherwise you can just use this Lab as starting point.

We will also introduce a new NAT statement for VPN traffic to use NAT when accessing Internet.

 

Objective

Traffic between Site 1 Subnet 10.10.10.0/24 and Site 2 Subnet 20.20.20.0/24 should be encrypted and sent over VPN Tunnel

Traffic from Site 2 subnet going to internet should go via Site 2 ASA firewall.

Lab Diagram

ASA 8.4 Site to Site VPN Hairpinning

ItemSite1 – Main SiteSite2 – Remote Site
Subnet to Access Over VPNAny20.20.20.0/24
Tunnel TerminationS1ASA1 – ASAS2R1 – Router

防火墙配置

ASA 8.4.2 Configuration
Details
Permit Traffic to be answered on the same interface where it was received.same-security-traffic permit intra-interface
This object group is defined to NAT the traffic on Outside Interface. This would mean that traffic from 20.20.20.0/24 subnet will use NAT when leaving for internet.object network obj-20.20.20.0subnet 20.20.20.0 255.255.255.0
nat (outside,outside) dynamic interface
Configure NAT Exemption for VPN Traffic
We don’t want traffic to be NATed as it travels over the tunnel so using static identity NAT here. (NAT 0 is not longer in use in ASA 8.4)
object network obj-10.10.10.0
subnet 10.10.10.0 255.255.255.0
object network obj-20.20.20.0
subnet 20.20.20.0 255.255.255.0nat (inside,outside) source static obj-10.10.10.0 obj-10.10.10.0 destination static obj-20.20.20.0 obj-20.20.20.0
Create Policy for Phase 1crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Enable ISAKMP on outside Interfacecrypto ikev1 enable outside
Define ACL for Interesting Trafficaccess-list InterestingTraffic extended permit ip any 20.20.20.0 255.255.255.0
Tunnel Group
Use IP of Tunnel’s Remote End
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
ikev1 pre-shared-key cisco
Transform Setcrypto ipsec ikev1 transform-set MySet esp-3des esp-md5-hmac
Crypto MAP
Refrence the ACL which catches Traffic for Tunnel
Set Peer as Remote End
Use Transform Set already Crerated
crypto map IPSEC 1 match address InterestingTraffic
crypto map IPSEC 1 set peer 192.168.1.1
crypto map IPSEC 1 set ikev1 transform-set MySet
Enable Crypto MAP on Outside Interfacecrypto map IPSEC interface outside

路由器配置

Router Configuration (Remote End)
Details
Phase 1 Configcrypto isakmp policy 1
encr 3des
authentication pre-share
group 2
Pre-Shared Keycrypto isakmp key cisco address 192.168.0.1
Transform Setcrypto ipsec transform-set MySet esp-3des esp-md5-hmac
ACL for Interesting Trafficaccess-list 101 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
Crypto MAP for Phase 2crypto map IPSEC 1 ipsec-isakmp
set peer 192.168.0.1
set transform-set MySet
match address 101
Enable on Tunnel Termination Interfaceinterface FastEthernet1/1

crypto map IPSEC

Lab Setup in Detail

Here is how the network is setup.

Device Configuration can be obtained from here if you want to check/try configuration for yourself.

When trying to setup this LAB make sure that

1. Routing is configured properly on all devices.

2. NAT is configured on ASA such that any traffic leaving ASA outside interface is mapped to outside Interface IP address.

3. No route is configured on ISP router and it doesn’t know about 10.10.10.0/24 or 20.20.20.0/24 networks.

4. ICMP inspection is enabled on ASA such that return ICMP traffic is allowed on interface. Might need this for testing network connectivity.

 

ASA 8.4 Site to Site VPN.jpeg

 

 

Lab Configuration

Routing

1. Default route from S1R1 to Firewall. 

2. Default route on Firewall Pointing toward ISP Router

3. Default route on S2R2 toward S2R1

4. Default route on S2R1 pointing toward ISP Router.

5. Default route on Internet Router pointing toward ISP.

 

NAT

1. All Traffic leaving ASA outside interface is NAT enabled and mapped to outside interface IP address.

2. All traffic from 10.10.10.0/24 leaving for VPN is not exempted from NAT. However, its NATed when going somewhere else.

3. NAT is not configured for remote end of tunnel (S2R1).


iqianyue , 版权所有丨如未注明 , 均为原创,转载请注明iqianyue
喜欢 (2)
[]
分享 (0)
发表我的评论
取消评论

表情 加粗 删除线 居中 斜体 签到

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址