NutrientMS
Site to Site VPN between Cisco ASA 5510 and 857 Router

Hi Everyone,

I've got a Cisco ASA 5510 device at my work which has been in use for about 6 months now.  I just recently purchased a Cisco 857 ADSL router for a branch office and have the internet up and running, but am stuck getting the site to site VPN working.  I didn't want to configure it via the SDM and I'm new to setting up VPNs via the command line.

I used the ASDM on the ASA side as it is very simple to do that, but what needs to be changed in my config below to get the VPN running?  I'm sure it has something to do with routing / NATing.  The IPsec / IKE policies should be mirrored OK on the ASA side.

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco_857
!
boot-start-marker
boot-end-marker
!
enable secret 5 ********************************
!
no aaa new-model
!
!
dot11 syslog
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool LAN_Pool
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254
   dns-server 192.168.1.254
!
!
ip cef
!
!
!
username admin privilege 15 secret 5 *************************
!
!
crypto isakmp policy 15
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <preshared key> address <peer IP>
!
!
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map CAL 1 ipsec-isakmp
 set peer <peer ip>
 set transform-set ESP-3DES-SHA3
 match address 104
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 description ** ADSL2 **
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description ** INTERNAL VLAN **
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 description ** PPP Connection **
 bandwidth 1000
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username <username> password 0 <password>
 crypto map CAL
!
interface Dialer1
 no ip address
 encapsulation ppp
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 192.168.1.1 3389 interface Dialer0 3389
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source list 105 interface Dialer0 overload
!
access-list 50 permit any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip host xxx.xxx.xxx.xxx any
access-list 104 permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 105 deny   ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password ****************
 login
 length 30
 transport input telnet ssh
!
scheduler max-task-time 5000
end
asdlkf

You need a route map before you can apply the NAT translations.  This prevents the traffic from LAN1 -> LAN2 from being NATted prior to being encapsulated/encrypted.


access-list 120 deny   ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 120 permit ip 10.0.1.0 0.0.0.255 any
route-map route_map_to_avoid_natting_vpn_traffic permit 1
 match ip address 120
 exit
ip nat inside source route-map route_map_to_avoid_natting_vpn_traffic ... bla... bla... bla...



I don't want to look into your ip nat inside rule too much with your 'custom' pools, but I expect you want to replace these three lines with the following lines:

------------------------
ip nat inside source static tcp 192.168.1.1 3389 interface Dialer0 3389
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source list 105 interface Dialer0 overload
------------------------
ip nat inside source static tcp 192.168.1.1 3389 interface Dialer0 3389
ip nat inside source list 106 interface Dialer0 overload
access-list 106 deny   ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 106 permit ip 192.168.1.0 0.0.0.255 any


Basically, however you fix it, the underlying problem is that your traffic is doing this on the outbound interface Dialer0 in the following order:

1: nat traffic which matches acl 101
2: encrypt traffic which matches CAL (AKA access-list 104)

Since by the time the traffic hits number 2 it has already been NATted, the ACL for 104 does not correctly "permit from 192.*.*.* to 10.*.*.*".


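As an added example (not code from the thread, from Cisco, or from either poster), the Python below models the two things asdlkf's answer turns on: Cisco ACLs are first-match with an implicit deny, and on the 857 the inside-to-outside NAT decision is made before the crypto map is consulted.  It parses the numbered IOS ACLs from the thread, then traces a packet through the original list 101 / crypto ACL 104 and through the replacement list 106, so the effect of the fix can be seen before touching the router.  Going beyond the 857 case, the parser also accepts the ASA extended syntax (subnet masks, `host`, `any`, ASDM's `line N`) that appears later in the thread.  The ACL text is copied from the thread's lines; the Dialer0 public address and the sample packets are constructed.

```python
"""First-match evaluation of Cisco access lists, to trace why IOS NATs
site-to-site traffic before the crypto map can match it.

Added example, not from the thread or from Cisco. It models only what the
thread discusses: numbered IOS ACLs with wildcard masks, ASA extended ACLs
with subnet masks and host/any, first-match with implicit deny, and the IOS
inside->outside order on Dialer0: NAT first, crypto map second.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

ANY = ipaddress.IPv4Network("0.0.0.0/0")

def _spec(tokens: List[str], i: int, style: str) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if style == "ios":
        # IOS writes a wildcard (inverted mask): 0.0.0.255 -> 255.255.255.0.
        # Invert explicitly so 0.0.0.0 means one host, not "any".
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network((addr, mask), strict=False), i + 2

def parse_access_lists(config: str, style: str) -> Dict[str, List[Ace]]:
    """Collect 'access-list NAME ...' lines into ACLs, keeping config order."""
    acls: Dict[str, List[Ace]] = {}
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 3 or t[0] != "access-list":
            continue
        name, i = t[1], 2
        if t[i] == "line":  # ASDM output: "access-list X line 4 extended ..."
            i += 2
        if t[i] == "extended":
            i += 1
        action, i = t[i], i + 1
        if t[i] == "ip":  # extended entry: protocol, source, destination
            src, i = _spec(t, i + 1, style)
            dst, i = _spec(t, i, style)
        else:  # standard entry such as "access-list 50 permit any": source only
            src, i = _spec(t, i, style)
            dst = ANY
        acls.setdefault(name, []).append(Ace(action, src, dst))
    return acls

def first_match(aces: List[Ace], src: str, dst: str) -> str:
    """Cisco ACLs are first-match; nothing matching means the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"

def ios_outbound(nat_acl: List[Ace], crypto_acl: List[Ace],
                 src: str, dst: str, outside_ip: str) -> Dict[str, object]:
    """Inside->outside on the 857: NAT is applied first, then the crypto map is
    checked against the packet as it now looks. A translated source is no longer
    in 192.168.1.0/24, so a crypto ACL written for that subnet cannot match."""
    natted = first_match(nat_acl, src, dst) == "permit"
    seen_src = outside_ip if natted else src
    encrypted = first_match(crypto_acl, seen_src, dst) == "permit"
    return {"natted": natted, "src_seen_by_crypto": seen_src, "encrypted": encrypted}

# Copied from the thread: the original lists, then the fix, where the new
# list 106 denies (exempts) the VPN pair before the overload permit.
BEFORE = """
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 105 deny   ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255
"""
AFTER = """
access-list 104 permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 106 deny   ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 106 permit ip 192.168.1.0 0.0.0.255 any
"""

def demo() -> Dict[str, Dict[str, object]]:
    before, after = parse_access_lists(BEFORE, "ios"), parse_access_lists(AFTER, "ios")
    dialer0 = "203.0.113.7"  # constructed public address negotiated on Dialer0
    return {
        "before": ios_outbound(before["101"], before["104"], "192.168.1.10", "10.10.1.1", dialer0),
        "after": ios_outbound(after["106"], after["104"], "192.168.1.10", "10.10.1.1", dialer0),
        "internet": ios_outbound(after["106"], after["104"], "192.168.1.10", "198.51.100.20", dialer0),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:9s} {result}")
```

Running it prints one trace per case: with list 101 the packet for 10.10.1.1 leaves as the Dialer0 address and ACL 104 never matches it; with list 106 the deny entry exempts the 192.168.1.0/24 -> 10.10.0.0/16 pair from translation, 104 matches, and the packet is encrypted, while ordinary Internet traffic is still overloaded and never encrypted.  The model ignores ports, protocols and the route-map form of NAT exemption.  On the router itself, `show ip nat translations` (no entries for the VPN pair) and `show crypto ipsec sa` (rising encaps/decaps counters) confirm the same ordering.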
NutrientMS (asker)

That worked spot on!  Thanks for your help and for clearing that up for me.  On a separate issue, now on the ASA side, if I wanted to restrict their access to certain parts of our network, can I create an ACL for that particular network, or would I do it as part of the IPsec ACL (e.g. set it to deny, therefore not encrypting the traffic and stopping the flow)?

My ASA config for the Branch office VPN looks like (and is working for full access between the networks):
access-list inside_nat0_outbound line 4 extended permit ip 10.10.0.0 255.0.0.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list outside_cryptomap_30 extended permit ip 10.10.0.0 255.255.0.0 192.168.1.0 255.255.255.0
crypto map outside_map 30 set connection-type bidirectional
crypto map outside_map 30 set peer <branch peer ip>
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 30 set security-association lifetime seconds 28800 kilobytes 4608000
no crypto map outside_map 30 set nat-t-disable
no crypto map outside_map 30 set reverse-route
crypto map outside_map 30 set phase1-mode main
crypto map outside_map 30 set inheritance rule
crypto map outside_map interface outside


So say I had a server at 10.10.1.1 that I didn't want them to access, would I create an ACL for inbound from my Outside interface?
access-list outside_access_in extended deny ip 192.168.1.0 255.255.255.0 10.10.1.1 255.255.255.255
and apply that inbound on the outside interface?

Thanks guys.