Solved

Need help with Multiple Site-to-Site VPNs (BTB)

Posted on 2005-03-31
Last Modified: 2008-01-09
I have a PIX 515e firewall as my only exterior facing device. I run remote access VPNs for sales and IT staff through it, but I also use it for a site-to-site to a vendor (ESP-3DES-SHA). I was told to set up an additional site-to-site (I'll abbreviate, STS) with a different vendor (ESP-3DES-MD5). I have never built a VPN before, only adjusted the current one to allow additional traffic. So I am trying to build it using this book I have and examining the current config for the original STS VPN. The STS has to be ESP-3DES-MD5, and I was given a public IP (no mask provided) for the tunnel and a public IP (no mask provided) for the traffic once the tunnel is created. I am allowing only port 3389 for remote desktop.

1) I am having trouble creating an ACL for this traffic since I am not given any private IP addresses.
2) A crypto map is already created for the first STS, so how do I use this map with a different transform set.
3) Is there a specific order I have to go in to build this STS VPN? For example, does the ACL have to be in there before I can create the other pieces?

I am a rookie :(
Question by:Kjohnsting

14 Comments
LVL 7

Expert Comment

by:minmei
ID: 13685569
Rookie is ok :)

1) Me too - ask if they really want you to be using public addresses. (I've used them once before out of a billion (it seems) VPNs)


2) You enter a new crypto map entry, not a new crypto map, as in the following example:

crypto map vpn 35 ipsec-isakmp
crypto map vpn 35 match address outside_cryptomap_35
crypto map vpn 35 set pfs group2
crypto map vpn 35 set peer x.y.z.199
crypto map vpn 35 set transform-set 3destranssha

crypto map vpn 45 ipsec-isakmp
crypto map vpn 45 match address outside_cryptomap_45
crypto map vpn 45 set pfs group2
crypto map vpn 45 set peer x.y.z.293
crypto map vpn 45 set transform-set 3destransmd5


and then use different transforms like below:

crypto ipsec transform-set 3destranssha esp-3des esp-sha-hmac
crypto ipsec transform-set 3destransmd5 esp-3des esp-md5-hmac

3) Having the ACL first is good because sometimes when you build a crypto map without a match ACL it sends everything through the tunnel and messes you up until you reload the PIX.

Good luck!
0
 

Author Comment

by:Kjohnsting
ID: 13689922
Currently I have a STS VPN with a vendor and the following is part of that script:

access-list LDL_CRYPTO_ACL permit ip 172.16.1.0 255.255.255.0 172.16.9.240 255.255.255.240
access-list LDL_CRYPTO_ACL permit ip 192.168.1.0 255.255.255.0 172.16.9.240 255.255.255.240
access-list LDL_CRYPTO_ACL permit ip 10.87.1.0 255.255.255.0 172.16.9.240 255.255.255.240
access-list LDL_CRYPTO_ACL permit ip 172.16.9.240 255.255.255.240 10.87.1.0 255.255.255.0
access-list LDL_CRYPTO_ACL permit ip 10.87.39.0 255.255.255.0 172.16.9.240 255.255.255.240
access-list LDL_CRYPTO_ACL permit ip 172.16.9.240 255.255.255.240 10.87.39.0 255.255.255.0
access-list LDL_CRYPTO_ACL permit ip 172.28.0.0 255.255.0.0 172.16.9.240 255.255.255.240
access-list LDL_CRYPTO_ACL permit ip 172.16.9.240 255.255.255.240 172.28.0.0 255.255.0.0
static (inside,outside) tcp 172.16.9.241 3389 X_Server 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.16.9.241 ftp X_Server ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.16.9.241 ftp-data X_Server ftp-data netmask 255.255.255.255 0 0
static (inside,outside) 172.16.9.242 Z_Server netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.2.7 X_Server netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.2.11 Y_Server netmask 255.255.255.255 0 0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address HBS_CRYPTO_ACL
crypto map outside_map 10 set peer (public IP of peer)
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address (public IP of peer) netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 10
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800

What I was thinking to add in that new STS is the following:

access-list Protect permit ip (peer's public IP) 192.168.1.0 255.255.255.0
access-list SecondSTS_ACL permit udp (peer's public IP) host (our public ip) eq isakmp
access-list SecondSTS_Crypto_ACL permit udp (peer's public ip) host (our public IP) eq isakmp
access-list SecondSTS_Crypto_ACL permit ah (peer's public IP) host (our public IP)
access-list SecondSTS_Crypto_ACL permit esp (peer's public IP)  host (our public IP)
isakmp key (preshared key) address (peer's public IP)
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3DES
isakmp policy 30 hash MD5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
crypto ipsec transform-set RSA1 esp-md5-hmac esp-3des
crypto map SecondSTS_map 30 set peer (peer's public IP)      
crypto map SecondSTS_map 30 ipsec-isakmp
crypto map SecondSTS_map 30 set session-key
crypto map SecondSTS_map 30 match address SecondSTS_Crypto_ACL
crypto map SecondSTS_map 30 set transform-set SecondSTS_Crypto_ACL
crypto map SecondSTS_map 30 set pfs group2
crypto map SecondSTS_map 30 security-association seconds 86400

1) Do you see any issues with adding this to my running config?
2) I was given two public IPs to use: one ends in .225, the other ends in .1
    I was told one was for the tunnel (.225), the other for traffic (.1)
    Where should I put those in the script?
3) Also I have asked for a subnet mask of their public IP and they said I don't need it. So I have used 255.255.255.255 when a command craps out from not having a mask.

Thanks!
0
 
LVL 7

Expert Comment

by:minmei
ID: 13694482
Starting backwards...

3) Yes. If they give you a host, 255.255.255.255 specifies a host, not any kind of network.

2) If .225 is the tunnel endpoint, it becomes the (peer's public IP) in the above commands.

.1 would be the host for the traffic that needs to be tunneled.

All the commands need to fit in the existing crypto map. So no SecondSTS_map, but additional commands in the outside_map crypto entry.

Add the following...


isakmp key (preshared key) address (peer's public IP - .225)
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3DES
isakmp policy 30 hash MD5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400

crypto ipsec transform-set RSA1 esp-md5-hmac esp-3des

crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address SecondSTS_ACL
crypto map outside_map 20 set peer (public IP of peer - .225)
crypto map outside_map 20 set transform-set RSA1

access-list SecondSTS_ACL permit ip (your local IP net) (netmask) host (their public IP - .1)

You'll also have to add a line to whatever nat 0 ACL you are using.

0

Author Comment

by:Kjohnsting
ID: 13700089
1) I was able to enter everything you suggested, except when I entered:
crypto map outside_map 20 match address SecondSTS_ACL

It went through but I received the following:
"Warning: access-list has port selectors may have performance impact"

What does that mean? What should I do? Monitor CPU usage?

2) For the nat 0 ACL, I entered the following:
nat (inside) 0 access-list Protect

Does it look correct? I WAS able to enter it.
0
 
LVL 7

Expert Comment

by:minmei
ID: 13702988
Post the access list entry - it shouldn't have port selectors.

For the nat 0 ACL, it should be any traffic you do not want to nat - traffic to the first vpn site, traffic to the clients, traffic to the second vpn (.1).
All other traffic to the internet should be natted.

Post what you think that is and I'll check it.
0
 

Author Comment

by:Kjohnsting
ID: 13703140
Here is the output of "show Access-list"

access-list cached ACL log flows: total 3, denied 1 (deny-flow-max 1024)
            alert-interval 300
access-list inside-out; 1 elements
access-list inside-out line 1 permit ip any any log 6 interval 300 (hitcnt=620391)
access-list outside_access_in; 3 elements
access-list outside_access_in line 1 deny tcp any any log 6 interval 300 (hitcnt=70711)
access-list outside_access_in line 2 deny udp any any log 6 interval 300 (hitcnt=236)
access-list outside_access_in line 3 deny ip any any log 6 interval 300 (hitcnt=4534)
access-list workers_splitTunnelAcl; 1 elements
access-list workers_splitTunnelAcl line 1 permit ip 192.168.1.0 255.255.255.0 any (hitcnt=0)
access-list inside_outbound_nat0_acl; 2 elements
access-list inside_outbound_nat0_acl line 1 permit ip 192.168.1.0 255.255.255.0 192.1.1.0 255.255.255.128 (hitcnt=192553)
access-list inside_outbound_nat0_acl line 2 permit ip host (IP of Server_A) host (Peer's IP) (hitcnt=0)
access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 permit ip any 192.1.1.0 255.255.255.128 (hitcnt=138978)
access-list LDL_CRYPTO_ACL; 8 elements
access-list LDL_CRYPTO_ACL line 1 permit ip 172.16.1.0 255.255.255.0 172.16.9.240 255.255.255.240 (hitcnt=0)
access-list LDL_CRYPTO_ACL line 2 permit ip 172.16.9.0 255.255.255.0 172.16.9.240 255.255.255.240 (hitcnt=0)
access-list LDL_CRYPTO_ACL line 3 permit ip 10.87.1.0 255.255.255.0 172.16.9.240 255.255.255.240 (hitcnt=0)
access-list LDL_CRYPTO_ACL line 4 permit ip 172.16.9.240 255.255.255.240 10.87.1.0 255.255.255.0 (hitcnt=0)
access-list LDL_CRYPTO_ACL line 5 permit ip 10.87.39.0 255.255.255.0 172.16.9.24 0 255.255.255.240 (hitcnt=0)
access-list LDL_CRYPTO_ACL line 6 permit ip 172.16.9.240 255.255.255.240 10.87.39.0 255.255.255.0 (hitcnt=0)
access-list LDL_CRYPTO_ACL line 7 permit ip 172.28.0.0 255.255.0.0 172.16.9.240 255.255.255.240 (hitcnt=39)
access-list LDL_CRYPTO_ACL line 8 permit ip 172.16.9.240 255.255.255.240 172.28.0.0 255.255.0.0 (hitcnt=15749)
access-list dmz-in; 7 elements
access-list dmz-in line 1 permit icmp any host 192.168.2.7 echo (hitcnt=0)
access-list dmz-in line 2 permit tcp any host 192.168.2.7 eq 3389 (hitcnt=388)
access-list dmz-in line 3 permit tcp any host 192.168.2.11 eq ftp (hitcnt=6467)
access-list dmz-in line 4 permit tcp 192.168.2.0 255.255.255.0 object-group FTP host 192.168.2.11 object-group FTP log 6 interval 300
access-list dmz-in line 4 permit tcp 192.168.2.0 255.255.255.0 eq ftp-data host 192.168.2.11 eq ftp-data log 6 interval 300 (hitcnt=0)
access-list dmz-in line 4 permit tcp 192.168.2.0 255.255.255.0 eq ftp-data host 192.168.2.11 eq ftp log 6 interval 300 (hitcnt=0)
access-list dmz-in line 4 permit tcp 192.168.2.0 255.255.255.0 eq ftp host 192.168.2.11 eq ftp-data log 6 interval 300 (hitcnt=0)
access-list dmz-in line 4 permit tcp 192.168.2.0 255.255.255.0 eq ftp host 192.168.2.11 eq ftp log 6 interval 300 (hitcnt=0)
access-list  dynacl382; 1 elements
access-list  dynacl382 line 1 permit ip any host 192.1.1.97 (hitcnt=195)
access-list outside_cryptomap_30; 1 elements
access-list outside_cryptomap_30 line 1 permit ip host HBS_RiteRx host RSA (hitcnt=0)
access-list Protect; 1 elements
access-list Protect line 1 permit ip host (peer'sIP) 192.168.1.0 255.255.255.0 (hitcnt=0)
access-list RSA1_Crypto_ACL; 3 elements
access-list RSA1_Crypto_ACL line 1 permit esp host (peer's ip) host (my public IP) (hitcnt=0)
access-list RSA1_Crypto_ACL line 2 permit udp host (peer's ip) host (my public IP) eq isakmp (hitcnt=0)
access-list RSA1_Crypto_ACL line 3 permit ip host (IPof Server_A) host (peer's IP) (hitcnt=0)

As far as Nat 0 ACL, are you referring to part of what is posted above which reads:

access-list inside_outbound_nat0_acl; 2 elements
access-list inside_outbound_nat0_acl line 1 permit ip 192.168.1.0 255.255.255.0 192.1.1.0 255.255.255.128 (hitcnt=192553)
access-list inside_outbound_nat0_acl line 2 permit ip host (IP of Server_A) host (Peer's IP) (hitcnt=0)
0
 
LVL 7

Expert Comment

by:minmei
ID: 13703289
Yes - that's the ACL that you need to use in the :

nat (inside) 0 access-list inside_outbound_nat0_acl

command instead of protect.

0
 

Author Comment

by:Kjohnsting
ID: 13703314
But what about the "Warning: access-list has port selectors may have performance impact"?
0
 
LVL 7

Accepted Solution

by: minmei (earned 2000 total points)
ID: 13703371
Comments precede lines:

! to log outbound traffic - needs "access-group inside-out in interface inside" to make it work.

access-list inside-out; 1 elements
access-list inside-out line 1 permit ip any any log 6 interval 300 (hitcnt=620391)

! to stop all traffic inbound? hopefully not used.

access-list outside_access_in; 3 elements
access-list outside_access_in line 1 deny tcp any any log 6 interval 300 (hitcnt=70711)
access-list outside_access_in line 2 deny udp any any log 6 interval 300 (hitcnt=236)
access-list outside_access_in line 3 deny ip any any log 6 interval 300 (hitcnt=4534)

! split tunnel on the client VPN traffic - needs "vpngroup <groupname> split-tunnel workers_splitTunnelAcl"

access-list workers_splitTunnelAcl; 1 elements
access-list workers_splitTunnelAcl line 1 permit ip 192.168.1.0 255.255.255.0 any (hitcnt=0)

! traffic to _not_ use NAT on - network to network traffic not destined for a public internet address...

access-list inside_outbound_nat0_acl; 2 elements
access-list inside_outbound_nat0_acl line 1 permit ip 192.168.1.0 255.255.255.0 192.1.1.0 255.255.255.128 (hitcnt=192553)
access-list inside_outbound_nat0_acl line 2 permit ip host (IP of Server_A) host (Peer's IP) (hitcnt=0)

! leftover from PDM???

access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 permit ip any 192.1.1.0 255.255.255.128 (hitcnt=138978)

! existing VPN traffic match (don't need traffic both ways, just outbound)

access-list LDL_CRYPTO_ACL; 8 elements
access-list LDL_CRYPTO_ACL line 1 permit ip 172.16.1.0 255.255.255.0 172.16.9.240 255.255.255.240 (hitcnt=0)
access-list LDL_CRYPTO_ACL line 2 permit ip 172.16.9.0 255.255.255.0 172.16.9.240 255.255.255.240 (hitcnt=0)
access-list LDL_CRYPTO_ACL line 3 permit ip 10.87.1.0 255.255.255.0 172.16.9.240 255.255.255.240 (hitcnt=0)
access-list LDL_CRYPTO_ACL line 4 permit ip 172.16.9.240 255.255.255.240 10.87.1.0 255.255.255.0 (hitcnt=0)
access-list LDL_CRYPTO_ACL line 5 permit ip 10.87.39.0 255.255.255.0 172.16.9.24 0 255.255.255.240 (hitcnt=0)
access-list LDL_CRYPTO_ACL line 6 permit ip 172.16.9.240 255.255.255.240 10.87.39.0 255.255.255.0 (hitcnt=0)
access-list LDL_CRYPTO_ACL line 7 permit ip 172.28.0.0 255.255.0.0 172.16.9.240 255.255.255.240 (hitcnt=39)
access-list LDL_CRYPTO_ACL line 8 permit ip 172.16.9.240 255.255.255.240 172.28.0.0 255.255.0.0 (hitcnt=15749)

! dmz ACL

access-list dmz-in; 7 elements
access-list dmz-in line 1 permit icmp any host 192.168.2.7 echo (hitcnt=0)
access-list dmz-in line 2 permit tcp any host 192.168.2.7 eq 3389 (hitcnt=388)
access-list dmz-in line 3 permit tcp any host 192.168.2.11 eq ftp (hitcnt=6467)
access-list dmz-in line 4 permit tcp 192.168.2.0 255.255.255.0 object-group FTP host 192.168.2.11 object-group FTP log 6 interval 300
access-list dmz-in line 4 permit tcp 192.168.2.0 255.255.255.0 eq ftp-data host 192.168.2.11 eq ftp-data log 6 interval 300 (hitcnt=0)
access-list dmz-in line 4 permit tcp 192.168.2.0 255.255.255.0 eq ftp-data host 192.168.2.11 eq ftp log 6 interval 300 (hitcnt=0)
access-list dmz-in line 4 permit tcp 192.168.2.0 255.255.255.0 eq ftp host 192.168.2.11 eq ftp-data log 6 interval 300 (hitcnt=0)
access-list dmz-in line 4 permit tcp 192.168.2.0 255.255.255.0 eq ftp host 192.168.2.11 eq ftp log 6 interval 300 (hitcnt=0)

! ?????

access-list  dynacl382; 1 elements
access-list  dynacl382 line 1 permit ip any host 192.1.1.97 (hitcnt=195)

! new VPN site-to-site

access-list outside_cryptomap_30; 1 elements
access-list outside_cryptomap_30 line 1 permit ip host HBS_RiteRx host RSA (hitcnt=0)

! ???

access-list Protect; 1 elements
access-list Protect line 1 permit ip host (peer'sIP) 192.168.1.0 255.255.255.0 (hitcnt=0)

! could be on outside interface to let VPN in, but it's just as easy to use "sysopt connection permit-ipsec"

access-list RSA1_Crypto_ACL; 3 elements
access-list RSA1_Crypto_ACL line 1 permit esp host (peer's ip) host (my public IP) (hitcnt=0)
access-list RSA1_Crypto_ACL line 2 permit udp host (peer's ip) host (my public IP) eq isakmp (hitcnt=0)
access-list RSA1_Crypto_ACL line 3 permit ip host (IPof Server_A) host (peer's IP) (hitcnt=0)

Which is the new ACL?
0
 

Author Comment

by:Kjohnsting
ID: 13706223
The following is new:

access-list Protect
access-list RSA1_Crypto_ACL
access-list outside_cryptomap_30
access-list inside_outbound_nat0_acl line 2 permit ip host (IP of Server_A) host (Peer's IP) (hitcnt=0)
0
 
LVL 7

Expert Comment

by:minmei
ID: 13755514
Did it work? Anything else you have a question on?
0
 

Author Comment

by:Kjohnsting
ID: 13755607
The tunnel is up. But for some reason I can't get the return traffic to get out of the outside interface.
0
 
LVL 7

Expert Comment

by:minmei
ID: 13755629
Which is the return traffic? From the second site back into HQ? Post the latest config and I'll check it.
0
 

Author Comment

by:Kjohnsting
ID: 13756197
False alarm. I had to back out some of the changes a couple days ago because I lost connectivity to a remote client. So after that was settled I entered the lines back into my script but missed a couple. Most notably the NAT line:

access-list inside_outbound_nat0_acl line 2 permit ip host (IP of Server_A) host (Peer's IP)

Everything is up and tested! Thanks! I have awarded the points.

0
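The three points this thread turns on (a crypto map entry needs a match ACL or it matches everything, the crypto ACL should carry no port selectors, and the interesting traffic must be exempted in the nat 0 ACL) can be checked mechanically before a config is pasted in. The script below is an added example, not part of the thread or of any Cisco tool; the config fragment and the 203.0.113.x / 198.51.100.x addresses are constructed stand-ins, and the parser only understands the PIX 6.x line forms used in the thread.

```python
"""Consistency check for PIX 6.x-style site-to-site VPN fragments (added example, not the thread's
config; SAMPLE below is constructed with RFC 5737 documentation addresses in place of real peers)."""
import ipaddress

PORT_OPS = {"eq", "neq", "gt", "lt", "range"}

def _addr(t, i):
    # (network, next index) for 'any', 'host X' or 'X MASK' starting at token t[i]
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network((t[i], t[i + 1]), strict=False), i + 2

def parse_config(text):
    # Collect ACL permit entries, static crypto map entries and the nat 0 ACL name.
    acls, maps, nat0 = {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if len(t) > 5 and t[0] == "access-list" and t[2] == "permit":
            has_port = any(x in PORT_OPS for x in t[4:])
            src, i = _addr(t, 4)
            if t[i] in PORT_OPS:                       # skip a source-port selector
                i += 3 if t[i] == "range" else 2
            dst, _ = _addr(t, i)
            acls.setdefault(t[1], []).append((t[3], src, dst, has_port))
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3].isdigit() and "dynamic" not in t:
            entry = maps.setdefault((t[2], int(t[3])), {})   # one dict per static map entry
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
        elif t[:1] == ["nat"] and len(t) > 4 and t[2] == "0" and t[3] == "access-list":
            nat0 = t[4]
    return acls, maps, nat0

def check(text):
    # Return human-readable findings; an empty list means the fragments are consistent.
    acls, maps, nat0 = parse_config(text)
    exempt = acls.get(nat0, [])
    findings = []
    for (name, seq), entry in sorted(maps.items()):
        acl = entry.get("acl")
        if acl is None:
            findings.append(f"{name} {seq}: no 'match address' ACL, entry would match all traffic")
            continue
        for proto, src, dst, has_port in acls.get(acl, []):
            if has_port or proto != "ip":
                findings.append(f"{acl}: '{proto}' {src} -> {dst} has port/protocol selectors; use permit ip")
            if not any(src.subnet_of(s) and dst.subnet_of(d) for _, s, d, _ in exempt):
                findings.append(f"{acl}: {src} -> {dst} is not exempted by nat 0 ACL {nat0}")
    return findings

SAMPLE = """\
access-list SecondSTS_ACL permit ip 192.168.1.0 255.255.255.0 host 203.0.113.1
access-list RSA1_Crypto_ACL permit udp host 203.0.113.225 host 198.51.100.10 eq isakmp
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 host 203.0.113.1
crypto map outside_map 20 match address SecondSTS_ACL
crypto map outside_map 30 match address RSA1_Crypto_ACL
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
nat (inside) 0 access-list inside_outbound_nat0_acl
"""
```

Running `check(SAMPLE)` reports entry 40 (no match ACL) and two findings for RSA1_Crypto_ACL (port selector, no nat 0 exemption), while SecondSTS_ACL passes because its traffic is covered by the nat 0 ACL.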
Question has a verified solution.