Unusual VPN Setup

I'm having an issue deciphering the instructions below. I need to set up a VPN connection based on what you see. It would be a site-to-site, and that's fine normally, but the ACL part is giving me trouble. Once complete I should be able to ping the 192.168.50.x IPs from my internal network. The 172.24 IP is not ours, but that's how they distinguish one clinic from the other. In other words, I need to set this up so that all my internal traffic that is destined for this looks like it's coming from this 172.24 IP address. NAT over VPN, essentially. I'm sure it's not hard; I just have never done it. See the instructions I was given below.



Please provide the VPN parameters to your IT Professional for tunnel completion:

Our endpoint is: xx.xxx.xx.xxx

Our network is: 192.168.50.0 (255.255.255.0)

You will need to make ACL from 172.24.205.254 to host 192.168.50.83, 192.168.50.86, and 192.168.50.50

You will need to NAT interesting traffic to 172.24.205.0 255.255.255.0

Phase 1

Authentication: Pre-Shared

Encryption: 3DES

Hash: SHA

DH: 1

Lifetime: 86400 sec

Pre-shared Key: xxxxxxxx

Phase 2

ESP encryption 3DES

ESP authentication

Lifetime 28800

<Edited 05/16/2010 by SouthMod to remove IP info>
Asked by: Ironsides

batry_boy commented:
You need to implement policy NAT for this application.  See commands below:

object-group network remote-vpn-hosts
 network-object host 192.168.50.50
 network-object host 192.168.50.83
 network-object host 192.168.50.86
! Crypto ACL: on this pre-8.3 ASA it is checked after NAT, so it names the translated source
access-list cryptomap_acl extended permit ip host 172.24.205.254 object-group remote-vpn-hosts
! Policy NAT ACL: must match the real inside source (192.168.0.0/24 per the posted config),
! not the translated address, otherwise no inside traffic is ever translated or encrypted
access-list policy_nat_acl extended permit ip 192.168.0.0 255.255.255.0 object-group remote-vpn-hosts
global (outside) 10 172.24.205.254
nat (inside) 10 access-list policy_nat_acl
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address cryptomap_acl
crypto map outside_map 20 set peer xx.xxx.xx.xxx
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
tunnel-group xx.xxx.xx.xxx type ipsec-l2l
tunnel-group xx.xxx.xx.xxx ipsec-attributes
 pre-shared-key xxxxxxxxxx

The only part that is confusing to me are the statements:

"You will need to make ACL from 172.24.205.254 to host 192.168.50.83, 192.168.50.86, and 192.168.50.50"
and
"You will need to NAT interesting traffic to 172.24.205.0 255.255.255.0"

I'm assuming they are expecting any traffic that goes across the VPN tunnel to be sourced from 172.24.205.254, so that is how the policy NAT is configured in my example.  If this is not the case, the nat will have to be adjusted.

Ironsides (Author) commented:
That didn't seem to do it :( Sorry for the delay on this. I am going to post the config here, maybe you might see something out of place. Thanks a ton.

camelbackfh# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname camelbackfh
domain-name xxx.com
enable password DjGOaLXBWWiqnfoU encrypted
passwd DjGOaLXBWWiqnfoU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone MST -7
dns server-group DefaultDNS
 domain-name camelbackhealth.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network remote-vpn-hosts
 network-object host 192.168.50.50
 network-object host 192.168.50.83
 network-object host 192.168.50.86
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list Remote_splitTunnelAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Remote_splitTunnelAcl extended permit ip 192.168.0.0 255.255.255.0 192.169.0.0 255.255.255.0
access-list Remote1_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.169.0.0 255.255.254.0
access-list cryptomap_acl extended permit ip host 172.24.205.254 object-group remote-vpn-hosts
access-list Remote1_splitTunnelAcl_1 standard permit any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool Remote 192.169.0.100-192.169.1.120
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 10 172.24.205.254
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 access-list cryptomap_acl
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 100 set pfs group1
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address cryptomap_acl
crypto map outside_map 20 set peer xx.xxx.xx.xxx
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcprelay server 192.168.0.2 inside

webvpn
group-policy Remote1 internal
group-policy Remote1 attributes
 wins-server value 192.168.0.254
 dns-server value 192.168.0.254 192.168.0.254
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Remote1_splitTunnelAcl_1
 default-domain value camelback
username areed password CBx411WY0F4teDmvs/qHyw== nt-encrypted privilege 15
username ironsides password 7CmD8DTGVc5dOOxr encrypted privilege 15
tunnel-group xx.xxx.xx.xxx type ipsec-l2l
tunnel-group xx.xxx.xx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group Remote1 type ipsec-ra
tunnel-group Remote1 general-attributes
 address-pool Remote
 default-group-policy Remote1
tunnel-group Remote1 ipsec-attributes
 pre-shared-key *
no tunnel-group-map enable ike-id
tunnel-group-map default-group Remote1
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b44899caa92989e09b8f76b3b4fca43c
: end

batry_boy commented:
Looks OK...what does the output of the commands "sh cryp is sa" and "sh cryp ip sa" look like?
Ironsides (Author) commented:
camelbackfh# sh cryp is sa

There are no isakmp sas
camelbackfh# sh cryp ip sa

There are no ipsec sas
camelbackfh#
Ironsides (Author) commented:
Dude you were sooo close to dead on here. There was only one line of config that was off. The fix was to add a line to the crypto_map that allows access from my internal to their internal ip range. I'm still giving you props.

THANK YOU!!!
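To make the two fixes discussed in this thread concrete (batry_boy's policy NAT and the extra inside-to-remote line Ironsides added), here is an added Python model, not ASA code and not from either poster, of how a pre-8.3 ASA handles one inside packet: policy NAT runs first, then the crypto map ACL is checked against the translated packet. It models only the policy NAT ACL and the crypto ACL (no nat 0 exemption, 'permit ip' entries only); the inside host 192.168.0.10 is a constructed address within the posted inside network.

```python
"""Constructed model of pre-8.3 ASA policy NAT followed by the crypto map check."""
from ipaddress import ip_address, ip_network

REMOTE_HOSTS = [ip_network(h) for h in ("192.168.50.50/32", "192.168.50.83/32", "192.168.50.86/32")]
INSIDE_NET = ip_network("192.168.0.0/24")        # inside VLAN from the posted config
NAT_ADDRESS = ip_address("172.24.205.254")        # global (outside) 10 172.24.205.254


def expand(src_nets, dst_nets):
    """Flatten 'permit ip <src> object-group <dst>' into (src, dst) pairs."""
    return [(s, d) for s in src_nets for d in dst_nets]


def acl_permits(acl, src, dst):
    return any(src in s and dst in d for s, d in acl)


# As posted: the crypto ACL names the translated source 172.24.205.254.
CRYPTOMAP_ACL = expand([ip_network("172.24.205.254/32")], REMOTE_HOSTS)
# A policy NAT ACL that matches the real inside source.
POLICY_NAT_ACL = expand([INSIDE_NET], REMOTE_HOSTS)


def forward(src, dst, policy_nat_acl, crypto_acl):
    """Return (source seen on the outside, whether the crypto map claims the packet)."""
    src, dst = ip_address(src), ip_address(dst)
    xlated = NAT_ADDRESS if acl_permits(policy_nat_acl, src, dst) else src
    return str(xlated), acl_permits(crypto_acl, xlated, dst)


def compare(src="192.168.0.10", dst="192.168.50.83"):  # constructed inside host
    """Three variants of the thread's configuration for one inside -> remote packet."""
    return {
        # nat (inside) 10 access-list cryptomap_acl: the ACL never matches an inside source,
        # so nothing is translated, nothing matches the crypto map, and no SA is ever built
        "as_posted": forward(src, dst, CRYPTOMAP_ACL, CRYPTOMAP_ACL),
        # separate policy NAT ACL carrying the real inside source
        "separate_nat_acl": forward(src, dst, POLICY_NAT_ACL, CRYPTOMAP_ACL),
        # Ironsides' fix: an inside -> remote line appended to cryptomap_acl, used for both
        "inside_line_added": forward(src, dst, CRYPTOMAP_ACL + POLICY_NAT_ACL,
                                     CRYPTOMAP_ACL + POLICY_NAT_ACL),
    }


if __name__ == "__main__":
    for name, (outside_src, encrypted) in compare().items():
        print(f"{name:18s} outside source={outside_src:15s} encrypted={encrypted}")
```

The "as_posted" row is the state behind "There are no isakmp sas": with no interesting traffic matching the crypto map, phase 1 is never even attempted.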
Ironsides (Author) commented:
I finally got it but you got me 99% of the way so thank you!!
batry_boy commented:
Glad to help...
BlackDogSC commented:
Hi batry_boy,
I am assuming that this setup is for the EMDs SureScripts system; one of my clients is a doctor's office who also uses EMDs, and they recently asked me to set up this same VPN connection from their office to the EMDs SureScripts system. Unfortunately I have no Cisco knowledge, and I was wondering if you could repost the configuration for the Cisco unit with the "crypto_map" addition that was noted above by Ironsides so I could get them up and running.
bhrenyo commented:
Ironsides and Batry_boy,

Can you share the addition that is mentioned with regards to the crypto map? I'm following along using this example, setting up the VPN for a customer trying to set up a connection to the same vendor.

My "show crypto isakmp stats" and "show crypto ipsec stats" show that nothing is happening. It doesn't even look like any phase 1 negotiation is going on.

When I look at the "show nat" command it doesn't look like I have things nat'd correctly.  

This is my first attempt at this with the Cisco.  I've done this many times with another router and I'm trying to translate my knowledge from one to another.

Thanks.
Chuck.
PTSMN commented:
Can someone post a working config so we can compare?