VPN setup with DIP cisco ASA 5505

Sanga Collins
Hello EE

New to Cisco, coming from an all-Juniper environment for the last 5 years. I need to create a VPN connection to a govt agency for several services that my company subscribes to. On paper I know exactly what I need to do, but in Cisco ASDM I have no clue where I am going ... and I am too green for the command line (but willing to try).

(IP addresses changed to protect the victim's identity :)

Remote site:
Public IP 67.67.67.67
Source NAT: 10.99.47.0/24
Encryption --> 3DES with group2
Integrity --> SHA1
Transform --> ESP-3DES-SHA
pre-shared-key: 123456789
IKE key Xchange --> 3DES with group 2
IKE SA lifetime 8 hours

Remote IPs I need access to:

service1: 32.32.32.7 port 23111
service2: 32.32.32.35 port 992
service3: 69.69.69.69 port 22
service4: 32.32.32.34 port 9964
service5: 157.157.157.7 port 21
service6: 32.32.32.67 port 21
service7: 199.199.199.184 port 22

I was able to use the VPN wizard in ASDM to get the basics of the VPN setup. I was stuck on a bunch of things, listed below:

After creating the first VPN, how do I specify multiple remote IPs to connect to through the tunnel? I can't create more than one VPN pointing to the same remote IP like I can on the Juniper.

Do the port values of the services need to be addressed anywhere in the VPN connection?

My LAN is 10.10.1.1/24, but the source subnet has to be 10.99.47.0/24 or the traffic will be dropped by the remote site. How do I create a DIP pool so that clients on the 10.10.1.1 network, and also about 40 other subnets behind the Cisco LAN, get NATed to an IP from the source pool?

How do I tell if I am successful with setting up the VPN? In ASDM I go to the Monitoring tab and it doesn't show me whether it's working or not, or even exists to begin with.


I have so many more questions, but I'll start with these, then probably create more posts linked back to this one, coz this is def more than a 500pt project I've got on my hands. Also let me know what info you might need from my device. I don't like just posting the config unless someone really needs it.

Thanks
John Meggers, Network Architect
Commented:
Any traffic that matches your interesting-traffic ACL will be encrypted through the tunnel.  Not sure what you mean about "can't create more than one VPN pointing to the same remote IP" -- between only two peers you create a single VPN.  If you need to encrypt traffic from the remote LAN network to the service IPs you listed, that's what you put in your ACL.  

I'm confused by the 10.99.47.0 subnet.  At the beginning you indicate that's the remote LAN but then you say "the source subnet has to be 10.99.47.0/24 or the traffic will be dropped by the remote site."  Maybe a diagram would help.

You can create a NAT pool of addresses and NAT your internal addresses to the NAT pool.

nat (inside) 1 10.10.1.0 255.255.255.0
global (outside) 1 10.99.47.2-10.99.47.199  <== NAT address pool
global (outside) 1 10.99.47.200    <== will PAT when it runs out of NAT addresses in the pool

To see if the VPN is up, look at "show crypto isakmp sa" and "show crypto ipsec sa" on the CLI.  If it's not showing up in ASDM, chances are it's not completely configured.

There's more work to do, so post any configs you have and we can help you work through it.

Author

Commented:
I'll post full details, like the config, when I get to work tomorrow, but just to answer your specific questions:

- Create more than one VPN: while completing the wizard I had to specify the remote LAN IP (1 of the seven services). I couldn't see an obvious way to specify more than one remote LAN IP, so I tried to create multiple VPNs connected to the remote WAN IP, and got an error message that I couldn't do that.

- 10.99.47.0/24 was not specified as the remote LAN. The seven services are the remote LAN IPs I need to connect to. 10.99.47.0/24 is what they specified my source IP should be, hence needing the DIP pool to translate my LAN to 10.99 ... before sending traffic.

When I get to work I'll get the rest of the info you need and post the config.

Thanks!

Author

Commented:
Here is a copy of my running config attached. And below are the results of the commands you asked me to run. From the results I can see that I am nowhere near where I need to be to get this running.

I guess what I'd like to do is get the VPN up and running first before I worry about multiple remote LANs and/or DIP pools and PAT.

The result of the command: "show crypto isakmp sa"
There are no isakmp sas

Result of the command: "show crypto ipsec sa"
There are no ipsec sas


asa5505.txt

Network Architect
Commented:
Sorry I haven't gotten back to this.  IPSec is one of those things that really helps to see both sides, so if you have a config for the remote end that might help too.  If the remote-site config isn't correct the tunnel won't come up and traffic won't flow.

In general your crypto config looks ok to me, but your static NAT statement is confusing, what with the object groups.  I'd suggest not using the object groups -- especially when there's only one member in the group -- plus the syntax of the command isn't correct.  It should be "static (inside,outside) <outside_global> <inside_local> netmask <mask>".  The syntax you're using looks more like what you'd see in IOS.

I've never actually configured what it sounds like you're trying to do (NAT internal addresses to another internal address and then put that through the tunnel), but let's try the following and see if it works.

static (inside,outside) 10.99.47.0 10.10.1.0 netmask 255.255.255.0

Your crypto ACL and the rest of the crypto configuration looks good.

One thing you have to think about is excluding your VPN traffic from dynamic NAT, and I'm not certain how it will work in this instance.  Typically, if your VPN was from 10.10.1.0, you would do something like the following:

nat (inside) 1 10.10.1.0 255.255.255.0
global (outside) 1 <either interface or dynamic pool>
access-list no-nat permit ip 10.10.1.0 255.255.255.0 <VPN_destination> <mask>
nat (inside) 0 access-list no-nat

Which basically says "NAT all the 10.10.1.0 subnet when going to the Internet, but not if it's going to the LAN on the other side of the VPN."

So in your case you probably want to do something like the following:

nat (inside) 1 10.10.1.0 255.255.255.0
global (outside) 1 interface
access-list no-nat permit ip 10.99.47.0 255.255.255.0 host 32.90.100.7
nat (inside) 0 access-list no-nat

I honestly don't know if it will work or not, but the ASA should do outbound NAT before it does outbound encryption, so maybe it will.  

Regarding bringing up the tunnel, remember the tunnel won't connect until there's traffic that matches the ACL (10.99.47.0/24 to host 32.90.100.7).  But once you've tried to generate traffic that matches that, you should be able to see at least ISAKMP try to establish the connection.  You can do "debug crypto isakmp" and "debug crypto ipsec" to see what's happening.

Author

Commented:
Hi jmeggers.

Apart from one minor config issue, I was able to get this all sorted out.

--> The first problem was with the VPN tunnel missing PFS

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 67.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

--> Also, since I was connecting to multiple remote IP addresses, I had to specify an object-group as the destination LAN. This was then configured as the destination in the access-list.

access-list outside_1_cryptomap extended permit ip object 10.99.47.0_DIP object-group IvansLime

object-group network IvansLime
 network-object host 157.154.96.7
 network-object host 199.97.32.184
 network-object host 32.77.242.3
 network-object host 32.90.100.7
 network-object host 32.90.117.34
 network-object host 32.90.221.67
 network-object host 32.90.234.35

--> Since my source IP for the VPN had to be from the range 10.99.47.0/24, I created a couple of Network Object NAT rules to handle all my local LANs (10.0.0.0/8 and 192.168.0.0/16) and translate them to the range required to send traffic through the VPN. On Junipers, where I have years of experience, this is also called Proxy-ID with a DIP pool.

object network obj-10.10.1.0_24
 subnet 10.10.1.0 255.255.255.0
 description Source NAT address pool
object network 10.99.47.0_DIP
 range 10.99.47.2 10.99.47.99
object network obj-10.10.1.254
 host 10.10.1.254
object network obj-10.0.0.0_8
 subnet 10.0.0.0 255.0.0.0
object network obj-192.168.0.0_16
 subnet 192.168.0.0 255.255.0.0

object network obj_any
 nat (inside,outside) dynamic interface
object network obj-10.10.1.254
 nat (inside,outside) dynamic 10.99.47.0_DIP
object network obj-10.0.0.0_8
 nat (inside,outside) dynamic 10.99.47.0_DIP
object network obj-192.168.0.0_16
 nat (inside,outside) dynamic 10.99.47.0_DIP

Author

Commented:
The only thing I was unable to do: traffic from the LAN of the Cisco (10.10.1.0/24), when translated, all goes out the VPN. I would like it to only go out the VPN if its destination is one of the IPs in the group IvansLime.

This is not so critical, since the Cisco was purchased just for creating this VPN. It would be nice to have though, since I could use that network in my office for other minor things like testing environments etc.

Either way, thanks for the help. It wasn't a direct answer, but you gave me enough ammo to figure things out pretty quickly after that.

Author

Commented:
I included my comment as part of the solution since it has the final working config for future EE users to reference.

:)
John Meggers, Network Architect

Commented:
Let me see your config as it stands right now.  We should be able to control what goes through the VPN and what goes out without being encrypted.

John
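The open item above (all translated 10.10.1.0/24 traffic going into the tunnel instead of only the IvansLime destinations) is the classic policy-NAT case on ASA 8.3+: a manual (twice) NAT rule that translates into the DIP pool only when the destination is in IvansLime, with the blanket object-NAT rules removed. This is an added example, not config from either poster; the object and group names are the ones posted above, and the interface names (inside/outside), the 203.0.113.10 test address and the local-lans group are assumptions.

```cisco
! Added example (not from the thread). Objects and the IvansLime group reuse the
! names posted above; interface names and the local-lans group are assumed.
object network 10.99.47.0_DIP
 range 10.99.47.2 10.99.47.99
object network obj-10.0.0.0_8
 subnet 10.0.0.0 255.0.0.0
object network obj-192.168.0.0_16
 subnet 192.168.0.0 255.255.0.0
object-group network local-lans
 network-object object obj-10.0.0.0_8
 network-object object obj-192.168.0.0_16

! 1. Drop the blanket object-NAT rules: they put every flow into the pool, so every
!    flow matched the crypto ACL and went into the tunnel.
object network obj-10.0.0.0_8
 no nat (inside,outside) dynamic 10.99.47.0_DIP
object network obj-192.168.0.0_16
 no nat (inside,outside) dynamic 10.99.47.0_DIP

! 2. Manual NAT (section 1) is evaluated before object NAT (section 2), so this rule
!    wins for VPN destinations. "destination static IvansLime IvansLime" is an identity
!    translation: the destination is left untouched, it only qualifies the rule.
nat (inside,outside) source dynamic local-lans 10.99.47.0_DIP destination static IvansLime IvansLime

! 3. Everything else keeps the catch-all PAT to the outside interface (section 2).
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

! 4. Crypto ACL stays keyed on the translated source and the IvansLime group, so only
!    flows that hit rule 2 are interesting traffic for the tunnel.
access-list outside_1_cryptomap extended permit ip object 10.99.47.0_DIP object-group IvansLime

! Verify from the CLI: the first trace should show the manual NAT rule and VPN
! encryption, the second should show interface PAT and no VPN phase at all.
packet-tracer input inside tcp 10.10.1.50 12345 32.90.100.7 23111
packet-tracer input inside tcp 10.10.1.50 12345 203.0.113.10 443
show nat detail
```

"show nat detail" lists the rules by section with hit counts, which is the quickest way to confirm that Internet-bound flows are no longer consuming addresses from the DIP pool.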
