Solved

Router to ASA to another ASA via IPSec, oh my.

Posted on 2011-03-20
Last Modified: 2012-05-11
I want to add our new warehouse via IPSEC to our main office.  I purchased 2 ASA 5505 Security Plus devices.  I am a newbie on router configs, I'm hoping someone can help.

Here is the layout (I've changed the real IP numbers to protect the innocent):


Warehouse ASA 5505
Inside interface 10.10.201.0/24
ASA Outside interface 99.99.111.194 gw 99.99.111.193


HeadQuarters ASA 5505
Inside Interface 10.10.101.0/24
ASA Outside 99.99.115.98 gw 99.99.115.97


The HeadQuarters' ASA is linked to an HP Switch on an Untagged port to a Linux box (our Main router).  This main router handles various VLANs among them:  10.10.10.0/24 for our main LAN (PCs, Macs, and Linux), and 10.10.11.0/24 for our IP Phone system.

I am trying to get the following working:

1) an IPSec connection going between the ASA's,
2) Have the Warehouse network be able to communicate to the 10.10.10.0/24 and 10.10.11.0/24 networks at HQ and vice versa.

I seem to have parts of it working, but I'm at a point where I'm confusing myself.  My big questions are:

How do I set up a route on my linux router to route traffic for the warehouse?  I believe I need to add a route on the linux router and something on the HQ ASA, but I don't know what exactly.
How do I configure the ASA's to properly route the 10.10.10.0/24 and 10.10.11.0/24 networks back and forth?

Below are the configs for both the Warehouse and HQ ASAs.

Warehouse ASA
: Saved
:
ASA Version 8.2(1) 
!
hostname warehouseasa
enable password AAP1/sAp encrypted
passwd AAP1/sAN.COnyiHp encrypted
names
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 99.99.111.194 255.255.255.252 
!
interface Vlan3
 nameif fc_network
 security-level 100
 ip address 10.10.201.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
access-list 100 extended permit ip 10.10.201.0 255.255.255.0 10.10.101.0 255.255.255.0 
access-list nonat extended permit ip 10.10.201.0 255.255.255.0 10.10.101.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu fc_network 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (fc_network) 0 access-list nonat
nat (fc_network) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 99.99.111.193 1
route outside 10.10.101.0 255.255.255.0 99.99.111.193 1
route outside 99.99.115.96 255.255.255.248 99.99.111.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 99.99.115.98 255.255.255.255 outside
http 10.10.201.0 255.255.255.0 fc_network
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 99.99.115.98 
crypto map outside_map 20 set transform-set AES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 50
telnet 99.99.115.98 255.255.255.255 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.10.201.10-10.10.201.20 fc_network
dhcpd dns 99.99.108.2 99.99.108.20 interface fc_network
dhcpd enable fc_network
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username mike password IBb./RYIzFdg6Rbt encrypted privilege 15
tunnel-group 99.99.115.98 type ipsec-l2l
tunnel-group 99.99.115.98 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:6459256c60ba850119a98efdc9d1a741
: end
no asdm history enable



HQ ASA
: Saved
:
ASA Version 8.2(1) 
!
hostname hqasa
enable password 8sVZztDrC encrypted
passwd 5fFQnKYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.101.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 99.99.115.98 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
access-list 100 extended permit ip 10.10.101.0 255.255.255.0 10.10.201.0 255.255.255.0 
access-list nonat extended permit ip 10.10.101.0 255.255.255.0 10.10.201.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 99.99.115.97 1
route outside 10.10.201.0 255.255.255.0 99.99.115.97 1
route outside 99.99.111.192 255.255.255.252 99.99.115.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.10.101.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 99.99.111.194 
crypto map outside_map 20 set transform-set AES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 15
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto isakmp nat-traversal 50
telnet 192.168.1.0 255.255.255.0 inside
telnet 10.10.101.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username sijacic password TK8rxrWwNpZGwiKB encrypted privilege 15
tunnel-group 99.99.111.194 type ipsec-l2l
tunnel-group 99.99.111.194 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:488dcffa71908f4c37221b0f1dca3b82
: end
no asdm history enable


Question by:sijacic
9 Comments
 
LVL 24

Expert Comment

by:rfc1180
ID: 35176158
How do I set up a route on my linux router to route traffic for the warehouse?  I believe I need to add a route on the linux router and something on the HQ ASA, but I don't know what exactly.
How do I configure the ASA's to properly route the 10.10.10.0/24 and 10.10.11.0/24 networks back and forth?


Not sure if the Linux box needs a route, there are a few things that are not clear; is the Linux router Natting the 10.10.10.0 and/or the 10.10.11.0 networks? Does the Linux box have any type of IP Tables, etc? Do you have a network diagram that outlines the networks on both ends? Are the ASA specifically for the IPSEC tunnels (Meaning you have a dedicated connection for IPSEC)?

Billy

Author Comment

by:sijacic
ID: 35176280
Here is some more information on the linux router.  It hosts several vlan networks.  In addition to the internal networks of 10.10.10.0 and 10.10.11.0 (each setup as a separate vlan), it has a vlan for its connection to the Internet (using a different IP address than the one used by the HQ ASA).

I do have several routes setup on the linux box...

to NAT traffic from 10.10.10.0 going to the main Internet connection
from 10.10.10.0 to 10.10.11.0 for IP phone desktop management

Here is the ip route table
99.99.120.224/29 dev vlan2  scope link  src 99.99.120.226
10.10.101.0/24 via 10.10.101.2 dev vlan101  scope link
10.10.101.0/24 dev vlan101  scope link
10.10.201.0/24 via 10.10.101.2 dev vlan101  scope link
10.10.10.0/24 dev vlan1  scope link  src 10.10.10.1
10.10.11.0/24 dev vlan4  scope link  src 10.10.11.1
default via 99.99.120.225 dev vlan2

And yes, I guess the IPSEC tunnels are dedicated.  The warehouse should not be going through IPSEC to access the general internet.

Mike  
LVL 24

Expert Comment

by:rfc1180
ID: 35176320
You have not stated that you are natting on the linux box for the 10.10.10/11.0 networks to 10.10.101.0/24. If that is the case, you will need to add the networks to the nonat ACLs for these networks.

warehouse asa:

access-list nonat extended permit ip 10.10.201.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 10.10.201.0 255.255.255.0 10.10.11.0 255.255.255.0

HQ ASA:

access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.10.201.0 255.255.255.0
access-list nonat extended permit ip 10.10.11.0 255.255.255.0 10.10.201.0 255.255.255.0

Billy

Author Comment

by:sijacic
ID: 35176992
Sorry... no, I do not want NAT on the ASAs for 10.10.10.0, 10.10.11.0, 10.10.101.0, or 10.10.201.0.

I added the access-lists for nonat of the traffic as you stated.

I can ping from the inside network of HQ (10.10.101.0) to the inside network of the Warehouse ASA (10.10.201.8) and vice versa.

However, when I do a tracert from the 10.10.201.8 to 10.10.10.3, it is unreachable.

I have the 10.10.10.0 and 10.10.11.0 in the crypto map as protected traffic on the WareHouse ASA.

Do I need to config anything on the HQ ASA to do something with the 10.10.10.0 and 10.10.11.0 traffic?

Mike

Author Comment

by:sijacic
ID: 35177068
Here is a diagram to better illustrate the overall challenge.
-Mike

(Attachment: Network Diagram HQ Warehouse)

Author Comment

by:sijacic
ID: 35178029
I notice I get the following message in the log on the HQ ASA when I try to access the 10.10.10.0 network.

3 Mar 20 2011 18:28:11 713061 Group = 99.99.111.194, IP = 99.99.111.194, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.10.201.0/255.255.255.0/0/0 local proxy 10.10.10.0/255.255.255.0/0/0 on interface outside

LVL 28

Accepted Solution

by:
asavener earned 500 total points
ID: 35193291
Your access lists reference network 10.10.101.0/24, but they do not reference 10.10.10.0/24.

You need to add these lines:

Warehouse:

access-list 100 extended permit ip 10.10.201.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 100 extended permit ip 10.10.201.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list nonat extended permit ip 10.10.201.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 10.10.201.0 255.255.255.0 10.10.11.0 255.255.255.0

Headquarters:

access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.10.201.0 255.255.255.0
access-list 100 extended permit ip 10.10.11.0 255.255.255.0 10.10.201.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.10.201.0 255.255.255.0
access-list nonat extended permit ip 10.10.11.0 255.255.255.0 10.10.201.0 255.255.255.0

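The mismatch the accepted answer fixes, and the nonat exemption rfc1180 raised earlier, as an added example that is not part of this thread: a small Python checker that parses the crypto ACL of each ASA (the ACL lines and the 713061 log text are the ones quoted in the question; the function names are my own), reports entries that have no mirror image on the peer, and maps the 713061 message to the exact line the HQ ASA is missing. Pass name="nonat" to check the NAT-exemption ACLs the same way.

```python
"""Mirror-check two ASA site-to-site crypto ACLs and explain a 713061 log line.

Added example; constructed sample input taken from the thread's configs,
showing the state after the Warehouse ACL was extended but before the HQ ACL was."""
import re
from ipaddress import IPv4Network

WAREHOUSE_ACL = """
access-list 100 extended permit ip 10.10.201.0 255.255.255.0 10.10.101.0 255.255.255.0
access-list 100 extended permit ip 10.10.201.0 255.255.255.0 10.10.10.0 255.255.255.0
"""
HQ_ACL = """
access-list 100 extended permit ip 10.10.101.0 255.255.255.0 10.10.201.0 255.255.255.0
"""
# ASDM log text exactly as the asker quoted it from the HQ ASA.
SYSLOG = ("Group = 99.99.111.194, IP = 99.99.111.194, Rejecting IPSec tunnel: "
          "no matching crypto map entry for remote proxy 10.10.201.0/255.255.255.0/0/0 "
          "local proxy 10.10.10.0/255.255.255.0/0/0 on interface outside")

ACL_RE = re.compile(r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
PROXY_RE = re.compile(r"remote proxy (\S+)/(\S+)/\d+/\d+ local proxy (\S+)/(\S+)/\d+/\d+")

def parse_crypto_acl(text, name="100"):
    """Return the set of (local_net, remote_net) pairs in the named ACL."""
    pairs = set()
    for m in ACL_RE.finditer(text):
        if m.group(1) == name:
            pairs.add((IPv4Network(f"{m.group(2)}/{m.group(3)}"),
                       IPv4Network(f"{m.group(4)}/{m.group(5)}")))
    return pairs

def missing_mirrors(side_a, side_b):
    """Entries on side_a with no (remote, local) mirror on side_b.
    Each one is a proxy ID side_b will reject with 713061 when side_a initiates."""
    return {(l, r) for (l, r) in side_a if (r, l) not in side_b}

def explain_713061(line, local_acl):
    """Return the ACL line the logging ASA lacks for this proxy pair,
    or None when its crypto ACL already covers the pair."""
    m = PROXY_RE.search(line)
    if not m:
        raise ValueError("not a 713061 proxy-mismatch line")
    remote = IPv4Network(f"{m.group(1)}/{m.group(2)}")
    local = IPv4Network(f"{m.group(3)}/{m.group(4)}")
    if (local, remote) in local_acl:
        return None
    return (f"access-list 100 extended permit ip {local.network_address} "
            f"{local.netmask} {remote.network_address} {remote.netmask}")
```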
LVL 68

Expert Comment

by:Qlemo
ID: 35496529
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.