VPN with Cisco

I need to set up a VPN from HQ to 2 branch offices; below is the equipment which I have:

Cisco ASA 5510, Router 2800 at HQ,

2800, Branch 1

2800, Branch 2

There will be clients logging in from the branch offices who are members of Active Directory and who also check mail and a database. Can somebody point me to a config I should be using? Please post as much help as possible.

Many thanks,
skywalker7Asked:
MikeKaneCommented:
OK.... So on the ASA, you need to change the nonat and crypto ACLs so that all IPs are nonat'd and encrypted.


These:
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 site1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 site1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 site2 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.2.0 255.255.255.0 site2 255.255.255.0


Should turn into these:
access-list outside_1_cryptomap extended permit ip 0.0.0.0 0.0.0.0 site1 255.255.255.0
access-list inside_nat0_outbound extended permit ip  0.0.0.0 0.0.0.0 site1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 0.0.0.0 0.0.0.0 site2 255.255.255.0
access-list outside_2_cryptomap extended permit ip 0.0.0.0 0.0.0.0 site2 255.255.255.0



Then on the Routers (example):
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 any


becomes:
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 110 deny   ip 192.168.3.0 0.0.0.255 any
access-list 110 permit ip 192.168.3.0 0.0.0.255 any
<--- this one is not needed, but ACLs are evaluated from top to bottom, so it doesn't hurt
 
skywalker7Author Commented:
Thanks for the answer, I will read the how-tos and get back. Have you tried to do this?

Thanks,
 
skywalker7Author Commented:
I went through the examples, but I am looking for a slightly different scenario: internet will be provided at HQ, and the branch offices need to connect to HQ and then be able to browse the internet from there, not directly. How would this be possible?

thanks a lot for the help.
 
MikeKaneCommented:
The nonat and crypto ACLs determine what subnets are encrypted over the VPN. If you want to tunnel all traffic, then you nonat and tunnel "any any". But you normally wouldn't do this unless you wanted all traffic to go through the HQ for some reason. If you want only certain subnets for VPN, then just include those subnets in the nonat and crypto ACLs.
 
skywalker7Author Commented:
Hello MikeKane,

Below is my config on the ASA and the router 2800. Can you help me with the rules, as they want all traffic to come to HQ and then be routed to the internet?

Thanks a lot !

ASA 5510

ASA Version 8.0(4)
!

name 192.168.3.0 site1
name 192.168.4.0 site2
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.100 255.255.255.0
!
!
ftp mode passive
same-security-traffic permit intra-interface
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 site1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 site1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 site2 255.255.255.0
access-list 100 extended permit ip any any
access-list outside_2_cryptomap extended permit ip 192.168.2.0 255.255.255.0 site2 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.2.0 255.255.255.0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA2 esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_map 1 set security-association lifetime seconds 28800
crypto dynamic-map outside_map 1 set security-association lifetime kilobytes 460800
crypto dynamic-map outside_map 2 set security-association lifetime seconds 28800
crypto dynamic-map outside_map 2 set security-association lifetime kilobytes 460800
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer site1.0
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer site2.0
crypto map outside_map 2 set transform-set ESP-DES-SHA2
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
!
tunnel-group site1.0 type ipsec-l2l
tunnel-group site1.0 ipsec-attributes
 pre-shared-key *
tunnel-group site2.0 type ipsec-l2l
tunnel-group site2.0 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
: end


Cisco 2800
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname site1
!
boot-start-marker
boot system flash c2800nm-advipservicesk9-mz.124-15.T9.bin
boot-end-marker
!
no logging buffered
!
no aaa new-model
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.3.90 192.168.3.100
!
ip dhcp pool site1
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.100
   domain-name local
   dns-server 192.168.2.1
   lease 7
!
!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm
!
crypto pki trustpoint TP-self-signed-3572137493
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3572137493
 revocation-check none
 rsakeypair TP-self-signed-3572137493
!
!
archive
 log config
  hidekeys
!
!
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key test address hq.0
!
!
crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to HQ1.0
 set peer hq1.0
 set transform-set ASA-IPSEC
 match address 100
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 2.3.4.5 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
 ip address 192.168.3.100 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ISPgateway
!
!
ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 any
!
!
!
route-map nonat permit 10
 match ip address 110
!
control-plane

!
end
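Putting MikeKane's ACL changes together with the configs posted above, this is what a full-tunnel setup ("all branch traffic goes to HQ, then out to the internet") looks like on both ends. It is an added example, not config from this thread or from Cisco; it assumes the addressing in the posted configs (HQ LAN 192.168.2.0/24, site1 192.168.3.0/24, site2 192.168.4.0/24, pre-8.3 NAT syntax on ASA 8.0(4), IOS 12.4(15)T on the 2800s) and uses the placeholders SITE1_PEER, SITE2_PEER and HQ_PEER for the public peer addresses. Three things the ACL rewrite alone does not cover: branch internet traffic arrives on the ASA's outside interface and must leave through that same interface, which needs `same-security-traffic permit intra-interface` (already present in the posted config) plus a `nat (outside)` PAT rule for the branch subnets; the posted tunnels negotiate DES with DH group 1 and the router uses the pre-shared key `test`, all of which are weak, so the example uses AES-256 / SHA-1 / DH group 5 (supported on both platforms, provided `show version` on the ASA lists the 3DES/AES licence as enabled) and a long random PSK per branch; and the posted router config names the HQ peer two different ways (`hq.0` in the isakmp key line, `hq1.0` in the crypto map), whereas the `crypto isakmp key ... address` and `set peer` values must be the same address. The posted ASA also applies `access-list 100 extended permit ip any any` inbound on outside; decrypted VPN traffic bypasses interface ACLs anyway because `sysopt connection permit-vpn` is on by default, so that open ACL is not needed for the tunnels.

```cisco
! ---------------------------------------------------------------
! HQ ASA 5510, 8.0(4) (pre-8.3 NAT syntax). Added example, not the
! poster's config. Assumed: HQ LAN 192.168.2.0/24, site1 192.168.3.0/24,
! site2 192.168.4.0/24 (same "name" entries as the posted config),
! branch public addresses written as placeholders SITE1_PEER / SITE2_PEER.
! ---------------------------------------------------------------
name 192.168.3.0 site1
name 192.168.4.0 site2
!
! Required for hairpinning: branch traffic decrypted on "outside"
! is sent back out of "outside" to the internet.
same-security-traffic permit intra-interface
!
! Crypto ACLs: the branch proposes <branch LAN> -> any, so the HQ side
! must mirror that as any -> <branch LAN>.
access-list outside_1_cryptomap extended permit ip any site1 255.255.255.0
access-list outside_2_cryptomap extended permit ip any site2 255.255.255.0
!
! NAT exemption is bidirectional: HQ LAN <-> branch LANs stay untranslated.
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 site1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 site2 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! PAT: HQ LAN as before, plus the branch LANs, which enter and leave on "outside".
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0
nat (outside) 1 site1 255.255.255.0
nat (outside) 1 site2 255.255.255.0
!
! Decrypted VPN traffic bypasses the outside ACL (sysopt connection permit-vpn
! is on by default), so the posted "permit ip any any" inbound ACL is not
! needed for the tunnels and should not be left open to the internet.
no access-group 100 in interface outside
!
! Phase 1 / Phase 2: AES-256, SHA-1, DH group 5 instead of DES / group 1.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer SITE1_PEER
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer SITE2_PEER
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
!
! One long random PSK per branch (placeholders below); must match the branch router.
tunnel-group SITE1_PEER type ipsec-l2l
tunnel-group SITE1_PEER ipsec-attributes
 pre-shared-key <long-random-psk-site1>
tunnel-group SITE2_PEER type ipsec-l2l
tunnel-group SITE2_PEER ipsec-attributes
 pre-shared-key <long-random-psk-site2>
!
! ---------------------------------------------------------------
! Site 1 router (2800, IOS 12.4(15)T). Site 2 is identical with 192.168.4.0.
! HQ_PEER = the ASA outside address; the same value must appear in the
! "crypto isakmp key" line and in the crypto map "set peer" line.
! ---------------------------------------------------------------
crypto isakmp policy 2
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp key <long-random-psk-site1> address HQ_PEER
!
crypto ipsec transform-set ASA-IPSEC esp-aes 256 esp-sha-hmac
!
! Crypto ACL: everything from the branch LAN is "interesting", not only HQ-bound traffic.
no access-list 100
access-list 100 remark IPSec Rule - full tunnel to HQ
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to HQ
 set peer HQ_PEER
 set transform-set ASA-IPSEC
 match address 100
!
! Nothing leaves the branch un-tunnelled, so local PAT (route-map nonat / ACL 110) goes away.
no ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
no route-map nonat
no access-list 110
!
interface GigabitEthernet0/0
 crypto map SDM_CMAP_1
```

To check it, bring up a branch client's web browser and run `show crypto isakmp sa` and `show crypto ipsec sa` on either end; the IPsec SA on the router should show proxy identities 192.168.3.0/24 to 0.0.0.0/0. On the ASA, `packet-tracer input outside tcp 192.168.3.10 1025 198.51.100.1 80` (constructed client and destination addresses) should show the flow being decrypted and then translated to the outside interface address by the `nat (outside) 1` rule; if the tunnel comes up but browsing still fails, `show xlate` tells you whether that rule is being hit at all.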
 
skywalker7Author Commented:
Thanks for the fantastic support !