Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Csico Remote VPN traffic Transversing Site-to-Site Tunnel

Posted on 2014-04-16
6
Medium Priority
?
1,536 Views
Last Modified: 2014-04-21
Good Day,

We have two Cisco ASAs (Site-A 5510 & Site-B 5515-x) with a Site-to-Site VPN Tunnel between the two.

Each ASA is on IOS 9.1(5)

We have remote users that need to access resources at both locations and we need them to be able to do this without confusing them.

Is it possible to configure for a remote connection that is connected to Site-A ASA to transverse the Site-to-Site tunnel to Site-B for resources the user may need to access there? and vice-versa?

If so, Is there an example configuration we could follow for this?

Thanks,

Dave
0
Comment
Question by:Brockstedt
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 40004998
Yes, this can be done. Essentially, if you had ASA's A, B, and C with B being the hub, you would configure a site to site with A-B and B-C, and the crypto maps would include ALL destination subnets, not just the destinations on the tunnel endpoint.

Config to follow...
0
 
LVL 20

Accepted Solution

by:
rauenpc earned 2000 total points
ID: 40005073
Site A: 10.1.0.0/16
Site B: 10.2.0.0/16
RAVPN : 192.168.255.0/24
RAVPN connects to Site A, and accesses resources at sites A and B.


ip local pool VPNPOOL 192.168.255.1-192.168.255.50

object network SUBNET-10.1.0.0-16
 subnet 10.1.0.0 255.255.0.0

object network SUBNET-10.2.0.0-16
 subnet 10.2.0.0 255.255.0.0

object network SUBNET-192.168.255.0-24
 subnet 192.168.255.0 255.255.255.0

!!The cryptomap needs to include ALL sources and destinations. In this case,
!!the sources will be Site A and RAVPN

access-list SITE_A-TO-SITE_B extended permit ip object SUBNET-10.1.0.0-16 object SUBNET-10.2.0.0-16
access-list SITE_A-TO-SITE_B extended permit ip object SUBNET-192.168.255.0-24 object SUBNET-10.2.0.0-16

!!VPN split tunnel must include both sites A and B. Also, if RAVPN to RAVPN traffic is desired, add the RAVPN
!!subnet as well (this would also need to be put in an (outside,outside) nat exemption).

access-list VPN-SPLITTUNNEL standard permit 10.1.0.0 255.255.0.0 
access-list VPN-SPLITTUNNEL standard permit 10.2.0.0 255.255.0.0 
access-list VPN-SPLITTUNNEL standard permit 192.168.255.0 255.255.255.0 

!!nat exemptions. Below is a VERY generic rule that basically states that any private IP addresses going
!!to other private IP address will not be nat'd. Since the interfaces are (any,any), the routing table
!!will be used to determine ingress and egress interfaces. You may want to be more specific with your nat
!!exemptions. When being more specific, the statements must reference physical interfaces used, meaning that
!!for traffic going from RAVPN through Site A destined for Site B, the nat exemption will be (outside,outside)

object network SUBNET-10.0.0.0-8
subnet 10.0.0.0 255.0.0.0

object network SUBNET-172.16.0.0-12
subnet 172.16.0.0 255.240.0.0

object network SUBNET-192.168.0.0-16
subnet 192.168.0.0 255.255.0.0

object-group network SUBNETS-RFC1918
network-object object SUBNET-192.168.0.0-16
network-object object SUBNET-10.0.0.0-8
network-object object SUBNET-172.16.0.0-12

nat (any,any) source static SUBNETS-RFC1918 SUBNETS-RFC1918 destination static SUBNETS-RFC1918 SUBNETS-RFC1918 no-proxy-arp


!!crypto config

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto dynamic-map DYNMAP 100 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map DYNMAP 100 set reverse-route

crypto map L2L-VPN 1 match address SITE_A-TO-SITE_B
crypto map L2L-VPN 1 set peer 9.9.9.9
crypto map L2L-VPN 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map L2L-VPN 65000 ipsec-isakmp dynamic DYNMAP
crypto map L2L-VPN interface outside

crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

tunnel-group 9.9.9.9 type ipsec-l2l
tunnel-group 9.9.9.9 ipsec-attributes
 ikev1 pre-shared-key U$eTh3F0rc3!Y0ungSkyw@lk3r

group-policy RAVPN-GP internal
group-policy RAVPN-GP attributes
dns-server value 1.1.1.1 1.1.1.2
vpn-access-hours none
vpn-simultaneous-logins 10
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-SPLITTUNNEL
default-domain value company.com
vlan none
address-pools value VPNPOOL

tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
 address-pool VPNPOOL
 default-group-policy RAVPN-GP
tunnel-group RAVPN ipsec-attributes
 ikev1 pre-shared-key j0InTh3D@rk$ide




=================================
Site B
=================================

!!This is a mirror of Site A minus the RAVPN




object network SUBNET-10.1.0.0-16
 subnet 10.1.0.0 255.255.0.0

object network SUBNET-10.2.0.0-16
 subnet 10.2.0.0 255.255.0.0

object network SUBNET-192.168.255.0-24
 subnet 192.168.255.0 255.255.255.0

!!The cryptomap needs to include ALL sources and destinations. In this case,
!!the sources will be Site B and destinations will be both Site A and RAVPN

access-list SITE_B-TO-SITE_A extended permit ip object SUBNET-10.2.0.0-16 object SUBNET-10.1.0.0-16
access-list SITE_B-TO-SITE_A extended permit ip object SUBNET-10.2.0.0-16 object SUBNET-192.168.255.0-24

!!nat exemptions. Below is a VERY generic rule that basically states that any private IP addresses going
!!to other private IP address will not be nat'd. Since the interfaces are (any,any), the routing table
!!will be used to determine ingress and egress interfaces. You may want to be more specific with your nat
!!exemptions. When being more specific, the statements must reference physical interfaces used, meaning that
!!for traffic going from RAVPN through Site A destined for Site B, the nat exemption will be (outside,outside)

object network SUBNET-10.0.0.0-8
subnet 10.0.0.0 255.0.0.0

object network SUBNET-172.16.0.0-12
subnet 172.16.0.0 255.240.0.0

object network SUBNET-192.168.0.0-16
subnet 192.168.0.0 255.255.0.0

object-group network SUBNETS-RFC1918
network-object object SUBNET-192.168.0.0-16
network-object object SUBNET-10.0.0.0-8
network-object object SUBNET-172.16.0.0-12

nat (any,any) source static SUBNETS-RFC1918 SUBNETS-RFC1918 destination static SUBNETS-RFC1918 SUBNETS-RFC1918 no-proxy-arp


!!crypto config

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto dynamic-map DYNMAP 100 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map DYNMAP 100 set reverse-route

crypto map L2L-VPN 1 match address SITE_B-TO-SITE_A
crypto map L2L-VPN 1 set peer 10.10.10.10
crypto map L2L-VPN 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map L2L-VPN 65000 ipsec-isakmp dynamic DYNMAP
crypto map L2L-VPN interface outside

crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

tunnel-group 10.10.10.10 type ipsec-l2l
tunnel-group 10.10.10.10 ipsec-attributes
 ikev1 pre-shared-key U$eTh3F0rc3!Y0ungSkyw@lk3r

Open in new window


As much as I'd like so say I'm perfect... that would be far from true. I pulled this from a couple different configs so it should be close, but I may have a couple mistakes in there if you attempt to do a straight copy/paste of that config.

You will still need other components that aren't in the config like routing, interface ACL's... essentially the base components to get the individual VPN connections working. Good luck!
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 40006057
Now that ^2 Is a post that deserves some points - Bravo!

Really need to update my article on hub and spoke VPN's for post version 8.4!

Pete
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 20

Expert Comment

by:rauenpc
ID: 40006429
Woot!
Thanks Pete
0
 

Author Closing Comment

by:Brockstedt
ID: 40006464
Perfect!!

Thanks,

Dave
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 40013294
I know its closed now, but if anyone else comes across this, take a look here

Cisco Firewall VPN "Hair Pinning"

Pete
0

Featured Post

Simplify Your Workload with One Tool

How do you combat today’s intelligent hacker while managing multiple domains and platforms? By simplifying your workload with one tool. With Lunarpages hosting through Plesk Onyx, you can:

Automate SSL generation and installation with two clicks
Experience total server control

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
This month, Experts Exchange’s free Course of the Month is focused on CompTIA IT Fundamentals.
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

664 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question