Solved

Csico Remote VPN traffic Transversing Site-to-Site Tunnel

Posted on 2014-04-16
6
1,500 Views
Last Modified: 2014-04-21
Good Day,

We have two Cisco ASAs (Site-A 5510 & Site-B 5515-x) with a Site-to-Site VPN Tunnel between the two.

Each ASA is on IOS 9.1(5)

We have remote users that need to access resources at both locations and we need them to be able to do this without confusing them.

Is it possible to configure for a remote connection that is connected to Site-A ASA to transverse the Site-to-Site tunnel to Site-B for resources the user may need to access there? and vice-versa?

If so, Is there an example configuration we could follow for this?

Thanks,

Dave
0
Comment
Question by:Brockstedt
  • 3
  • 2
6 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 40004998
Yes, this can be done. Essentially, if you had ASA's A, B, and C with B being the hub, you would configure a site to site with A-B and B-C, and the crypto maps would include ALL destination subnets, not just the destinations on the tunnel endpoint.

Config to follow...
0
 
LVL 20

Accepted Solution

by:
rauenpc earned 500 total points
ID: 40005073
Site A: 10.1.0.0/16
Site B: 10.2.0.0/16
RAVPN : 192.168.255.0/24
RAVPN connects to Site A, and accesses resources at sites A and B.


ip local pool VPNPOOL 192.168.255.1-192.168.255.50

object network SUBNET-10.1.0.0-16
 subnet 10.1.0.0 255.255.0.0

object network SUBNET-10.2.0.0-16
 subnet 10.2.0.0 255.255.0.0

object network SUBNET-192.168.255.0-24
 subnet 192.168.255.0 255.255.255.0

!!The cryptomap needs to include ALL sources and destinations. In this case,
!!the sources will be Site A and RAVPN

access-list SITE_A-TO-SITE_B extended permit ip object SUBNET-10.1.0.0-16 object SUBNET-10.2.0.0-16
access-list SITE_A-TO-SITE_B extended permit ip object SUBNET-192.168.255.0-24 object SUBNET-10.2.0.0-16

!!VPN split tunnel must include both sites A and B. Also, if RAVPN to RAVPN traffic is desired, add the RAVPN
!!subnet as well (this would also need to be put in an (outside,outside) nat exemption).

access-list VPN-SPLITTUNNEL standard permit 10.1.0.0 255.255.0.0 
access-list VPN-SPLITTUNNEL standard permit 10.2.0.0 255.255.0.0 
access-list VPN-SPLITTUNNEL standard permit 192.168.255.0 255.255.255.0 

!!nat exemptions. Below is a VERY generic rule that basically states that any private IP addresses going
!!to other private IP address will not be nat'd. Since the interfaces are (any,any), the routing table
!!will be used to determine ingress and egress interfaces. You may want to be more specific with your nat
!!exemptions. When being more specific, the statements must reference physical interfaces used, meaning that
!!for traffic going from RAVPN through Site A destined for Site B, the nat exemption will be (outside,outside)

object network SUBNET-10.0.0.0-8
subnet 10.0.0.0 255.0.0.0

object network SUBNET-172.16.0.0-12
subnet 172.16.0.0 255.240.0.0

object network SUBNET-192.168.0.0-16
subnet 192.168.0.0 255.255.0.0

object-group network SUBNETS-RFC1918
network-object object SUBNET-192.168.0.0-16
network-object object SUBNET-10.0.0.0-8
network-object object SUBNET-172.16.0.0-12

nat (any,any) source static SUBNETS-RFC1918 SUBNETS-RFC1918 destination static SUBNETS-RFC1918 SUBNETS-RFC1918 no-proxy-arp


!!crypto config

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto dynamic-map DYNMAP 100 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map DYNMAP 100 set reverse-route

crypto map L2L-VPN 1 match address SITE_A-TO-SITE_B
crypto map L2L-VPN 1 set peer 9.9.9.9
crypto map L2L-VPN 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map L2L-VPN 65000 ipsec-isakmp dynamic DYNMAP
crypto map L2L-VPN interface outside

crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

tunnel-group 9.9.9.9 type ipsec-l2l
tunnel-group 9.9.9.9 ipsec-attributes
 ikev1 pre-shared-key U$eTh3F0rc3!Y0ungSkyw@lk3r

group-policy RAVPN-GP internal
group-policy RAVPN-GP attributes
dns-server value 1.1.1.1 1.1.1.2
vpn-access-hours none
vpn-simultaneous-logins 10
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-SPLITTUNNEL
default-domain value company.com
vlan none
address-pools value VPNPOOL

tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
 address-pool VPNPOOL
 default-group-policy RAVPN-GP
tunnel-group RAVPN ipsec-attributes
 ikev1 pre-shared-key j0InTh3D@rk$ide




=================================
Site B
=================================

!!This is a mirror of Site A minus the RAVPN




object network SUBNET-10.1.0.0-16
 subnet 10.1.0.0 255.255.0.0

object network SUBNET-10.2.0.0-16
 subnet 10.2.0.0 255.255.0.0

object network SUBNET-192.168.255.0-24
 subnet 192.168.255.0 255.255.255.0

!!The cryptomap needs to include ALL sources and destinations. In this case,
!!the sources will be Site B and destinations will be both Site A and RAVPN

access-list SITE_B-TO-SITE_A extended permit ip object SUBNET-10.2.0.0-16 object SUBNET-10.1.0.0-16
access-list SITE_B-TO-SITE_A extended permit ip object SUBNET-10.2.0.0-16 object SUBNET-192.168.255.0-24

!!nat exemptions. Below is a VERY generic rule that basically states that any private IP addresses going
!!to other private IP address will not be nat'd. Since the interfaces are (any,any), the routing table
!!will be used to determine ingress and egress interfaces. You may want to be more specific with your nat
!!exemptions. When being more specific, the statements must reference physical interfaces used, meaning that
!!for traffic going from RAVPN through Site A destined for Site B, the nat exemption will be (outside,outside)

object network SUBNET-10.0.0.0-8
subnet 10.0.0.0 255.0.0.0

object network SUBNET-172.16.0.0-12
subnet 172.16.0.0 255.240.0.0

object network SUBNET-192.168.0.0-16
subnet 192.168.0.0 255.255.0.0

object-group network SUBNETS-RFC1918
network-object object SUBNET-192.168.0.0-16
network-object object SUBNET-10.0.0.0-8
network-object object SUBNET-172.16.0.0-12

nat (any,any) source static SUBNETS-RFC1918 SUBNETS-RFC1918 destination static SUBNETS-RFC1918 SUBNETS-RFC1918 no-proxy-arp


!!crypto config

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto dynamic-map DYNMAP 100 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map DYNMAP 100 set reverse-route

crypto map L2L-VPN 1 match address SITE_B-TO-SITE_A
crypto map L2L-VPN 1 set peer 10.10.10.10
crypto map L2L-VPN 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map L2L-VPN 65000 ipsec-isakmp dynamic DYNMAP
crypto map L2L-VPN interface outside

crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

tunnel-group 10.10.10.10 type ipsec-l2l
tunnel-group 10.10.10.10 ipsec-attributes
 ikev1 pre-shared-key U$eTh3F0rc3!Y0ungSkyw@lk3r

Open in new window


As much as I'd like so say I'm perfect... that would be far from true. I pulled this from a couple different configs so it should be close, but I may have a couple mistakes in there if you attempt to do a straight copy/paste of that config.

You will still need other components that aren't in the config like routing, interface ACL's... essentially the base components to get the individual VPN connections working. Good luck!
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 40006057
Now that ^2 Is a post that deserves some points - Bravo!

Really need to update my article on hub and spoke VPN's for post version 8.4!

Pete
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 20

Expert Comment

by:rauenpc
ID: 40006429
Woot!
Thanks Pete
0
 

Author Closing Comment

by:Brockstedt
ID: 40006464
Perfect!!

Thanks,

Dave
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 40013294
I know its closed now, but if anyone else comes across this, take a look here

Cisco Firewall VPN "Hair Pinning"

Pete
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question