
Cisco Remote VPN Traffic Traversing Site-to-Site Tunnel

Good Day,

We have two Cisco ASAs (Site-A 5510 & Site-B 5515-x) with a Site-to-Site VPN Tunnel between the two.

Each ASA is on IOS 9.1(5)

We have remote users that need to access resources at both locations and we need them to be able to do this without confusing them.

Is it possible to configure a remote connection that is connected to the Site-A ASA to traverse the Site-to-Site tunnel to Site-B for resources the user may need to access there? And vice versa?

If so, is there an example configuration we could follow for this?

Thanks,

Dave
rauenpc commented:
Yes, this can be done. Essentially, if you had ASAs A, B, and C with B being the hub, you would configure a site-to-site with A-B and B-C, and the crypto maps would include ALL destination subnets, not just the destinations on the tunnel endpoint.

Config to follow...

rauenpc commented:
Site A: 10.1.0.0/16
Site B: 10.2.0.0/16
RAVPN : 192.168.255.0/24
RAVPN connects to Site A, and accesses resources at sites A and B.


ip local pool VPNPOOL 192.168.255.1-192.168.255.50

object network SUBNET-10.1.0.0-16
 subnet 10.1.0.0 255.255.0.0

object network SUBNET-10.2.0.0-16
 subnet 10.2.0.0 255.255.0.0

object network SUBNET-192.168.255.0-24
 subnet 192.168.255.0 255.255.255.0

!!The cryptomap needs to include ALL sources and destinations. In this case,
!!the sources will be Site A and RAVPN

access-list SITE_A-TO-SITE_B extended permit ip object SUBNET-10.1.0.0-16 object SUBNET-10.2.0.0-16
access-list SITE_A-TO-SITE_B extended permit ip object SUBNET-192.168.255.0-24 object SUBNET-10.2.0.0-16

!!VPN split tunnel must include both sites A and B. Also, if RAVPN to RAVPN traffic is desired, add the RAVPN
!!subnet as well (this would also need to be put in an (outside,outside) nat exemption).

access-list VPN-SPLITTUNNEL standard permit 10.1.0.0 255.255.0.0
access-list VPN-SPLITTUNNEL standard permit 10.2.0.0 255.255.0.0
access-list VPN-SPLITTUNNEL standard permit 192.168.255.0 255.255.255.0

!!RAVPN traffic bound for Site B enters and leaves the same (outside) interface, so the ASA
!!must be allowed to hairpin (u-turn) traffic on that interface. Without this the packets are dropped.

same-security-traffic permit intra-interface

!!nat exemptions. Below is a VERY generic rule that basically states that any private IP addresses going
!!to other private IP address will not be nat'd. Since the interfaces are (any,any), the routing table
!!will be used to determine ingress and egress interfaces. You may want to be more specific with your nat
!!exemptions. When being more specific, the statements must reference physical interfaces used, meaning that
!!for traffic going from RAVPN through Site A destined for Site B, the nat exemption will be (outside,outside)

object network SUBNET-10.0.0.0-8
 subnet 10.0.0.0 255.0.0.0

object network SUBNET-172.16.0.0-12
 subnet 172.16.0.0 255.240.0.0

object network SUBNET-192.168.0.0-16
 subnet 192.168.0.0 255.255.0.0

object-group network SUBNETS-RFC1918
 network-object object SUBNET-192.168.0.0-16
 network-object object SUBNET-10.0.0.0-8
 network-object object SUBNET-172.16.0.0-12

nat (any,any) source static SUBNETS-RFC1918 SUBNETS-RFC1918 destination static SUBNETS-RFC1918 SUBNETS-RFC1918 no-proxy-arp

!!crypto config

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYNMAP 100 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map DYNMAP 100 set reverse-route

crypto map L2L-VPN 1 match address SITE_A-TO-SITE_B
crypto map L2L-VPN 1 set peer 9.9.9.9
crypto map L2L-VPN 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map L2L-VPN 65000 ipsec-isakmp dynamic DYNMAP
crypto map L2L-VPN interface outside

crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

tunnel-group 9.9.9.9 type ipsec-l2l
tunnel-group 9.9.9.9 ipsec-attributes
 ikev1 pre-shared-key U$eTh3F0rc3!Y0ungSkyw@lk3r

group-policy RAVPN-GP internal
group-policy RAVPN-GP attributes
 dns-server value 1.1.1.1 1.1.1.2
 vpn-access-hours none
 vpn-simultaneous-logins 10
 vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-SPLITTUNNEL
 default-domain value company.com
 vlan none
 address-pools value VPNPOOL

tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
 address-pool VPNPOOL
 default-group-policy RAVPN-GP
tunnel-group RAVPN ipsec-attributes
 ikev1 pre-shared-key j0InTh3D@rk$ide


=================================
Site B
=================================

!!This is a mirror of Site A minus the RAVPN

object network SUBNET-10.1.0.0-16
 subnet 10.1.0.0 255.255.0.0

object network SUBNET-10.2.0.0-16
 subnet 10.2.0.0 255.255.0.0

object network SUBNET-192.168.255.0-24
 subnet 192.168.255.0 255.255.255.0

!!The cryptomap needs to include ALL sources and destinations. In this case,
!!the sources will be Site B and destinations will be both Site A and RAVPN

access-list SITE_B-TO-SITE_A extended permit ip object SUBNET-10.2.0.0-16 object SUBNET-10.1.0.0-16
access-list SITE_B-TO-SITE_A extended permit ip object SUBNET-10.2.0.0-16 object SUBNET-192.168.255.0-24

!!nat exemptions. Below is a VERY generic rule that basically states that any private IP addresses going
!!to other private IP address will not be nat'd. Since the interfaces are (any,any), the routing table
!!will be used to determine ingress and egress interfaces. You may want to be more specific with your nat
!!exemptions. When being more specific, the statements must reference physical interfaces used, meaning that
!!on Site B, traffic arriving over the tunnel from Site A or RAVPN and destined for the Site B LAN
!!is (outside,inside); no hairpin is needed here because the RAVPN pool does not terminate on this ASA.

object network SUBNET-10.0.0.0-8
 subnet 10.0.0.0 255.0.0.0

object network SUBNET-172.16.0.0-12
 subnet 172.16.0.0 255.240.0.0

object network SUBNET-192.168.0.0-16
 subnet 192.168.0.0 255.255.0.0

object-group network SUBNETS-RFC1918
 network-object object SUBNET-192.168.0.0-16
 network-object object SUBNET-10.0.0.0-8
 network-object object SUBNET-172.16.0.0-12

nat (any,any) source static SUBNETS-RFC1918 SUBNETS-RFC1918 destination static SUBNETS-RFC1918 SUBNETS-RFC1918 no-proxy-arp

!!crypto config

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYNMAP 100 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map DYNMAP 100 set reverse-route

crypto map L2L-VPN 1 match address SITE_B-TO-SITE_A
crypto map L2L-VPN 1 set peer 10.10.10.10
crypto map L2L-VPN 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map L2L-VPN 65000 ipsec-isakmp dynamic DYNMAP
crypto map L2L-VPN interface outside

crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

tunnel-group 10.10.10.10 type ipsec-l2l
tunnel-group 10.10.10.10 ipsec-attributes
 ikev1 pre-shared-key U$eTh3F0rc3!Y0ungSkyw@lk3r
As much as I'd like so say I'm perfect... that would be far from true. I pulled this from a couple different configs so it should be close, but I may have a couple mistakes in there if you attempt to do a straight copy/paste of that config.

You will still need other components that aren't in the config like routing, interface ACLs... essentially the base components to get the individual VPN connections working. Good luck!
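The answer above rests on three things lining up: the crypto ACLs on both ASAs must be exact mirrors of each other, every split-tunnel destination handed to the remote client must be either local to the hub or carried over the L2L tunnel with the RA pool as a source, and the identity NAT must cover every source/destination pair. The following Python script is an added example that checks those three conditions; it is not part of rauenpc's configuration or anything published by Cisco. The subnets are the ones used in the answer; the ACL model, the function names and the sample client address 192.168.255.10 are constructed for the example.

```python
"""Consistency checks for a hairpinned remote-access VPN across an ASA site-to-site tunnel.

Models the design from the answer above: remote-access (RA) clients land on the hub
(Site A) and must also reach Site B through the L2L tunnel.  Three things have to agree:
  1. the crypto ACLs on both ends are exact mirrors (src/dst swapped);
  2. every split-tunnel destination is either local to the hub or carried over the
     tunnel with the RA pool as a source;
  3. the identity ("no-NAT") rule covers every source/destination pair.
The ACL entries below are constructed from the subnets used in the answer.
"""
from ipaddress import ip_network
from typing import Iterable, List, Tuple

Pair = Tuple[str, str]

# Constructed: each entry mirrors one 'access-list ... extended permit ip' line as (src, dst)
SITE_A_CRYPTO_ACL: List[Pair] = [
    ("10.1.0.0/16", "10.2.0.0/16"),       # Site A LAN -> Site B LAN
    ("192.168.255.0/24", "10.2.0.0/16"),  # RA pool    -> Site B LAN
]
SITE_B_CRYPTO_ACL: List[Pair] = [
    ("10.2.0.0/16", "10.1.0.0/16"),
    ("10.2.0.0/16", "192.168.255.0/24"),
]
SITE_A_LOCAL = ["10.1.0.0/16"]
RAVPN_POOL = "192.168.255.0/24"
SPLIT_TUNNEL = ["10.1.0.0/16", "10.2.0.0/16", "192.168.255.0/24"]   # VPN-SPLITTUNNEL
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]        # SUBNETS-RFC1918


def _nets(pairs: Iterable[Pair]):
    return [(ip_network(s), ip_network(d)) for s, d in pairs]


def mirror_violations(acl_a: Iterable[Pair], acl_b: Iterable[Pair]) -> Tuple[List[Pair], List[Pair]]:
    """Entries on one side whose (dst, src) counterpart is absent on the other.

    A one-sided entry means the two ends propose different proxy IDs for that flow:
    phase 2 fails or the return traffic is dropped. A clean design returns ([], []).
    """
    a, b = set(_nets(acl_a)), set(_nets(acl_b))
    missing_on_b = [(str(s), str(d)) for s, d in sorted(a) if (d, s) not in b]
    missing_on_a = [(str(s), str(d)) for s, d in sorted(b) if (d, s) not in a]
    return missing_on_b, missing_on_a


def uncovered_split_tunnel_routes(split_tunnel: Iterable[str], local_subnets: Iterable[str],
                                  pool: str, crypto_acl: Iterable[Pair]) -> List[str]:
    """Split-tunnel destinations the RA client will send to the hub that the hub cannot forward.

    A destination is fine if it sits inside the hub's own LAN, or if the hub's crypto ACL
    carries it over the L2L tunnel for sources in the RA pool. The pool itself is skipped:
    client-to-client traffic never crosses the L2L tunnel (it is hairpinned on the hub).
    """
    pool_net = ip_network(pool)
    local = [ip_network(n) for n in local_subnets]
    tunneled_for_pool = [d for s, d in _nets(crypto_acl) if pool_net.subnet_of(s)]
    uncovered = []
    for dst in (ip_network(n) for n in split_tunnel):
        if dst == pool_net or any(dst.subnet_of(n) for n in local + tunneled_for_pool):
            continue
        uncovered.append(str(dst))
    return uncovered


def nat_exempt(src: str, dst: str, exempt_groups: Iterable[str]) -> bool:
    """Would the (any,any) identity NAT from the answer leave this flow untranslated?

    The rule matches only when BOTH endpoints fall inside SUBNETS-RFC1918; anything
    else (for example a client going to the Internet) is still NATed.
    """
    groups = [ip_network(g) for g in exempt_groups]
    return all(any(ip_network(ep).subnet_of(g) for g in groups) for ep in (src, dst))


def report() -> dict:
    """Run all three checks against the constructed design and return the findings."""
    missing_b, missing_a = mirror_violations(SITE_A_CRYPTO_ACL, SITE_B_CRYPTO_ACL)
    return {
        "missing_on_site_b": missing_b,
        "missing_on_site_a": missing_a,
        "uncovered_split_tunnel": uncovered_split_tunnel_routes(
            SPLIT_TUNNEL, SITE_A_LOCAL, RAVPN_POOL, SITE_A_CRYPTO_ACL),
        # constructed client address from the pool reaching a host in Site B
        "ra_client_to_site_b_exempt": nat_exempt("192.168.255.10", "10.2.5.5", RFC1918),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Dropping the second line of either crypto ACL reproduces the classic symptom of this design: the L2L tunnel still comes up for LAN-to-LAN traffic, but the RA clients cannot reach the far site because their pool is never part of the interesting traffic.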
 
Pete Long (Technical Consultant) commented:
Now that ^2 is a post that deserves some points - Bravo!

Really need to update my article on hub and spoke VPNs for post version 8.4!

Pete

rauenpc commented:
Woot!
Thanks Pete

Brockstedt (Author) commented:
Perfect!!

Thanks,

Dave

Pete Long (Technical Consultant) commented:
I know it's closed now, but if anyone else comes across this, take a look here

Cisco Firewall VPN "Hair Pinning"

Pete