Solved

Cisco Remote VPN traffic Traversing Site-to-Site Tunnel

Posted on 2014-04-16
6
1,529 Views
Last Modified: 2014-04-21
Good Day,

We have two Cisco ASAs (Site-A 5510 & Site-B 5515-x) with a Site-to-Site VPN Tunnel between the two.

Each ASA is on IOS 9.1(5)

We have remote users that need to access resources at both locations and we need them to be able to do this without confusing them.

Is it possible to configure a remote connection that is connected to the Site-A ASA to traverse the Site-to-Site tunnel to Site-B for resources the user may need to access there, and vice versa?

If so, is there an example configuration we could follow for this?

Thanks,

Dave
Question by:Brockstedt
6 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 40004998
Yes, this can be done. Essentially, if you had ASAs A, B, and C with B being the hub, you would configure a site-to-site with A-B and B-C, and the crypto maps would include ALL destination subnets, not just the destinations on the tunnel endpoint.

Config to follow...
0
 
LVL 20

Accepted Solution

by:
rauenpc earned 500 total points
ID: 40005073
Site A: 10.1.0.0/16
Site B: 10.2.0.0/16
RAVPN : 192.168.255.0/24
RAVPN connects to Site A, and accesses resources at sites A and B.


!!Address pool handed to remote-access clients; this is the RAVPN subnet
!!referenced in the crypto ACL, split-tunnel list and NAT exemption below
ip local pool VPNPOOL 192.168.255.1-192.168.255.50

object network SUBNET-10.1.0.0-16
 subnet 10.1.0.0 255.255.0.0

object network SUBNET-10.2.0.0-16
 subnet 10.2.0.0 255.255.0.0

object network SUBNET-192.168.255.0-24
 subnet 192.168.255.0 255.255.255.0

!!The cryptomap needs to include ALL sources and destinations. In this case,
!!the sources will be Site A and RAVPN

access-list SITE_A-TO-SITE_B extended permit ip object SUBNET-10.1.0.0-16 object SUBNET-10.2.0.0-16
access-list SITE_A-TO-SITE_B extended permit ip object SUBNET-192.168.255.0-24 object SUBNET-10.2.0.0-16

!!VPN split tunnel must include both sites A and B. Also, if RAVPN to RAVPN traffic is desired, add the RAVPN
!!subnet as well (this would also need to be put in an (outside,outside) nat exemption).

access-list VPN-SPLITTUNNEL standard permit 10.1.0.0 255.255.0.0 
access-list VPN-SPLITTUNNEL standard permit 10.2.0.0 255.255.0.0 
access-list VPN-SPLITTUNNEL standard permit 192.168.255.0 255.255.255.0 

!!nat exemptions. Below is a VERY generic rule that basically states that any private IP addresses going
!!to other private IP address will not be nat'd. Since the interfaces are (any,any), the routing table
!!will be used to determine ingress and egress interfaces. You may want to be more specific with your nat
!!exemptions. When being more specific, the statements must reference physical interfaces used, meaning that
!!for traffic going from RAVPN through Site A destined for Site B, the nat exemption will be (outside,outside)

object network SUBNET-10.0.0.0-8
subnet 10.0.0.0 255.0.0.0

object network SUBNET-172.16.0.0-12
subnet 172.16.0.0 255.240.0.0

object network SUBNET-192.168.0.0-16
subnet 192.168.0.0 255.255.0.0

object-group network SUBNETS-RFC1918
network-object object SUBNET-192.168.0.0-16
network-object object SUBNET-10.0.0.0-8
network-object object SUBNET-172.16.0.0-12

nat (any,any) source static SUBNETS-RFC1918 SUBNETS-RFC1918 destination static SUBNETS-RFC1918 SUBNETS-RFC1918 no-proxy-arp


!!Traffic from a RAVPN client arrives on the outside interface and must leave
!!on the same interface to enter the L2L tunnel. The ASA refuses to forward
!!between two hosts on the same interface unless hairpinning is enabled:

same-security-traffic permit intra-interface

!!crypto config

!!IPsec proposal shared by the L2L tunnel and the remote-access dynamic map
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
!!Dynamic map for remote-access peers (unknown source IPs); reverse-route
!!injects a route for each connected client's pool address
crypto dynamic-map DYNMAP 100 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map DYNMAP 100 set reverse-route

!!Entry 1 is the static site-to-site tunnel; the dynamic entry gets the
!!highest sequence number so it is only matched after the static entries
crypto map L2L-VPN 1 match address SITE_A-TO-SITE_B
crypto map L2L-VPN 1 set peer 9.9.9.9
crypto map L2L-VPN 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map L2L-VPN 65000 ipsec-isakmp dynamic DYNMAP
crypto map L2L-VPN interface outside

crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

tunnel-group 9.9.9.9 type ipsec-l2l
tunnel-group 9.9.9.9 ipsec-attributes
 ikev1 pre-shared-key U$eTh3F0rc3!Y0ungSkyw@lk3r

!!Group policy for remote-access users: split tunnel only the two sites
group-policy RAVPN-GP internal
group-policy RAVPN-GP attributes
 dns-server value 1.1.1.1 1.1.1.2
 vpn-access-hours none
 vpn-simultaneous-logins 10
 vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-SPLITTUNNEL
 default-domain value company.com
 vlan none
 address-pools value VPNPOOL

tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
 address-pool VPNPOOL
 default-group-policy RAVPN-GP
tunnel-group RAVPN ipsec-attributes
 ikev1 pre-shared-key j0InTh3D@rk$ide

=================================
Site B
=================================

!!This is a mirror of Site A minus the RAVPN

object network SUBNET-10.1.0.0-16
 subnet 10.1.0.0 255.255.0.0

object network SUBNET-10.2.0.0-16
 subnet 10.2.0.0 255.255.0.0

object network SUBNET-192.168.255.0-24
 subnet 192.168.255.0 255.255.255.0

!!The cryptomap needs to include ALL sources and destinations. In this case,
!!the sources will be Site B and destinations will be both Site A and RAVPN

access-list SITE_B-TO-SITE_A extended permit ip object SUBNET-10.2.0.0-16 object SUBNET-10.1.0.0-16
access-list SITE_B-TO-SITE_A extended permit ip object SUBNET-10.2.0.0-16 object SUBNET-192.168.255.0-24

!!nat exemptions. Below is a VERY generic rule that basically states that any private IP addresses going
!!to other private IP address will not be nat'd. Since the interfaces are (any,any), the routing table
!!will be used to determine ingress and egress interfaces. You may want to be more specific with your nat
!!exemptions. When being more specific, the statements must reference the interfaces used, meaning that
!!at Site B, traffic from the inside network to either Site A or the RAVPN pool leaves via outside, so the nat exemption will be (inside,outside)

object network SUBNET-10.0.0.0-8
subnet 10.0.0.0 255.0.0.0

object network SUBNET-172.16.0.0-12
subnet 172.16.0.0 255.240.0.0

object network SUBNET-192.168.0.0-16
subnet 192.168.0.0 255.255.0.0

object-group network SUBNETS-RFC1918
network-object object SUBNET-192.168.0.0-16
network-object object SUBNET-10.0.0.0-8
network-object object SUBNET-172.16.0.0-12

nat (any,any) source static SUBNETS-RFC1918 SUBNETS-RFC1918 destination static SUBNETS-RFC1918 SUBNETS-RFC1918 no-proxy-arp


!!crypto config

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto dynamic-map DYNMAP 100 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map DYNMAP 100 set reverse-route

crypto map L2L-VPN 1 match address SITE_B-TO-SITE_A
crypto map L2L-VPN 1 set peer 10.10.10.10
crypto map L2L-VPN 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map L2L-VPN 65000 ipsec-isakmp dynamic DYNMAP
crypto map L2L-VPN interface outside

crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

tunnel-group 10.10.10.10 type ipsec-l2l
tunnel-group 10.10.10.10 ipsec-attributes
 ikev1 pre-shared-key U$eTh3F0rc3!Y0ungSkyw@lk3r



As much as I'd like to say I'm perfect... that would be far from true. I pulled this from a couple of different configs so it should be close, but I may have a couple of mistakes in there if you attempt to do a straight copy/paste of that config.

You will still need other components that aren't in the config like routing, interface ACLs... essentially the base components to get the individual VPN connections working. Good luck!
0
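The rule in the answer above (the crypto ACL must list every source/destination pair that will cross the tunnel, and each peer's ACL must be the mirror image of the other's) is easy to get wrong when a remote-access pool is added later. The script below is an added example, not part of the post: it parses `object network` and `access-list` lines from two constructed config excerpts, the Site A excerpt modelled on the accepted answer and a Site B excerpt with the RAVPN return ACE deliberately left out, and reports which required pairs are uncovered, which Site A ACEs have no mirror at Site B, and whether the split-tunnel list still covers both sites. The network names, ACL names and subnets are the ones from the answer; the `audit()` function and its report keys are this example's own.

```python
"""Check hub-and-spoke ASA crypto ACLs for coverage and mirroring.
Added example; the config excerpts are constructed from the answer above."""
from ipaddress import IPv4Network

# Constructed excerpt of the Site A config from the accepted answer.
SITE_A_CFG = """
object network SUBNET-10.1.0.0-16
 subnet 10.1.0.0 255.255.0.0
object network SUBNET-10.2.0.0-16
 subnet 10.2.0.0 255.255.0.0
object network SUBNET-192.168.255.0-24
 subnet 192.168.255.0 255.255.255.0
access-list SITE_A-TO-SITE_B extended permit ip object SUBNET-10.1.0.0-16 object SUBNET-10.2.0.0-16
access-list SITE_A-TO-SITE_B extended permit ip object SUBNET-192.168.255.0-24 object SUBNET-10.2.0.0-16
access-list VPN-SPLITTUNNEL standard permit 10.1.0.0 255.255.0.0
access-list VPN-SPLITTUNNEL standard permit 10.2.0.0 255.255.0.0
"""

# Constructed Site B excerpt with the classic mistake: the ACE back to the
# RAVPN pool was never added, so Site B will not build an SA for that traffic.
SITE_B_CFG = """
object network SUBNET-10.1.0.0-16
 subnet 10.1.0.0 255.255.0.0
object network SUBNET-10.2.0.0-16
 subnet 10.2.0.0 255.255.0.0
access-list SITE_B-TO-SITE_A extended permit ip object SUBNET-10.2.0.0-16 object SUBNET-10.1.0.0-16
"""

SITE_A_NET = IPv4Network("10.1.0.0/16")
SITE_B_NET = IPv4Network("10.2.0.0/16")
RAVPN_NET = IPv4Network("192.168.255.0/24")


def parse_objects(cfg):
    """Map 'object network' names to IPv4Network (subnet and host forms only)."""
    objs, current = {}, None
    for line in cfg.splitlines():
        t = line.split()
        if t[:2] == ["object", "network"]:
            current = t[2]
        elif current and t[:1] == ["subnet"]:
            objs[current] = IPv4Network(f"{t[1]}/{t[2]}", strict=False)
        elif current and t[:1] == ["host"]:
            objs[current] = IPv4Network(f"{t[1]}/32")
    return objs


def _endpoint(t, i, objs):
    """Decode one ACE endpoint starting at token i; return (network, next index)."""
    if t[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "object":
        return objs[t[i + 1]], i + 2
    if t[i] == "host":
        return IPv4Network(f"{t[i + 1]}/32"), i + 2
    return IPv4Network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_crypto_acl(cfg, name, objs):
    """Return (src, dst) pairs from 'access-list NAME extended permit ip ...' lines."""
    pairs = []
    for line in cfg.splitlines():
        t = line.split()
        if t[:5] == ["access-list", name, "extended", "permit", "ip"]:
            src, i = _endpoint(t, 5, objs)
            dst, _ = _endpoint(t, i, objs)
            pairs.append((src, dst))
    return pairs


def parse_split_tunnel(cfg, name):
    """Return the networks listed in a standard split-tunnel ACL."""
    return [IPv4Network(f"{t[4]}/{t[5]}", strict=False)
            for t in (line.split() for line in cfg.splitlines())
            if t[:4] == ["access-list", name, "standard", "permit"]]


def uncovered_pairs(aces, required):
    """Required (src, dst) pairs that no single ACE fully contains."""
    return [(s, d) for s, d in required
            if not any(s.subnet_of(a_s) and d.subnet_of(a_d) for a_s, a_d in aces)]


def non_mirrored(local_aces, remote_aces):
    """Local ACEs whose exact mirror (dst, src) is absent on the remote peer."""
    remote = {(d, s) for s, d in remote_aces}
    return [p for p in local_aces if p not in remote]


def _fmt(pairs):
    return [f"{s} -> {d}" for s, d in pairs]


def audit(site_a=SITE_A_CFG, site_b=SITE_B_CFG):
    """Run every check; each list is empty when the two configs agree."""
    a_aces = parse_crypto_acl(site_a, "SITE_A-TO-SITE_B", parse_objects(site_a))
    b_aces = parse_crypto_acl(site_b, "SITE_B-TO-SITE_A", parse_objects(site_b))
    split = parse_split_tunnel(site_a, "VPN-SPLITTUNNEL")
    return {
        "site_a_uncovered": _fmt(uncovered_pairs(
            a_aces, [(SITE_A_NET, SITE_B_NET), (RAVPN_NET, SITE_B_NET)])),
        "site_b_uncovered": _fmt(uncovered_pairs(
            b_aces, [(SITE_B_NET, SITE_A_NET), (SITE_B_NET, RAVPN_NET)])),
        "not_mirrored_on_b": _fmt(non_mirrored(a_aces, b_aces)),
        "split_tunnel_missing": [str(n) for n in (SITE_A_NET, SITE_B_NET)
                                 if not any(n.subnet_of(s) for s in split)],
    }


if __name__ == "__main__":
    for check, findings in audit().items():
        print(check, findings or "ok")
```

Run it as-is and the Site B excerpt is flagged twice, once as an uncovered required pair and once as a missing mirror of Site A's RAVPN ACE; append the forgotten `access-list SITE_B-TO-SITE_A extended permit ip object SUBNET-10.2.0.0-16 192.168.255.0 255.255.255.0` line and both findings clear. The check deliberately treats a broader ACE (say, a /8 that happens to contain the required /16) as coverage, which matches how the ASA evaluates proxy identities, but it does not validate the NAT exemption or the routing the answer says you still need.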
 
LVL 57

Expert Comment

by:Pete Long
ID: 40006057
Now that ^2 is a post that deserves some points - Bravo!

Really need to update my article on hub-and-spoke VPNs for post-version 8.4!

Pete
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 40006429
Woot!
Thanks Pete
0
 

Author Closing Comment

by:Brockstedt
ID: 40006464
Perfect!!

Thanks,

Dave
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 40013294
I know it's closed now, but if anyone else comes across this, take a look here

Cisco Firewall VPN "Hair Pinning"

Pete
0
