Solved

Csico Remote VPN traffic Transversing Site-to-Site Tunnel

Posted on 2014-04-16
6
1,463 Views
Last Modified: 2014-04-21
Good Day,

We have two Cisco ASAs (Site-A 5510 & Site-B 5515-x) with a Site-to-Site VPN Tunnel between the two.

Each ASA is on IOS 9.1(5)

We have remote users that need to access resources at both locations and we need them to be able to do this without confusing them.

Is it possible to configure for a remote connection that is connected to Site-A ASA to transverse the Site-to-Site tunnel to Site-B for resources the user may need to access there? and vice-versa?

If so, Is there an example configuration we could follow for this?

Thanks,

Dave
0
Comment
Question by:Brockstedt
  • 3
  • 2
6 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 40004998
Yes, this can be done. Essentially, if you had ASA's A, B, and C with B being the hub, you would configure a site to site with A-B and B-C, and the crypto maps would include ALL destination subnets, not just the destinations on the tunnel endpoint.

Config to follow...
0
 
LVL 20

Accepted Solution

by:
rauenpc earned 500 total points
ID: 40005073
Site A: 10.1.0.0/16
Site B: 10.2.0.0/16
RAVPN : 192.168.255.0/24
RAVPN connects to Site A, and accesses resources at sites A and B.


ip local pool VPNPOOL 192.168.255.1-192.168.255.50

object network SUBNET-10.1.0.0-16
 subnet 10.1.0.0 255.255.0.0

object network SUBNET-10.2.0.0-16
 subnet 10.2.0.0 255.255.0.0

object network SUBNET-192.168.255.0-24
 subnet 192.168.255.0 255.255.255.0

!!The cryptomap needs to include ALL sources and destinations. In this case,
!!the sources will be Site A and RAVPN

access-list SITE_A-TO-SITE_B extended permit ip object SUBNET-10.1.0.0-16 object SUBNET-10.2.0.0-16
access-list SITE_A-TO-SITE_B extended permit ip object SUBNET-192.168.255.0-24 object SUBNET-10.2.0.0-16

!!VPN split tunnel must include both sites A and B. Also, if RAVPN to RAVPN traffic is desired, add the RAVPN
!!subnet as well (this would also need to be put in an (outside,outside) nat exemption).

access-list VPN-SPLITTUNNEL standard permit 10.1.0.0 255.255.0.0 
access-list VPN-SPLITTUNNEL standard permit 10.2.0.0 255.255.0.0 
access-list VPN-SPLITTUNNEL standard permit 192.168.255.0 255.255.255.0 

!!nat exemptions. Below is a VERY generic rule that basically states that any private IP addresses going
!!to other private IP address will not be nat'd. Since the interfaces are (any,any), the routing table
!!will be used to determine ingress and egress interfaces. You may want to be more specific with your nat
!!exemptions. When being more specific, the statements must reference physical interfaces used, meaning that
!!for traffic going from RAVPN through Site A destined for Site B, the nat exemption will be (outside,outside)

object network SUBNET-10.0.0.0-8
subnet 10.0.0.0 255.0.0.0

object network SUBNET-172.16.0.0-12
subnet 172.16.0.0 255.240.0.0

object network SUBNET-192.168.0.0-16
subnet 192.168.0.0 255.255.0.0

object-group network SUBNETS-RFC1918
network-object object SUBNET-192.168.0.0-16
network-object object SUBNET-10.0.0.0-8
network-object object SUBNET-172.16.0.0-12

nat (any,any) source static SUBNETS-RFC1918 SUBNETS-RFC1918 destination static SUBNETS-RFC1918 SUBNETS-RFC1918 no-proxy-arp


!!crypto config

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto dynamic-map DYNMAP 100 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map DYNMAP 100 set reverse-route

crypto map L2L-VPN 1 match address SITE_A-TO-SITE_B
crypto map L2L-VPN 1 set peer 9.9.9.9
crypto map L2L-VPN 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map L2L-VPN 65000 ipsec-isakmp dynamic DYNMAP
crypto map L2L-VPN interface outside

crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

tunnel-group 9.9.9.9 type ipsec-l2l
tunnel-group 9.9.9.9 ipsec-attributes
 ikev1 pre-shared-key U$eTh3F0rc3!Y0ungSkyw@lk3r

group-policy RAVPN-GP internal
group-policy RAVPN-GP attributes
dns-server value 1.1.1.1 1.1.1.2
vpn-access-hours none
vpn-simultaneous-logins 10
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-SPLITTUNNEL
default-domain value company.com
vlan none
address-pools value VPNPOOL

tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
 address-pool VPNPOOL
 default-group-policy RAVPN-GP
tunnel-group RAVPN ipsec-attributes
 ikev1 pre-shared-key j0InTh3D@rk$ide




=================================
Site B
=================================

!!This is a mirror of Site A minus the RAVPN




object network SUBNET-10.1.0.0-16
 subnet 10.1.0.0 255.255.0.0

object network SUBNET-10.2.0.0-16
 subnet 10.2.0.0 255.255.0.0

object network SUBNET-192.168.255.0-24
 subnet 192.168.255.0 255.255.255.0

!!The cryptomap needs to include ALL sources and destinations. In this case,
!!the sources will be Site B and destinations will be both Site A and RAVPN

access-list SITE_B-TO-SITE_A extended permit ip object SUBNET-10.2.0.0-16 object SUBNET-10.1.0.0-16
access-list SITE_B-TO-SITE_A extended permit ip object SUBNET-10.2.0.0-16 object SUBNET-192.168.255.0-24

!!nat exemptions. Below is a VERY generic rule that basically states that any private IP addresses going
!!to other private IP address will not be nat'd. Since the interfaces are (any,any), the routing table
!!will be used to determine ingress and egress interfaces. You may want to be more specific with your nat
!!exemptions. When being more specific, the statements must reference physical interfaces used, meaning that
!!for traffic going from RAVPN through Site A destined for Site B, the nat exemption will be (outside,outside)

object network SUBNET-10.0.0.0-8
subnet 10.0.0.0 255.0.0.0

object network SUBNET-172.16.0.0-12
subnet 172.16.0.0 255.240.0.0

object network SUBNET-192.168.0.0-16
subnet 192.168.0.0 255.255.0.0

object-group network SUBNETS-RFC1918
network-object object SUBNET-192.168.0.0-16
network-object object SUBNET-10.0.0.0-8
network-object object SUBNET-172.16.0.0-12

nat (any,any) source static SUBNETS-RFC1918 SUBNETS-RFC1918 destination static SUBNETS-RFC1918 SUBNETS-RFC1918 no-proxy-arp


!!crypto config

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto dynamic-map DYNMAP 100 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map DYNMAP 100 set reverse-route

crypto map L2L-VPN 1 match address SITE_B-TO-SITE_A
crypto map L2L-VPN 1 set peer 10.10.10.10
crypto map L2L-VPN 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map L2L-VPN 65000 ipsec-isakmp dynamic DYNMAP
crypto map L2L-VPN interface outside

crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

tunnel-group 10.10.10.10 type ipsec-l2l
tunnel-group 10.10.10.10 ipsec-attributes
 ikev1 pre-shared-key U$eTh3F0rc3!Y0ungSkyw@lk3r

Open in new window


As much as I'd like so say I'm perfect... that would be far from true. I pulled this from a couple different configs so it should be close, but I may have a couple mistakes in there if you attempt to do a straight copy/paste of that config.

You will still need other components that aren't in the config like routing, interface ACL's... essentially the base components to get the individual VPN connections working. Good luck!
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 40006057
Now that ^2 Is a post that deserves some points - Bravo!

Really need to update my article on hub and spoke VPN's for post version 8.4!

Pete
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 20

Expert Comment

by:rauenpc
ID: 40006429
Woot!
Thanks Pete
0
 

Author Closing Comment

by:Brockstedt
ID: 40006464
Perfect!!

Thanks,

Dave
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 40013294
I know its closed now, but if anyone else comes across this, take a look here

Cisco Firewall VPN "Hair Pinning"

Pete
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now