ASA IPSEC S2S Config Example


8/13/2019 ASA IPSEC S2S Config Example

IPSEC-VPN-Scenario: Site-2-Site on ASA

So far we have worked through many IPsec S2S VPN scenarios, but what if you are asked to use an ASA 5510 rather than an IOS router? Let's take a topology here.

In the above scenario we have two sites, Site1 & Site2, with one ASA at each site (Peer1 & Peer2 respectively). We have been asked to secure the traffic flowing between the private networks, i.e. from 1.1.1.0/24 to 2.2.2.0/24, as it crosses the internet. Here I'm going to use the ASAs as the VPN boxes and routers as the host PCs.

R1 Configuration (Host)
!
hostname Host
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 1.1.1.10
!

ASA1 Configuration
!
hostname Peer1
!
!
interface Ethernet0
 nameif Outside
 security-level 0
 ip address 10.1.1.10 255.255.255.0
!


interface Ethernet1
 nameif Inside
 security-level 100
 ip address 1.1.1.10 255.255.255.0
!
! ISAKMP Parameters
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
!
! Create tunnel group which defines the type of VPN you are going to terminate & also
! define the tunnel group id, i.e. IP Address of the other VPN Peer.
tunnel-group 20.1.1.10 type ipsec-l2l
!
! Here under ipsec-attributes we define PSK (pre shared key)
tunnel-group 20.1.1.10 ipsec-attributes
 pre-shared-key cisco
!
! Security Policy to deal with interesting traffic
crypto ipsec transform-set sec-p esp-3des esp-md5-hmac
!
! Crypto ACL (Interesting Traffic)
access-list vpn-traffic extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
!
! Crypto MAP to associate ISAKMP & IPSec Parameters
crypto map s-map 10 match address vpn-traffic
crypto map s-map 10 set peer 20.1.1.10
crypto map s-map 10 set transform-set sec-p
!
! Apply crypto map on interface
crypto map s-map interface Outside
!
! Enable ISAKMP
crypto isakmp enable Outside
!
! Exempt the IPSec traffic flowing from the lower- to higher-security-level interface
sysopt connection permit-vpn
!
route Outside 0.0.0.0 0.0.0.0 10.1.1.100
!

Internet Configuration
!
hostname Internet
!
interface FastEthernet0/0
 ip address 10.1.1.100 255.255.255.0
!
interface FastEthernet0/1
 ip address 20.1.1.100 255.255.255.0
!

ASA2 Configuration
!
hostname Peer2
!
!
interface Ethernet0
 nameif Outside
 security-level 0
 ip address 20.1.1.10 255.255.255.0
!
interface Ethernet1
 nameif Inside
 security-level 100
 ip address 2.2.2.10 255.255.255.0
!
! ISAKMP Parameters
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
!
! Create tunnel group which defines the type of VPN you are going to terminate & also
! define the tunnel group id, i.e. IP Address of the other VPN Peer.
tunnel-group 10.1.1.10 type ipsec-l2l
!
! Here under ipsec-attributes we define PSK (pre shared key)
tunnel-group 10.1.1.10 ipsec-attributes
 pre-shared-key cisco
!
! Security Policy to deal with interesting traffic
crypto ipsec transform-set sec-p esp-3des esp-md5-hmac
!
! Crypto ACL (Interesting Traffic)
access-list vpn-traffic extended permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0
!
! Crypto MAP to associate ISAKMP & IPSec Parameters
crypto map s-map 10 match address vpn-traffic
crypto map s-map 10 set peer 10.1.1.10
crypto map s-map 10 set transform-set sec-p
!
! Apply crypto map on interface
crypto map s-map interface Outside
!
! Enable ISAKMP
crypto isakmp enable Outside
!
! Exempt the IPSec traffic flowing from the lower- to higher-security-level interface
sysopt connection permit-vpn
!
route Outside 0.0.0.0 0.0.0.0 20.1.1.100
!

R2 Configuration (Host)
!
hostname
!
interface FastEthernet0/0
 ip address 2.2.2.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 2.2.2.10
!

Note - Don't forget to bring all routers' & ASAs' interfaces up.

Posted 4th December 2011 by ccie_security
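A quick way to catch the mismatches that most often keep a pair of ASA l2l tunnels from coming up (peer addresses, tunnel-group, PSK, transform-set, mirrored crypto ACLs), as an added example that is not code from the original post; the sample configs are constructed from the Peer1/Peer2 values above, and the weak-algorithm warning (3DES, MD5, DH group 2) is an extra check the post itself does not make.

```python
"""Consistency check for a pair of ASA site-to-site (ipsec-l2l) configs.

Added example, not code from the original post. It parses only the commands
the post uses and checks that the two peers mirror each other; the
weak-algorithm warning is my own extra check. PEER1 is constructed from the
post's Peer1 values; PEER2 is PEER1 with the public addresses swapped and
the crypto ACL reversed, which is exactly how the post's Peer2 differs.
"""

PEER1 = """
interface Ethernet0
 nameif Outside
 ip address 10.1.1.10 255.255.255.0
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
tunnel-group 20.1.1.10 type ipsec-l2l
tunnel-group 20.1.1.10 ipsec-attributes
 pre-shared-key cisco
crypto ipsec transform-set sec-p esp-3des esp-md5-hmac
access-list vpn-traffic extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
crypto map s-map 10 match address vpn-traffic
crypto map s-map 10 set peer 20.1.1.10
crypto map s-map 10 set transform-set sec-p
crypto map s-map interface Outside
crypto isakmp enable Outside
"""
PEER2 = (PEER1.replace("10.1.1.10", "@").replace("20.1.1.10", "10.1.1.10")
         .replace("@", "20.1.1.10")
         .replace("ip 1.1.1.0 255.255.255.0 2.2.2.0", "ip 2.2.2.0 255.255.255.0 1.1.1.0"))

WEAK = {"des", "3des", "md5", "1", "2", "5"}  # ISAKMP values to flag (lab uses 3DES/MD5/DH 2)


def parse_asa(text):
    """Extract the VPN-relevant values of an ASA config into a dict."""
    c = {"outside_ip": None, "peer": None, "l2l_peers": set(), "psk": {},
         "tsets": {}, "map_tset": None, "map_acl": None, "acls": {},
         "isakmp": {}, "map_iface": None, "isakmp_iface": None}
    on_outside, tg = False, None  # sub-mode state: interface Outside / tunnel-group
    for line in text.splitlines():
        w = line.split()
        if not w or w[0].startswith("!"):
            continue
        if w[0] == "interface":
            on_outside = False
        elif w[:2] == ["nameif", "Outside"]:
            on_outside = True
        elif w[:2] == ["ip", "address"] and on_outside:
            c["outside_ip"], on_outside = w[2], False
        elif w[0] == "tunnel-group" and w[2:] == ["type", "ipsec-l2l"]:
            c["l2l_peers"].add(w[1])
        elif w[0] == "tunnel-group" and w[2:] == ["ipsec-attributes"]:
            tg = w[1]
        elif w[0] == "pre-shared-key" and tg:
            c["psk"][tg] = w[1]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            c["tsets"][w[3]] = tuple(w[4:])
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            c["acls"].setdefault(w[1], set()).add(tuple(w[5:9]))  # src mask dst mask
        elif w[:2] == ["crypto", "map"] and w[3] == "interface":
            c["map_iface"] = w[4]
        elif w[:2] == ["crypto", "map"]:  # set peer / set transform-set / match address
            key = {"peer": "peer", "transform-set": "map_tset", "address": "map_acl"}.get(w[5])
            if key:
                c[key] = w[6]
        elif w[:3] == ["crypto", "isakmp", "enable"]:
            c["isakmp_iface"] = w[3]
        elif w[0] in ("encryption", "hash", "group", "authentication"):
            c["isakmp"][w[0]] = w[1]  # ISAKMP policy sub-mode
    return c


def check_pair(a, b):
    """Return (errors, warnings) for two parsed peers meant to form one tunnel."""
    errors, warnings = [], []
    for me, other, tag in ((a, b, "Peer1"), (b, a, "Peer2")):
        if me["peer"] != other["outside_ip"]:
            errors.append(f"{tag}: set peer {me['peer']} is not the other side's outside IP")
        if me["peer"] not in me["l2l_peers"]:
            errors.append(f"{tag}: missing 'tunnel-group {me['peer']} type ipsec-l2l'")
        if me["map_iface"] != "Outside" or me["isakmp_iface"] != "Outside":
            errors.append(f"{tag}: crypto map or ISAKMP not enabled on Outside")
        for k in ("encryption", "hash", "group"):
            if me["isakmp"].get(k) in WEAK:
                warnings.append(f"{tag}: ISAKMP {k} {me['isakmp'][k]} is weak")
    if not a["psk"] or a["psk"].get(a["peer"]) != b["psk"].get(b["peer"]):
        errors.append("pre-shared keys missing or differ")
    if a["tsets"].get(a["map_tset"]) != b["tsets"].get(b["map_tset"]):
        errors.append("transform-sets differ")
    mirror = {(d, dm, s, sm) for s, sm, d, dm in b["acls"].get(b["map_acl"], set())}
    if a["acls"].get(a["map_acl"], set()) != mirror:
        errors.append("crypto ACLs are not mirror images")
    return errors, warnings
```

Run `check_pair(parse_asa(PEER1), parse_asa(PEER2))`: the lab pair yields no errors but six weak-algorithm warnings, and changing the PSK, the ACL or the tunnel-group on one side produces the matching error.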

IPSEC-VPN-Scenario: One site's VPN Box having non-routable address (Static PAT with NAT-T & without NAT-T)


In a scenario where we have a PAT device after the VPN box, because the VPN box has a non-routable IP configured, we are bound to initiate our traffic from the site where the PAT device is installed. As we learned when covering the types of NAT, dynamic NAT & PAT create dynamic entries which do not last long. In such a scenario we enable NAT keepalives, but that does not provide bidirectional functionality, meaning we cannot initiate the tunnel from both sites. Here we will see how to make it bidirectional so we can initiate our tunnel from either end.

In the above topology I have two sites, Site1 & Site2, and we need the two sites' private networks to communicate in a secure fashion. As Site1's VPN box doesn't have a public IP, we need to translate its private IP into a public IP; for that we introduce a PAT device after the VPN box. To make this communication bidirectional, meaning either end can initiate the tunnel, we implement static PAT & create static entries. As NAT-T is enabled at both ends, we have to create static entries compatible with NAT-T (UDP 500 for IKE and UDP 4500 for the NAT-T encapsulated ESP):

ip nat inside source static udp 192.168.1.1 4500 interface FastEthernet0/1 4500
ip nat inside source static udp 192.168.1.1 500 interface FastEthernet0/1 500

If the NAT-T feature is not available, we need to configure our IOS_PAT device as given below (ESP carries no port numbers, so it gets its own static entry):

access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static esp 192.168.1.1 interface FastEthernet0/1
ip nat inside source static udp 192.168.1.1 500 interface FastEthernet0/1 500

Note - The rest of the configuration on R1, R2 & IOS_PAT is the same as given in the IPSec Pass-through scenario.
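A small model of the PAT device's translation table, added here (not code from the original post) to show why dynamic PAT alone only works when Site1 initiates and why the static entries above fix that; the addresses are the post's, the packets are constructed, and the IOS pass-through feature is not modelled.

```python
"""Why static PAT entries let either site bring the tunnel up.

Added example, not code from the original post. It models an IOS PAT device
the way the post describes it: overload (dynamic PAT) entries are created
only when an inside host sends first, so IKE arriving from Site2 finds no
translation and is dropped, while the static UDP 500/4500 entries (NAT-T) or
static ESP + UDP 500 entries (no NAT-T) exist before any traffic. Addresses
are the post's (192.168.1.1 behind Fa0/1 172.16.1.10); packets are
constructed; port collisions and the IOS pass-through feature are not modelled.
"""

VPN_BOX, PAT_OUTSIDE = "192.168.1.1", "172.16.1.10"


class IosPat:
    """Translation table of a PAT device, keyed by (protocol, outside port)."""

    def __init__(self, outside_ip):
        self.outside_ip = outside_ip
        self.static = {}   # (proto, out_port) -> (inside_ip, inside_port)
        self.dynamic = {}  # same shape, created by outbound packets (overload)

    def add_static(self, proto, inside_ip, port=None):
        # ip nat inside source static udp <in> <port> interface Fa0/1 <port>
        # ip nat inside source static esp <in> interface Fa0/1   -> port None
        self.static[(proto, port)] = (inside_ip, port)

    def outbound(self, proto, src_ip, src_port=None):
        """Inside -> outside. Returns translated (ip, port), or None when no
        reversible translation can be built for the packet."""
        for (p, out_port), inside in self.static.items():
            if p == proto and inside == (src_ip, src_port):
                return self.outside_ip, out_port
        if proto == "esp":
            return None  # ESP carries no ports, so overload cannot build an entry
        self.dynamic[(proto, src_port)] = (src_ip, src_port)  # port preserved
        return self.outside_ip, src_port

    def inbound(self, proto, dst_port=None):
        """Outside -> inside. Returns inside (ip, port), or None if dropped."""
        return self.static.get((proto, dst_port)) or self.dynamic.get((proto, dst_port))


def build_pat(mode):
    """mode: 'dynamic' (overload only), 'nat-t' or 'no-nat-t' static entries."""
    pat = IosPat(PAT_OUTSIDE)
    if mode != "dynamic":
        pat.add_static("udp", VPN_BOX, 500)   # IKE
    if mode == "nat-t":
        pat.add_static("udp", VPN_BOX, 4500)  # NAT-T encapsulated ESP
    elif mode == "no-nat-t":
        pat.add_static("esp", VPN_BOX)        # raw ESP, no ports
    return pat


def site1_initiates(pat, nat_t):
    """Site1 (behind PAT) sends first; do IKE replies and data get back in?"""
    pat.outbound("udp", VPN_BOX, 500)
    ike_ok = pat.inbound("udp", 500) == (VPN_BOX, 500)
    if nat_t:
        data_ok = pat.outbound("udp", VPN_BOX, 4500) and pat.inbound("udp", 4500)
    else:
        data_ok = pat.outbound("esp", VPN_BOX) and pat.inbound("esp")
    return ike_ok and bool(data_ok)


def site2_initiates(pat, nat_t):
    """Site2 (public peer) sends IKE to the PAT address before Site1 sent anything."""
    ike_ok = pat.inbound("udp", 500) == (VPN_BOX, 500)
    data_ok = pat.inbound("udp", 4500) if nat_t else pat.inbound("esp")
    return ike_ok and data_ok is not None
```

With `build_pat("dynamic")` only Site1 can initiate (and only with NAT-T, since raw ESP cannot be overloaded); with the `nat-t` or `no-nat-t` static entries either side can.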

Posted 29th October 2011 by ccie_security

IPSEC-VPN-Scenario: IPSec Pass-through

Consider a scenario where your VPN box doesn't support the NAT-T feature & you have a PAT device after that VPN box, as your VPN box doesn't carry a public IP. How will you pass an IPSec tunnel through your PAT device in this scenario? Here is your answer: IPSec Pass-through. This is another method for resolving IPSec & NAT incompatibilities. This method, however, applies only to ESP-based IPSec traffic. It supports ESP & IKE in tunnel mode through an IOS PAT box. AH, or ESP in transport mode, is not supported.

Now let's do the lab:

In the above topology I have two sites, Site1 & Site2, and we need the two sites' private networks to communicate in a secure fashion. As Site1's VPN box doesn't have a public IP, we need to translate its private IP into a public IP; for that we introduce a PAT device after the VPN box, but here we are bound to use an IOS PAT device in place of an ASA, because the ASA doesn't support the IPSec Pass-through feature.

Note - If you are doing this lab on GNS, I recommend using a 7200 series router for your PAT device.

R1 Configuration
!
hostname R1
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 crypto map s-map
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.255
!
! ISAKMP Parameters
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! PSK to get VPN Box Authenticated by peer
crypto isakmp key cisco address 172.16.1.2
!
! Security Policy to deal with interesting traffic
crypto ipsec transform-set sec-p esp-3des esp-md5-hmac
!
! Crypto ACL (Proxy Identity)
ip access-list extended vpn-traffic
 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
!
! Crypto MAP to associate ISAKMP & IPSec Parameters
crypto map s-map 10 ipsec-isakmp
 set peer 172.16.1.2
 set transform-set sec-p
 match address vpn-traffic
!
ip route 0.0.0.0 0.0.0.0 192.168.1.10
!
! Disable NAT-T, as we are using IPSec Pass-through
no crypto ipsec nat-transparency udp-encaps
!

IOS_PAT Configuration
!
hostname IOS_PAT
!
interface FastEthernet0/0
 ip address 192.168.1.10 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 172.16.1.10 255.255.255.0
 ip nat outside
!
! PAT & IPSec Pass-through configuration


access-list 1 permit 192.168.1.0 0.0.0.255
ip nat service list 1 IKE preserve-port
ip nat service list 1 ESP spi-match
ip nat inside source list 1 interface FastEthernet0/1 overload
!

R2 Configuration
!
hostname R2
!
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 crypto map s-map
!
interface Loopback1
 ip address 10.1.2.2 255.255.255.255
!
! ISAKMP Parameters
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! PSK to get VPN Box Authenticated by peer
crypto isakmp key cisco address 172.16.1.10
!
! Security Policy to deal with interesting traffic
crypto ipsec transform-set sec-p esp-3des esp-md5-hmac
!
! Crypto ACL (Proxy Identity)
ip access-list extended vpn-traffic
 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! Crypto MAP to associate ISAKMP & IPSec Parameters
crypto map s-map 10 ipsec-isakmp
 set peer 172.16.1.10
 set transform-set sec-p
 match address vpn-traffic
!
ip route 0.0.0.0 0.0.0.0 172.16.1.10
!
! Disable NAT-T, as we are using IPSec Pass-through
no crypto ipsec nat-transparency udp-encaps
!

Note - Don't forget to bring all routers' interfaces up & apply the crypto map separately.

Posted 29th October 2011 by ccie_security

IPSEC-VPN-Scenario: IKE Keepalives & DPD (Dead Peer Detection)

If we have an IPSEC VPN tunnel between two peers and for some reason there is no connectivity between them, what happens when one peer tries to send traffic to the other?

Let's take an example: if PeerA has some data to send to PeerB, it will first encrypt the packet and then send it, which is its default behaviour with an IPSEC VPN tunnel. That means that to encrypt the traffic it uses the VPN box's resources & consumes CPU cycles even though the traffic is never going to reach PeerB; as long as PeerA has data to send, it will keep encrypting & sending traffic out.


For every IPSEC VPN tunnel each VPN box holds one bidirectional ISAKMP SA & two unidirectional IPSEC SAs. So if PeerA has data to send to PeerB, it uses one of the two IPSEC SAs, the outbound SA, to encrypt the traffic, which wastes CPU cycles; and the existence of any SA, ISAKMP or IPSEC, consumes the peer's resources.

So our objective is to check the liveliness of the peer & remove the stale SAs. How do VPN peers achieve this?

A keepalive mechanism, wherein peers exchange messages to inform each other that they are alive, resolves these issues.

We have two such mechanisms:

1- IKE keepalives: IKE keepalive messages are exchanged by the peers periodically to announce their availability. If the configured number of messages go unacknowledged, the other VPN peer is considered unreachable, which results in removal of all the associated SAs. As keepalive messages are sent periodically, this doesn't scale well when we have thousands of IPSEC sessions, because it burdens the peer and increases the use of the peer box's resources.

2- DPD (Dead Peer Detection): This is Cisco proprietary and an alternative mechanism which is more scalable than IKE keepalives in detecting dead IPSEC peers. Unlike IKE keepalives, DPD does not send keepalives periodically to check the liveliness of a peer. The fundamental premise behind DPD is that it is a traffic-based detection method. In other words, DPD specifies that when traffic is flowing between the peers there is no need to send keepalives to check the liveliness of the peer, as the traffic itself proves the availability of the peer. This approach is called the on-demand approach. For example, if PeerA has outbound traffic to send & the liveliness of the other peer is questionable, it sends a DPD message to query the status of the peer. Now a question arises: when is liveliness said to be questionable? If a period of time elapses during which no traffic is exchanged between the peers, the liveliness of each peer is questionable. Likewise, if a peer has traffic to send to the other peer and the other peer does not respond, it initiates a DPD message to determine the state of the peer.

    How do we configure it?

crypto isakmp keepalive <idle interval> <retransmit interval>

The idle interval timer facilitates fault detection & the recovery of idle resources in the absence of a valid connection. The idle interval is the configured time during which the peer has not received any inbound data on its SA from the remote peer. Once the interval is hit, an R_U_THERE message is sent and the initiator expects an R_U_THERE_ACK back from the other peer. If the ACK is not received, the R_U_THERE message is retransmitted three times, spaced by the "retransmit interval", before the initiator declares the remote peer dead.
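The timer behaviour described above, replayed as an added example (not code from the original post) with the lab's `crypto isakmp keepalive 20 5` values; it assumes outbound traffic is always waiting, so the on-demand query is always sent, and treats an R_U_THERE_ACK as inbound activity.

```python
"""Timeline model of 'crypto isakmp keepalive <idle> <retransmit>' (DPD).

Added example, not code from the original post. It applies the rule stated
above: after <idle> seconds with no inbound data on the SA, send R_U_THERE
and expect R_U_THERE_ACK; retransmit up to three times, <retransmit> seconds
apart; declare the peer dead when the last retransmission also goes
unanswered. My assumptions: outbound traffic is always waiting (worst case,
so the on-demand query is always sent) and an ACK counts as inbound
activity. Event traces are constructed; 20 and 5 are the lab's timers.
"""

MAX_RETRANSMITS = 3  # the post: R_U_THERE is retransmitted three times


def dpd_timeline(idle, retransmit, events, horizon):
    """Replay inbound events on one SA and report what DPD does.

    events: sorted (time, kind) pairs; kind is 'data' (inbound traffic on
            the SA) or 'ack' (an R_U_THERE_ACK from the peer). Seconds.
    Returns (dead_at, queries): when the peer is declared dead (None if it is
    still considered alive at `horizon`) and the R_U_THERE send times.
    """
    last_inbound = 0.0  # SA just came up: the idle timer starts now
    queries, pending, retransmits, i = [], None, 0, 0
    while True:
        # While a query is outstanding the retransmit timer runs, else the idle timer.
        timer = pending + retransmit if pending is not None else last_inbound + idle
        if i < len(events) and events[i][0] <= timer:
            t, kind = events[i]
            i += 1
            if t > horizon:
                break
            if kind == "data" or (kind == "ack" and pending is not None):
                # Proof of life: drop the outstanding query, restart the idle timer.
                pending, retransmits, last_inbound = None, 0, t
            continue
        if timer > horizon:
            break
        if pending is not None:
            if retransmits == MAX_RETRANSMITS:
                return timer, queries  # third retransmission unanswered: peer dead
            retransmits += 1
        queries.append(timer)  # (re)send R_U_THERE
        pending = timer
    return None, queries


def lab_example():
    """'crypto isakmp keepalive 20 5' with one data packet, one ACK, then silence."""
    return dpd_timeline(20, 5, [(12, "data"), (33, "ack")], horizon=120)
```

With no inbound traffic at all the queries go out at 20, 25, 30 and 35 s and the peer is declared dead at 40 s; a peer that keeps sending data is never queried.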

Now let's do the lab. Here I'm taking the same topology given above, in which we need Site1's & Site2's private networks, i.e. 10.1.1.0/24 & 10.1.2.0/24 respectively, to communicate in a secure fashion, and we have also been asked to configure DPD to facilitate fault detection & removal of stale SAs.


PeerA Configuration
!
hostname PeerA
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 crypto map s-map
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.255
!
! ISAKMP Parameters
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! PSK to get VPN Box Authenticated by peer
crypto isakmp key cisco address 172.16.1.2
!
! Security Policy to deal with interesting traffic
crypto ipsec transform-set sec-p esp-3des esp-md5-hmac
!
! Crypto ACL (Proxy Identity)
ip access-list extended vpn-traffic
 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
!
! Crypto MAP to associate ISAKMP & IPSEC Parameters
crypto map s-map 10 ipsec-isakmp
 set peer 172.16.1.2
 set transform-set sec-p
 match address vpn-traffic
!
ip route 0.0.0.0 0.0.0.0 192.168.1.10
!
! DPD Configuration
crypto isakmp keepalive 20 5
!

Internet Router Configuration
!
hostname Internet
!
interface FastEthernet0/0
 ip address 192.168.1.10 255.255.255.0
!
interface FastEthernet0/1
 ip address 172.16.1.10 255.255.255.0
!


PeerB Configuration
!
hostname PeerB
!
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 crypto map s-map
!
interface Loopback1
 ip address 10.1.2.2 255.255.255.255
!
! ISAKMP Parameters
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! PSK to get VPN Box Authenticated by peer
crypto isakmp key cisco address 192.168.1.1
!
! Security Policy to deal with interesting traffic
crypto ipsec transform-set sec-p esp-3des esp-md5-hmac
!
! Crypto ACL (Proxy Identity)
ip access-list extended vpn-traffic
 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! Crypto MAP to associate ISAKMP & IPSEC Parameters
crypto map s-map 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set sec-p
 match address vpn-traffic
!
ip route 0.0.0.0 0.0.0.0 172.16.1.10
!
! DPD Configuration
crypto isakmp keepalive 20 5
!

Note - Don't forget to bring all routers' interfaces up & apply the crypto map separately.

Posted 24th October 2011 by ccie_security

IPSEC-VPN-Scenario: Configure IPSEC VPN with Manual Keying

Consider a scenario in which you have a non-Cisco VPN device at one site and it does not support IKE; how will you implement IPSEC VPN then? In such a scenario we use manual keying: the ESP SPIs and session keys are configured statically on both peers (each side's inbound SPI and key are the other side's outbound ones), so there is no key negotiation and the keys never change unless you change them by hand.

R1 Configuration
!
hostname R1
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 crypto map s-map
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.255
!
! Security Policy to deal with interesting traffic
crypto ipsec transform-set sec-p esp-3des esp-md5-hmac
!
! Crypto ACL (Interesting Traffic)
ip access-list extended vpn-traffic
 permit ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255
!
! Crypto MAP to define manual keys & associate with Security Policy
crypto map s-map 10 ipsec-manual
 set peer 172.16.1.3
 set session-key inbound esp 1001 cipher 1234abcd1234abcd authenticator 20


 set session-key outbound esp 1000 cipher abcd1234abcd1234 authenticator 20
 set transform-set sec-p
 match address vpn-traffic
!
ip route 0.0.0.0 0.0.0.0 192.168.1.10
!

R2 Configuration
!
hostname R2
!
interface FastEthernet0/0
 ip address 192.168.1.10 255.255.255.0
!
interface FastEthernet0/1
 ip address 172.16.1.10 255.255.255.0
!

R3 Configuration
!
hostname r3
!
interface FastEthernet0/0
 ip address 172.16.1.3 255.255.255.0
 crypto map s-map
!
interface Loopback1
 ip address 10.1.3.3 255.255.255.0
!
! Security Policy to deal with interesting traffic
crypto ipsec transform-set sec-p esp-3des esp-md5-hmac
!
! Crypto ACL (Interesting Traffic)
ip access-list extended vpn-traffic
 permit ip 10.1.3.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! Crypto MAP to define manual keys & associate with Security Policy
crypto map s-map 10 ipsec-manual
 set peer 192.168.1.1
 set session-key inbound esp 1000 cipher abcd1234abcd1234 authenticator 20
 set session-key outbound esp 1001 cipher 1234abcd1234abcd authenticator 20
 set transform-set sec-p
 match address vpn-traffic
!
ip route 0.0.0.0 0.0.0.0 172.16.1.10
!


Note - Don't forget to bring all routers' interfaces up & apply the crypto map separately.


IPSEC-VPN-Scenario: One site is having NAT-Control enabled ASA

How do we deal with a scenario in which we have a NAT-Control enabled ASA at one site and we need to connect it to another site in order to secure the communication?

In the above topology we need Site1's & Site2's private networks, i.e. 10.1.1.0/24 & 10.1.2.0/24 respectively, to communicate in a secure fashion. But here you have a NAT-Control enabled ASA at Site1, so we need Site1's VPN peer IP address to be exempted from NAT translation rule checking. To do so we use NAT Identity, but which NAT Identity technique? If we want either peer to be able to initiate the VPN session we have to go with Static Identity NAT or NAT Exemption. So for the above topology we can use either of the following options:

Static Identity NAT
static (inside,outside) 192.168.1.1 192.168.1.1

OR

NAT-Exemption
access-list vpn-peer-exempt extended permit ip host 192.168.1.1 host 172.16.1.2
nat (inside) 0 access-list vpn-peer-exempt

You must have compatible ACLs on the ASA to let the VPN session through. The following ACLs are required:

access-list out-acl extended permit udp host 172.16.1.2 eq isakmp host 192.168.1.1 eq isakmp
access-list out-acl extended permit esp host 172.16.1.2 host 192.168.1.1
access-group out-acl in interface outside

Site1 Configuration
!
hostname Site1
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 crypto map s-map
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.255
!
! ISAKMP Parameters
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! PSK to get VPN Box Authenticated by peer
crypto isakmp key cisco address 172.16.1.2
!
! Security Policy to deal with interesting traffic
crypto ipsec transform-set sec-p esp-3des esp-md5-hmac
!
! Crypto ACL (Proxy Identity)
ip access-list extended vpn-traffic
 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
!
! Crypto MAP to associate ISAKMP & IPSEC Parameters


crypto map s-map 10 ipsec-isakmp
 set peer 172.16.1.2
 set transform-set sec-p
 match address vpn-traffic
!
ip route 0.0.0.0 0.0.0.0 192.168.1.10
!

ASA Configuration
!
hostname ASA
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 172.16.1.10 255.255.255.0
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0
!
! Enable NAT Control
nat-control
!
! Static Identity NAT
static (inside,outside) 192.168.1.1 192.168.1.1
! OR
! NAT-Exemption
access-list vpn-peer-exempt extended permit ip host 192.168.1.1 host 172.16.1.2
nat (inside) 0 access-list vpn-peer-exempt
!
! Compatible ACL required for VPN session
access-list out-acl extended permit udp host 172.16.1.2 eq isakmp host 192.168.1.1 eq isakmp
access-list out-acl extended permit esp host 172.16.1.2 host 192.168.1.1
!
access-group out-acl in interface outside
!

Site2 Configuration
!
hostname Site2
!
!
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 crypto map s-map


!
interface Loopback1
 ip address 10.1.2.2 255.255.255.255
!
! ISAKMP Parameters
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! PSK to get VPN Box Authenticated by peer
crypto isakmp key cisco address 192.168.1.1
!
! Security Policy to deal with interesting traffic
crypto ipsec transform-set sec-p esp-3des esp-md5-hmac
!
! Crypto ACL (Proxy Identity)
ip access-list extended vpn-traffic
 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! Crypto MAP to associate ISAKMP & IPSEC Parameters
crypto map s-map 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set sec-p
 match address vpn-traffic
!
ip route 0.0.0.0 0.0.0.0 172.16.1.10
!

Note - Don't forget to bring all routers' interfaces up & apply the crypto map separately.

Posted 20th October 2011 by ccie_security

    IPSEC Hairpinning


This feature can be thought of as VPN spokes connecting through a VPN hub. In this scenario the hub VPN box receives traffic over one tunnel from one spoke, decrypts it & encrypts it again in order to send it out to another spoke through another tunnel.

In the above topology we need Site1's & Site2's private networks, i.e. 2.2.2.0/24 & 3.3.3.0/24 respectively, to communicate in a secure fashion, but the condition here is that we have been asked to use the same tunnels (from the hub VPN box to the Site1 & Site2 VPN boxes) to make the communication happen.

R1 Configuration
!
hostname R1
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 crypto map s-map
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
! ISAKMP Parameters
crypto isakmp policy 10
 encr 3des


 hash md5
 authentication pre-share
 group 2
!
! PSK to get VPN Box authenticated by Site1 peer
crypto isakmp key cisco address 20.1.1.2
!
! Security Policy to deal with interesting traffic
crypto ipsec transform-set sec-p esp-3des esp-md5-hmac
!
! Interesting Traffic for Hub-Site1 tunnel
ip access-list extended vpn-traffic-r1-r2
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
 permit ip 3.3.3.0 0.0.0.255 2.2.2.0 0.0.0.255
!
! Crypto MAP to associate ISAKMP & IPSEC Parameters for Hub-Site1 tunnel
crypto map s-map 10 ipsec-isakmp
 set peer 20.1.1.2
 set transform-set sec-p
 match address vpn-traffic-r1-r2
!
! PSK to get VPN Box authenticated by Site2 peer
crypto isakmp key cisco address 30.1.1.3
!
! Interesting traffic for Hub-Site2 tunnel
ip access-list extended vpn-traffic-r1-r3
 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
 permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
!
! Crypto MAP to associate ISAKMP & IPSEC Parameters for Hub-Site2 tunnel
crypto map s-map 20 ipsec-isakmp
 set peer 30.1.1.3
 set transform-set sec-p
 match address vpn-traffic-r1-r3
!
ip route 0.0.0.0 0.0.0.0 10.1.1.10
!

R2 Configuration
!
hostname R2
!
interface FastEthernet0/0
 ip address 20.1.1.2 255.255.255.0
 crypto map s-map
!


interface Loopback1
 ip address 2.2.2.2 255.255.255.255
!
! ISAKMP Parameters
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! PSK to get VPN Box authenticated by Hub peer
crypto isakmp key cisco address 10.1.1.1
!
! Security Policy to deal with interesting traffic
crypto ipsec transform-set sec-p esp-3des esp-md5-hmac
!
! Interesting Traffic
ip access-list extended vpn-traffic
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
 permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
!
! Crypto MAP to associate ISAKMP & IPSEC Parameters for Hub-Site1 tunnel
crypto map s-map 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set sec-p
 match address vpn-traffic
!
ip route 0.0.0.0 0.0.0.0 20.1.1.10
!

R3 Configuration
!
hostname R3
!
interface FastEthernet0/0
 ip address 30.1.1.3 255.255.255.0
 crypto map s-map
!
interface Loopback1
 ip address 3.3.3.3 255.255.255.255
!
! ISAKMP Parameters
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share


 group 2
!
! PSK to get VPN Box authenticated by Hub peer
crypto isakmp key cisco address 10.1.1.1
!
! Security Policy to deal with interesting traffic
crypto ipsec transform-set sec-p esp-3des esp-md5-hmac
!
! Interesting Traffic
ip access-list extended vpn-traffic
 permit ip 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255
 permit ip 3.3.3.0 0.0.0.255 2.2.2.0 0.0.0.255
!
! Crypto MAP to associate ISAKMP & IPSEC Parameters for Hub-Site2 tunnel
crypto map s-map 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set sec-p
 match address vpn-traffic
!
ip route 0.0.0.0 0.0.0.0 30.1.1.10
!

R4 Configuration
!
hostname R4
!
interface FastEthernet0/0
 ip address 20.1.1.10 255.255.255.0
!
interface FastEthernet0/1
 ip address 30.1.1.10 255.255.255.0
!
interface FastEthernet1/0
 ip address 10.1.1.10 255.255.255.0
!

    Note- Don't forget to bring all routers' interfaces up & apply crypto map separately
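The hairpin only works if the proxy identities line up on every tunnel: each spoke's crypto ACL must be the mirror image of the hub's ACL for that tunnel, and the hub's ACL toward each spoke must also carry the other spoke's network, otherwise spoke-to-spoke traffic that the hub has just decrypted is routed onward without being re-encrypted. The following script is an added example, not part of the original post; it embeds constructed copies of the crypto ACLs from the R1, R2 and R3 configurations above and checks both properties. The ACL strings, the spoke network table and the function names are assumptions made for this example.

```python
import ipaddress
import re
from itertools import permutations

# Constructed excerpts of the crypto ACLs shown on this page. R1 is the hub; the
# dict keys are the spoke peer addresses from R1's "set peer" lines.
HUB_ACLS = {
    "20.1.1.2": """
        permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
        permit ip 3.3.3.0 0.0.0.255 2.2.2.0 0.0.0.255
    """,
    "30.1.1.3": """
        permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
        permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
    """,
}
SPOKE_ACLS = {
    "20.1.1.2": """
        permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
        permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
    """,
    "30.1.1.3": """
        permit ip 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255
        permit ip 3.3.3.0 0.0.0.255 2.2.2.0 0.0.0.255
    """,
}
# Private network behind each spoke, taken from the page's addressing.
SPOKE_NETS = {"20.1.1.2": "2.2.2.0/24", "30.1.1.3": "3.3.3.0/24"}

# Only the "permit ip A wildcard B wildcard" form used on this page is parsed;
# "host"/"any" keywords and port qualifiers are not handled.
ACE = re.compile(r"permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_crypto_acl(text):
    """Return the set of (src_net, dst_net) proxy identities in an IOS extended ACL.
    ipaddress accepts the wildcard as a host mask: 1.1.1.0/0.0.0.255 -> 1.1.1.0/24."""
    return {
        (ipaddress.ip_network(f"{src}/{swc}"), ipaddress.ip_network(f"{dst}/{dwc}"))
        for src, swc, dst, dwc in ACE.findall(text)
    }


def mirror_mismatches(hub_acl, spoke_acl):
    """Phase 2 only negotiates when both ends propose mirror-image proxy identities.
    Returns the identities present on one side but not mirrored on the other."""
    hub = parse_crypto_acl(hub_acl)
    spoke_mirrored = {(dst, src) for src, dst in parse_crypto_acl(spoke_acl)}
    return hub ^ spoke_mirrored


def hairpin_gaps(hub_acls, spoke_nets):
    """For every ordered spoke pair (A, B) the hub's ACL for its tunnel to B must
    permit A_net -> B_net; otherwise traffic decrypted from A is not re-encrypted
    toward B and is forwarded without encryption instead of being hairpinned."""
    gaps = []
    for a, b in permutations(spoke_nets, 2):
        needed = (ipaddress.ip_network(spoke_nets[a]), ipaddress.ip_network(spoke_nets[b]))
        if needed not in parse_crypto_acl(hub_acls[b]):
            gaps.append(f"hub tunnel to {b} lacks {needed[0]} -> {needed[1]}")
    return gaps


def check_hub_and_spokes(hub_acls, spoke_acls, spoke_nets):
    """Return a list of human-readable problems; an empty list means every tunnel's
    proxy identities are consistent and every spoke pair is hairpinned by the hub."""
    problems = []
    for peer in hub_acls:
        for src, dst in sorted(mirror_mismatches(hub_acls[peer], spoke_acls[peer]), key=str):
            problems.append(f"tunnel to {peer}: {src} -> {dst} is not mirrored by the spoke")
    problems.extend(hairpin_gaps(hub_acls, spoke_nets))
    return problems


if __name__ == "__main__":
    for line in check_hub_and_spokes(HUB_ACLS, SPOKE_ACLS, SPOKE_NETS) or ["no problems found"]:
        print(line)
```

With the page's ACLs the check reports nothing; removing the second line of vpn-traffic-r1-r2 on the hub makes it report both a mirror mismatch on the Site1 tunnel and a missing hairpin entry for 3.3.3.0/24 toward 2.2.2.0/24.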

    Posted 19th October 2011 by ccie_security 0


    Oct 18

IPSEC-VPN-Scenario - One site's VPN Box having non-routable address (Dynamic PAT & NAT Keepalives)

How do we configure IPSEC VPN between two sites if one of my sites' VPN device has a non-routable (private) IP address?

It seems the same scenario which we have seen earlier, so your answer will definitely be the same: we have to introduce a NAT device here. But it becomes complicated when we implement Dynamic PAT instead of Dynamic NAT, because after the connection has been inactive for a certain period the respective translated entry gets removed. Although with Dynamic NAT we encounter the same problem, the idle timeout for the entry created by Dynamic NAT is longer, i.e. 3 hours, so we don't need to worry in that case; but for Dynamic PAT it depends on the type of connection entry that exists in the connection table and its duration. Removal of that connection, which will definitely be UDP, leads to the deletion of the respective PAT entry from the xlate (translation table).

So here we have the solution, i.e. NAT Keepalives, which allow the NAT device to maintain the mapped entry that is created for the VPN boxes. NAT Keepalives are UDP packets with an unencrypted payload of 1 byte. Although the current dead peer detection (DPD) implementation is similar to NAT keepalives, there is a slight difference: DPD is used to detect peer status, while NAT keepalives are sent if the IPSec entity did not send or receive a packet within a specified period of time; the valid range is 5 to 3600 seconds. If NAT keepalives are enabled (via the crypto isakmp nat keepalive command), users should ensure that the idle value is shorter than the NAT mapping expiration time, which is 20 seconds. One point you have to keep in mind: enable it before initiating the VPN session, because to make it functional it must be negotiated between the VPN boxes when the negotiation is done.

In the above given topology we have two sites, Site1 & Site2. In Site1 we have the 10.1.1.0/24 network and in Site2 10.1.2.0/24. So here we have been asked to secure the communication between both sites' private networks, which goes through the Internet. To secure the traffic we will be implementing IPSEC-VPN.


While doing the configuration we will encounter one problem: my Site1 VPN box does not have a public IP, so I have to translate it into a public IP address. As I have an ASA firewall in Site1, I will be using it as the NAT device and will configure Dynamic PAT. Here we will also configure NAT Keepalives to keep my connection alive, so the PAT entry will not get removed after the idle timeout duration expires.
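Two things in the passage above are worth seeing concretely: what a NAT keepalive actually looks like on the wire next to the IKE and ESP traffic that share UDP/4500 (RFC 3948 framing), and why the keepalive interval has to be shorter than the NAT device's idle timeout. The script below is an added example written for this page, not code from the original post; the classifier follows the RFC 3948 framing rules, and the timeout values in the simulation are constructed (a 20 second keepalive against a 30 second UDP idle timeout), chosen only to illustrate the rule. The function names are assumptions.

```python
# RFC 3948 framing on UDP/4500 (IPsec NAT-Traversal), as seen by an analyst
# inspecting a capture or by the NAT device that owns the translation:
#   NAT-keepalive : a single 0xFF octet, sent unencrypted, refreshes the mapping only
#   IKE           : 4-octet "non-ESP marker" of zeros followed by the IKE header
#   ESP           : the ESP header itself; its SPI (first 4 octets) is never zero
NAT_KEEPALIVE = b"\xff"
NON_ESP_MARKER = b"\x00\x00\x00\x00"
ESP_HEADER_LEN = 8  # SPI (4) + sequence number (4)


def classify_udp4500(payload: bytes) -> str:
    """Classify one UDP/4500 datagram payload as nat-keepalive, ike, esp or unknown."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if payload.startswith(NON_ESP_MARKER):
        return "ike"
    if len(payload) >= ESP_HEADER_LEN:
        return "esp"
    return "unknown"


def keepalive_interval_ok(interval_s: int, nat_idle_timeout_s: int) -> bool:
    """The page's rule: the keepalive idle value (5..3600 s) must be shorter than
    the NAT device's idle timeout for the UDP translation it refreshes."""
    return 5 <= interval_s <= 3600 and interval_s < nat_idle_timeout_s


def keepalive_schedule(interval_s: int, duration_s: int):
    """Send times of an otherwise idle peer that emits a keepalive every interval_s."""
    return list(range(0, duration_s + 1, interval_s))


def mapping_survives(packet_times, idle_timeout_s: int, end_time: int) -> bool:
    """Simulate a PAT xlate that the NAT device removes once no packet has refreshed
    it for idle_timeout_s. Returns True if the original mapping still exists at
    end_time. False means the peer would come back through a new mapping, so the
    remote side sees a different source port and the existing SAs no longer match."""
    last = None
    for t in sorted(packet_times):
        if last is not None and t - last >= idle_timeout_s:
            return False
        last = t
    return last is not None and end_time - last < idle_timeout_s


if __name__ == "__main__":
    # Constructed values: keepalive every 20 s against a 30 s UDP idle timeout.
    print(keepalive_interval_ok(20, 30), mapping_survives(keepalive_schedule(20, 300), 30, 300))
    print(classify_udp4500(b"\xff"), classify_udp4500(NON_ESP_MARKER + bytes(28)))
```

The classifier is useful on the defensive side as well: a stream of one-byte 0xFF datagrams with no ESP between them is exactly the idle tunnel the post describes, which is what the PAT timeout would otherwise tear down.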

R1 Configuration
!
hostname R1
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 crypto map s-map
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.255
!
! IPSEC VPN Configuration
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 172.16.1.2
!
crypto ipsec transform-set sec-p esp-3des esp-md5-hmac
!
! Crypto ACL (Proxy Identity)
ip access-list extended vpn-traffic
 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
!
crypto map s-map 10 ipsec-isakmp
 set peer 172.16.1.2
 set transform-set sec-p
 match address vpn-traffic
!
ip route 0.0.0.0 0.0.0.0 192.168.1.10
!
! NAT Keepalives configuration
crypto isakmp nat keepalive 20
!

ASA Configuration
!
hostname ASA
!


! Configure Inside & Outside Interfaces
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 172.16.1.10 255.255.255.0
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0
!
! Configure Dynamic PAT
nat (Inside) 5 192.168.1.0 255.255.255.0
global (Outside) 5 interface
!
! Configure Access-list to allow UDP encapsulated packets; here we don't require allowing ESP
! because packets get encapsulated by the NAT-T feature enabled on both VPN Routers
access-list out-acl extended permit udp host 172.16.1.2 any eq 4500
!
! Apply that acl on outside interface
access-group out-acl in interface Outside
!

R2 Configuration
!
hostname R2
!
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 crypto map s-map
!
interface Loopback1
 ip address 10.1.2.2 255.255.255.255
!
! IPSEC VPN Configuration
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set sec-p esp-3des esp-md5-hmac


!
! Crypto ACL (Proxy Identity)
ip access-list extended vpn-traffic
 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! Here we configure a dynamic map because we don't know the peer address; unlike a static
! map, 'set peer' is not a mandatory parameter to be set
crypto dynamic-map D-MAP 10
 set transform-set sec-p
 match address vpn-traffic
!
! We cannot apply a dynamic map on an interface, so we have to associate it with a static map
! and apply that static map on the interface
crypto map s-map 10 ipsec-isakmp dynamic D-MAP
!
ip route 0.0.0.0 0.0.0.0 172.16.1.10
!

Note- Don't forget to bring all routers' interfaces up & apply crypto map separately

    Posted 18th October 2011 by ccie_security 0


    Oct 17

IPSEC-VPN-Scenario Both sites having same Subnet range

If we have a scenario in which we have two sites and both sites have the same subnet in their private networks, and you need to secure the communication between those networks using IPSEC-VPN, how will you achieve this task?


In the above given topology we have two sites in which the private networks are the same, so here our objective is to make both networks communicate in a secure fashion.

Now the question arises how to secure the communication. For that we can implement IPSEC-VPN, but when we deal with this type of VPN we need to define the interesting traffic, i.e. the crypto ACL. So a second question arises: how do we create the crypto ACL in such a scenario?

Our first objective is to make them communicate; for that we need to translate both subnets into some other subnet, so here we will implement static NAT for the subnets in both sites.

On site1: 10.1.1.0/24 -----------> 3.3.3.0/24

On site2: 10.1.1.0/24 -----------> 4.4.4.0/24

Now it's time to achieve your objective using the following GNS topology & configuration:

Here you assume that R1 & R5 are the Host & WWW-Server respectively, and R2 & R4 are both NAT-VPN devices.

    R1-Configuration

    !


hostname R1
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.1.10
!

    R2-Configuration

!
hostname R2
!
! Configure interfaces with appropriate IP address & enable IP NAT accordingly
!
interface FastEthernet0/0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
 crypto map s-map
!
! Enable Static NAT for private network
ip nat inside source static network 10.1.1.0 3.3.3.0 /24
!
! IPSEC VPN Configuration
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 2.2.2.2
!
crypto ipsec transform-set sec-p esp-3des esp-md5-hmac
!
! Interesting Traffic (Crypto ACL); Global Network of both subnets will be defined here


!
ip access-list extended vpn-traffic
 permit ip 3.3.3.0 0.0.0.255 4.4.4.0 0.0.0.255
!
crypto map s-map 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set sec-p
 match address vpn-traffic
!
ip route 0.0.0.0 0.0.0.0 1.1.1.10
!

    R3 Configuration

!
hostname R3
!
interface FastEthernet0/1
 ip address 1.1.1.10 255.255.255.0
!
interface FastEthernet0/0
 ip address 2.2.2.10 255.255.255.0
!

    R4 Configuration

!
hostname R4
!
! Configure interfaces with appropriate IP address & enable IP NAT accordingly
!
interface FastEthernet0/0
 ip address 2.2.2.2 255.255.255.0
 ip nat outside
 crypto map s-map
!
interface FastEthernet0/1
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!


! Enable Static NAT for private network
ip nat inside source static network 10.1.1.0 4.4.4.0 /24
!
! IPSEC VPN Configuration
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 1.1.1.1
!
crypto ipsec transform-set sec-p esp-3des esp-md5-hmac
!
! Interesting Traffic (Crypto ACL); Global Network of both subnets will be defined here
!
ip access-list extended vpn-traffic
 permit ip 4.4.4.0 0.0.0.255 3.3.3.0 0.0.0.255
!
crypto map s-map 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set sec-p
 match address vpn-traffic
!
ip route 0.0.0.0 0.0.0.0 2.2.2.10
!

R5 Configuration
!
hostname R5
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.1.10
!

    Note- Don't forget to bring all routers' interfaces up & apply crypto map separately
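The point of this scenario is the order of operations: on R2 the inside-to-outside static NAT runs before the crypto map, and on R4 decryption runs before the outside-to-inside NAT, so both crypto ACLs see only the translated 3.3.3.0/24 and 4.4.4.0/24 addresses, and a host in Site1 must address the Site2 server by its global 4.4.4.x address (10.1.1.x is local to it). The following script is an added example written for this page, not code from the original post; it models the two NAT-VPN routers with the translations and crypto ACLs from the configurations above and traces a packet through them, and also contrasts a constructed wrong configuration whose crypto ACLs name the private subnets. The SITES/NAIVE_SITES tables and the function names are assumptions made for this example.

```python
import ipaddress

# Constructed model of the two NAT-VPN routers on this page. Both sites use
# 10.1.1.0/24 internally; R2 translates its inside hosts to 3.3.3.0/24 and R4 to
# 4.4.4.0/24 ("ip nat inside source static network ..."), and each crypto ACL
# names only the translated (global) networks, as in the page's configs.
SITES = {
    "R2": {"inside": "10.1.1.0/24", "global": "3.3.3.0/24", "crypto_acl": ("3.3.3.0/24", "4.4.4.0/24")},
    "R4": {"inside": "10.1.1.0/24", "global": "4.4.4.0/24", "crypto_acl": ("4.4.4.0/24", "3.3.3.0/24")},
}

# A constructed wrong configuration to contrast with: crypto ACLs written on the
# private subnets, which never match after NAT has already run.
NAIVE_SITES = {
    "R2": {**SITES["R2"], "crypto_acl": ("10.1.1.0/24", "10.1.1.0/24")},
    "R4": {**SITES["R4"], "crypto_acl": ("10.1.1.0/24", "10.1.1.0/24")},
}


def translate(addr: str, from_net: str, to_net: str) -> str:
    """Static network NAT: keep the host bits, replace the network bits."""
    a = ipaddress.ip_address(addr)
    f, t = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    if a not in f:
        return addr
    return str(t.network_address + (int(a) - int(f.network_address)))


def matches_crypto_acl(site: dict, src: str, dst: str) -> bool:
    """One-line crypto ACL: permit ip <src_net> <dst_net>."""
    s, d = (ipaddress.ip_network(n) for n in site["crypto_acl"])
    return ipaddress.ip_address(src) in s and ipaddress.ip_address(dst) in d


def trace(src_host: str, dst_global: str, from_site: str, to_site: str, sites=SITES):
    """Follow one packet: inside host -> static NAT -> crypto ACL on the sending
    router -> mirrored ACL check on the receiving router -> inbound static NAT.
    Returns the (hop, src, dst) triples observed along the way."""
    src_site, dst_site = sites[from_site], sites[to_site]
    hops = [("host", src_host, dst_global)]
    # Inside-to-outside NAT happens before the crypto map is consulted.
    src_g = translate(src_host, src_site["inside"], src_site["global"])
    hops.append((from_site + " after NAT", src_g, dst_global))
    if not matches_crypto_acl(src_site, src_g, dst_global):
        hops.append((from_site + " not encrypted", src_g, dst_global))
        return hops
    hops.append((from_site + " encrypted", src_g, dst_global))
    # The receiver checks the decrypted packet against the mirror of its own ACL.
    if not matches_crypto_acl(dst_site, dst_global, src_g):
        hops.append((to_site + " dropped (proxy identity mismatch)", src_g, dst_global))
        return hops
    # Decryption happens before outside-to-inside NAT on the receiving router.
    dst_in = translate(dst_global, dst_site["global"], dst_site["inside"])
    hops.append((to_site + " after NAT", src_g, dst_in))
    return hops


if __name__ == "__main__":
    for hop in trace("10.1.1.1", "4.4.4.5", "R2", "R4"):
        print(*hop)
```

Running the trace for 10.1.1.1 talking to 4.4.4.5 shows the source becoming 3.3.3.1 on R2, the packet being encrypted, and the destination becoming 10.1.1.5 behind R4; sending to 10.1.1.5 directly, or using the naive crypto ACLs, ends at "R2 not encrypted".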


    Posted 17th October 2011 by ccie_security 0


    Oct 17

IPSEC-VPN-Scenario One site's VPN Box having non-routable address

How do we configure IPSEC VPN between two sites if one of my sites' VPN device has a non-routable (private) IP address? In such a scenario we need to translate that VPN box's non-routable IP address into a routable (public) IP address, and for that we need to implement NAT.

In the above given topology we have two sites, Site1 & Site2. In Site1 we have the 10.1.1.0/24 network and in Site2 10.1.2.0/24. So here we have been asked to secure the communication between both sites' private networks, which goes through the Internet. To secure the traffic we will be implementing IPSEC-VPN. While doing the configuration we will encounter one problem: my Site1 VPN box does not have a public IP, so I have to translate it into a public IP address. As I have an ASA firewall in Site1, I will be using it as the NAT device and will configure Dynamic NAT.

R1 Configuration
!


hostname R1
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 crypto map s-map
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.255
!
! IPSEC VPN Configuration
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key cisco address 172.16.1.2
!
crypto ipsec transform-set sec-p esp-3des esp-md5-hmac
!
! Crypto ACL (Proxy Identity)
ip access-list extended vpn-traffic
 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
!
crypto map s-map 10 ipsec-isakmp
 set peer 172.16.1.2
 set transform-set sec-p
 match address vpn-traffic
!
ip route 0.0.0.0 0.0.0.0 192.168.1.10
!

ASA Configuration
!
hostname ASA
!
! Configure Inside & Outside Interfaces
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 172.16.1.10 255.255.255.0
!
interface Ethernet0/1


 nameif Inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0
!
! Configure Dynamic NAT
nat (Inside) 5 192.168.1.0 255.255.255.0
global (Outside) 5 172.16.1.11-172.16.1.20
!
! Configure Access-list to allow UDP encapsulated packets; here we don't require allowing ESP
! because packets get encapsulated by the NAT-T feature enabled on both VPN Routers
access-list out-acl extended permit udp host 172.16.1.2 any eq 4500
!
! Apply that acl on outside interface
access-group out-acl in interface Outside
!

R2 Configuration
!
hostname R2
!
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 crypto map s-map
!
interface Loopback1
 ip address 10.1.2.2 255.255.255.255
!
! IPSEC VPN Configuration
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set sec-p esp-3des esp-md5-hmac
!
! Crypto ACL (Proxy Identity)
ip access-list extended vpn-traffic
 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! Here we configure a dynamic map because we don't know the peer address; unlike a static
! map, 'set peer' is not a mandatory parameter to be set


crypto dynamic-map D-MAP 10
 set transform-set sec-p
 match address vpn-traffic
!
! We cannot apply a dynamic map on an interface, so we have to associate it with a static map
! and apply that static map on the interface
crypto map s-map 10 ipsec-isakmp dynamic D-MAP
!
ip route 0.0.0.0 0.0.0.0 172.16.1.10
!

    Note- Don't forget to bring all routers' interfaces up & apply crypto map separately