
Dec 20

Site to Site VPN with Internet Access (Hairpinning)

The primary purpose of this lab is to test a site-to-site VPN and confirm that users at the remote site can reach the Internet via the main site (hairpinning). As the post shows, almost all of the configuration is the same as a normal L2L setup between a router and a firewall; the only additions on the main-site ASA are an extra NAT statement for the branch subnet on the outside interface and the intra-interface permit that lets traffic leave through the interface it arrived on, so that remote-site users are NATed out of the main site.

Internet Access through Site to Site VPN

Site Setup
The following devices make up the main site:
ASA1
R4
The following devices make up the ISP:
R2
R3
The following device is the branch office:
R5

GNS3
I have built this lab in GNS3 and mainly used the following two links to get the ASA working in GNS3:
http://forum.gns3.net/topic4088.html
http://forum.gns3.net/topic2405.html

Configurations
 

******************************************************
ASA1
******************************************************

ASA Version 8.0(2)
!
hostname asa1
The enable password is cisco (lab only)
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.10.30.6 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.30.13 255.255.255.252
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot config disk0:/.private/startup-config
ftp mode passive

The following command permits traffic that arrives on an interface to leave through the same interface. By default the ASA drops traffic that would exit the interface it came in on. It is required here because decrypted L2L traffic enters on outside and, to reach the Internet, must leave on outside again. It is not needed if remote users only need main-site services and not Internet access. Note that it also allows any other outside-to-outside flow the outside ACL permits to hairpin through the ASA, so keep the outside ACL tight.
same-security-traffic permit intra-interface

Just two ACLs to allow traffic on the interfaces; customise them as per your requirements. Both are permit ip any any with logging, which is fine for a lab but leaves the outside interface open to the ISP side. In production the outside ACL should permit only what is needed; decrypted VPN traffic bypasses the interface ACL anyway because sysopt connection permit-vpn is on by default, so it needs no explicit outside-in entry.
access-list inside-in extended permit ip any any log
access-list outside-in extended permit ip any any log

This ACL is used to exempt from NAT all traffic leaving the main site for the remote site.
access-list nonat extended permit ip any 10.10.20.0 255.255.255.0

This ACL defines the interesting traffic that will be encrypted and tunnelled to the remote site over the L2L VPN. The source of any is deliberate: it is the mirror image of R5's crypto ACL (10.10.20.0/24 to any), and it is what puts the untranslated Internet replies (any source, destination 10.10.20.0/24) back into the tunnel.
access-list ipsec-conn extended permit ip any 10.10.20.0 255.255.255.0

This ACL defines the traffic that will be NATed when it leaves for the Internet or any other external network.
access-list nat-internal extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/.private/asdm-615.bin
no asdm history enable
arp timeout 14400

Enable NAT control (every flow from a higher- to a lower-security interface must match a NAT rule)
nat-control

Use the outside interface address as PAT pool 1
global (outside) 1 interface

Now, this NAT statement says that addresses from the remote network, when they arrive on the outside interface, are to be translated if they want out to the Internet or any other external network. This is the hairpin statement: it is applied to the outside interface and pairs with global (outside) 1, so a branch source 10.10.20.x comes in on outside and is PATed to the outside interface address (10.10.30.6) on its way back out of outside.
nat (outside) 1 10.10.20.0 255.255.255.0

This NAT statement refers to ACL 'nonat' and makes sure that any traffic destined for the remote network is not NATed. NAT exemption (nat 0 access-list) is evaluated before the other nat statements, so even though nat-internal is any any, inside traffic to 10.10.20.0/24 keeps its real source address and therefore still matches the crypto ACL.
nat (inside) 0 access-list nonat

This NAT statement refers to ACL 'nat-internal' to NAT internal addresses that want to go out to the Internet or external networks.
nat (inside) 1 access-list nat-internal

access-group outside-in in interface outside
access-group inside-in in interface inside
!
router eigrp 1
no auto-summary
network 10.10.30.4 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 10.10.30.5 1
route inside 10.10.40.0 255.255.255.0 10.10.30.14 1
route inside 10.11.40.0 255.255.255.0 10.10.30.14 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa local authentication attempts max-fail 16
http server enable
http 10.10.60.2 255.255.255.255 outside
http 10.10.20.2 255.255.255.255 outside
http 10.10.30.10 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

L2L VPN Config (phase 2). The transform set uses DES and MD5, which are weak and are kept here only because this is a lab; it must match the transform set on R5 (sharks). For anything real use esp-aes with esp-sha-hmac or stronger on both peers.
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec df-bit clear-df outside
crypto map forsberg 21 match address ipsec-conn
crypto map forsberg 21 set peer 10.10.30.10
crypto map forsberg 21 set transform-set avalanche
crypto map forsberg interface outside

crypto ca trustpoint localtrust
enrollment self
fqdn sslvpn.abc.com
subject-name CN=sslvpn.abc.com
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=asa1
proxy-ldc-issuer
crl configure

L2L VPN Config (phase 1). The ISAKMP policy (3DES, SHA, DH group 2, pre-shared key) must match policy 11 on R5.
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal

telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
ssl trust-point localtrust outside
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15

L2L VPN Config (tunnel group for the R5 peer; the pre-shared key cisco is lab-only and should be a long random value in production)
tunnel-group 10.10.30.10 type ipsec-l2l
tunnel-group 10.10.30.10 ipsec-attributes
pre-shared-key cisco
prompt hostname context
Cryptochecksum:6439298ff5b8a24e6dd80fecfb87b428
: end
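To check the hairpin logic without building the lab, here is an added Python model (example code written for this post, not part of the original configs or of any Cisco tool) of ASA1's NAT and crypto decisions, using the ACLs, nat/global pairs and routes exactly as configured above. It walks three flows: a branch host going to the Internet through the tunnel, a main-site host going to the branch, and a main-site host going to the Internet. The host addresses 10.10.20.5, 10.10.40.1 and 8.8.8.8 are assumed test endpoints. The model covers only the dynamic NAT order (nat 0 exemption before nat/global pairs), the same-security intra-interface check and the crypto ACL match; it does not model interface ACLs or outside-to-inside flows.

```python
"""Walk flows through ASA1's NAT/crypto config from the lab (added example, not from the post)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


def ace(src, dst):
    """One 'permit ip' entry; ASA writes 'net mask', which ip_network accepts as 'net/mask'."""
    return (ANY if src == "any" else ip_network(src.replace(" ", "/")),
            ANY if dst == "any" else ip_network(dst.replace(" ", "/")))


# The three ACLs exactly as on ASA1
NONAT = [ace("any", "10.10.20.0 255.255.255.0")]
IPSEC_CONN = [ace("any", "10.10.20.0 255.255.255.0")]
NAT_INTERNAL = [ace("any", "any")]

# route outside 0.0.0.0 0.0.0.0 / route inside 10.10.40.0 ... / route inside 10.11.40.0 ...
ROUTES = [(ip_network("10.10.40.0/24"), "inside"),
          (ip_network("10.11.40.0/24"), "inside"),
          (ANY, "outside")]

# nat (inside) 0 access-list nonat
NAT_EXEMPT = [("inside", NONAT)]
# nat (outside) 1 10.10.20.0 255.255.255.0  /  nat (inside) 1 access-list nat-internal
NAT_RULES = [("outside", 1, [ace("10.10.20.0 255.255.255.0", "any")]),
             ("inside", 1, NAT_INTERNAL)]
# global (outside) 1 interface -> the outside interface address
GLOBALS = {("outside", 1): "10.10.30.6"}


def acl_match(acl, src, dst):
    s, d = ip_address(src), ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acl)


def egress_interface(dst):
    """Longest-prefix match over the static routes (the default route always matches)."""
    d = ip_address(dst)
    return max((r for r in ROUTES if d in r[0]), key=lambda r: r[0].prefixlen)[1]


def translate(ingress, egress, src, dst):
    """ASA 8.0 order: nat 0 exemption first, then a nat rule on the ingress interface
    paired with a global of the same id on the egress interface."""
    for iface, acl in NAT_EXEMPT:
        if iface == ingress and acl_match(acl, src, dst):
            return src, "exempt (nat 0)"
    for iface, nat_id, acl in NAT_RULES:
        if iface == ingress and acl_match(acl, src, dst):
            pool = GLOBALS.get((egress, nat_id))
            if pool:
                return pool, f"PAT: nat ({ingress}) {nat_id} -> global ({egress}) {nat_id}"
    return src, "untranslated"


@dataclass
class Flow:
    src: str
    dst: str
    ingress: str
    egress: str = ""
    hairpin: bool = False          # leaves through the interface it arrived on
    dropped: bool = False
    xlate_src: str = ""            # source address after NAT
    nat_note: str = ""
    encrypted: bool = False        # forward packet leaves outside inside the L2L tunnel
    reply_tunneled: bool = False   # the un-NATed reply is sent back into the tunnel


def walk(src, dst, ingress, intra_interface=True):
    f = Flow(src, dst, ingress)
    f.egress = egress_interface(dst)
    f.hairpin = f.egress == ingress
    if f.hairpin and not intra_interface:
        f.dropped = True  # without same-security-traffic permit intra-interface the ASA drops it
        return f
    f.xlate_src, f.nat_note = translate(ingress, f.egress, src, dst)
    f.encrypted = f.egress == "outside" and acl_match(IPSEC_CONN, f.xlate_src, dst)
    # The reply is un-NATed back to the original source before the crypto map is consulted,
    # so the hub's 'any -> 10.10.20.0/24' entry catches Internet replies for the branch.
    f.reply_tunneled = ingress == "outside" and acl_match(IPSEC_CONN, dst, src)
    return f


if __name__ == "__main__":
    for args in [("10.10.20.5", "8.8.8.8", "outside"),    # branch -> Internet (hairpin)
                 ("10.10.40.1", "10.10.20.5", "inside"),  # main site -> branch
                 ("10.10.40.1", "8.8.8.8", "inside")]:    # main site -> Internet
        print(walk(*args))
```

Running it shows the branch flow being PATed to 10.10.30.6 on the way out and its reply going back into the tunnel, while the main-site-to-branch flow is exempt from NAT and encrypted; remove the intra-interface permit and the branch flow is dropped before NAT is even consulted.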

******************************************************
R5
******************************************************
 
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
L2L VPN Config
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.10.30.6
!
crypto ipsec transform-set sharks esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
 set peer 10.10.30.6
 set transform-set sharks
 match address 120
!
interface FastEthernet0/0
 ip address 10.10.30.10 255.255.255.252
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map nolan
!
interface FastEthernet0/1
 ip address 10.10.20.1 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.30.9
!
ACL used as the crypto ACL: everything from the branch LAN to any destination (Internet included) is sent into the tunnel. It is the mirror image of the ipsec-conn ACL on ASA1, which is what the phase 2 proxy identities require.
access-list 120 permit ip 10.10.20.0 0.0.0.255 any
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
end
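Crypto ACLs that are not exact mirror images are the most common reason a phase 2 negotiation fails, and the mismatch is easy to miss here because the ASA writes masks as netmasks while IOS numbered ACLs use wildcards. The following added Python check (example code written for this post, not from the original configs or from Cisco) parses the ipsec-conn ACL from ASA1 and ACL 120 from R5 as shown above and verifies that every permit ip entry on one side has its swapped counterpart on the other. The second R5 ACL, which narrows the branch side to the hub LAN only, is a constructed mistake to show what the check reports.

```python
"""Verify that two L2L crypto ACLs are mirror images (added example, not from the post)."""
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")

# Lines copied from the two configs above
ASA_CFG = """
access-list nonat extended permit ip any 10.10.20.0 255.255.255.0
access-list ipsec-conn extended permit ip any 10.10.20.0 255.255.255.0
access-list nat-internal extended permit ip any any
"""
R5_CFG = """
access-list 120 permit ip 10.10.20.0 0.0.0.255 any
"""
# Constructed mistake: the branch tunnels only hub-LAN traffic, so the hub's 'any' has no mirror
R5_CFG_BAD = """
access-list 120 permit ip 10.10.20.0 0.0.0.255 10.10.40.0 0.0.0.255
"""


def _addr(tokens, i, wildcard):
    """Read one address spec starting at tokens[i]; returns (network, next index).
    ASA uses 'net netmask'; IOS numbered ACLs use 'net wildcard' (the inverted mask)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    mask = int(ip_address(tokens[i + 1]))
    if wildcard:
        mask ^= 0xFFFFFFFF  # wildcard -> netmask
    return ip_network(f"{tokens[i]}/{ip_address(mask)}", strict=False), i + 2


def parse_acl(config, name, wildcard):
    """Collect the (src, dst) network pairs of every 'permit ip' entry of ACL <name>."""
    entries = set()
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[:2] != ["access-list", name] or "permit" not in tokens:
            continue
        i = tokens.index("permit")
        if tokens[i + 1] != "ip":
            raise ValueError(f"only 'permit ip' entries are supported in a crypto ACL: {line}")
        src, i = _addr(tokens, i + 2, wildcard)
        dst, _ = _addr(tokens, i, wildcard)
        entries.add((src, dst))
    return entries


def mirror_mismatch(hub, branch):
    """Entries on either peer that have no (dst, src) counterpart on the other peer."""
    problems = []
    for src, dst in sorted(hub, key=str):
        if (dst, src) not in branch:
            problems.append(f"hub {src} -> {dst} has no branch entry {dst} -> {src}")
    for src, dst in sorted(branch, key=str):
        if (dst, src) not in hub:
            problems.append(f"branch {src} -> {dst} has no hub entry {dst} -> {src}")
    return problems


if __name__ == "__main__":
    hub = parse_acl(ASA_CFG, "ipsec-conn", wildcard=False)
    print("lab ACLs:", mirror_mismatch(hub, parse_acl(R5_CFG, "120", wildcard=True)) or "mirror OK")
    print("bad branch ACL:", mirror_mismatch(hub, parse_acl(R5_CFG_BAD, "120", wildcard=True)))
```

With the lab's ACLs the check returns no problems; with the narrowed branch ACL it reports two, one for the hub entry that the branch no longer mirrors and one for the branch entry the hub does not have. On the devices themselves, the same mismatch shows up as a phase 2 proxy identity failure in debug crypto ipsec output.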
******************************************************
R2
******************************************************
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 ip address 10.10.30.5 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.30.1 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 10.10.30.9 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 network 10.10.30.0 0.0.0.3
 network 10.10.30.4 0.0.0.3
 network 10.10.30.8 0.0.0.3
 no auto-summary
!
no ip http server
ip forward-protocol nd
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end
 
******************************************************
R4
******************************************************
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 10.10.40.1 255.255.255.0
!
interface Loopback1
 ip address 10.11.40.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.10.30.14 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 network 10.10.30.12 0.0.0.3
 network 10.10.40.0 0.0.0.255
 no auto-summary
!
no ip http server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.30.13
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end
******************************************************
R7
******************************************************
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R7
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 ip address 10.10.30.18 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.60.1 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 1
 network 10.10.30.16 0.0.0.3
 network 10.10.60.0 0.0.0.255
 no auto-summary
!
no ip http server
no ip http secure-server
ip forward-protocol nd
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
end
