
Mar 23

ASA 8.4 Site to Site IPSec VPN – Hairpinning

This post details how to set up a site-to-site VPN on ASA 8.4 with hairpinning enabled. This means the remote site can not only reach networks at the main site, but can also access the Internet through the main site. This lab is built on the previous lab; however, instead of allowing only a particular network at the main site to travel over the VPN, any network has to be allowed, because the remote site network will reach the Internet through the tunnel as well. This means the ACLs for interesting traffic need to be modified if you are using the lab from the previous post: http://www.xerunetworks.com/2012/03/asa-8-4-site-to-site-ipsec-vpn-lan-to-lan-ipsec-vpn-without-nat/

Otherwise you can just use this lab as a starting point.

We also introduce a new NAT statement so that VPN traffic from the remote site is translated when it goes out to the Internet.

Objective

Traffic between the Site 1 subnet 10.10.10.0/24 and the Site 2 subnet 20.20.20.0/24 should be encrypted and sent over the VPN tunnel.

Traffic from the Site 2 subnet going to the Internet should go via the Site 1 ASA firewall (S1ASA1), i.e. over the tunnel and back out of the ASA's outside interface.

Lab Diagram

ASA 8.4 Site to Site VPN Hairpinning

Item                        Site1 – Main Site    Site2 – Remote Site
Subnet to Access Over VPN   Any                  20.20.20.0/24
Tunnel Termination          S1ASA1 – ASA         S2R1 – Router
ASA 8.4.2 Configuration

Permit traffic to be sent back out of the same interface on which it was received. Without this, the decrypted VPN traffic cannot be hairpinned back out of the outside interface toward the Internet:

same-security-traffic permit intra-interface

Define a network object for the remote subnet and NAT it on the outside interface. Traffic from 20.20.20.0/24 is translated to the outside interface IP address when it leaves for the Internet:

object network obj-20.20.20.0
 subnet 20.20.20.0 255.255.255.0
 nat (outside,outside) dynamic interface

Configure NAT exemption for VPN traffic. We don't want traffic to be NATed as it travels over the tunnel, so a static identity (manual/twice) NAT rule is used here; nat 0 (NAT exemption) is no longer available in ASA 8.4. Manual NAT rules are evaluated before object NAT, so this identity rule takes precedence over the dynamic PAT above for traffic between the two subnets:

object network obj-10.10.10.0
 subnet 10.10.10.0 255.255.255.0
object network obj-20.20.20.0
 subnet 20.20.20.0 255.255.255.0
nat (inside,outside) source static obj-10.10.10.0 obj-10.10.10.0 destination static obj-20.20.20.0 obj-20.20.20.0

Create the policy for Phase 1 (IKEv1):

crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Enable ISAKMP on the outside interface:

crypto ikev1 enable outside

Define the ACL for interesting traffic. Because the remote site also reaches the Internet through the tunnel, the source is any rather than only 10.10.10.0/24:

access-list InterestingTraffic extended permit ip any 20.20.20.0 255.255.255.0

Tunnel group, using the IP address of the tunnel's remote end:

tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 ikev1 pre-shared-key cisco

Transform set:

crypto ipsec ikev1 transform-set MySet esp-3des esp-md5-hmac

Crypto map: reference the ACL that catches traffic for the tunnel, set the peer to the remote end, and use the transform set already created:

crypto map IPSEC 1 match address InterestingTraffic
crypto map IPSEC 1 set peer 192.168.1.1
crypto map IPSEC 1 set ikev1 transform-set MySet

Enable the crypto map on the outside interface:

crypto map IPSEC interface outside

Router Configuration (Remote End)

Phase 1 config:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

Pre-shared key for the ASA's outside address:

crypto isakmp key cisco address 192.168.0.1

Transform set:

crypto ipsec transform-set MySet esp-3des esp-md5-hmac

ACL for interesting traffic. It must be the mirror image of the ASA's InterestingTraffic ACL (any to 20.20.20.0/24), so the destination is any rather than only 10.10.10.0/24; with a destination of 10.10.10.0/24 alone, Internet-bound traffic from Site 2 would never be sent into the tunnel:

access-list 101 permit ip 20.20.20.0 0.0.0.255 any

Crypto map for Phase 2:

crypto map IPSEC 1 ipsec-isakmp
 set peer 192.168.0.1
 set transform-set MySet
 match address 101

Enable on the tunnel termination interface:

interface FastEthernet1/1
 crypto map IPSEC
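The crypto ACLs on the two ends must be mirror images of each other, which is easy to get wrong when the ASA side is written with subnet masks and the IOS side with wildcard masks (the point the first comment below raises). The following is an added example, not part of the original post or any Cisco tool; the function names are my own. It parses both syntaxes, checks whether a router line mirrors an ASA line, and generates the router-side line from the ASA line. It handles only the "permit ip" form used in this lab, with constructed sample lines taken from the configs above.

```python
import ipaddress

# Constructed sample lines: the ASA crypto ACL from this lab, and the
# router ACL as it would look with a destination of 10.10.10.0/24 only.
ASA_ACL = "access-list InterestingTraffic extended permit ip any 20.20.20.0 255.255.255.0"
IOS_ACL_NARROW = "access-list 101 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255"

def _take_addr(toks, wildcard):
    """Consume one address spec ('any', 'host X', or 'net mask') and return
    (network, remaining tokens). IOS masks are wildcards, so invert them."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    mask = int(ipaddress.ip_address(toks[1]))
    if wildcard:
        mask ^= 0xFFFFFFFF  # IOS wildcard -> subnet mask
    net = ipaddress.ip_network(f"{toks[0]}/{ipaddress.ip_address(mask)}", strict=False)
    return net, toks[2:]

def parse_asa_acl(line):
    # access-list NAME extended permit ip SRC MASK DST MASK
    toks = line.split()
    src, rest = _take_addr(toks[5:], wildcard=False)
    return src, _take_addr(rest, wildcard=False)[0]

def parse_ios_acl(line):
    # access-list NUMBER permit ip SRC WILDCARD DST WILDCARD
    toks = line.split()
    src, rest = _take_addr(toks[4:], wildcard=True)
    return src, _take_addr(rest, wildcard=True)[0]

def is_mirror(asa_line, ios_line):
    """True when the router ACL is the exact mirror of the ASA crypto ACL."""
    asa_src, asa_dst = parse_asa_acl(asa_line)
    ios_src, ios_dst = parse_ios_acl(ios_line)
    return asa_src == ios_dst and asa_dst == ios_src

def _ios_addr(net):
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"

def ios_mirror(asa_line, acl_number=101):
    """Generate the IOS crypto ACL line that mirrors an ASA crypto ACL line."""
    src, dst = parse_asa_acl(asa_line)
    return f"access-list {acl_number} permit ip {_ios_addr(dst)} {_ios_addr(src)}"
```

Running is_mirror(ASA_ACL, IOS_ACL_NARROW) returns False, and ios_mirror(ASA_ACL) produces the "20.20.20.0 0.0.0.255 any" line the router needs for hairpinning.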

Lab Setup in Detail

Here is how the network is set up.

Device configurations can be obtained from here if you want to check or try the configuration for yourself.

http://www.mediafire.com/?d7ud5131jmd53aa

When trying to set up this lab, make sure that:

1. Routing is configured properly on all devices.

2. NAT is configured on the ASA such that any traffic leaving the ASA outside interface is mapped to the outside interface IP address.

3. No route is configured on the ISP router, and it doesn't know about the 10.10.10.0/24 or 20.20.20.0/24 networks.

4. ICMP inspection is enabled on the ASA so that return ICMP traffic is allowed back in on the interface. You may need this for testing network connectivity.

[Lab diagram: ASA 8.4 Site to Site VPN]

Lab Configuration

Routing

1. Default route from S1R1 to the firewall.

2. Default route on the firewall pointing toward the ISP router.

3. Default route on S2R2 toward S2R1.

4. Default route on S2R1 pointing toward the ISP router.

5. Default route on the Internet router pointing toward the ISP.

NAT

1. All traffic leaving the ASA outside interface is NATed and mapped to the outside interface IP address.

2. Traffic from 10.10.10.0/24 going over the VPN is exempted from NAT; it is NATed when going anywhere else.

3. NAT is not configured on the remote end of the tunnel (S2R1).

14 comments


  1. SC

    Your access-list looks wrong to me. Try changing it to

    access-list test extended permit ip 10.10.100.0 255.255.255.0 10.10.20.0 255.255.255.0 and then reverse it on the other ASA.

  2. Bon

    I downloaded the file but cannot run it. Can you suggest what the problem might be?

  3. khizer

    Traffic from Site 2 subnet going to internet should go via Site 2 ASA firewall.
    The above objective is confusing. Do you mean Site 1 here? Site 2 is connected to the router S2R1, so how will its traffic go through the Site 1 firewall?

  4. Jimmy

    Great Lab. Many thanks

  5. prince

    Hey, hi. I have tried to configure a site-to-site VPN between ASAs in GNS3; however, I am not able to ping from one site's PC to the other site, even though I have configured the crypto and ACL.

    Once I try to check with show crypto isakmp or ipsec, it says
    ciscoasa# sh crypto isakmp sa

    There are no isakmp sas

    ciscoasa(config)# sh run
    : Saved
    :
    ASA Version 8.0(2)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 10.10.10.1 255.255.255.0
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.10.100.1 255.255.255.0
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    access-list test extended permit ip any 10.10.100.0 255.255.255.0
    access-list testout extended permit ip 10.10.100.0 255.255.255.0 any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    access-group test in interface outside
    access-group testout out interface inside
    route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set Test esp-aes esp-md5-hmac
    crypto map test 10 match address test
    crypto map test 10 set peer 10.10.10.2
    crypto map test 10 set transform-set Test
    crypto map test interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 10.10.100.10 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map test_test
    match default-inspection-traffic
    !
    !
    policy-map test-test
    class test_test
    inspect icmp
    !
    tunnel-group 10.10.10.2 type ipsec-l2l
    tunnel-group 10.10.10.2 ipsec-attributes
    pre-shared-key *
    prompt hostname context
    Cryptochecksum:00000000000000000000000000000000
    : end

    ciscoasa# sh run
    : Saved
    :
    ASA Version 8.0(2)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 10.10.10.2 255.255.255.0
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.10.20.1 255.255.255.0
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    access-list test extended permit ip any 10.10.20.0 255.255.255.0
    access-list testout extended permit ip host 10.10.20.2 host 10.10.10.1
    access-list testout1 extended permit ip 10.10.20.0 255.255.255.0 any
    access-list tst extended permit ip any 10.10.20.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    access-group tst in interface outside
    access-group testout1 out interface outside
    access-group testout out interface inside
    route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set test esp-aes esp-md5-hmac
    crypto map test 10 match address test
    crypto map test 10 set peer 10.10.10.1
    crypto map test 10 set transform-set test
    crypto map test interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map test
    match default-inspection-traffic
    !
    !
    policy-map test
    class test
    inspect icmp
    !
    tunnel-group 10.10.10.1 type ipsec-l2l
    tunnel-group 10.10.10.1 ipsec-attributes
    pre-shared-key *
    prompt hostname context
    Cryptochecksum:00000000000000000000000000000000
    : end

    Awaiting a correct response from anyone.

  6. Mo

    Hi Cap,
    I am not sure whether you have sorted this issue, but if you ping from Host A behind Firewall A to Host B behind Firewall B, that will force the tunnel to build. Initially I was confused as well when I was creating one between 2 ASAs.

  7. Jody

    Hey,
    Do you have a configuration example for a site to site vpn where the remote site has a dynamic ISP address?
    Thanks, Jody

  8. saji

    I can ping both ASAs. The only thing is the site-to-site doesn't work. Yes, I am using Windows 7.
    Also, I can see under Licenses that Peer licenses are showing as 0. Does that have something to do with the VPN?

    1. xerunetworks

      If you used the keys provided, you should have an unrestricted license. Did you try to debug the VPN and try to send traffic across?

      1. Saj

        I tried it but nothing is going between them. I mean no VPN traffic, not a single packet.

  9. cap

    Hi!
    Can you give a shot at an ASA (8.4) to ASA (8.4) site-to-site VPN? I tried many configs but it's not working, so I'm confused whether I am unable to do it because of GNS3.
    Thanks,

    1. xerunetworks

      First try pinging between both devices; let's see if it works. Are you using Windows?

      1. cap

        Yes, Windows. I can ping both ASAs. The only thing is I can see under license that VPN peers = 0.

  10. jon

    Great post my friend!
