How to configure a Cisco ASA Site to Site VPN between Static and Dynamic IP based Peers
Thanks to: http://itzecurity.blogspot.com/
ASA-ASA VPN: One Static & One Dynamic address
To configure a Site to Site VPN between two peers, one with a dynamic IP and the other with a static IP, a dynamic crypto map is used. However, as the static peer will be unaware of the remote peer's IP, the VPN can only be initiated from the dynamic side.
Note: Unlike other vendors (such as the Juniper SRX), the ASA uses main mode for phase 1 negotiation between the dynamic and static peers (this can be confirmed with the command 'sh vpn-sessiondb detail l2l').
On the peer that has a static IP, the configuration is pretty standard; the only difference is that a dynamic crypto map is configured. A dynamic crypto map is a crypto map that does not have all of its parameters defined; these are learnt later, at the point that the IPsec tunnel is formed.
Note: The dynamic crypto map should have the highest sequence number within the crypto map, to ensure that all other crypto map entries are evaluated first.
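As an added example (not from the original post), here is a small Python check that applies the two rules above to an ASA running-config: every dynamic-map and crypto map entry must reference a defined transform-set, and the dynamic entry must carry the highest sequence number in its crypto map. The sample config is constructed for the example and deliberately breaks both rules.

```python
import re

# Constructed sample (not the page's config verbatim): the static peer's crypto
# section with two deliberate mistakes: the dynamic entry (seq 10) is not the
# highest sequence in dyn-map, and seq 20 references an undefined transform-set.
SAMPLE_CFG = """\
crypto ipsec transform-set router-set esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set router-set
crypto dynamic-map cisco 1 set reverse-route
crypto map dyn-map 10 ipsec-isakmp dynamic cisco
crypto map dyn-map 20 match address acl_branch
crypto map dyn-map 20 set peer 203.0.113.5
crypto map dyn-map 20 set transform-set ESP-AES-SHA
crypto map dyn-map interface outside
"""

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+)")
DYN_RE = re.compile(r"^crypto dynamic-map (\S+) \d+ set transform-set (\S+)")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")  # numbered entries only

def check_crypto_maps(cfg):
    """Return a list of findings; empty means the config passes both rules.
    Single pass, so definitions must precede references (as the ASA CLI requires)."""
    transform_sets, dynamic_maps, entries, findings = set(), set(), {}, []
    for line in cfg.splitlines():
        if m := TS_RE.match(line):
            transform_sets.add(m.group(1))
        elif m := DYN_RE.match(line):
            dynamic_maps.add(m.group(1))
            if m.group(2) not in transform_sets:
                findings.append(f"dynamic-map {m.group(1)}: undefined transform-set {m.group(2)}")
        elif m := MAP_RE.match(line):
            name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
            entries.setdefault(name, {}).setdefault(seq, None)  # None = static entry
            if d := re.match(r"ipsec-isakmp dynamic (\S+)", rest):
                entries[name][seq] = d.group(1)  # dynamic entry -> dynamic-map name
            elif (t := re.match(r"set transform-set (\S+)", rest)) and t.group(1) not in transform_sets:
                findings.append(f"crypto map {name} {seq}: undefined transform-set {t.group(1)}")
    # Rule from the note above: the dynamic entry must carry the highest sequence number
    for name, by_seq in entries.items():
        highest = max(by_seq)
        for seq, dyn in by_seq.items():
            if dyn is None:
                continue
            if dyn not in dynamic_maps:
                findings.append(f"crypto map {name} {seq}: undefined dynamic-map {dyn}")
            if seq != highest:
                findings.append(f"crypto map {name} {seq}: dynamic entry is not the highest sequence ({highest})")
    return findings
```

Feed it the output of 'show running-config crypto' from either peer; an empty list means both rules hold.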
HP side config for the VPN
!--- Make an access list for the interesting traffic, which will be exempt from NAT
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 Southl 255.255.255.0
!--- try the second one
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
!---- All other traffic to be NAT'ed
nat (inside) 1 0.0.0.0 0.0.0.0
!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.
!--- 3DES encryption with the MD5 hash algorithm is used.
crypto ipsec transform-set router-set esp-3des esp-md5-hmac
!--- Defines a dynamic crypto map with
!--- the specified encryption settings.
crypto dynamic-map cisco 1 set transform-set router-set
!--- Enable Reverse Route Injection (RRI), which allows the Security Appliance
!--- to learn routing information for connected clients.
crypto dynamic-map cisco 1 set reverse-route
!--- Binds the dynamic map to the IPsec/ISAKMP process.
crypto map dyn-map 10 ipsec-isakmp dynamic cisco
!--- Specifies the interface to be used with
!--- the settings defined in this configuration.
crypto map dyn-map interface outside
!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses isakmp policy 10.
!--- Policy 65535 is included in the config by default.
!--- The configuration commands here define the Phase
!--- 1 policy parameters that are used.
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!--- The security appliance provides the default tunnel group
!--- for LAN to LAN access (DefaultL2LGroup); configure the preshared key
!--- (cisco123) to authenticate the remote router.
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
!--- create an ACL, for more security
access-list acl1 extended permit ip 192.168.100.0 255.255.255.0 Southl 255.255.255.0
access-list acl1 extended permit ip Southl 255.255.255.0 192.168.100.0 255.255.255.0
group-policy DfltGrpPolicy attributes
vpn-filter value acl1
vpn-tunnel-protocol IPSec l2tp-ipsec
========================
ST side config
This can be done via the ASDM wizard as well.
!-- create useful ACLs
access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 haynes 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 haynes 255.255.255.0
access-list hp_vpn extended permit ip 192.168.200.0 255.255.255.0 haynes 255.255.255.0
access-list hp_vpn extended permit ip haynes 255.255.255.0 192.168.200.0 255.255.255.0
!--- No NAT on VPN traffic
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
!-- set the route
route outside haynes 255.255.255.0 10.0.0.1 1
!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.
!--- 3DES encryption with the MD5 hash algorithm is used, same as done for HP.
!--- Transform-set referenced by the crypto map below, assumed to match the HP side
!--- (this definition is added here; the original post omitted it)
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 10.0.0.1
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses isakmp policy 10.
!--- Policy 65535 is included in the config by default.
!--- The configuration commands here define the Phase
!--- 1 policy parameters that are used.
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
!-- Group policy and apply the ACL
group-policy HP internal
group-policy HP attributes
vpn-filter value hp_vpn
vpn-tunnel-protocol IPSec
!-- tunnel group for the connection
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 general-attributes
default-group-policy HP
tunnel-group 10.0.0.1 ipsec-attributes
pre-shared-key *