How to configure a Cisco ASA Site to Site VPN between Static and Dynamic IP based Peers

Thanks to: http://itzecurity.blogspot.com/


ASA-ASA VPN: One Static & One Dynamic address


To configure a Site to Site VPN between two peers, one with a dynamic IP and the other with a static IP, a dynamic crypto map is used. However, because the static peer does not know the remote peer's IP address, the VPN can only be initiated from the dynamic side.

Note: Unlike other vendors (such as the Juniper SRX), main mode is used for phase 1 negotiations between the dynamic and static peers (this can be confirmed via the command 'sh vpn-sessiondb detail l2l').
On the peer that has a static IP, the configuration is fairly standard. The only difference is that a dynamic crypto map is configured. A dynamic crypto map is a crypto map that does not have all of its parameters defined; these are learnt later, at the point the IPsec tunnel is formed.
Note: The dynamic crypto map should have the highest sequence number within the crypto map, to ensure that all other crypto map entries are evaluated first.
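As an added check for the sequence-number rule above (example code written for this page, not part of the original post or of any Cisco tool), this script parses "crypto map" lines and flags any dynamic entry that is not the highest sequence in its map. The configuration text it runs on is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the post's static-side config, with an
# extra static peer entry (seq 20) added to show the ordering problem.
# This is example data, not the post's own configuration.
BAD_CONFIG = """
crypto map dyn-map 10 ipsec-isakmp dynamic cisco
crypto map dyn-map 20 match address outside_1_cryptomap
crypto map dyn-map 20 set peer 10.0.0.1
crypto map dyn-map 20 set transform-set router-set
crypto map dyn-map interface outside
"""

# Same entries with the dynamic entry moved to the highest sequence number.
GOOD_CONFIG = BAD_CONFIG.replace("dyn-map 10 ipsec-isakmp", "dyn-map 65535 ipsec-isakmp")

# "crypto map <name> <seq> <rest>"; the interface binding line has no
# sequence number and therefore does not match.
CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def parse_crypto_maps(config):
    """Group numbered crypto map lines as {map_name: {seq: [rest_of_line, ...]}}."""
    maps = defaultdict(lambda: defaultdict(list))
    for raw in config.splitlines():
        m = CRYPTO_MAP_RE.match(raw.strip())
        if m:
            maps[m.group(1)][int(m.group(2))].append(m.group(3))
    return maps


def is_dynamic_entry(lines):
    """True if any line of the entry reads 'ipsec-isakmp dynamic <dynamic-map>'."""
    return any(line.startswith("ipsec-isakmp dynamic ") for line in lines)


def check_dynamic_seq(config):
    """Return (map_name, dynamic_seq, higher_seqs) for every dynamic entry that
    is not the highest sequence in its map. An empty list means each map follows
    the rule from the post: static entries first, the dynamic entry last."""
    findings = []
    for name, entries in parse_crypto_maps(config).items():
        for seq, lines in entries.items():
            if is_dynamic_entry(lines):
                higher = sorted(s for s in entries if s > seq)
                if higher:
                    findings.append((name, seq, higher))
    return findings
```

Run check_dynamic_seq() over a "show running-config crypto map" capture to audit a live box; the static peer in this post has only the dynamic entry, so it passes, but the check matters as soon as further static peers are added to the same map.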

HP side config for the VPN

!--- Make an access list for the interesting traffic, which will be exempt from NAT
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 Southl 255.255.255.0

!--- try the second one
!--- global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound

!---- All other traffic to be NAT'ed

nat (inside) 1 0.0.0.0 0.0.0.0

!--- PHASE 2 CONFIGURATION ---!

!--- The encryption types for Phase 2 are defined here.
!--- 3DES encryption with the MD5 hash algorithm is used.

crypto ipsec transform-set router-set esp-3des esp-md5-hmac

!--- Defines a dynamic crypto map with
!--- the specified encryption settings.


crypto dynamic-map cisco 1 set transform-set router-set

!--- Enable Reverse Route Injection (RRI), which allows the Security Appliance
!--- to learn routing information for connected clients.
crypto dynamic-map cisco 1 set reverse-route

!--- Binds the dynamic map to the IPsec/ISAKMP process.

crypto map dyn-map 10 ipsec-isakmp dynamic cisco

!--- Specifies the interface to be used with
!--- the settings defined in this configuration.

crypto map dyn-map interface outside

!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses isakmp policy 10.
!--- Policy 65535 is included in the config by default.
!--- The configuration commands here define the Phase 
!--- 1 policy parameters that are used.

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400


!--- The security appliance provides the default tunnel group
!--- for LAN to LAN access (DefaultL2LGroup); configure the preshared key
!--- (cisco123) under it to authenticate the remote router.
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
 

!--- Create an ACL, applied below as a vpn-filter, to restrict traffic inside the tunnel

access-list acl1 extended permit ip 192.168.100.0 255.255.255.0 Southl 255.255.255.0
 
access-list acl1 extended permit ip Southl 255.255.255.0 192.168.100.0 255.255.255.0


group-policy DfltGrpPolicy attributes
vpn-filter value acl1
vpn-tunnel-protocol IPSec l2tp-ipsec




========================
ST side config

This can be done via the ASDM wizard as well.

!-- create useful ACLs

access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 haynes 255.255.255.0 

access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 haynes 255.255.255.0

access-list hp_vpn extended permit ip 192.168.200.0 255.255.255.0 haynes 255.255.255.0
 
access-list hp_vpn extended permit ip haynes 255.255.255.0 192.168.200.0 255.255.255.0
!--- No NAT on VPN traffic
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

!-- set the route
route outside haynes 255.255.255.0 10.0.0.1 1
!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.
!--- 3DES encryption with the MD5 hash algorithm is used, the same as on the HP side.


crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 10.0.0.1 
crypto map outside_map 1 set transform-set ESP-3DES-MD5
 
crypto map outside_map 1 set security-association lifetime seconds 28800
 
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
 
crypto map outside_map interface outside
!--- PHASE 1 CONFIGURATION ---! 
!--- This configuration uses isakmp policy 10.
!--- Policy 65535 is included in the config by default. 
!--- The configuration commands here define the Phase
!--- 1 policy parameters that are used. 

crypto isakmp enable outside
 
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

!-- Group policy and apply the ACL

group-policy HP internal
group-policy HP attributes
vpn-filter value hp_vpn
vpn-tunnel-protocol IPSec

!-- tunnel group for the connection
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 general-attributes
default-group-policy HP
tunnel-group 10.0.0.1 ipsec-attributes
pre-shared-key *
