topic Re: vpn site to site between FIREWALLS in Network Security

vpn site to site between FIREWALLS

amralrazzaz — Fri, 21 Feb 2020 16:23:07 GMT

can i have on this attached network picture how to configure vpn site to site from remote location to main headoffice location

in remote location i have

Firewall/router: Make/Model/OS

Cisco ASA5516-X

in HO location they have

Firewall/router: Make/Model/OS

Fortigate 3951

have only one way connection from remote location to web server (main HO) (THE CONFIGURATION WILL ONLY ON MY SIDE ASA5516-X)

can i have the step for vpv- site to site example configurations

thanks check attached pic

Re: vpn site to site between FIREWALLS

Fotiosmark — Tue, 23 Oct 2018 13:23:44 GMT

1st you need static Public IP for both sites...i am guessing that is something you already have.

from the ASA side built the tunnels with a preshared key and Objects of what to reach what, add it to an access list and NAT it

you need to do the same on fortigate and Access lists must match exactly.

Config example between 2 ASA Lan to Lan

*******************
ASAVM-ABC
*******************

object network LH
subnet *********** 255.255.255.248

object-group network LH-Lan
network-object object obj-LH

access-list Remote-acl7 extended permit ip object LAN_FOR_VPN object obj-LH

crypto map VPN 90 match address Remote-acl7
crypto map VPN 90 set pfs
crypto map VPN 90 set peer ************
crypto map VPN 90 set ikev1 transform-set LH-Lan
crypto map VPN interface outside

crypto ipsec ikev1 transform-set LH-Lan esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map VDC_VPN_MAP 90 set security-association lifetime seconds 3600

nat (inside,outside) source static LAN_FOR_VPN_SUBNET LAN_FOR_VPN_SUBNET destination static LH-Lan LH-Lan route-lookup

tunnel-group ************ type ipsec-l2l
tunnel-group *********** ipsec-attributes
ikev1 pre-shared-key ******

crypto ikev1 policy 40
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800

**************
LHASA-*****
**************

object network LAN_FOR_VPN
subnet **************

object network ProfitBricks
subnet 10.12.90.0 255.255.255.0

object-group network ProfitBricks_Lan
network-object object obj-ProfitBricks

access-list Remote-acl7 extended permit ip object LAN_FOR_VPN object obj-ProfitBricks

crypto map VPN 90 match address Remote-acl7
crypto map VPN 90 set pfs
crypto map VPN 90 set peer ***********
crypto map VPN 90 set ikev1 transform-set ProfitBricks_Lan
crypto map VPN interface outside

crypto ipsec ikev1 transform-set ProfitBricks_Lan esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map VDC_VPN_MAP 90 set security-association lifetime seconds 3600

nat (inside,outside) source static LAN_FOR_VPN_SUBNET LAN_FOR_VPN_SUBNET destination static ProfitBricks_Lan ProfitBricks_Lan route-lookup

tunnel-group ******** type ipsec-l2l
tunnel-group ********* ipsec-attributes
ikev1 pre-shared-key *****

crypto ikev1 policy 40
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800

Re: vpn site to site between FIREWALLS

amralrazzaz — Wed, 24 Oct 2018 09:49:29 GMT

thanks alot for the explanation , can i asked you some thing

i already got public ip from isp vendor and its active , my router isp is nokia router , , so when i ping to this ip it should be reached and should has a connectivity ? am i correct ? because its not binging the public ip ? (this is before doing any configurations still )

so the problem from isp that service not active or i should configure something in my network by adding this public ip to wan interface ?

also another question : the main office side told me that tunnel already created and no need to do any configuration from your side just check if you can reach our resources or not , but i cant ?

Re: vpn site to site between FIREWALLS

Fotiosmark — Wed, 24 Oct 2018 09:57:33 GMT

if they wish to do vpn site to site, both equipment needs configuration. if they wanted vpn dial up like cisco anyconnect, you only need username and password and their public ip.

did the provied gave a a leased public ip? Static? Vpns site to site can be build only with Static IP which you assign at your equipment Wan interface, and the default route (next hop)

Re: vpn site to site between FIREWALLS

amralrazzaz — Wed, 24 Oct 2018 11:53:40 GMT

thanks for your clarification , i just contact the isp and they said its your static ip is active , so i cant ping it ?

question is i should make any configurations on my network or the isp already added on its router wan interface ?

any how its active but i cant ping ? why ? i should configure static route next ip (static ip) so my network can reach the static ip ????

check im nw diagram attached

Re: vpn site to site between FIREWALLS

Fotiosmark — Wed, 24 Oct 2018 13:01:32 GMT

ok, step 1. If an IP is not assigned to an interface, it is NOT pingable. Meaning they might have given you a static IP of 85.21.5.32 255.255.255.252 (thats an example) which therefore first usable IP you assign it to your ASA and the next IP should be the default route (we are talking about leased lines, not PPPOE dsl)

So you have your ASA in WAN interface 85.21.5.33 255.255.255.252 and the default route the next ip.

So again....

I have an ASA at my home and want to connect it to Office network Tunnel Lan to Lan

1st contact ISP for static IP

Then I assign that IP to my WAN interface with default route the next hop (i am talking basic ccna here)

In the Inside interface your LAN you assign a Private (which you have to NAT if you want to get on the outside internet)

ip nat inside LAN

ip nat outside WAN

So unless you assign that IP its never going to be reachable.

Re: vpn site to site between FIREWALLS

amralrazzaz — Thu, 25 Oct 2018 10:25:40 GMT

so once i assign the static ip address and check the connectivity , i can check the connectivity from my side to main office sever as i told you they informed me that already vpn tunnel created with my side using static ip which already provided to them but i still didnt configure in my network ??

am i correct ?

can u give me an example of the configuration as per the attached network i sent to u

many thanks boss

Re: vpn site to site between FIREWALLS

amralrazzaz — Thu, 25 Oct 2018 10:29:51 GMT

can i ask u also about the static ip ?

the ip static must be assign on interface of isp router (nokia) which directly connnected to ASA (isp should do that as i dont have access to isp router) ?

and 2nd is an example of how to configure this static ip on asa or how to let my network has connectivity with this static ip

check attached

Re: vpn site to site between FIREWALLS

Fotiosmark — Thu, 25 Oct 2018 10:45:21 GMT

which devices do you have access to and can configure? the ASA is on your side or the fortigate?

Re: vpn site to site between FIREWALLS

amralrazzaz — Thu, 25 Oct 2018 11:09:40 GMT

i sent u attached of my nw , its asa and nokia router for isp company connected directly to asa 5516-x (in my side)

fortigate is head office side not mine , and they already informed that vpn tunnel already created with my branch office and asked me to check the connectivity to them withou any vpn configurations in my side as they said , we will explor this later after my network has connectivity to my static ip which provided from isp company then i can ping the main office server to check

check attached pic

Re: vpn site to site between FIREWALLS

Fotiosmark — Fri, 26 Oct 2018 09:57:09 GMT

Hello,

It sounds like you need to configure it from scratch your ASA that is.

Do you know how to do that? It's not a simple task. Do you have a console cable?

Re: vpn site to site between FIREWALLS

Fotiosmark — Fri, 26 Oct 2018 10:00:55 GMT

Also, if we are talking about VPN tunneling, that means that they need Access lists, Nating, Preshared Key, Static IP from the tunneling, Crypto maps etc etc....So you won't have access to the HQ unless somehow you get into HQ network with VPN - Dialed or Lan2Lan -

If you want to discuss it more through Skype i am fotismark1

Re: vpn site to site between FIREWALLS

Fotiosmark — Fri, 26 Oct 2018 10:01:57 GMT

Also I don't really understand why you went with this expensive solution. A Dialed up VPN to access the office resources would do with Forticlient 🙂

Re: vpn site to site between FIREWALLS

amralrazzaz — Sat, 27 Oct 2018 11:51:02 GMT

im really appreciate your great help and support , my question is need to configure the static ip address on ASA have a connectivity between my network and this static ip as it already paid for the service and activated from isp company

i tried to ping this ip but no hope unless configure it , can u give me an example for configure that 1st

ill check the connectivity with HO server after that if not that mean we need to configure the asa from scratch as u said

because they told me already tunnel created and no need to configure something from ur side

so im need my network to be reachable with my static ip 1st

so how ?

also where technically should be assign this ip static ( is it on the isp router interface ) which directly connected to my asa or should i assigned this ip to my outside interface with directly connected to isp router ?

Re: vpn site to site between FIREWALLS

amralrazzaz — Mon, 29 Oct 2018 08:33:18 GMT

i tried to ping this ip but no hope unless configure it , can u give me an example for configure that 1st

ill check the connectivity with HO server after that if not that mean we need to configure the asa from scratch as u said

because they told me already tunnel created and no need to configure something from ur side

so im need my network to be reachable with my static ip 1st

so how ?

amr alrazzaz

Re: vpn site to site between FIREWALLS

Fotiosmark — Mon, 29 Oct 2018 09:11:32 GMT

Assign this IP to the interface that is connected to the ISP.
If for example on ASA Gi0/0 ---------- ISP
And your ISP gave you for example 62.2.170.128/29 then with the Cisco Logic on mind, you put the first IP on the Gi0/0

Interface gi0/0
ip address 62.2.170.129 255.255.255.248
nameif outside
Security-level 0
no shut
exit

And then you have to tell the router where is the Default Route
ip route 0.0.0.0 0.0.0.0 62.2.170.130 (the next IP would be the providers)

Then off course you have to build your inside LAN network and also NAT the traffic. (split-tunneling) if you have to.

Re: vpn site to site between FIREWALLS

amralrazzaz — Mon, 29 Oct 2018 11:07:49 GMT

thanks a lot for your great help

yes of course my network already configured and working live with users now but the static ip address we ordered it for vpn connectivity recently after we made our configurations so what is pending is to configure the static ip address on our network to be reachable

so your configuration that you sent to me is the only pending to my network for static ip to be recognized on it

correct me if im wrong

thanks again

thanks

Re: vpn site to site between FIREWALLS

amralrazzaz — Mon, 29 Oct 2018 12:02:46 GMT

just wanna ask about the the outside default route on asa because i dont have a router , i have core switch only connected to ASA which directly connected to isp router

so the configuration of default route on asa will be :

Route outside 0.0.0.0 0.0.0.0 next hope ip address (ip of the wan interface of isp router which assign on it the static ip ?)

is it correct ?

thanks

Re: vpn site to site between FIREWALLS

Fotiosmark — Mon, 29 Oct 2018 12:54:53 GMT

What do you mean Core Switch? Layer 3 Switch? do you have Routed Vlans?

So you have connected the ISP side to the Switch? So if its a Layer 3 Switch are you going to assign that IP on the Switch? I don't understand...

Re: vpn site to site between FIREWALLS

amralrazzaz — Mon, 29 Oct 2018 14:43:15 GMT

this is a layer 2 switch only but vlans creations - dhcp servers for each vlan with management ip addresses

so its only layer 2 switch not more , so in that case whats the answer of my question 🙂

thanks many thanks