Several years ago, when I was new to the security team in Brussels TAC, a case appeared in our queue that would change my view on IPSec VPN (and not only that!).
The problem description was quite clear - a user connected with the Cisco VPN Client to an 1841 series router in full-tunnel mode was unable to reach the Internet through the IPSec VPN.
Seems quite easy, right?
Little did I know that it would require me to grasp, very fast, a technology that was new and alien to me at the time.
Briefly about the technical problem.
What happens when your VPN client, which has a private IPv4 address assigned, wants to communicate with the outside world?
A typical edge device for a small business has a single public IPv4 address assigned to the router's WAN interface.
Users on the LAN segment, who also have private IPv4 addresses, share this WAN IP to reach the Internet by means of PAT (NAT overload).
Very often VPN users need the same treatment.
The problem with a typical (legacy) ezvpn configuration is that, unlike the LAN, VPN users do not have their own interface on which to enable certain features, "ip nat inside" in this particular case. Thus the router is not aware that it is supposed to NAT the VPN traffic.
Previous solutions to this particular problem involved steering the VPN traffic (after decapsulation) to a loopback interface with PBR; that loopback would have "ip nat inside" enabled.
This was a neat trick, but we can forget about it now that we have the Dynamic Virtual Tunnel Interface (DVTI).
In this case I configured a DVTI, added the "ip nat inside" command on it, and it worked straight out of the box!
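As an added illustration (not configuration from the original post), here is a minimal IOS ezvpn server whose DVTI carries "ip nat inside", so that decapsulated client traffic is translated on the WAN interface. Every name, address, pool range and key below is a constructed placeholder; the WAN interface and the existing LAN NAT rule are assumptions.

```cisco
! Added example, not the post's own config: ezvpn server with DVTI + NAT.
! All names, addresses and keys are constructed placeholders.
aaa new-model
aaa authentication login VPN_XAUTH local
aaa authorization network VPN_GROUP local
username vpnuser secret PLACEHOLDER_USER_PASSWORD
!
ip local pool VPNPOOL 192.168.100.1 192.168.100.50
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
! No "acl" under the group: clients run in full-tunnel mode, so every
! client flow to the Internet comes back through the DVTI.
crypto isakmp client configuration group VPNGROUP
 key PLACEHOLDER_GROUP_KEY
 pool VPNPOOL
!
crypto isakmp profile VPNPROF
 match identity group VPNGROUP
 client authentication list VPN_XAUTH
 isakmp authorization list VPN_GROUP
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set VPN_TS esp-aes 256 esp-sha-hmac
crypto ipsec profile VPN_IPSEC
 set transform-set VPN_TS
 set isakmp-profile VPNPROF
!
! The DVTI template: each client session gets a cloned Virtual-Access
! interface that inherits "ip nat inside", the hook the legacy ezvpn
! setup had no interface for.
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 ip nat inside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_IPSEC
!
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Translate only the VPN pool; the LAN keeps its own (assumed) NAT rule.
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet0/0 overload
```

Once a client is up, "show ip nat translations" should list entries whose inside local address comes from the pool; if it does not, the translation is not happening and the Virtual-Access interface is the first place to check.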
About VTI - a high-level look at Virtual Tunnel Interfaces.
While my case was solved, I had barely scratched the surface of how useful VTI is.
A few things you should know when starting.
VTI comes in two flavors: SVTI (a tunnel interface) and DVTI (a virtual-template interface).
SVTI is used for static, always-on IPSec tunnels, while DVTI is used to provide on-demand connectivity.
SVTI should typically be thought of as a LAN-to-LAN tunnel, while DVTI is used for ezvpn (both server and client!) and, more recently, webvpn.
Let's have a look at some advantages of VTI.
1. Dynamic routing and multicast through VTI!
Remember one nasty limitation of IPSec - no multicast through the tunnel unless you used GRE?
Getting devices to talk to each other via OSPF or EIGRP required some tweaks.
Now it's available by default!
That being said, GRE is not out of the picture: it is still broadly used and more flexible, and having more than one option is better than having one.
2. No GRE overhead.
Try a ping with the DF bit set over your tunnel interface, once when it is a VTI and once when it is GRE over IPSec...
ping TUNNEL_IP_ON_THE_OTHER_SIDE source tunnel X df-bit size 1436