4035 Views, 0 Helpful, 13 Replies

Site-to-site VPN with internet connection at the same time

goran ljubic
Level 1

I configured a site-to-site VPN between the ASA 5505 (ASA 8.4.2) and the ASA 5510 (ASA 8.4.4). How can I configure it so that the users on one side and on the second side can use the internet at the same time? Please help me.

Thanks

PS: Is this option split tunneling? How do I configure it?

13 Replies

nkarthikeyan
Level 7

No. You can do everything with the ACL.

You have the general outbound ACL for internet traffic as well as the site-to-site permits in the same ACL, and you will have the crypto ACL for the site-to-site VPN traffic. Whatever you have defined in the site-to-site crypto ACL is the only traffic that gets into the S2S tunnel; all the rest you can pass through to the internet.

If you have client-to-site VPN, then you have to do split tunneling.

Please rate if the info really helps!

If I understood correctly, all ACLs which are in the crypto ACE enable traffic through the tunnel, and the other ACLs which are not in the crypto ACE go to the internet. My ASA 5505 config is:

ASA Version 8.4(2)

!

hostname ciscoasa

enable password csq7sfr0bQJqMGET encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.2.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 10.15.100.8 255.255.255.0

!

ftp mode passive

object service ParagrafLex1

service tcp source eq 6190

description Odlazni

object service paragraf

service tcp destination eq 6190

description dolazni

object network server

host 192.168.0.2

object network NETWORK_OBJ_192.168.0.0_24

subnet 192.168.0.0 255.255.255.0

object network NETWORK_OBJ_192.168.2.0_24

subnet 192.168.2.0 255.255.255.0

object-group service DM_INLINE_SERVICE_1

service-object ip

service-object tcp

service-object icmp echo-reply

service-object tcp destination eq domain

service-object tcp destination eq echo

service-object tcp destination eq ldap

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object udp

protocol-object tcp

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_SERVICE_5

service-object ip

service-object icmp echo-reply

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any

access-list outside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp outside 10.13.74.1 000d.bd64.a8e2

arp timeout 14400

nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 no-proxy-arp route-lookup

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 10.15.100.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 10.15.100.0 255.255.255.0 outside

http 192.168.2.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer x.x.x.x

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map interface outside

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0


dhcpd auto_config outside

!

dhcpd address 192.168.2.2-192.168.2.128 inside

dhcpd auto_config outside interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy GroupPolicy_x.x.x.x internal

group-policy GroupPolicy_x.x.x.x attributes

vpn-tunnel-protocol ikev1 ikev2

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x general-attributes

default-group-policy GroupPolicy_x.x.x.x

tunnel-group x.x.x.x ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map type inspect ftp paragraf

parameters

policy-map global_policy

class inspection_default

inspect dns

inspect icmp

inspect ip-options

inspect netbios

inspect tftp

inspect h323 h225

inspect h323 ras

inspect ftp

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:b6f6c923f233ac9974a733f82ad17fea

: end

Yes, you are correct! At present you don't have any ACL for outgoing traffic, since you have only pointed traffic to the site-to-site VPN, i.e. you have only the crypto ACL for S2S traffic.

So you need to create an inside_to_outside ACL which will contain all the filtered traffic for both internet and VPN, and assign that to the inside interface. Since you already have the crypto ACL for the VPN, there are no issues with that if it is working.

VPN Traffic

========

VPN traffic will be checked against the inside_to_outside ACL, then it matches the crypto ACL and goes out.

Internet traffic

==========

All other traffic you permit, other than the VPN traffic, will go out as internet traffic.

access-list inside_to_outside extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0 (VPN)

access-list inside_to_outside extended permit internet filtered traffic permits

access-list inside_to_outside extended deny ip any any

!

access-group inside_to_outside in interface inside

!

Also you need to have NAT/PAT and routes defined accordingly to access the internet.

Please rate if the given information helps!

Sorry, I don't understand the commands. Can you explain them:

access-list inside_to_outside extended permit internet filtered traffic permits

access-list inside_to_outside extended deny ip any any

access-group inside_to_outside in interface inside

What would the syntax of the command be for me? I need TCP, ICMP, IP:

access-list inside_to_outside extended permit internet filtered traffic permits

Why block IP for any any?

My LAN is behind the ASA 5505. The outside interface of the ASA 5505 is NATed to a public address. I defined a static route 0.0.0.0 0.0.0.0 10.15.100.1.

Thanks

Presently you have the below ACLs in your ASA:

Outside to Inside LAN ACL

====================

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any

VPN ACL

========

access-list outside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

access-group outside_access_in in interface outside === applied to the outside interface (outside to inside LAN).

What I am asking is for you to have an ACL on the inside interface as well; there you need to have access rules for the internet as well as for site-to-site.

access-list inside_to_outside extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0 (S2sVPN)

access-list inside_to_outside extended permit tcp 192.168.2.0 255.255.255.0 any eq 80 (HTTP-Internet)

access-list inside_to_outside extended permit tcp 192.168.2.0 255.255.255.0 any eq 443 (HTTPS-Internet)

access-list inside_to_outside extended permit udp 192.168.2.0 255.255.255.0 any eq 53 (DNS)

access-list inside_to_outside extended deny ip any any

!

Like the above, you create entries for whichever traffic you want to permit. So as per the above ACL only HTTP, HTTPS and DNS traffic is allowed to the internet, and all the rest gets blocked.

!

Assigning it to the inside interface

========================

access-group inside_to_outside in interface inside

!

Please do rate if the given information helps!
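The first reply in this thread and the inside_to_outside ACL reply just above describe the same order of operations on the ASA: the ACL applied inbound on the inside interface is checked first (first match wins, implicit deny at the end), then NAT, and only then does the crypto ACL on the outside crypto map decide what enters the tunnel; everything else leaves as internet traffic. The Python model below is an added example, not code from the thread or from Cisco. The ACL lines, crypto ACL and identity NAT pair are copied from the posts above (the first ASA 5505 config, 192.168.2.0/24); the packets, the `classify` function name and the dynamic PAT rule for the 5505 (the posted 5505 config has none; the 5510's `after-auto source dynamic ... interface` rule is the shape assumed) are constructed for the example. Two points the replies only imply are shown explicitly: with no NAT rule at all an ASA 8.3+ sends the packet untranslated, and because the crypto ACL is matched on the post-NAT packet, dropping the identity NAT rule makes LAN-to-LAN traffic miss the tunnel.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")


def net(addr: str, mask: str) -> Net:
    """ASA 'address mask' pair -> network, e.g. 192.168.2.0 255.255.255.0 -> 192.168.2.0/24."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


@dataclass(frozen=True)
class Packet:
    proto: str            # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    dport: Optional[int] = None


def parse_ace(line: str) -> dict:
    """Parse one ASA extended ACE of the shapes used in this thread:
    access-list NAME extended permit|deny PROTO SRC DST [eq PORT]
    where SRC and DST are an 'address mask' pair or the keyword any."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    action, proto, i, nets = tok[3], tok[4], 5, []
    for _ in range(2):                      # source, then destination
        if tok[i] == "any":
            nets.append(ANY); i += 1
        else:
            nets.append(net(tok[i], tok[i + 1])); i += 2
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"action": action, "proto": proto, "src": nets[0], "dst": nets[1], "dport": dport}


def ace_matches(ace: dict, pkt: Packet, src: str) -> bool:
    """Match a packet against an ACE; `src` is the source to use (pre- or post-NAT)."""
    return (ace["proto"] in ("ip", pkt.proto)
            and ipaddress.ip_address(src) in ace["src"]
            and ipaddress.ip_address(pkt.dst) in ace["dst"]
            and (ace["dport"] is None or ace["dport"] == pkt.dport))


def classify(pkt: Packet, inside_acl: List[dict], identity_nat: List[Tuple[Net, Net]],
             pat_sources: Optional[List[Net]], outside_ip: str, crypto_acl: List[dict]) -> dict:
    """What the ASA does with an inside->outside packet: 'denied', 'tunnel' or 'internet',
    plus the source address the packet leaves with."""
    # 1. ACL applied 'in' on the inside interface: first match wins, implicit deny at the end.
    for ace in inside_acl:
        if ace_matches(ace, pkt, pkt.src):
            if ace["action"] == "deny":
                return {"verdict": "denied", "src": pkt.src}
            break
    else:
        return {"verdict": "denied", "src": pkt.src}
    # 2. NAT: a matching identity (twice NAT) rule keeps the source; otherwise dynamic PAT rewrites
    #    it to the outside address; with no matching rule at all the packet leaves untranslated (8.3+).
    src_ip, dst_ip = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    translated = pkt.src
    if not any(src_ip in s and dst_ip in d for s, d in identity_nat):
        if pat_sources and any(src_ip in s for s in pat_sources):
            translated = outside_ip
    # 3. Crypto ACL on the outside crypto map, evaluated on the post-NAT packet: match -> tunnel.
    for ace in crypto_acl:
        if ace["action"] == "permit" and ace_matches(ace, pkt, translated):
            return {"verdict": "tunnel", "src": translated}
    return {"verdict": "internet", "src": translated}


# Inside-interface ACL recommended in the reply above (copied from the thread).
INSIDE_ACL = [parse_ace(l) for l in (
    "access-list inside_to_outside extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0",
    "access-list inside_to_outside extended permit tcp 192.168.2.0 255.255.255.0 any eq 80",
    "access-list inside_to_outside extended permit tcp 192.168.2.0 255.255.255.0 any eq 443",
    "access-list inside_to_outside extended permit udp 192.168.2.0 255.255.255.0 any eq 53",
    "access-list inside_to_outside extended deny ip any any",
)]
# Crypto ACL and identity NAT pair from the first posted ASA 5505 config.
CRYPTO_ACL = [parse_ace(
    "access-list outside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0")]
IDENTITY_NAT = [(net("192.168.2.0", "255.255.255.0"), net("192.168.0.0", "255.255.255.0"))]
OUTSIDE_IP = "10.15.100.8"
# Constructed for the example: the posted 5505 config has no dynamic PAT rule at all.
PAT_SOURCES = [net("192.168.2.0", "255.255.255.0")]


def demo() -> dict:
    """Constructed packets through the 5505 policy; the last two show the failure modes."""
    base = dict(inside_acl=INSIDE_ACL, identity_nat=IDENTITY_NAT, pat_sources=PAT_SOURCES,
                outside_ip=OUTSIDE_IP, crypto_acl=CRYPTO_ACL)
    smb_remote = Packet("tcp", "192.168.2.10", "192.168.0.2", 445)
    https = Packet("tcp", "192.168.2.10", "203.0.113.5", 443)
    return {
        "smb_to_remote_lan": classify(smb_remote, **base),                                   # tunnel
        "https_internet": classify(https, **base),                                           # internet, PATed
        "smtp_internet": classify(Packet("tcp", "192.168.2.10", "203.0.113.5", 25), **base),  # denied
        "https_without_pat": classify(https, **{**base, "pat_sources": None}),               # private source leaks
        "smb_without_identity_nat": classify(smb_remote, **{**base, "identity_nat": []}),    # PATed, misses tunnel
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26s} {result}")
```

The `smb_without_identity_nat` case is why the `nat (inside,outside) source static ... destination static ...` line in the posted configs matters: without it the PAT rule rewrites the source to the outside address, the crypto ACL no longer matches, and the LAN-to-LAN packet is sent to the internet instead of into the tunnel. The `https_without_pat` case is what the posted 5505 config does today for internet-bound traffic.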

Please tell me, will I have no problem if the outside interface of my ASA 5505 is NATed to a public IP with this configuration? I set a static route for the outside interface to the gateway 10.15.100.1.

PAT is required for internet access from the LAN, which is in a private segment, as well as for site-to-site. I assume your site-to-site is created with the public IPs, i.e. the outside interface of the ASA.

If your site-to-site is working now, then the internet should also work if you follow the steps I provided earlier.

Thanks!

Please rate if the given information helps!

Before, my LAN computers that are now behind the ASA 5505 were in the network 10.15.100.0/24, where the outside interface of the ASA 5505 is now. They used the internet by receiving IP, DNS and gateway automatically from the gateway (router) at IP address 10.15.100.1. I don't know whether I should set up NAT on my ASA 5505.

I tested the site-to-site VPN but site-to-site doesn't work. I can't ping the LAN behind the ASA 5510, but not behind the ASA 5505. When I put the command

sh crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role

159733105      10.15.100.8/4500  178.254.133.178/4500      READY    INITIATOR

      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK

      Life/Active Time: 86400/113 sec

Child sa: local selector  192.168.5.0/0 - 192.168.5.255/65535

          remote selector 192.168.0.0/0 - 192.168.0.255/65535

          ESP spi in/out: 0x8825e2c3/0x86e50a36

When I put

asa-siv(config)# show crypto ip sa

interface: outside

    Crypto map tag: outside_map, seq num: 1, local addr: 10.15.100.8

      access-list outside_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)

      current_peer: 178.254.133.178

      #pkts encaps: 78, #pkts encrypt: 78, #pkts digest: 78

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 78, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.15.100.8/4500, remote crypto endpt.: 178.254.133.178/4500

      path mtu 1500, ipsec overhead 82, media mtu 1500

      current outbound spi: 86E50A36

      current inbound spi : 8825E2C3

    inbound esp sas:

      spi: 0x8825E2C3 (2284184259)

         transform: esp-aes-256 esp-sha-hmac no compression

         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 8192, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4331520/28524)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0x86E50A36 (2263157302)

         transform: esp-aes-256 esp-sha-hmac no compression

         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 8192, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4101111/28524)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

asa-siv(config)#

When I put

debug cry isa

debug cry isa

debug cry ipsec


I don't receive anything.

What do I do?


Hi Goran,

Can you please share the configs at both ends? I do see encaps happening and decaps not happening; some parameter is missing, need to check. Thanks

Also check your routing; this also should work fine at both ends.

Configuration from the ASA 5505 is:

ASA Version 8.4(2)

!

hostname asa-siv

enable password csq7sfr0bQJqMGET encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.5.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 10.15.100.8 255.255.255.0

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

object network obj_any

subnet 192.168.5.0 255.255.255.0

object network NETWORK_OBJ_192.168.0.0_24

subnet 192.168.0.0 255.255.255.0

object network NETWORK_OBJ_192.168.5.0_24

subnet 192.168.5.0 255.255.255.0

object-group service DM_INLINE_SERVICE_1

service-object ip

service-object tcp

service-object icmp echo-reply

object-group service DM_INLINE_SERVICE_2

service-object ip

service-object tcp

service-object icmp echo-reply

service-object udp

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any

access-list outside_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list inside_to_outside extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list inside_to_outside extended permit object-group DM_INLINE_SERVICE_2 192.168.5.0 255.255.255.0 any

access-list inside_to_outside extended deny ip any any

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24 destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 no-proxy-arp route-lookup

access-group inside_to_outside in interface inside

route outside 0.0.0.0 0.0.0.0 10.15.100.1 1

route inside 192.168.0.0 255.255.255.0 192.168.5.1 2

route outside 192.168.0.0 255.255.255.0 10.15.100.1 3

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.5.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer x.x.133.178

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map interface outside

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside vpnclient-wins-override

!

dhcpd address 192.168.5.2-192.168.5.128 inside

dhcpd auto_config outside interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy GroupPolicy_x.x.133.178 internal

group-policy GroupPolicy_x.x.133.178 attributes

vpn-tunnel-protocol ikev1 ikev2

tunnel-group x.x.133.178 type ipsec-l2l

tunnel-group x.x.133.178 general-attributes

default-group-policy GroupPolicy_x.x.133.178

tunnel-group x.x.133.178 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:ddf78fdde83332e5c63f9fecded1fc48

: end

Configuration from the ASA 5510:

: Saved

:

ASA Version 8.4(2)

!

hostname asa5510

domain-name dri.local

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address xx.xx.133.178 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.0.10 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name dri.local

object network VPN-POOL

subnet 192.168.50.0 255.255.255.0

description VPN Client pool

object network LAN-NETWORK

subnet 192.168.0.0 255.255.255.0

description LAN Network

object network NETWORK_OBJ_10.15.100.0_24

subnet 10.15.100.0 255.255.255.0

object network NETWORK_OBJ_192.168.0.0_24

subnet 192.168.0.0 255.255.255.0

object network 192.168.0.10

host 192.168.0.10

object-group network PAT-SOURCE-NETWORKS

description Source networks for PAT

network-object 192.168.0.0 255.255.255.0

access-list INSIDE-IN remark Allow traffic from LAN

access-list INSIDE-IN extended permit ip 192.168.0.0 255.255.255.0 any

access-list Split_Tunnel_List extended permit ip 192.168.0.0 255.255.255.0 any

access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL

nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_10.15.100.0_24 NETWORK_OBJ_10.15.100.0_24 no-proxy-arp route-lookup

!

nat (inside,outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface

access-group INSIDE-IN in interface inside

route outside 0.0.0.0 0.0.0.0 178.254.133.177 1

route inside 192.168.5.0 255.255.255.0 192.168.0.10 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

action terminate

dynamic-access-policy-record dripolisa

aaa-server DRI protocol ldap

aaa-server DRI (inside) host 192.168.0.20

ldap-base-dn DC=dri,DC=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=dragan urukalo,OU=novisad,OU=sektor2,OU=REVIZIJA,DC=dri,DC=local

server-type microsoft

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authorization command LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer 195.222.96.223

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.0.14-192.168.0.45 inside

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy GroupPolicy_x.x.96.223 internal

group-policy GroupPolicy_x.x.96.223 attributes

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec

group-policy drivpn internal

group-policy drivpn attributes

dns-server value 192.168.0.20 192.168.0.254

vpn-simultaneous-logins 10

vpn-idle-timeout 30

vpn-tunnel-protocol ikev1 l2tp-ipsec

split-tunnel-network-list value Split_Tunnel_List

default-domain value dri.local

username driadmin password AojCAMO/soZo8W.W encrypted privilege 15

tunnel-group drivpn type remote-access

tunnel-group drivpn general-attributes

address-pool vpnadrese

authentication-server-group DRI

default-group-policy drivpn

tunnel-group drivpn ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group x.x.96.223 type ipsec-l2l

tunnel-group x.x.96.223 general-attributes

default-group-policy GroupPolicy_x.x.96.223

tunnel-group x.x.96.223 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect http

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:3cbb469aab1b4563a0025bf7753a585e

: end

Yes, site 1 is behind a router. I tried the command

crypto map outside_map 1 set ikev1 phase1-mode aggressive

on the site 1 ASA 5505, but nothing.
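The reply that asked for both configs names two things to check besides the crypto parameters: NAT (the earlier reply's point that PAT is required, and the identity NAT that must cover the crypto ACL pair) and routing at both ends. The following script is an added example, not something from the thread or from Cisco: it cross-checks the statements that have to agree for an L2L tunnel to carry traffic in both directions. The input lines are copied from the two configs posted above, trimmed to the network objects, crypto ACL, `nat`, `route` and `crypto map` statements; the function names and the reported field names are the example's own, and the mirror test assumes, as the posted configs do, that each crypto ACL contains one `permit ip` pair.

```python
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network


def net(addr: str, mask: str) -> Net:
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_side(lines: List[str]) -> dict:
    """Extract network objects, the crypto ACL, NAT rules, static routes and the
    crypto-map interface from trimmed ASA config lines."""
    objs: Dict[str, List[Net]] = {}
    acls: Dict[str, List[Tuple[Net, Net]]] = {}
    side = {"identity_nat": [], "pat_sources": [], "routes": [], "crypto_if": None}
    current, crypto_acl_name = None, None
    for line in lines:
        t = line.split()
        if not t:
            continue
        if t[0] in ("object", "object-group") and t[1] == "network":
            current = t[2]
            objs[current] = []
        elif t[0] in ("subnet", "network-object") and current:
            objs[current].append(net(t[1], t[2]))
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"] and "any" not in t:
            acls.setdefault(t[1], []).append((net(t[5], t[6]), net(t[7], t[8])))
        elif t[0] == "nat" and "source" in t:
            k = t.index("source")
            if t[k + 1] == "static" and "destination" in t:
                d = t.index("destination")
                if t[k + 2] == t[k + 3] and t[d + 2] == t[d + 3]:   # real == mapped: identity NAT
                    side["identity_nat"].append((objs[t[k + 2]], objs[t[d + 2]]))
            elif t[k + 1] == "dynamic":                              # dynamic PAT to the interface
                side["pat_sources"].extend(objs[t[k + 2]])
        elif t[0] == "route":                                        # route IFACE NET MASK GW METRIC
            side["routes"].append((t[1], net(t[2], t[3]), int(t[5])))
        elif t[:2] == ["crypto", "map"] and "match" in t:
            crypto_acl_name = t[t.index("address") + 1]
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            side["crypto_if"] = t[4]
    side["crypto_acl"] = acls.get(crypto_acl_name, [])
    return side


def check(local: dict, peer: dict) -> dict:
    """Findings for one side; the peer's parsed config is used for the mirror test."""
    pairs = local["crypto_acl"]
    egress = {}
    for _, remote_net in pairs:   # best route: longest prefix, then lowest metric
        cands = [r for r in local["routes"] if remote_net.subnet_of(r[1])]
        best = max(cands, key=lambda r: (r[1].prefixlen, -r[2])) if cands else None
        egress[str(remote_net)] = best[0] if best else None
    return {
        "crypto_acl_mirrored": all((r, l) in peer["crypto_acl"] for l, r in pairs),
        "identity_nat_covers_crypto_acl": all(
            any(l in s and r in d for s, d in local["identity_nat"]) for l, r in pairs),
        "has_dynamic_pat": bool(local["pat_sources"]),
        "remote_subnet_egress": egress,
        "remote_routed_via_crypto_if": bool(egress) and all(v == local["crypto_if"] for v in egress.values()),
    }


# Lines copied from the two configs posted above, trimmed to the relevant statements.
ASA5505 = """\
object network NETWORK_OBJ_192.168.0.0_24
 subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_192.168.5.0_24
 subnet 192.168.5.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24 destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 10.15.100.1 1
route inside 192.168.0.0 255.255.255.0 192.168.5.1 2
route outside 192.168.0.0 255.255.255.0 10.15.100.1 3
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map interface outside
""".splitlines()

ASA5510 = """\
object network VPN-POOL
 subnet 192.168.50.0 255.255.255.0
object network LAN-NETWORK
 subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_10.15.100.0_24
 subnet 10.15.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.0.0_24
 subnet 192.168.0.0 255.255.255.0
object-group network PAT-SOURCE-NETWORKS
 network-object 192.168.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_10.15.100.0_24 NETWORK_OBJ_10.15.100.0_24 no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface
route outside 0.0.0.0 0.0.0.0 178.254.133.177 1
route inside 192.168.5.0 255.255.255.0 192.168.0.10 1
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map interface outside
""".splitlines()


def run() -> dict:
    a, b = parse_side(ASA5505), parse_side(ASA5510)
    return {"asa5505": check(a, b), "asa5510": check(b, a)}


if __name__ == "__main__":
    for name, findings in run().items():
        print(name, findings)
```

On the posted lines the script reports that the two crypto ACLs mirror each other, and then the items the reply above asks to check. On the 5505 the identity NAT covers the crypto ACL pair, there is no dynamic PAT rule (so internet-bound traffic leaves with its 192.168.5.x source, which is the PAT question the thread raised), and the best route for 192.168.0.0/24 is the metric-2 `route inside` entry rather than the outside interface that holds the crypto map. On the 5510 the identity NAT rules cover 192.168.50.0/24 and 10.15.100.0/24 but not 192.168.5.0/24, so the `after-auto` PAT rule would rewrite return traffic for the remote LAN before the crypto map sees it, and `route inside 192.168.5.0 ...` likewise points the remote subnet at the inside interface. A tunnel whose initiator encapsulates but never decapsulates, as in the `show crypto ipsec sa` counters above, is what one would expect while the return path on the peer is NATed or routed away from the crypto map.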
