11-07-2013 08:23 AM
I have a site to site VPN set up from my office to a remote office. I am planning on putting my DR data storage at the remote office. My current private network is 192.168.99.0/24, and my backup network is secluded via a second NIC on all my servers with a 172.16.16.0/24 address. I currently have a /22 public address space with one /24 address space as my NATting for inside services that require an outside address. All this is configured on an ASA5550. I have at the remote site a single 192.168.3.0/24 address space via a single IP address through an ASA5505. I want to extend the 172 backup network to the remote site; as of right now the 172 does not get routed anywhere, so it could be plugged into the ASA5550, but I am not sure how to associate that traffic via the current site to site VPN.
11-07-2013 08:28 AM
Hi,
If you are planning on extending the actual subnet 172.16.16.0/24 to the remote site, then L2L VPN is not really the solution for that. It doesn't enable you to have L2 connectivity between the sites.
Or did I understand your post wrong?
- Jouni
11-07-2013 08:31 AM
That was the original thought, but I could not see how it was possible. What would be the best solution for this DR backup at our remote site? We have done the initial backup locally; now I need to move it to the remote site and then we will do differential backups to the remote site.
11-07-2013 08:35 AM
Ideally I would like to send the 172 traffic directly to the 192.168.3 remote site and keep it off my 192.168.99 production network. But I am not sure how to get it to the ASA5550 here and then on the VPN connection to the DR with a 192.168.3 address.
11-07-2013 08:36 AM
Hi,
The ASA would not be able to make that L2 connection. With Cisco routers it would be possible, to my understanding.
So your aim at the moment is to just connect the network 172.16.16.0/24 at its local site and configure it on the L2L VPN connection that exists, so you can send traffic from the 172.16.16.0/24 network to the remote site?
Well, you would naturally have to connect that network to the local ASA (directly or through some other routers, depending on your actual setup) and make sure that hosts on that network have a route to the remote network through the local ASA.
When that network is actually connected to the ASA, the needed configurations would be easy to add if we could see the current configurations.
- Jouni
11-07-2013 08:40 AM
OK, here locally, on an unused interface on the ASA5550, I would connect the 172 network switch and give that ASA interface a 172.16.16.1/24 address. Then I would need to put in a route for the 172 network to go to the 192.168.3 network, which is the remote site, via a site to site VPN connection. Adding the 172 traffic to the current site to site VPN is where I am fuzzy.
11-07-2013 08:48 AM
ciscoasa# sho runn | in 98.174.222.x
crypto map outside_map 2 set peer 98.174.222.x
tunnel-group 98.174.222.x type ipsec-l2l
tunnel-group 98.174.222.x ipsec-attributes
ciscoasa# sho isakmp sa
Active SA: 3
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3
1 IKE Peer: 192.40.125.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 98.174.222.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
3 IKE Peer: 12.160.89.x
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
ciscoasa# sho ipsec sa peer 98.174.222.x
peer address: 98.174.222.x
Crypto map tag: outside_map, seq num: 2, local addr: 64.5.141.x
access-list outside_2_cryptomap extended permit ip 192.168.96.0 255.255.252.0 192.168.3.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.96.0/255.255.252.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: 98.174.222.179
#pkts encaps: 4465068, #pkts encrypt: 4465069, #pkts digest: 4465069
#pkts decaps: 3477605, #pkts decrypt: 3477605, #pkts verify: 3477605
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4465068, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 1, #pre-frag failures: 0, #fragments created: 2
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 6
#send errors: 0, #recv errors: 0
local crypto endpt.: 64.5.141.x, remote crypto endpt.: 98.174.222.x
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: C904BAEE
current inbound spi : E67EAEA9
inbound esp sas:
spi: 0xE67EAEA9 (3867061929)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 8417280, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3909689/24421)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC904BAEE (3372530414)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 8417280, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3912782/24421)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
11-07-2013 08:51 AM
Hi,
A couple of things related to the routing/forwarding of traffic would need to be cleared up:
The main thing after connecting the network to the ASA5550 is that when the hosts on the 172.16.16.0/24 network try to connect to the network 192.168.3.0/24, the traffic should be forwarded to the ASA. This should be accomplished with
The L2L VPN configuration on the ASA5550 and on the remote end could be easily added if we could see the current configurations and the configuration for the new interface on the ASA5550.
- Jouni
11-07-2013 08:56 AM
It is currently standalone. I was going to give an open interface on the ASA5550 a 172.16.16.1/24 address and connect the backup switch directly to the ASA, so the answer to the second question is no, there is currently no router on the 172 network. The configuration for the ASA5550 is very large; there is no way I could sanitize it in a timely fashion.
11-07-2013 09:09 AM
Hi,
So if you don't have any router on the 172.16.16.0/24 network, then either the hosts on that network will have to have their default gateway pointing to the new ASA interface IP address, or you need actual routes on the hosts themselves so traffic towards 192.168.3.0/24 gets forwarded to the ASA.
Since your configuration is large, I guess I can give example configurations you might need.
So first look for your L2L VPN configuration connecting to the 192.168.3.0/24 network. Use the following command and find the connection:
show run crypto map
You should see a configuration line with "crypto map
After this you need to add the source network to that ACL:
access-list
Then you will probably need a NAT0 configuration for the new ASA interface you have created:
access-list BACKUP-NAT0 remark NAT0 for backup network L2L VPN
access-list BACKUP-NAT0 permit ip 172.16.16.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (
This should pretty much be what is needed on an existing L2L VPN connection on the ASA5505 side. Naturally you can configure an interface ACL to restrict traffic as needed.
Remember that the same configurations (as a mirror image) are needed at the remote site also.
I am actually not sure what software your ASAs are running. If they are 8.3 or above, then the NAT configuration for NAT0 is naturally different.
- Jouni
11-07-2013 09:27 AM
Here is the crypto map for this VPN:
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 98.174.222.x
crypto map outside_map 2 set transform-set ESP-AES-256-MD5
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
access-list inside_nat0_outbound extended permit ip 192.168.96.0 255.255.252.0 192.168.3.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.96.0 255.255.252.0 192.168.3.0 255.255.255.0
crypto map outside_map 2 match address outside_2_cryptomap
Other NAT statements:
access-list inside_outbound_nat0_acl extended permit ip any 192.168.98.0 255.255.255.0
access-list web_dmz_outbound_nat0_acl extended permit ip any any
access-list inside_nat0_outbound extended permit ip any 192.168.98.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.96.0 255.255.252.0 64.5.128.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 192.168.96.0 255.255.252.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.96.0 255.255.252.0 192.168.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.96.0 255.255.252.0 192.168.14.0 255.255.255.0
access-list web_dmz_nat0_outbound extended permit ip 192.168.96.0 255.255.252.0 host 192.168.98.201
access-list web_dmz_nat0_outbound extended permit ip 64.5.128.0 255.255.252.0 host 192.168.98.201
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
nat (web_dmz) 0 access-list web_dmz_nat0_outbound
Version:
asa825-19-k8
11-07-2013 09:55 AM
Hi,
Well, you would use the existing ACL in the "crypto map" configurations:
access-list outside_2_cryptomap extended permit ip 172.16.16.0 255.255.255.0 192.168.3.0 255.255.255.0
But since the network 172.16.16.0/24 is, according to your information, connected to a completely new ASA interface, the NAT0 configuration I mentioned before needs to be applied to that new interface. It won't use any of the existing NAT0 ACLs you see above, as they are meant for other interfaces of the ASA.
- Jouni
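As an added illustration of the point above (this is not code from the thread or from Cisco): a small Python checker that parses the pre-8.3 ASA lines posted in this thread and reports, for a flow entering on a given interface, whether it is covered by the crypto map ACL and whether that ingress interface has a matching NAT0 exemption. The interface name "backup" and the BACKUP-NAT0 lines are assumptions.

```python
import ipaddress
import re

# Constructed sample: the crypto-map and NAT0 lines posted in this thread (ASA 8.2 syntax),
# with the 172.16.16.0/24 entry already added to the crypto ACL as suggested.
CONFIG = """
access-list outside_2_cryptomap extended permit ip 192.168.96.0 255.255.252.0 192.168.3.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 172.16.16.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.96.0 255.255.252.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 2 match address outside_2_cryptomap
"""

# Assumed fix: NAT0 bound to the new interface (the nameif "backup" is an assumption).
FIXED_CONFIG = CONFIG + """
access-list BACKUP-NAT0 permit ip 172.16.16.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (backup) 0 access-list BACKUP-NAT0
"""

ACL_RE = re.compile(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)")
NAT0_RE = re.compile(r"nat \((\S+)\) 0 access-list (\S+)")
CRYPTO_RE = re.compile(r"crypto map \S+ \d+ match address (\S+)")

def parse(config):
    """Collect ACL entries as (src, dst) networks, the NAT0 ACL per interface, and crypto ACL names."""
    acls, nat0, crypto = {}, {}, set()
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := CRYPTO_RE.match(line):
            crypto.add(m.group(1))
    return acls, nat0, crypto

def acl_matches(entries, src, dst):
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)

def check_flow(config, ingress_if, src, dst):
    """Return (in_crypto_acl, nat0_on_ingress) for src->dst entering the ASA on ingress_if."""
    acls, nat0, crypto = parse(config)
    src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    in_crypto = any(acl_matches(acls.get(name, []), src, dst) for name in crypto)
    nat0_acl = nat0.get(ingress_if)
    nat0_ok = nat0_acl is not None and acl_matches(acls.get(nat0_acl, []), src, dst)
    return in_crypto, nat0_ok

if __name__ == "__main__":
    # Interesting traffic is defined, but nothing exempts it from NAT on the new interface.
    print(check_flow(CONFIG, "backup", "172.16.16.0/24", "192.168.3.0/24"))        # (True, False)
    print(check_flow(FIXED_CONFIG, "backup", "172.16.16.0/24", "192.168.3.0/24"))  # (True, True)
```

The inside network passes both checks on the posted config, while the backup network only passes the crypto check until a NAT0 rule is bound to its own interface.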
11-07-2013 11:13 AM
I am missing something, I am not sending 17202 traffic over.
Here are the crypto maps:
sho access-list outside_2_cryptomap
access-list outside_2_cryptomap; 2 elements; name hash: 0x8d0d4873
access-list outside_2_cryptomap line 1 extended permit ip object-group DM_INLINE_NETWORK_6 192.168.3.0 255.255.255.0 0x3cba3dfd
access-list outside_2_cryptomap line 1 extended permit ip 172.16.16.0 255.255.255.0 192.168.3.0 255.255.255.0 (hitcnt=0) 0x91a7783f
access-list outside_2_cryptomap line 1 extended permit ip 192.168.96.0 255.255.252.0 192.168.3.0 255.255.255.0 (hitcnt=8) 0x3d7fdedb
ciscoasa#
I have not figured out the part about adding the backup interface.
11-07-2013 11:15 AM
Adding the mapping to the interface: I have plugged the 172 network into the ASA5550 here at the main office and mirrored the settings on the remote office ASA5505, but still no tunnel that includes the 172.16 network.
11-07-2013 11:56 AM
Hi,
You could use "packet-tracer" on the ASA5550 to see if the traffic matches the created L2L VPN rule:
packet-tracer input
The above IP addresses and ports are just examples. You will have to use the new interface's "nameif" in the command.
Issue the above command twice and post the last output here.
- Jouni