11-28-2011 09:40 AM - edited 02-21-2020 05:44 PM
With Marcin Latosiewicz
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to get an update on IPsec VPN with Cisco expert Marcin Latosiewicz, who will answer questions on the topic of best practices when implementing IPsec VPNs on IOS and ASA. Marcin Latosiewicz is a Customer Support Engineer at the Cisco Technical Assistance Center in Belgium, with over four years of experience with Cisco Security products and technologies including IPsec, VPN, internetworking appliances, network and systems security, internet services and Cisco networking equipment.
Remember to use the rating system to let Marcin know if you have received an adequate response.
Marcin might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through December 9th, 2011. Visit this forum often to view responses to your questions and the questions of other community members.
11-30-2011 09:19 AM
Hi Marcin,
I set up a site-to-site VPN on a Cisco 1801 between site A and site B, and I also set up the Cisco 1801 as an Easy VPN server. Everything works fine ...
The site-to-site VPN traffic from A to B has to be source-NATed to the xxx.xxx.xxx.xxx address to be able to reach site B.
The remote VPN traffic is arriving at the LAN of site A.
The problem that I am facing is that I don't know how to set up the Cisco 1801 to manage the remote VPN traffic to site B. I think I have to do a source NAT of the remote VPN traffic to the xxx.xxx.xxx.xxx address but I don't know how; should I use an ip nat inside or an ip nat outside command?
Thanks in advance
11-30-2011 10:36 AM
Alejandro,
What you need to remember is that NAT is done before encryption and after decryption.
So if you NAT traffic you most likely need to take it into consideration for routing and/or VPN.
Let's take this scenario:
X - one network
Y - network two
Z - network I would like X to be visible as when traversing to Y.
A - device with X on LAN
B - device with Y on LAN
X -----A --- (internet) ---- B ---- Y
Scenario 1.
What I would typically do is on A:
ip nat inside source static X Z /24 [route-map RMAP1]
I can use the route-map to make sure this translation is only done when going from X to Y.
And when specifying interesting traffic for VPN I would do on A:
permit ip Z Y
while on B:
permit ip Y Z
Scenario 2)
On B:
ip nat outside source static X Z /24
ACL for VPN on A:
permit X Y
ACL for VPN on B:
permit Y X
Let me know if this answers your question, I might have gotten your scenario wrong.
Marcin
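The point of the two scenarios above is the order of operations: on the sending router NAT happens before the crypto ACL is evaluated, and on the receiving router the decrypted packet is matched against the mirror ACL before outside NAT runs. The following Python model is an added example (it is not from this thread or from Cisco) that walks one packet from X to Y through both scenarios and through the classic mistake of translating on A without rewriting the crypto ACL. The prefixes for X, Y and Z and the host addresses are constructed stand-ins for the thread's placeholders.

```python
from ipaddress import ip_network, ip_address

# Constructed prefixes standing in for the thread's placeholders X, Y and Z.
X = ip_network("10.1.0.0/24")    # LAN behind router A
Y = ip_network("10.2.0.0/24")    # LAN behind router B
Z = ip_network("192.0.2.0/24")   # range X should appear as when talking to Y


def nat_static(src_prefix, dst_prefix, addr):
    """Static network translation (like 'ip nat ... source static X Z /24'):
    rewrite addr from src_prefix into dst_prefix, keeping the host part."""
    if addr not in src_prefix:
        return addr
    offset = int(addr) - int(src_prefix.network_address)
    return ip_address(int(dst_prefix.network_address) + offset)


def acl_permits(acl, src, dst):
    """acl is a list of (source_prefix, destination_prefix) 'permit ip' entries."""
    return any(src in s and dst in d for s, d in acl)


def forward_x_to_y(a_inside_nat, a_crypto_acl, b_outside_nat, b_crypto_acl, src, dst):
    """Walk one packet from a host in X to a host in Y.

    Returns (encrypted_by_a, accepted_by_b, source_seen_by_y).
    Order of operations modelled: on A, inside source NAT runs before the
    crypto ACL is evaluated; on B, the crypto ACL (mirror of A's) is checked
    on the decrypted packet before outside source NAT rewrites the source."""
    if a_inside_nat is not None:
        src = nat_static(*a_inside_nat, src)          # NAT before encryption
    if not acl_permits(a_crypto_acl, src, dst):
        return False, False, None                     # not interesting traffic: sent in clear or dropped
    # B evaluates its ACL from its own perspective: local (Y) -> remote.
    if not acl_permits(b_crypto_acl, dst, src):
        return True, False, None                      # proxy-identity mismatch: B rejects it
    if b_outside_nat is not None:
        src = nat_static(*b_outside_nat, src)         # NAT after decryption
    return True, True, src


SRC = ip_address("10.1.0.10")   # constructed host in X
DST = ip_address("10.2.0.20")   # constructed host in Y


def scenario_1():
    """Translate on A; both crypto ACLs are written with Z."""
    return forward_x_to_y(a_inside_nat=(X, Z), a_crypto_acl=[(Z, Y)],
                          b_outside_nat=None, b_crypto_acl=[(Y, Z)], src=SRC, dst=DST)


def scenario_1_wrong_acl():
    """Same NAT on A, but the crypto ACL still says X -> Y: the packet is
    already translated when the ACL runs, so it never enters the tunnel."""
    return forward_x_to_y(a_inside_nat=(X, Z), a_crypto_acl=[(X, Y)],
                          b_outside_nat=None, b_crypto_acl=[(Y, X)], src=SRC, dst=DST)


def scenario_2():
    """Translate on B with outside source NAT; crypto ACLs use the real X."""
    return forward_x_to_y(a_inside_nat=None, a_crypto_acl=[(X, Y)],
                          b_outside_nat=(X, Z), b_crypto_acl=[(Y, X)], src=SRC, dst=DST)


if __name__ == "__main__":
    for name, fn in (("scenario 1", scenario_1),
                     ("scenario 1, ACL not adjusted", scenario_1_wrong_acl),
                     ("scenario 2", scenario_2)):
        print(name, fn())
```

Both working scenarios end with Y seeing the packet from 192.0.2.10, which is the goal; the un-adjusted ACL variant returns (False, False, None), which is what "NAT before encryption" means in practice for a crypto ACL that still names X.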
11-30-2011 02:28 PM
Hi Marcin,
Thanks for your reply,
I think I didn't explain myself very clearly. The site-to-site VPN with NAT is already in use; that part is OK. The problem that I have is that I also set up the router as an Easy VPN server for remote users.
The traffic of these remote users is the one that I want to route to site B through the site-to-site VPN.
So the remote users' traffic has to be NATed into xxxxx in order to be accepted by site B.
VPN-Site-to-Site
(Remote users-10.0.1.0/24) -----Easy VPN----ROUTER (site A) --------(nat xxxxxx)---------SITE B
The principal problem that I have is that I don't know where to do the NAT for the remote users' VPN traffic to be translated into address xxxxxx when it is routed to site B.
I am not sure if this scenario is possible.
Alejandro
12-01-2011 12:12 AM
Alejandro,
Gotcha, much clearer now.
What I would suggest is switching to DVTI deployment on router A in your topology.
This will allow you to enable "ip nat inside" on the virtual-template and then use normal source NAT for remote users going out to the internet or to site B.
Example config (- NAT) is here:
(I made the assumption you have "ip nat outside" on your WAN-facing interface)
Marcin
12-01-2011 12:38 PM
Marcin,
The DVTI was the answer, thank you so much.
Best regards,
11-30-2011 10:25 AM
Firesotrmnet,
From your description it could be a problem with the ISP, although I can tell you that it's rare nowadays.
My immediate suggestion is to perform a sniffer trace (Wireshark or what have you) on the interface associated with the 3G dongle.
You should see ESP or UDP/4500 packets leaving, but we're interested in whether you see anything going back.
What CAN be a problem is the packets coming back but being corrupted (not that uncommon over cellular networks).
If you don't see any return packets coming in, you can confirm on the ASA that you see encapsulations and decapsulations in "show crypto ipsec sa peer IP_ADD_RE_SS". If the values are non-zero it means that we're processing traffic; if either (or both) are zero, we have some problem on the ASA or on the route to the ASA.
Marcin
11-30-2011 11:43 AM
Hi Marcin
I want to assign static IPs to users that log in to the IPsec VPN using Group Authentication on ASA 8.2. They authenticate through a Windows RADIUS server. Right now, they are connecting just fine and pulling an IP from the pool I have configured in the IPsec policy.
What would be the best way to assign static IPs through VPN?
Thank you,
Corey
11-30-2011 02:38 PM
Corey,
Truth be told, assigning statically to everyone does not scale for large deployments, although it's a neat control mechanism in small and medium setups.
You need to modify/double check two settings.
1) You need to make sure ASA can accept IP addresses for VPN users from AAA servers.
vpn-addr-assign aaa
2) The Framed-IP-Address RADIUS attribute can be sent from RADIUS as an AV pair (IETF-Radius-Framed-IP-Address).
For more information about supported attributes on ASA:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_extserver.html
You can also check how you can assign statically from ASA itself (with local AAA auth)
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a7afb2.shtml
Hope this helps,
Marcin
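What actually travels from the RADIUS server to the ASA in step 2 is a Type/Length/Value attribute in the Access-Accept, not the text of the AV pair. The following Python is an added example (not from the thread, Cisco or any RADIUS server vendor) that builds the IETF Framed-IP-Address attribute (type 8, RFC 2865) and decodes it from a constructed attribute list the way a NAS would, including the two reserved values RFC 2865 defines for "let the NAS pick from its pool" and "let the user choose". The sample address, Class string and attribute list are constructed.

```python
import struct
from ipaddress import IPv4Address

# IETF RADIUS attribute types (RFC 2865 section 5)
FRAMED_IP_ADDRESS = 8
FRAMED_IP_NETMASK = 9
CLASS = 25

# Reserved Framed-IP-Address values (RFC 2865 section 5.8)
NAS_SELECTS = "255.255.255.254"   # NAS should pick the address, e.g. from its own pool
USER_SELECTS = "255.255.255.255"  # user is allowed to choose the address


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute TLV: Type (1 byte), Length (1 byte, includes the
    2-byte header), Value. Values longer than 253 bytes do not fit."""
    if not 0 < len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def framed_ip_address_attribute(addr: str) -> bytes:
    """The attribute a server returns so a NAS with 'vpn-addr-assign aaa'
    can hand out a fixed address."""
    return attribute(FRAMED_IP_ADDRESS, IPv4Address(addr).packed)


def parse_attributes(blob: bytes):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting
    malformed lengths rather than reading past the buffer."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError(f"truncated attribute header at offset {i}")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad attribute length {length} at offset {i}")
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def assigned_address(blob: bytes):
    """Return what the NAS should do with the user's address: a dotted
    string to assign, 'pool' when the server defers to the NAS pool, 'user'
    when the user may choose, or None when no Framed-IP-Address was sent."""
    for attr_type, value in parse_attributes(blob):
        if attr_type != FRAMED_IP_ADDRESS:
            continue
        if len(value) != 4:
            raise ValueError("Framed-IP-Address must be exactly 4 bytes")
        addr = str(IPv4Address(value))
        if addr == NAS_SELECTS:
            return "pool"
        if addr == USER_SELECTS:
            return "user"
        return addr
    return None


# Constructed Access-Accept attribute list for one user (not a real capture).
SAMPLE_ACCEPT_ATTRS = (
    attribute(CLASS, b"vpn-static-users")
    + framed_ip_address_attribute("10.10.10.21")
    + attribute(FRAMED_IP_NETMASK, IPv4Address("255.255.255.255").packed)
)

if __name__ == "__main__":
    print(SAMPLE_ACCEPT_ATTRS.hex())
    print("assign:", assigned_address(SAMPLE_ACCEPT_ATTRS))
```

A server that returns 255.255.255.254 is telling the ASA to fall back to its pool, so a user who still gets a pool address despite a static entry on the server is worth checking for exactly that value in a packet capture of the Access-Accept.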
11-30-2011 07:51 PM
Good day Marc.
Please, I have a problem that needs urgent help. I have a T1 card installed in my 1841 router but my providers are giving me an E1 link and their complaint is that it will not work with the E1 line. But I think it should be possible to use an E1 link with a T1 interface card depending on the configuration. I am really lost. Can you help me?
12-01-2011 01:02 AM
Good day marc,
I have three ASA 5505s and they all share the same problem: VPN over IPsec sometimes works very well for weeks, but suddenly it can stop working (clients can always connect but can't ping or connect to remote resources).
Two of the ASAs are running 7.2 and yesterday I updated one to 8.42, but it didn't help.
Most of the time when the VPN is not working, the client can only ping a remote server once. No matter if the client is using a 3G or wired connection.
Ping statistics for 192.168.100.2:
Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
Approximate round trip times in milli-seconds:
Minimum = 11ms, Maximum = 11ms, Average = 11ms
then suddenly, after 5 min or 2 days, with the VPN connection open all the time or after a reconnect:
Ping statistics for 192.168.100.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 12ms, Maximum = 16ms, Average = 13ms
Clients use XP and Windows 7... no difference.
The second problem is that remote DNS names do not work, so I cannot use, for example, a mapped home folder with the server name; I have to use those with the server's IP.
Running configuration (of 8.42)
Result of the command: "sh run"
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
domain-name domain
enable password *** encrypted
passwd *** encrypted
multicast-routing
names
name 213.139.x.x ulkoip description gw
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 213.139.x.x 255.255.255.248
ospf cost 10
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.50.1 255.255.255.0
ospf cost 10
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.100.2
name-server 62.241.198.245
domain-name domain
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-192.168.100.0
subnet 192.168.100.0 255.255.255.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj_any-03
subnet 0.0.0.0 0.0.0.0
object network obj_any-04
subnet 0.0.0.0 0.0.0.0
object-group network obj_any
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list as extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.192
access-list domainVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list domainVPN_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
access-list domainVPN_splitTunnelAcl_2 standard permit 192.168.1.0 255.255.255.0
access-list kissa_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list Sisaverkko standard permit 192.168.100.0 255.255.255.0
access-list tunneliryhma_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip any any
access-list inside_test extended permit icmp any host 192.168.100.2
access-list Outside_In extended permit icmp any any unreachable
access-list Outside_In extended permit icmp any any time-exceeded
access-list Outside_In extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPNpooli2 192.168.100.20-192.168.100.29 mask 255.255.255.255
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit host 192.168.100.21 inside
icmp permit any outside
icmp permit host 192.168.100.21 outside
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.100.0 obj-192.168.100.0 destination static obj-192.168.100.0 obj-192.168.100.0 no-proxy-arp
nat (inside,inside) source static any any no-proxy-arp route-lookup
!
object network obj_any-01
nat (inside,outside) dynamic interface
object network obj_any-02
nat (inside,outside) dynamic obj-0.0.0.0
object network obj_any-04
nat (dmz,outside) dynamic obj-0.0.0.0
route outside 0.0.0.0 0.0.0.0 ulkoip 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
eou allow none
url-cache dst 10
http server enable
http 192.168.100.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map outside_dyn_map 1 set pfs
crypto dynamic-map outside_dyn_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs
crypto dynamic-map outside_dyn_map 140 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 160 set pfs
crypto dynamic-map outside_dyn_map 160 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp nat-traversal 30
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd domain domain
!
dhcpd address 192.168.100.20-192.168.100.149 inside
dhcpd dns 192.168.100.2 62.241.198.246 interface inside
dhcpd wins 192.168.100.2 interface inside
dhcpd domain domain interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy domainVPN internal
group-policy domainVPN attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Sisaverkko
address-pools none
username Vantaa password *** encrypted
username Vantaa attributes
service-type remote-access
username Hannes password *** encrypted privilege 15
username Hannes attributes
vpn-group-policy domainVPN
username poysant password *** encrypted
username poysant attributes
vpn-group-policy domainVPN
tunnel-group domainVPN type remote-access
tunnel-group domainVPN general-attributes
address-pool (inside) VPNpooli2
address-pool VPNpooli2
default-group-policy domainVPN
tunnel-group domainVPN ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 4096
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns preset_dns_map
inspect ip-options
inspect icmp
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
compression anyconnect-ssl
call-home reporting anonymous prompt 2
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:cb5f8ee4bdc6a10462fe89b5a2c4d313
: end
12-01-2011 04:11 AM
Hannes,
Neither of the questions is really about best practices in IPsec VPN, but I can give this a shot.
Problem 1)
I would suggest opening a TAC case to get to the bottom of this, but here are a few things you can check on your own:
- Check if clients behind NAT and clients with a public IP address are affected in the same way.
- Check if the ASA is processing those packets and sending replies ("show crypto ipsec sa" is a good place to start).
- Since the problem persists between two very distinct ASA versions and on three devices, I would also be interested in whether the same ISP is involved.
- Are all clients affected when the problem starts, or only a few?
- Is there anything in the topology that might try to understand ESP or UDP/4500 packets (some firewalls and broadband routers are known to "inspect" VPN flows)?
Problem 2)
It's not clear to me whether you have problems with name resolution or with the connection after name resolution is done.
For example, did you check if the names resolve properly in "nslookup" and whether there is a difference when looking up "server" and "server.mydomain.tld"? If you inspect "ipconfig /all", do you see the proper DNS servers and domain suffix applied to the interface?
HTH,
Marcin
12-01-2011 04:18 AM
Nelson,
The problem you mention is not related to IPsec VPN best practices :-)
What I would suggest is to open up a TAC case specifying:
1) Information about WIC/module you're using for E1/T1?
2) Purpose of E1/T1 (uplink to ISP for data, voice trunk)?
3) Software information about the router.
4) "show diag", "show inv", "show logg" and "show tech" outputs.
Marcin
12-03-2011 09:52 PM
Hi Marcin,
I have been a regular viewer of your documents in the forum and appreciate your contribution. Can you please throw some light on how to evaluate performance or calculate the throughput across a site-to-site VPN? For example, usually we calculate the throughput of a firewall (ASA) from the output of show interface, using the statistics there (bytes/sec, pps etc.). But how do we know how much VPN traffic is contributing, and if the firewall is getting overwhelmed because of the VPN traffic and not because of the clear-text traffic?
Regards
Jayesh
12-05-2011 02:26 AM
Jayesh,
Thanks for your interest in our docs, I hope you're getting meaningful information out of them :-)
Now regarding your question, I see several levels here.
1) Are IPsec flows contributing to any sort of "oversubscription" of the ASA?
The answer is "yes, they can". IPsec packets will still occupy interface buffers, but they are treated like any other frame in the buffer.
Packet encryption and decryption is handled by a special accelerator engine, so that part should not overwhelm the CPU (which is the shared resource for the entire platform).
The best way to monitor whether it is IPsec that is causing the problems is to monitor the connection table, to see if there is not an abnormally high amount of connections related to a particular tunnel.
For example:
show conn detail address 192.168.1.1-192.168.1.254
2) Now regarding calculation of throughput.
There are two possible answers here.
a) Maximum throughput.
In which case I suggest running iperf with UDP of 1400 bytes, which should give you a good enough max throughput via the tunnel.
Link to iperf http://sourceforge.net/projects/iperf/
b) Plotting current throughput of IPsec and IKE on ASA.
Best to monitor:
cipSecTunOutOctets
cipSecTunInOctets
cikeTunOutOctets
cikeTunInOctets
Reference:
ftp://ftp.cisco.com/pub/mibs/v2/CISCO-IPSEC-FLOW-MONITOR-MIB.my
(Please note that the tunnel index is not persistent - I can't find the related enhancement request, will update this post when/if found)
Note that if you want to know what OIDs are supported on ASA you can do:
show snmp-server oidlist ! it's a hidden command.
c) Plotting current throughput on IOS.
We already recommend using virtual interfaces. (Tunnel, DVTI or SVTI).
You can monitor tunnel bandwidth by reading interface stats.
Remember to make the ifindex persistent over reload:
PE2_872(config)#snmp-server ifindex persist
Please note that we could probably write a whole book chapter on this topic; I just wanted to provide you a place to start.
HTH,
Marcin
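Point 2b above names the per-tunnel octet counters but also warns that the tunnel index is not persistent, which is exactly what breaks naive "poll, subtract, divide" throughput graphs: after a rekey or reconnect the same peer shows up under a new index with counters starting from zero. The following Python is an added example (not from the thread, Cisco or the MIB) of turning two polls of those counters into per-peer bit rates. It keys rows by the tunnel's remote endpoint address rather than by index (the assumed column for that is cipSecTunRemoteAddr in CISCO-IPSEC-FLOW-MONITOR-MIB; check the MIB file linked above), treats the octet counters as 32-bit so a single wrap between polls is corrected, and flags a peer whose index changed as rebuilt instead of producing a bogus delta. Both polls are constructed data, not real SNMP output.

```python
COUNTER32_WRAP = 2 ** 32


def counter_delta(new: int, old: int) -> int:
    """Difference of a 32-bit SNMP counter across one poll interval.
    Assumes at most one wrap between polls (poll often enough for that)."""
    diff = new - old
    return diff + COUNTER32_WRAP if diff < 0 else diff


def tunnel_rates(earlier: dict, later: dict) -> dict:
    """Per-peer IPsec throughput between two polls of the IPsec tunnel table.

    A poll is {"time": seconds, "rows": {tunnel_index: {"peer": remote
    address, "in": cipSecTunInOctets, "out": cipSecTunOutOctets}}}.
    Rows are matched by peer address because the index is not persistent.
    Returns {peer: {"in_bps", "out_bps", "rebuilt"}} for peers seen in both polls."""
    interval = later["time"] - earlier["time"]
    if interval <= 0:
        raise ValueError("polls must be in chronological order")
    previous = {row["peer"]: (index, row) for index, row in earlier["rows"].items()}
    rates = {}
    for index, row in later["rows"].items():
        if row["peer"] not in previous:
            continue  # tunnel came up after the first poll: no baseline yet
        old_index, old = previous[row["peer"]]
        if index != old_index:
            # Torn down and rebuilt in between: counters restarted at zero, so
            # the raw value is the count since the rebuild (a lower bound for
            # the interval), not something to subtract the old value from.
            in_octets, out_octets, rebuilt = row["in"], row["out"], True
        else:
            in_octets = counter_delta(row["in"], old["in"])
            out_octets = counter_delta(row["out"], old["out"])
            rebuilt = False
        rates[row["peer"]] = {
            "in_bps": in_octets * 8 / interval,
            "out_bps": out_octets * 8 / interval,
            "rebuilt": rebuilt,
        }
    return rates


# Constructed sample polls, 60 seconds apart (peer addresses are documentation ranges).
POLL_1 = {"time": 0, "rows": {
    5: {"peer": "203.0.113.7", "in": 1_000, "out": 2_000},
    6: {"peer": "198.51.100.9", "in": 4_294_967_000, "out": 500},   # about to wrap
    7: {"peer": "192.0.2.55", "in": 900_000, "out": 100_000},
}}
POLL_2 = {"time": 60, "rows": {
    5: {"peer": "203.0.113.7", "in": 61_000, "out": 122_000},
    6: {"peer": "198.51.100.9", "in": 304, "out": 1_100},           # "in" wrapped
    11: {"peer": "192.0.2.55", "in": 30_000, "out": 6_000},         # new index: rebuilt
    12: {"peer": "203.0.113.200", "in": 10, "out": 10},             # new tunnel, no baseline
}}

if __name__ == "__main__":
    for peer, rate in tunnel_rates(POLL_1, POLL_2).items():
        flag = " (rebuilt)" if rate["rebuilt"] else ""
        print(f"{peer}: in {rate['in_bps']:.0f} bps, out {rate['out_bps']:.0f} bps{flag}")
```

The same structure works for the IKE counters (cikeTunInOctets/cikeTunOutOctets) with the IKE tunnel table's remote address column, and for the 64-bit HC octet counters where the agent supports them, in which case the wrap correction becomes unnecessary.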
12-05-2011 12:32 PM
Hello Marcin,
I have a question.
My written security policy says that VPN clients should be able to connect only from known locations.
namely:
Home office,
Specific branch,
customers host network.
I know the IPs (ranges, IP addresses and so on) but I don't know how to limit this user to connect from his home office, and another from another home office network.
So my questions are:
1. How to limit the ability to log in to the VPN (IPsec or better SSL VPN) to just specific IPs.
2. How to limit the ability to log in to the VPN to just specific IPs, specified per user.
Thank you,
Tomas