Help with VPN setup on Cisco ASA5505 with multiple VLANs

Sudo91112
Level 1

Hi Guys,

I'm trying to set up a VPN connection for the two PCs in the graphic below. I have the link between the two locations set up and secured; now I just need help with the routing elements.

Can someone let me know what I need to add to the firewall config in order to get this to work? Appreciate any help!

http://i675.photobucket.com/albums/vv113/sudo911/VPN.jpg

Here is what I have:

SITE A
------
access-list mpls_vpn_sitea extended permit ip host 172.168.199.1 host 172.168.199.2
access-list mpls_vpn_sitea extended permit ip TEST-LOCAL 255.255.255.0 TEST-REMOTE 255.255.255.0
crypto map mpls_vpn 1 match address mpls_vpn_sitea
crypto map mpls_vpn 1 set peer 172.168.199.2
crypto map mpls_vpn 1 set transform-set ESP-3DES-SHA
crypto map mpls_vpn interface MPLS
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac


SITE B
------
access-list mpls_vpn_siteb extended permit ip host 172.168.199.2 host 172.168.199.1
access-list mpls_vpn_siteb extended permit ip TEST-LOCAL 255.255.255.0 TEST-REMOTE 255.255.255.0
crypto map mpls_vpn 1 match address mpls_vpn_siteb
crypto map mpls_vpn 1 set peer 172.168.199.1
crypto map mpls_vpn 1 set transform-set ESP-3DES-SHA
crypto map mpls_vpn interface MPLS
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac


Do I need to specify a route between the two networks? What do I need to have for NAT statements?

Thanks!


Jennifer Halim
Cisco Employee

You can't encrypt the end point that terminates the VPN tunnel, so the first line of your crypto ACL needs to be removed.

You would also need ISAKMP policy and also configure pre-shared key.

NAT exemption needs to be configured, assuming that you are running version 8.2 or below, then here is the config:

access-list nonat permit ip TEST-LOCAL 255.255.255.0 TEST-REMOTE 255.255.255.0

nat (TestNetwork) 0 access-list nonat

Lastly, yes, you would need to route it towards MPLS interface next hop if MPLS is not your default gateway.
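The two crypto-ACL points in the reply above (no entry for the tunnel endpoints themselves, and the two sites' ACLs must be mirror images) can be checked mechanically. This is an added example, not code from the thread or from Cisco; it assumes the `name` statements at site 1 are the reverse of site 2's, and the sample configs are constructed from the thread's posted lines.

```python
import re

# Constructed sample: the thread's two crypto configs plus assumed name
# statements (site 1 reversing site 2's). Not the poster's running config.
SITE_A = """name 192.168.199.0 TEST-LOCAL
name 192.168.200.0 TEST-REMOTE
access-list mpls_vpn_sitea extended permit ip host 172.168.199.1 host 172.168.199.2
access-list mpls_vpn_sitea extended permit ip TEST-LOCAL 255.255.255.0 TEST-REMOTE 255.255.255.0
crypto map mpls_vpn 1 match address mpls_vpn_sitea
crypto map mpls_vpn 1 set peer 172.168.199.2"""
SITE_B = """name 192.168.200.0 TEST-LOCAL
name 192.168.199.0 TEST-REMOTE
access-list mpls_vpn_siteb extended permit ip host 172.168.199.2 host 172.168.199.1
access-list mpls_vpn_siteb extended permit ip TEST-LOCAL 255.255.255.0 TEST-REMOTE 255.255.255.0
crypto map mpls_vpn 1 match address mpls_vpn_siteb
crypto map mpls_vpn 1 set peer 172.168.199.1"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
PEER_RE = re.compile(r"^crypto map \S+ \d+ set peer (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
HOST = "255.255.255.255"

def parse_site(cfg):
    """Return {'peer': ip, 'acl': [(src, smask, dst, dmask), ...]} for one ASA."""
    lines = [l.strip() for l in cfg.splitlines()]
    names = {l.split()[2]: l.split()[1] for l in lines if l.startswith("name ")}
    def ep(a, b):  # "host X" -> (X, /32); "NET MASK" -> (resolved NET, MASK)
        return (names.get(b, b), HOST) if a == "host" else (names.get(a, a), b)
    acls, peer, acl_name = {}, None, None
    for line in lines:
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append(ep(m[2], m[3]) + ep(m[4], m[5]))
        elif m := PEER_RE.match(line):
            peer = m[1]
        elif m := MATCH_RE.match(line):
            acl_name = m[1]  # only the ACL bound to the crypto map matters
    return {"peer": peer, "acl": acls.get(acl_name, [])}

def check_pair(site_a, site_b):
    """Findings for the two crypto-ACL problems discussed in the thread."""
    findings = []
    for label, site in (("A", site_a), ("B", site_b)):
        for src, _, dst, dmask in site["acl"]:
            if (dst, dmask) == (site["peer"], HOST):  # traffic to the tunnel peer
                findings.append(f"site {label}: crypto ACL entry {src}->{dst} "
                                "covers the tunnel endpoint; remove it")
    mirrored = {(d, dm, s, sm) for s, sm, d, dm in site_b["acl"]}
    if set(site_a["acl"]) != mirrored:  # remote ACL must be the exact reverse
        findings.append("crypto ACLs are not mirror images of each other")
    return findings
```

Running `check_pair(parse_site(SITE_A), parse_site(SITE_B))` on the posted configs flags the two `host` entries; with those lines removed the ACLs pass the mirror check.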

Thanks for the reply Jennifer!

So to confirm, I need to remove this line: crypto map mpls_vpn 1 match address mpls_vpn_sitea on SITE1 and crypto map mpls_vpn 1 match address mpls_vpn_siteb on SITE2.

I will add in the 2 x NAT statements that you have above onto both ASA firewalls.

I already have this route setup on SITE1's ASA (including a default route) - is this correct?

route outside 0.0.0.0 0.0.0.0 87.198.182.145 1

route MPLS TEST-REMOTE 255.255.255.0 172.168.199.2 1

I don't have a route yet on SITE2's ASA, but assuming the above is correct, should it be:

route MPLS TEST-REMOTE 255.255.255.0 172.168.199.1 1

I have the following ISAKMP policies defined on the ASAs.

SITE1:

crypto isakmp enable outside
crypto isakmp enable MPLS
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

tunnel-group 172.168.199.2 type ipsec-l2l
tunnel-group 172.168.199.2 ipsec-attributes
pre-shared-key *

SITE 2:

crypto isakmp enable outside
crypto isakmp enable MPLS
crypto isakmp policy 70
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group 172.168.199.1 type ipsec-l2l
tunnel-group 172.168.199.1 ipsec-attributes
pre-shared-key *

No no..

you would need to remove the following:

Site A:

access-list mpls_vpn_sitea extended permit ip host 172.168.199.1 host 172.168.199.2

Site B:

access-list mpls_vpn_siteb extended permit ip host 172.168.199.2 host 172.168.199.1

Don't remove "crypto map mpls_vpn 1 match address" command, you need that.

The rest looks good to me.

BTW, is the ASA point to point through the MPLS link?

Ok, thanks for clarifying.

In relation to the ASA being point-to-point through the MPLS link - what do you mean?

I have a private MPLS link that is provided by my telecoms provider that I am using to create the VPN between both offices - does that answer your question?

thanks again for your help!

Rowan.

BTW, these are my name statements for the networks - are they OK?

name 192.168.200.0 TEST-LOCAL

name 192.168.199.0 TEST-REMOTE

I assume that the above name is at Site2, and you have the opposite configured at Site1?

Meaning the 2 ASA MPLS interfaces are in the same subnet, right?

Good spot - yes, those names are opposite on SITE1.

Yes, the 2 x ASA MPLS interfaces on same subnet and I can ping the alternate MPLS interface from each of the ASA units.

Ok, I'll give that a try and see if it works!

Jennifer,

I did the commands and I can see the logs doing the teardown. For example, if I ping the SITE-2 test gateway (192.168.200.1) from the SITE-1 test host (192.168.199.2), I get the following on the SITE-2 ASA:

Jun 19 2012 16:30:25 302021 192.168.199.2 512 192.168.200.1 0 Teardown ICMP connection for faddr 192.168.199.2/512 gaddr 192.168.200.1/0 laddr 192.168.200.1/0

But I can’t get traffic through - pings, remote desktop, etc.

When I ping host to host, I see the SITE-1 ASA building the packet:

Jun 19 2012 16:36:07 302020 192.168.199.2 512 192.168.200.2 0 Built outbound ICMP connection for faddr 192.168.200.2/0 gaddr 192.168.199.2/512 laddr 192.168.199.2/512

But I get the following error message on the SITE-2 ASA:

Jun 19 2012 16:35:28 106023 192.168.200.2 192.168.199.2 Deny icmp src inside:192.168.200.2 dst MPLS:192.168.199.2 (type 0, code 0) by access-group "inside_access_in" [0x0, 0x0]

So I’m wondering if the problem is that the TEST interface (192...) is not seen as an “inside” interface.

Thoughts?

Any further thoughts?

What interfaces should it be passing through? I thought it should be MPLS and TestNetwork, so how come it is going through the inside interface?

Can you post the full config from both sites?
