06-18-2012 05:11 AM
Hi Guys,
I'm trying to set up a VPN connection for the two PCs in the graphic below. I have the link between the two locations set up and secured; now I just need help with the routing elements.
Can someone let me know what I need to add to the firewall config in order to get this to work? Appreciate any help!
Here is what I have:
SITE A
------
access-list mpls_vpn_sitea extended permit ip host 172.168.199.1 host 172.168.199.2
access-list mpls_vpn_sitea extended permit ip TEST-LOCAL 255.255.255.0 TEST-REMOTE 255.255.255.0
crypto map mpls_vpn 1 match address mpls_vpn_sitea
crypto map mpls_vpn 1 set peer 172.168.199.2
crypto map mpls_vpn 1 set transform-set ESP-3DES-SHA
crypto map mpls_vpn interface MPLS
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
SITE B
------
access-list mpls_vpn_siteb extended permit ip host 172.168.199.2 host 172.168.199.1
access-list mpls_vpn_siteb extended permit ip TEST-LOCAL 255.255.255.0 TEST-REMOTE 255.255.255.0
crypto map mpls_vpn 1 match address mpls_vpn_siteb
crypto map mpls_vpn 1 set peer 172.168.199.1
crypto map mpls_vpn 1 set transform-set ESP-3DES-SHA
crypto map mpls_vpn interface MPLS
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
Do I need to specify a route between the two networks? What do I need to have for NAT statements?
thanks!
06-18-2012 05:59 AM
You can't encrypt the end point that terminates the VPN tunnel, so the first line of your crypto ACL needs to be removed.
You would also need ISAKMP policy and also configure pre-shared key.
NAT exemption needs to be configured, assuming that you are running version 8.2 or below; here is the config:
access-list nonat permit ip
nat (TestNetwork) 0 access-list nonat
Lastly, yes, you would need to route it towards MPLS interface next hop if MPLS is not your default gateway.
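As an added example (not Jennifer's or Rowan's own config), here is Site A (SITE1) with the changes from the reply above applied: the host-to-host line dropped from the crypto ACL, an ISAKMP policy and pre-shared key, a NAT exemption for 8.2-style `nat 0`, and the route to the remote LAN via the MPLS interface. The interface name `TestNetwork` for the 192.168.199.0/24 LAN comes from the `nat (TestNetwork) 0` line above; the name statements are the mirror of the ones Rowan later posts for Site 2; the pre-shared key is a placeholder.

```cisco
! Added example, not taken from the thread. Assumed: ASA 8.2 syntax, LAN interface
! nameif "TestNetwork", MPLS-facing interface nameif "MPLS", placeholder PSK.
! Site A names (the reverse of the pair posted for Site 2)
name 192.168.199.0 TEST-LOCAL
name 192.168.200.0 TEST-REMOTE
!
! Crypto ACL: LAN-to-LAN traffic only. The "host 172.168.199.1 host 172.168.199.2"
! line is gone: the tunnel endpoints themselves are not protected traffic.
access-list mpls_vpn_sitea extended permit ip TEST-LOCAL 255.255.255.0 TEST-REMOTE 255.255.255.0
!
! NAT exemption (8.2 and earlier) so LAN addresses stay untranslated and the
! packets still match the crypto ACL when they reach the MPLS interface.
access-list nonat extended permit ip TEST-LOCAL 255.255.255.0 TEST-REMOTE 255.255.255.0
nat (TestNetwork) 0 access-list nonat
!
! Phase 1: a single policy that matches the transform set used in Phase 2.
crypto isakmp enable MPLS
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! L2L tunnel group keyed on the peer's MPLS address; the same key goes on Site B.
tunnel-group 172.168.199.2 type ipsec-l2l
tunnel-group 172.168.199.2 ipsec-attributes
 pre-shared-key REPLACE-WITH-SHARED-SECRET
!
! Phase 2 and the crypto map bound to the MPLS interface (unchanged from the post).
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map mpls_vpn 1 match address mpls_vpn_sitea
crypto map mpls_vpn 1 set peer 172.168.199.2
crypto map mpls_vpn 1 set transform-set ESP-3DES-SHA
crypto map mpls_vpn interface MPLS
!
! The remote LAN must be routed out MPLS, not the default route on outside, or the
! packets never hit the crypto map.
route MPLS TEST-REMOTE 255.255.255.0 172.168.199.2 1
```

Site B is the mirror image: swap the two `name` statements, the peer and tunnel-group address (172.168.199.1), the crypto ACL name, and point the `route MPLS TEST-REMOTE` at 172.168.199.1. Two caveats a reviewer would raise on the posted policies: the `encryption des` / `hash md5` entries are deprecated algorithms and should not be left enabled even as fallbacks, and 3DES is itself legacy; on an image that supports it, prefer AES and SHA-2 for both the ISAKMP policy and the transform set.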
06-18-2012 06:12 AM
Thanks for the reply Jennifer!
So to confirm, I need to remove this line: crypto map mpls_vpn 1 match address mpls_vpn_sitea on SITE1 and crypto map mpls_vpn 1 match address mpls_vpn_siteb on SITE2.
I will add in the 2 x NAT statements that you have above onto both ASA firewalls.
I already have this route setup on SITE1's ASA (including a default route) - is this correct?
route outside 0.0.0.0 0.0.0.0 87.198.182.145 1
route MPLS TEST-REMOTE 255.255.255.0 172.168.199.2 1
I don't have a route yet on SITE2's ASA, but assuming the above is correct, should it be:
route MPLS TEST-REMOTE 255.255.255.0 172.168.199.1 1
I have the following ISAKMP policies defined on the ASAs.
SITE1:
crypto isakmp enable outside
crypto isakmp enable MPLS
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 172.168.199.2 type ipsec-l2l
tunnel-group 172.168.199.2 ipsec-attributes
pre-shared-key *
SITE 2:
crypto isakmp enable outside
crypto isakmp enable MPLS
crypto isakmp policy 70
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 172.168.199.1 type ipsec-l2l
tunnel-group 172.168.199.1 ipsec-attributes
pre-shared-key *
06-18-2012 06:19 AM
No, no.
you would need to remove the following:
Site A:
access-list mpls_vpn_sitea extended permit ip host 172.168.199.1 host 172.168.199.2
Site B:
access-list mpls_vpn_siteb extended permit ip host 172.168.199.2 host 172.168.199.1
Don't remove "crypto map mpls_vpn 1 match address" command, you need that.
The rest looks good to me.
BTW, is the ASA point to point through the MPLS link?
06-18-2012 06:22 AM
Ok, thanks for clarifying.
In relation to the ASA being point-to-point through the MPLS link - what do you mean?
I have a private MPLS link that is provided by my telecoms provider that I am using to create the VPN between both offices - does that answer your question?
thanks again for your help!
Rowan.
06-18-2012 06:24 AM
BTW, these are my name statements for the networks; are they OK?
name 192.168.200.0 TEST-LOCAL
name 192.168.199.0 TEST-REMOTE
06-18-2012 06:30 AM
I assume that the above name is at Site2, and you have the opposite configured at Site1?
Meaning the two ASAs' MPLS interfaces are in the same subnet, right?
06-18-2012 06:33 AM
good spot - yes those names are opposite on SITE1.
Yes, the 2 x ASA MPLS interfaces are on the same subnet and I can ping the other MPLS interface from each of the ASA units.
Ok, I'll give that a try and see if it works!
06-19-2012 08:48 AM
Jennifer,
I did the commands and I can see the logs doing the teardown; for example, if I ping the SITE-2 test gateway (192.168.200.1) from the SITE-1 test host (192.168.199.2), I get the following on the SITE-2 ASA:
Jun 19 2012 16:30:25 302021 192.168.199.2 512 192.168.200.1 0 Teardown ICMP connection for faddr 192.168.199.2/512 gaddr 192.168.200.1/0 laddr 192.168.200.1/0
But I can't get traffic through (pings, remote desktop, etc.).
When I ping host to host, I see the SITE-1 ASA building the connection:
Jun 19 2012 16:36:07 302020 192.168.199.2 512 192.168.200.2 0 Built outbound ICMP connection for faddr 192.168.200.2/0 gaddr 192.168.199.2/512 laddr 192.168.199.2/512
But I get the following error message on the SITE-2 ASA:
Jun 19 2012 16:35:28 106023 192.168.200.2 192.168.199.2 Deny icmp src inside:192.168.200.2 dst MPLS:192.168.199.2 (type 0, code 0) by access-group "inside_access_in" [0x0, 0x0]
So I'm wondering if the problem is that the TEST interface (192...) is not seen as an "inside" interface.
thoughts?
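The log lines above say the echo reply left via an interface named `inside` and was dropped by `inside_access_in`, not via the interface the crypto ACL and `nat 0` were written for. As an added example (not part of the thread), these are the checks to run on the SITE-2 ASA to confirm that before changing any config; the addresses are the ones in the posted logs, and the interface names `inside` and `TestNetwork` are taken from the thread.

```cisco
! Added example, not from the original posts. Run on the SITE-2 ASA.
!
! 1. Which interface actually owns 192.168.200.0/24? The deny was logged on "inside".
show nameif
show route | include 192.168.200
!
! 2. Did Phase 1 and Phase 2 come up, and are packets being encapsulated/decapsulated
!    toward the SITE-1 peer?
show crypto isakmp sa
show crypto ipsec sa peer 172.168.199.1
!
! 3. Replay the denied packet (ICMP type 0, code 0 = echo reply) through the ASA and
!    read which phase (ACL, NAT, VPN, route) drops it.
packet-tracer input inside icmp 192.168.200.2 0 0 192.168.199.2 detailed
!
! 4. Which ACLs are bound to which interfaces; the deny names "inside_access_in".
show running-config access-group
```

If step 1 shows the test subnet on `inside` rather than `TestNetwork`, the `nat (TestNetwork) 0` exemption and the crypto ACL are being evaluated against the wrong interface. Separately, without `inspect icmp` in the global policy an ICMP echo reply is not matched to the existing connection and is evaluated against the interface ACL on its own, which is exactly the 106023 deny shown; the `packet-tracer` output states which of those applies here.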
06-20-2012 07:22 AM
Any further thoughts?
06-20-2012 07:31 AM
What interfaces should it be passing through? I thought it should be MPLS and TestNetwork; how come it is going through the inside interface?
Can you post the full config from both sites.