09-04-2012 09:00 AM
Hello,
We have 2 site-to-site VPN tunnels in our organization - both remote sites connect to the same firewall at our head office. All 3 firewalls are ASA5510's running 8.4 code.
We want to have VPN tunnel traffic separated from general internet access/web surfing. I'm trying to move the tunnels from the current interface on our head office firewall to a new interface. I thought this should be pretty easy - change the peer IP addresses and make sure that I've got a static routing entry set so that VPN tunnel traffic exits the proper interface, but I'm having a terrible time. I've been using the ASDM interface and I'm thinking that might be the source of my issue.
Can anyone confirm that what I want (move only the VPN tunnels from e0/0 to e0/2) is indeed possible? Any help on the actual configuration would be greatly appreciated as well.
Thanks!
Greg
HEAD OFFICE firewall
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 207.x.x.122 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/2
description Internet link for all tunnel traffic
speed 100
duplex full
nameif VPN_outside
security-level 0
ip address 206.y.y.202 255.255.255.248
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.254.0
object network obj-192.168.4.0
subnet 192.168.4.0 255.255.254.0
object network obj-192.168.100.0
subnet 192.168.100.0 255.255.255.0
object network obj-192.168.30.0
subnet 192.168.30.0 255.255.254.0
object network obj-192.168.40.0
subnet 192.168.40.0 255.255.254.0
object network obj-192.168.250.0
subnet 192.168.250.0 255.255.254.0
object network Massey-Data
subnet 192.168.80.0 255.255.255.0
object network Massey-Voice
subnet 192.168.86.0 255.255.255.0
object network Stratford-Data
subnet 192.168.70.0 255.255.255.0
object-group network Massey_Traffic
network-object object Massey-Data
network-object object Massey-Voice
object-group network Stone_Traffic
network-object object obj-192.168.1.0
network-object object obj-192.168.10.0
network-object object obj-192.168.30.0
network-object object obj-192.168.40.0
network-object object obj-192.168.100.0
network-object object obj-192.168.250.0
network-object object obj-192.168.4.0
object-group network Stratford_Traffic
network-object object Stratford-Data
access-list VPN_outside_access_out extended permit ip any any
access-list outside_stratford extended permit ip object-group Stone_Traffic object-group Stratford_Traffic
access-list global_mpc extended permit ip any any
access-list outside_massey extended permit ip object-group Stone_Traffic object-group Massey_Traffic
nat (inside,outside) source static Stone_Traffic Stone_Traffic destination static Massey_Traffic Massey_Traffic no-proxy-arp route-lookup
nat (inside,outside) source static Stone_Traffic Stone_Traffic destination static Stratford_Traffic Stratford_Traffic no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface dns
access-group outside_access_out out interface outside
access-group inside_access_out out interface inside
access-group VPN_outside_access_out out interface VPN_outside
route outside 0.0.0.0 0.0.0.0 207.x.x.121 1
route VPN_outside 0.0.0.0 0.0.0.0 206.y.y.201 10
route inside 192.168.4.0 255.255.254.0 192.168.1.252 1
route inside 192.168.10.0 255.255.254.0 192.168.1.252 1
route inside 192.168.30.0 255.255.254.0 192.168.1.252 1
route inside 192.168.40.0 255.255.254.0 192.168.1.252 1
route inside 192.168.100.0 255.255.255.0 192.168.1.252 1
route inside 192.168.250.0 255.255.254.0 192.168.1.252 1
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_stratford
crypto map outside_map 1 set peer 207.a.a.4
crypto map outside_map 1 set ikev2 ipsec-proposal AES
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_massey
crypto map outside_map 2 set peer 206.b.b.186
crypto map outside_map 2 set ikev2 ipsec-proposal AES AES192 AES256
crypto map outside_map interface outside
tunnel-group 207.a.a.4 type ipsec-l2l
tunnel-group 207.a.a.4 general-attributes
default-group-policy DfltGrpPolicy-Stratford
tunnel-group 207.a.a.4 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 206.b.b.186 type ipsec-l2l
tunnel-group 206.b.b.186 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
crypto ikev2 policy 1
encryption aes
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes
integrity md5
group 2
prf md5
lifetime seconds 86400
crypto ikev2 enable outside
RemoteSite 1
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto map corvette 1 match address VPNtraffic
crypto map corvette 1 set peer 207.x.x.122
crypto map corvette 1 set ikev2 ipsec-proposal AES
crypto map corvette interface outside
nat (inside,outside) source static Stratford_Traffic Stratford_Traffic destination static Stone_Traffic Stone_Traffic no-proxy-arp route-lookup
no crypto isakmp nat-traversal
crypto ikev2 policy 1
encryption aes
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
tunnel-group StratfordVPN type remote-access
tunnel-group StratfordVPN general-attributes
default-group-policy StratfordPolicy
tunnel-group StratfordVPN webvpn-attributes
group-alias Stratford enable
tunnel-group 207.x.x.122 type ipsec-l2l
tunnel-group 207.x.x.122 general-attributes
default-group-policy StratfordPolicy
tunnel-group 207.x.x.122 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
09-04-2012 01:41 PM
Your basic approach is on track. I believe you have a routing issue though.
I see your external routes setup with:
route outside 0.0.0.0 0.0.0.0 207.x.x.121 1
route VPN_outside 0.0.0.0 0.0.0.0 206.y.y.201 10
Since neither is more specific, what would force the ASA to route traffic destined for your VPN peer out the (higher metric!) VPN_Outside interface eth0/2?
I'd put a /32 route for each of your remote peers in place like:
route VPN_outside
09-04-2012 02:03 PM
Routing is one thing to fix; next you need to enable IKE on your new interface. Also bind your crypto map to the new interface; both are bound on your interface outside.
Sent from Cisco Technical Support Android App
09-04-2012 02:09 PM
There is no PAT configured on your second outside interface.
Sent from Cisco Technical Support Android App
09-04-2012 02:14 PM
Good catch on the maps and ike, Frederic. I agree.
no crypto map outside_map interface outside
crypto map outside_map interface VPN_outside
no crypto ikev2 enable outside
crypto ikev2 enable VPN_outside
If he's not doing anything other than VPN traffic (wrapped in IPSec) out the new interface, there shouldn't be any need for NAT/PAT, yes?
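Putting the three replies together (the /32 peer routes, the crypto map rebind and the IKEv2 enable on the head-office side, plus the matching peer change on each remote site), this is what the change looks like as an added example. It is not configuration from the thread or from Greg's firewalls; it reuses the interface, object and tunnel-group names and the masked addresses from the posted config, assumes 206.y.y.201 is the next hop on VPN_outside, and uses <PSK> as a placeholder for the existing pre-shared key.

```cisco
! ===== HEAD OFFICE (added example, not the poster's config) =====
! 1. Host routes for each remote peer, so traffic to the peers leaves
!    VPN_outside instead of following the metric-1 default route out e0/0.
route VPN_outside 207.a.a.4 255.255.255.255 206.y.y.201 1
route VPN_outside 206.b.b.186 255.255.255.255 206.y.y.201 1
!
! 2. Move the crypto map and IKEv2 listener from outside to VPN_outside.
no crypto map outside_map interface outside
crypto map outside_map interface VPN_outside
no crypto ikev2 enable outside
crypto ikev2 enable VPN_outside
!
! ===== REMOTE SITE 1 (Stratford); Massey gets the same two changes =====
! 3. The head-office peer is now its VPN_outside address, so both the
!    crypto map entry and the L2L tunnel-group are keyed on 206.y.y.202.
crypto map corvette 1 set peer 206.y.y.202
tunnel-group 206.y.y.202 type ipsec-l2l
tunnel-group 206.y.y.202 general-attributes
 default-group-policy StratfordPolicy
tunnel-group 206.y.y.202 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK>
 ikev2 local-authentication pre-shared-key <PSK>
! Remove the tunnel-group keyed on the old head-office address afterwards.
clear configure tunnel-group 207.x.x.122
!
! ===== Checks (run on head office after the change) =====
! show route                 -> the two /32 routes point out VPN_outside
! show crypto ikev2 sa       -> one SA per remote peer, local address 206.y.y.202
! show crypto ipsec sa       -> encaps/decaps counters increment for each tunnel
! packet-tracer input inside icmp 192.168.1.10 8 0 192.168.70.10
!                            -> the trace should show VPN encryption on VPN_outside
```

One thing the thread does not touch: the identity NAT rules for the tunnel traffic are written as nat (inside,outside). On 8.4 a twice-NAT rule that names interfaces is only applied to flows between those interfaces, so once the tunnel traffic egresses VPN_outside those rules stop matching (as does the obj_any PAT, which is also (inside,outside)) and the traffic leaves untranslated, which is what the tunnel needs anyway. Rewriting them as nat (inside,VPN_outside) keeps the configuration honest, and the packet-tracer line above is the quickest way to confirm which NAT rule, if any, a given flow hits.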
09-04-2012 09:51 PM
Probably not for IPsec itself, but it might be better to be able to reach the ISP router from inside for monitoring and later needs. I would configure it always on an outside interface.
Sent from Cisco Technical Support Android App
09-15-2012 10:00 PM
Thanks for the feedback, Frederic & Marvin. I'd forgotten the route statement to force VPN traffic out the other interface. Adding it fixed my issue.
Thanks!
Greg