05-20-2013 10:56 AM
Greetings,
We have an ASA5510 that has an existing client VPN that is running fine. We now have to add a site-to-site VPN in order to work with a new service provider. My question is: do I add a new Outside IP address for the site-to-site VPN, or can I configure both the client and site-to-site VPN on the existing Outside IP?
Thanks in advance!
05-20-2013 11:03 AM
Hi,
You can use the same IP address for both VPNs.
Actually, there is currently no other way on the ASA to do this.
If you can provide some configurations of the ASA we can give some examples on how to add the L2L VPN configuration.
- Jouni
06-03-2013 05:25 AM
Thank you for your response. I've been away and just catching up to this. Here is my config. Thanks.
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 6tTixK/st.2XX63a encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.17.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 74.3.119.226 255.255.255.240
!
interface Ethernet0/2
 nameif backup
 security-level 0
 ip address 50.74.187.238 255.255.255.252
!
interface Ethernet0/3
 nameif policy
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service VPN udp
 port-object eq isakmp
object-group service vpn udp
 group-object VPN
access-list outside_access_in extended permit tcp any 74.3.119.224 255.255.255.240 eq www
access-list outside_access_in extended permit tcp any 74.3.119.224 255.255.255.240 eq https
access-list outside_access_in extended permit udp any 74.3.119.224 255.255.255.240 eq isakmp
access-list outside_access_in extended permit tcp 74.3.119.224 255.255.255.240 eq www any
access-list outside_access_in extended permit tcp 74.3.119.224 255.255.255.240 eq https any
access-list outside_access_in extended permit udp 74.3.119.224 255.255.255.240 any eq isakmp
access-list outside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip any 192.168.17.80 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.17.80 255.255.255.240
access-list PRCH_splitTunnelAcl standard permit 192.168.17.0 255.255.255.0
access-list PRCHVPN_splitTunnelAcl standard permit 192.168.17.0 255.255.255.0
access-list PRCHVPN_splitTunnelAcl_1 standard permit 192.168.17.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
mtu policy 1500
mtu management 1500
ip local pool NYC 192.168.17.80-192.168.17.90 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (policy) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.1.8 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.8 https netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.1.8 pptp netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.3.119.225 128 track 1
route backup 0.0.0.0 0.0.0.0 50.74.187.237 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 1 reachability
no vpn-addr-assign aaa
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 management
ssh timeout 5
console timeout 0
dhcpd dns 192.168.1.8 4.2.2.2
!
dhcpd dns 192.168.1.8 4.2.2.2 interface inside
dhcpd domain prchealth.local interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy PRCHVPN internal
group-policy PRCHVPN attributes
 wins-server value 192.168.17.8
 dns-server value 192.168.17.8 4.2.2.2
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value PRCHVPN_splitTunnelAcl
 vlan none
username test password fHqnYIC4mrED6qR9 encrypted
username mimi password n5znYRnANWbrOBvN encrypted
username admin password 4livZ1sqwUube71o encrypted
username Libby password 5/cAyB3/B0iOpEgZ encrypted
username LTA_ password qNDhboahK4FHv8D8 encrypted
username Elinore password puM0LtXg2ulVwOa8 encrypted
username allan password ktd/24Ma6/QW/BI4 encrypted privilege 15
username Jenny password n0YHjBhni5wkcpph encrypted
tunnel-group PRCHVPN type remote-access
tunnel-group PRCHVPN general-attributes
 address-pool NYC
 default-group-policy PRCHVPN
tunnel-group PRCHVPN ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a8cf06a95cbad97dbc999e18324f93e4
: end
asdm image disk0:/asdm-645.bin
no asdm history enable
06-03-2013 05:41 AM
Hi,
So naturally the parameters for your L2L VPN, which you decide with the remote end of the VPN connection, ultimately decide what kind of configuration you are going to need.
First you need the Phase 1 parameters, which are configured with the "crypto isakmp policy xx". If you find a matching one in the above configuration then you don't have to configure a new one. If you don't find a matching one you will have to configure a policy with the matching parameters for the new connection.
Then you naturally need to configure the ACL that defines the networks at the local and remote end which need to use the L2L VPN.
For example
access-list L2LVPN remark L2L VPN Encryption Domain
access-list L2LVPN extended permit ip 192.168.17.0 255.255.255.0 <REMOTE-NETWORK> <REMOTE-MASK>
Then you need a matching NAT0 configuration for the above traffic. I use as an example your "inside" network, which has an existing NAT0 configuration.
access-list inside_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 <REMOTE-NETWORK> <REMOTE-MASK>
Then you need to insert L2L VPN related configurations to the existing "crypto map" you have.
crypto map outside_map 10 match address L2LVPN
crypto map outside_map 10 set peer <PEER-IP>
crypto map outside_map 10 set transform-set <TRANSFORM-SET-NAME>
The above are the minimum ones required. Don't worry about it if the ASA gives a warning that the "crypto map" entry isn't complete. It will warn about this until you have the final third parameter above set.
Then you need to define the "tunnel-group" for the L2L VPN connection, which also has the PSK (Pre Shared Key) for the connection, which you also decide with the remote end.
tunnel-group <PEER-IP> type ipsec-l2l
tunnel-group <PEER-IP> ipsec-attributes
 pre-shared-key <PSK>
Naturally if you can provide us with the actual information then we can give more specific information. We would need the Phase 1 and Phase 2 parameters of the L2L VPN you are going to build. We would also need to know all the local and remote networks related to this L2L VPN connection.
Hopefully this helps.
Remember to mark the reply as the correct answer if it answered your question. Naturally, ask more if you need more specific information.
- Jouni
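As an added example (not part of the thread, and not Jouni's or Cisco's code), here is a small Python helper that does the checks the reply above walks through against a running config: parse the existing "crypto isakmp policy" blocks and see whether one already matches the Phase 1 parameters agreed with the remote end, confirm the chosen transform-set exists, pick a static crypto map sequence number below the dynamic 65535 entry so the L2L entry is evaluated before the remote-access one, and then emit the ACL, NAT0, crypto map and tunnel-group lines. The config excerpt is a constructed, per-line trimming of the posted config's crypto section; the peer address 203.0.113.1, the remote network 10.20.30.0/24 and the pre-shared key are constructed placeholders, not values from the thread.

```python
import re
from ipaddress import IPv4Network

# Constructed excerpt modelled on the crypto section of the posted config,
# trimmed to two of its fifteen ISAKMP policies. Not the poster's full config.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""


def parse_isakmp_policies(config):
    """Map each 'crypto isakmp policy N' block to a dict of its sub-commands."""
    policies, current = {}, None
    for raw in config.splitlines():
        header = re.match(r"crypto isakmp policy (\d+)\s*$", raw)
        if header:
            current = int(header.group(1))
            policies[current] = {}
        elif current is not None and raw.startswith(" "):
            key, _, value = raw.strip().partition(" ")
            policies[current][key] = value
        else:
            current = None  # any other top-level line ends the block
    return policies


def matching_policies(policies, wanted):
    """Sequence numbers of existing Phase 1 policies that agree on every wanted parameter."""
    return sorted(seq for seq, attrs in policies.items()
                  if all(attrs.get(k) == v for k, v in wanted.items()))


def transform_sets(config):
    """Names of the Phase 2 transform-sets already defined."""
    return set(re.findall(r"^crypto ipsec transform-set (\S+)", config, re.M))


def next_static_seq(config, map_name="outside_map", start=10, step=10):
    """Lowest free sequence number below the dynamic entry (static entries must come first)."""
    used, dynamic = set(), set()
    for raw in config.splitlines():
        m = re.match(rf"crypto map {map_name} (\d+) (\S+)", raw)
        if m:
            seq = int(m.group(1))
            used.add(seq)
            if m.group(2) == "ipsec-isakmp" and "dynamic" in raw.split():
                dynamic.add(seq)
    ceiling = min(dynamic) if dynamic else 65536
    seq = start
    while seq in used:
        seq += step
    if seq >= ceiling:
        raise ValueError("no static sequence number left below the dynamic entry")
    return seq


def l2l_config_lines(config, peer_ip, local_net, remote_net, transform_set, phase1, psk):
    """Build the L2L lines the reply lists; add a Phase 1 policy only if none matches."""
    local, remote = IPv4Network(local_net), IPv4Network(remote_net)
    if transform_set not in transform_sets(config):
        raise ValueError(f"transform-set {transform_set} is not defined on the ASA")
    seq = next_static_seq(config)
    policies = parse_isakmp_policies(config)
    lines = []
    if not matching_policies(policies, phase1):
        new = max(policies) + 10 if policies else 10
        lines += [f"crypto isakmp policy {new}"] + [f" {k} {v}" for k, v in phase1.items()]
    domain = f"{local.network_address} {local.netmask} {remote.network_address} {remote.netmask}"
    lines += [
        "access-list L2LVPN remark L2L VPN Encryption Domain",
        f"access-list L2LVPN extended permit ip {domain}",
        f"access-list inside_nat0_outbound extended permit ip {domain}",
        f"crypto map outside_map {seq} match address L2LVPN",
        f"crypto map outside_map {seq} set peer {peer_ip}",
        f"crypto map outside_map {seq} set transform-set {transform_set}",
        f"tunnel-group {peer_ip} type ipsec-l2l",
        f"tunnel-group {peer_ip} ipsec-attributes",
        f" pre-shared-key {psk}",
    ]
    return lines


if __name__ == "__main__":
    # Constructed Phase 1 proposal: matches the existing policy 30, so no new policy is emitted.
    phase1 = {"authentication": "pre-share", "encryption": "aes-256",
              "hash": "sha", "group": "2", "lifetime": "86400"}
    for line in l2l_config_lines(SAMPLE_CONFIG, "203.0.113.1", "192.168.17.0/24",
                                 "10.20.30.0/24", "ESP-AES-256-SHA", phase1, "EXAMPLE-PSK"):
        print(line)
```

Run it against a "show running-config" capture instead of SAMPLE_CONFIG to see what is still missing before typing anything at the ASA; the sequence-number check matters because a static entry numbered above 65535 would never be reached while the dynamic remote-access entry holds that slot.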