06-12-2012 02:13 PM
ASA-SiteA:
Outside int: 4.5.6.7
Inside int: 10.1.1.1
DMZ: 192.168.0.1 255.255.255.0
Routes on ASA-SiteA:
route outside 0.0.0.0 0.0.0.0 4.5.6.7 ---------- default route
route inside 172.10.1.0 255.255.255.0 10.1.1.1 --- route to reach the ASA-SiteB inside interface
ASA-SiteB:
Outside int: 50.1.2.3
Inside int: 172.10.1.1
DMZ: 192.168.87.1 255.255.255.0
Routes on ASA-SiteB:
route outside 0.0.0.0 0.0.0.0 50.1.2.3 ---------- default route
route inside 10.1.1.0 255.255.255.0 172.10.1.1 --- route to reach the ASA-SiteA inside interface
The inside interfaces of the two ASAs can reach each other through the MPLS circuit. We want to create a VPN tunnel between the two DMZ networks so that the traffic goes through a tunnel over the LAN. Can you check the config below and suggest whether any changes are needed?
1. For the VPN tunnel to work, does the traffic need to match a route on the ASA, or does it just need to match the access-list (interesting traffic)? For example, after configuring the VPN tunnel between the 192.168.0.0 and 192.168.87.0 networks, when I ping the 192.168.87.1 IP, does it bring up the tunnel because it matches the interesting traffic, or do the packets go to 4.5.6.7 because they match the default route?
2. Under normal site-to-site VPN scenarios traffic initiates on the high-security interface (DMZ or inside) and goes to the low-security interface (outside), but in the above case traffic initiates on the low-security interface (DMZ) and goes to the high-security interface (inside), which usually gets blocked unless there is an access-list entry to allow that traffic. So do we have to have an "ip any any" entry (on the access-list applied to the DMZ interface) between the two DMZ networks?
Config on ASA-SiteA:
IKEv1 policy
ASA-SiteA(config)# crypto ikev1 enable inside ----- Does enabling ikev1 on the interface interrupt traffic?
ASA-SiteA(config)# crypto ikev1 policy 100
ASA-SiteA(config-ikev1-policy)# authentication pre-share
ASA-SiteA(config-ikev1-policy)# encryption 3des
ASA-SiteA(config-ikev1-policy)# hash sha
ASA-SiteA(config-ikev1-policy)# group 2
ASA-SiteA(config-ikev1-policy)# lifetime 86400
IPsec transform set
ASA-SiteA(config)# crypto ipsec ikev1 transform-set VPN-MPLS esp-3des esp-sha-hmac
ASA-SiteA(cfg-crypto-trans)# mode transport
Tunnel group
! peer is the ASA-SiteB inside interface (the tunnel rides the MPLS path, not the Internet)
ASA-SiteA(config)# tunnel-group 172.10.1.1 type ipsec-l2l
ASA-SiteA(config)# tunnel-group 172.10.1.1 ipsec-attributes
ASA-SiteA(config-tunnel-ipsec)# pre-shared-key test
Interesting traffic
ASA-SiteA(config)# object network Site-A-DMZ
ASA-SiteA(config-network-object)# subnet 192.168.0.0 255.255.255.0
ASA-SiteA(config)# object network Site-B-DMZ
ASA-SiteA(config-network-object)# subnet 192.168.87.0 255.255.255.0
! the ACL must reference the object names defined above
ASA-SiteA(config)# access-list VPN-INTERESTING-TRAFFIC extended permit ip object Site-A-DMZ object Site-B-DMZ
! identity (no-NAT) rule so DMZ-to-DMZ traffic keeps its real addresses and matches the crypto ACL
ASA-SiteA(config)# nat (dmz,inside) source static Site-A-DMZ Site-A-DMZ destination static Site-B-DMZ Site-B-DMZ
Crypto map
ASA-SiteA(config)# crypto map VPN-LAN 100 ipsec-isakmp
ASA-SiteA(config-crypto-map)# match address VPN-INTERESTING-TRAFFIC
ASA-SiteA(config-crypto-map)# set pfs group2
ASA-SiteA(config-crypto-map)# set peer 172.10.1.1
! transform-set name must match the one defined above (8.4+ syntax uses "set ikev1 transform-set")
ASA-SiteA(config-crypto-map)# set ikev1 transform-set VPN-MPLS
! the crypto map is bound to the inside interface, since that is where the peer is reached
ASA-SiteA(config)# crypto map VPN-LAN interface inside
06-12-2012 08:28 PM
Yes, you would need the correct route, otherwise it will just route via the default gateway.
So on Site A, you should have:
route inside 192.168.87.0 255.255.255.0 10.1.1.x --> x should be the next hop from the ASA inside interface
On Site B, you should have:
route inside 192.168.0.0 255.255.255.0 172.10.1.x --> x should be the next hop from the ASA inside interface
Then remove "mode transport" from both ASAs.
To answer your questions:
1. Yes, it would need to match a route, otherwise it will be routed through the default gateway.
2. Yes, you would need to have an access-list to allow traffic from the low to the high security level. If you want full IP access, then you can configure permit ip between the 2 LANs.
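An added example (not from this thread or from Cisco) that models the routing point in the answer above: the ASA picks the egress interface by longest-prefix route lookup, so a crypto map bound to "inside" only sees DMZ-to-DMZ packets if a route sends them out "inside"; with only the default route they leave "outside" in the clear. The route table, interface names and the "10.1.1.x" placeholder next hop are taken from the thread.

```python
import ipaddress

# Constructed from ASA-SiteA's routes in the thread: (interface, prefix, next hop).
ROUTES_BEFORE = [
    ("outside", "0.0.0.0/0", "4.5.6.7"),        # default route
    ("inside", "172.10.1.0/24", "10.1.1.1"),    # reach ASA-SiteB inside interface
]
# The route the answer says to add; "10.1.1.x" is the thread's placeholder next hop.
ROUTE_FIX = ("inside", "192.168.87.0/24", "10.1.1.x")

CRYPTO_MAP_IFACE = "inside"  # from 'crypto map VPN-LAN interface inside'
# (source, destination) pairs of access-list VPN-INTERESTING-TRAFFIC
INTERESTING = [("192.168.0.0/24", "192.168.87.0/24")]


def lookup(routes, dst):
    """Longest-prefix match; returns (egress interface, next hop) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for iface, prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface, next_hop)
    return None if best is None else best[1:]


def tunnel_problems(routes, crypto_iface, interesting):
    """For each crypto-ACL destination, the packet must egress the interface the
    crypto map is bound to; anything else bypasses the tunnel. Returns findings."""
    problems = []
    for _src, dst in interesting:
        probe = next(ipaddress.ip_network(dst).hosts())  # e.g. 192.168.87.1
        egress = lookup(routes, str(probe))
        if egress is None or egress[0] != crypto_iface:
            problems.append(f"{dst}: egress {egress} is not '{crypto_iface}', "
                            f"traffic would not hit the crypto map")
    return problems


if __name__ == "__main__":
    print(lookup(ROUTES_BEFORE, "192.168.87.1"))          # ('outside', '4.5.6.7')
    print(tunnel_problems(ROUTES_BEFORE, CRYPTO_MAP_IFACE, INTERESTING))
    print(tunnel_problems(ROUTES_BEFORE + [ROUTE_FIX], CRYPTO_MAP_IFACE, INTERESTING))
```

Run it against a copy of your own route table to confirm that every crypto-ACL destination prefers the interface the crypto map is applied to.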
06-13-2012 08:08 AM
Thanks Jennifer, I have a few more questions.
1. "Then remove "mode transport" from both ASA."
Did you mean we have to leave the IPsec in the default tunnel mode instead of transport?
2. When we enable ikev1 on the inside interface (crypto ikev1 enable inside), does it interrupt any traffic?
06-14-2012 12:58 PM
Anyone?
06-14-2012 09:36 PM
1. Yes, correct, leave the IPsec in the default tunnel mode. Transport mode is normally used for L2TP over IPsec or GRE over IPsec. For a pure LAN-to-LAN tunnel, it is just tunnel mode.
2. No, enabling IKEv1 on the inside interface will not interrupt any traffic. It simply enables it so it can terminate the IPsec tunnel.
06-15-2012 06:47 AM
Thanks Jennifer