05-23-2012 04:22 PM
Hi,
I'd like to connect through a VPN the HQ office to a Branch using two ASAs.
I have a 5520 in the HQ and 5505 in the Branch Office.
My problem is in the Branch office where I have a dynamic IP (ADSL).
I couldn't find an example of this kind of configuration.
Can you help me?
Regards,
Sergio Santos
05-23-2012 04:56 PM
Hi Sergio,
Well you have two options:
On the 5520 you need to configure a dynamic crypto map because you don't know the IP address the 5505 will have, and even if you do, the IP address could change. So:
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set myset
crypto dynamic-map dynmap 1 set reverse-route
crypto map mymap 10 IPSec-isakmp dynamic dynmap
crypto map mymap interface outside
If you already have other tunnels configured then just change the crypto map name I used above to the one you already have. In the example I used a sequence number of 10 because I don't have more tunnels in place, but you need to make sure that the crypto map entry where you tie the dynamic crypto map has the highest value! I'd recommend using a value such as 65535, which is the highest you can use; this will allow you to configure static tunnels in the future without the need of reconfiguring the one you tied to the dynamic map.
Besides that you need to configure the tunnel-group... but as you might know, for L2L tunnels with PSKs in Main Mode the tunnel-group name MUST be the peer IP address, and in this case we don't know it. Don't worry, we can configure the PSK under the DefaultL2LGroup:
tunnel-group DefaultL2LGroup IPSec-attributes
pre-shared-key *
That's all you need on the 5520, besides the basic PH1 configuration for building a tunnel.
On the 5505 all you need to do is to configure a regular tunnel because from the 5505 perspective we know the IP address of the 5520 and that one will not change:
crypto map MYMAP 1 match address MYCRYPTOACL
crypto map MYMAP 1 set peer X.X.X.X
crypto map MYMAP 1 set transform-set myset
crypto map MYMAP interface outside
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ezvpn505.html
HTH!
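As an added check that is not part of the post above (and not Cisco's own tooling), the script below parses a constructed ASA config excerpt laid out the way Gustavo describes and verifies that the entry binding the dynamic crypto map references a dynamic-map that actually exists and carries the highest sequence number of its crypto map, so static L2L entries are evaluated first; it also flags the DES/MD5 transform set used in the example.

```python
import re

# Algorithms a current ASA deployment should not rely on (DES/3DES/MD5/null).
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

# Constructed ASA config excerpt in the headend layout described above (not from a real device).
CONFIG = """\
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set myset
crypto dynamic-map dynmap 1 set reverse-route
crypto map mymap 10 match address BRANCH_A
crypto map mymap 10 set peer 203.0.113.10
crypto map mymap 10 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
"""

DYN_BIND = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$", re.I)
STATIC = re.compile(r"^crypto map (\S+) (\d+) (?!ipsec-isakmp dynamic)\S", re.I)
DYN_DEF = re.compile(r"^crypto dynamic-map (\S+) \d+ ", re.I)
XFORM = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$", re.I)


def audit(config):
    """Return a list of findings; an empty list means the layout is sound."""
    seqs, binds, dyn_defined, xforms = {}, [], set(), {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := DYN_BIND.match(line):          # entry that ties in a dynamic map
            binds.append((m[1], int(m[2]), m[3]))
            seqs.setdefault(m[1], []).append(int(m[2]))
        elif m := STATIC.match(line):          # regular static L2L entry
            seqs.setdefault(m[1], []).append(int(m[2]))
        elif m := DYN_DEF.match(line):         # dynamic-map definition
            dyn_defined.add(m[1])
        elif m := XFORM.match(line):           # transform-set definition
            xforms[m[1]] = set(m[2].split())
    findings = []
    if not binds:
        findings.append("no crypto map entry binds a dynamic crypto map")
    for cmap, seq, dyn in binds:
        if dyn not in dyn_defined:
            findings.append(f"{cmap} {seq}: dynamic-map {dyn} is not defined")
        if seq < max(seqs[cmap]):
            findings.append(f"{cmap} {seq}: dynamic entry is not the highest sequence")
    for name, algs in xforms.items():
        if algs & WEAK:
            findings.append(f"transform-set {name} uses weak algorithms {sorted(algs & WEAK)}")
    return findings
```

Run `audit()` over a `show running-config crypto` capture to get the same three checks on a live box.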
05-27-2012 01:08 PM
Hi Gustavo,
I'm surprised by such a complete answer so fast!!!
Thanks a lot Gustavo!
I'll test from next Monday and I'll let you know what will happen.
Everything you said makes sense to me, so I'm very hopeful it will work.
Although I'll probably implement the first option, I have a question about the second one. I think if I use EasyVPN, all traffic from the 5505 to the main site will be "NATed", then I can have trouble (or I'll need many additional rules) to access some hosts from HQ to the Branch office. Is it correct?
Do you speak Portuguese? I'm from Niteroi-RJ-Brasil.
Certainly you helped me a lot!!
Thanks a lot again!!!
Sergio Santos
PS: I'm sorry for my poor English.
05-27-2012 01:46 PM
hi Gustavo,
no, this doesn't work!
In my case the branch-asa is missing the IKEv2 configuration. How do I disable it, when it is nowhere enabled?
Most of the time I work with the gui because the cli gives me not enough overview, I know about the 100s of bugs in the gui. But I expect that IKEv2 is nowhere used when I don't see settings for it. In the tunnel-group I only see IKEv1 enabled. Why does the asa try to use v2?
thx
Denise
05-28-2012 07:21 AM
Hello Sergio and Denise,
Man, I wish I could speak Portuguese, but as of now I only speak English and Spanish... Let's see if I can learn some Portuguese for Brasil 2014!!!!!! Hopefully Costa Rica will make it to the World Cup!!
Let me answer your question. When it comes to EzVPN we have two modes of operation! Well, actually three, but the third one is some sort of combination of the first two, so I'm going to explain the first two.
Client Mode: This is the one you were talking about because it performs NAT, PAT to be more specific... On the headend you will configure a pool of addresses that will be assigned to the clients when they connect, so all the computers behind the 5505 will get translated to the address that the headend assigned to the 5505... Of course only the computers behind the 5505 will be able to initiate traffic towards the headend, because the 5505 is translating multiple IPs to a single IP (many to one), and it does this by assigning a specific port for each IP so the return traffic will go to that specific port and the 5505 will know which IP address the packet should be sent to.
NEM: Network Extension Mode. This mode of operation is very similar to a regular LAN-to-LAN tunnel; we don't do NAT here, so computers behind the 5505 are able to reach computers behind the headend without performing NAT... the security association will be from network to network, and because of this either side is able to initiate the connections.
Denise,
Why do you say the ASA is trying to use IKEv2? Like you said, if it's not configured then it won't be used. If you want, you can share your config and I'll give you a hand.
Regards,
05-28-2012 08:45 AM
Hi Gustavo,
I'm sorry. Because of your name I thought you were Brazilian! No problem, but meanwhile you'll have to put up with my poor "English"...
Currently there is already an ASA5510 in the main site. We have about 14 static-to-static L2L VPNs connected and some remote access through VPN client. It is the first time we need to handle a dynamic IP.
I need to get access from the main site to a branch office, so I understand I can use a regular site-to-site (dynamic to static) or an EzVPN in NEM mode, is it correct?
Do you have any example of how to build an EzVPN in NEM mode?
What do you think would be the best option in my case, regular site-to-site VPN or EzVPN NEM mode?
I know the process to bring up the tunnel in both cases has to initiate from the branch office (dynamic IP), but I need to keep the tunnel always up. Is there something I can configure to start and keep the tunnel up automatically from the branch office?
Thanks in advance
Sergio Santos
PS: Regarding the World Cup, do you intend to watch the world cup in Brazil? I hope Costa Rica can reach here in Brazil, but I hope this time we win! Brazil Hexa Champion!!!!!!!!!!!!!!!!
05-28-2012 10:10 AM
Hello Sergio,
You are right, in order to fulfill your requirements you could either use a Dynamic-to-Static tunnel or go with the EzVPN NEM option.
Here is an EzVPN in NEM example, the headend here is a PIX 515E but it will be practically the exact same thing:
In your case both solutions work fine so I'll let you make the decision but you are going to have more arguments with the answer to your next question.
Probably you need to keep the tunnel always UP because you don't have someone behind the 5505 to bring up the tunnel in case it goes down, or simply because you want users behind the headend to be able to initiate connections without asking the branch users to start sending traffic first. Well, setting the "idle-timeout" to none will not address the issue; I mean, if a rekey occurs and there is no traffic passing at that moment, the only way to bring up the tunnel is by sending traffic again from the device with the dynamic IP (5505). Same thing if the tunnel goes down for an unexpected reason... DPDs, etc.
If you want to keep the tunnel up you need to keep sending traffic across the tunnel... there are different ways to accomplish this...
You could set up a script on a computer behind the 5505 that sends traffic all the time towards the headend, but the downside of this is that you may want to turn that computer off at night, for example.
If you were using a router instead of a 5505 you could do an IP SLA as a workaround in order to keep the SA up all the time; however with the ASAs we cannot do it, as we cannot specify the source of those pings, but we can use the call-home feature instead...
The SCH feature is not designed for this, but we could use it as a workaround on the 5505... the 5505 will generate a ping at a regular interval, so this will maintain the SA up.
service call-home
call-home
no alert-group inventory
alert-group-config snapshot
add-command "ping inside 192.168.50.1" (here you will put an IP address that is behind the headend)
contact-email-addr crtac@cisco.com
mail-server 1.1.1.1 priority 1
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile TAVO
destination address email crvpn@cisco.com
destination transport-method email
subscribe-to-alert-group snapshot periodic interval 1
Now... with EzVPN in NEM you can configure the 5505 with auto-connect, so the client will always be trying to connect; even if the tunnel goes down the client will try to re-connect, so this could accomplish what you want too.
For the World Cup!! I'm going to start saving money so I can make it there, that's the plan!! And I hope Brazil wins too! I always root for Brazil in World Cups. Actually last October Brazil came here to CR and played at our new National Stadium... the players shared with the fans and were VERY humble, DINHO especially... but two months ago Argentina came down to play at the Stadium inauguration... the star players didn't even play... Messi didn't even say hello to the fans... no interviews, no nothing! I went to the stadium and what a waste of money. I also rooted for Argentina in World Cups, but since that day I said I won't anymore hehe
Regards,
10-29-2015 07:50 PM
Gustavo,
EZVPN NEM is only available in ASA. I can't do this if the tunnel is ASA-IOS router?
10-27-2015 04:53 PM
Hi Gustavo,
Since you mentioned that the dynmap should have the highest sequence, how many dynmaps are allowed in an ASA 5510? In my case, I am planning to put up 4 dynamic-map site-to-site VPNs to our remote offices. Thank you
10-27-2015 10:28 PM
Hello,
You can have a maximum of 65535 dynamic maps configured on the ASA.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
10-28-2015 09:19 AM
Hello,
There is no need to configure a separate dynamic-map for each branch. They can all use the same.
-Gustavo
10-28-2015 08:46 PM
How about the policy for each map?