Hi Everyone,
In this post, I am going to do a small lab for a Site to Site VPN using Cisco ASA @ both ends with identical LAN subnets (10.0.0.0/24 behind both firewalls).
Configuration Section:
FW-A-Site1
==============
interface GigabitEthernet0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
no shut
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
no shut
!
object network inlan
subnet 10.0.0.0 255.255.255.0
object network natlan
subnet 192.168.1.0 255.255.255.0
object network endsitelan
subnet 192.168.2.0 255.255.255.0
!
access-list crypto_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
nat (inside,outside) source static inlan natlan destination static endsitelan endsitelan no-proxy-arp
!
route outside 0 0 1.1.1.2
!
crypto ipsec ikev1 transform-set CISCO esp-3des esp-md5-hmac
crypto map outside_map 20 match address crypto_acl
crypto map outside_map 20 set peer 1.1.1.2
crypto map outside_map 20 set ikev1 transform-set CISCO
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
!
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
ikev1 pre-shared-key test
!
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
Router as Host @ Site A Configs
================================
enable secret <password>
username <name> secret <password>
aaa new-model
!
int fas 0/0
ip add 10.0.0.10 255.255.255.0
no shut
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
#############################################################################################################
FW-B-Site2
===========
interface GigabitEthernet0
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0
no shut
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
no shut
!
object network inlan
subnet 10.0.0.0 255.255.255.0
object network natlan
subnet 192.168.2.0 255.255.255.0
object network endsitelan
subnet 192.168.1.0 255.255.255.0
!
access-list crypto_acl extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!
nat (inside,outside) source static inlan natlan destination static endsitelan endsitelan no-proxy-arp
!
route outside 0 0 1.1.1.1
!
crypto ipsec ikev1 transform-set CISCO esp-3des esp-md5-hmac
crypto map outside_map 20 match address crypto_acl
crypto map outside_map 20 set peer 1.1.1.1
crypto map outside_map 20 set ikev1 transform-set CISCO
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key test
!
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
Router as Host @ Site B Configs
================================
enable secret <password>
username <name> secret <password>
aaa new-model
!
int fas 0/0
ip add 10.0.0.10 255.255.255.0
no shut
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
#####################################################################################################################
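Before testing, it is worth checking the two configurations against each other, because the overlapping-subnet design only works when the NAT objects, the crypto ACLs and the peers at both ends line up. The following is an added example (not part of the original post, nor Cisco code): a small Python script that parses a constructed copy of the relevant lines from the two ASA configs above, verifies that each crypto ACL uses the NAT-mapped local subnet rather than the real one, that the mapped subnets mirror each other across the sites, that each peer address is the other side's outside address, and lists the deprecated algorithms (DES, 3DES, MD5) the lab's IKEv1 policy and transform set rely on. The one-sided variant of the Site B config is also constructed here, to show what the check reports when only one end NATs.

```python
import ipaddress
import re

# Constructed template carrying only the lines the check needs; the values are the ones from the post.
ASA_TEMPLATE = """
interface GigabitEthernet0
 nameif outside
 ip address {outside_ip} 255.255.255.0
object network inlan
 subnet 10.0.0.0 255.255.255.0
object network natlan
 subnet {mapped} 255.255.255.0
object network endsitelan
 subnet {remote} 255.255.255.0
access-list crypto_acl extended permit ip {mapped} 255.255.255.0 {remote} 255.255.255.0
nat (inside,outside) source static inlan natlan destination static endsitelan endsitelan no-proxy-arp
crypto ipsec ikev1 transform-set CISCO esp-3des esp-md5-hmac
crypto map outside_map 20 set peer {peer}
crypto ikev1 policy 20
 encryption des
 hash md5
"""
FW_A_CONFIG = ASA_TEMPLATE.format(outside_ip="1.1.1.1", peer="1.1.1.2", mapped="192.168.1.0", remote="192.168.2.0")
FW_B_CONFIG = ASA_TEMPLATE.format(outside_ip="1.1.1.2", peer="1.1.1.1", mapped="192.168.2.0", remote="192.168.1.0")
# Constructed broken variant: Site B keeps its real 10.0.0.0/24 in the NAT rule and crypto ACL (NAT at one end only).
FW_B_ONE_SIDED = (FW_B_CONFIG.replace("source static inlan natlan", "source static inlan inlan")
                  .replace("permit ip 192.168.2.0", "permit ip 10.0.0.0"))

def net(addr: str, mask: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(f"{addr}/{mask}")

def parse_asa(config: str) -> dict:
    """Pull the network objects, crypto ACL, twice-NAT rule, peer, outside address and transform set."""
    info = {"objects": {}, "acl": None, "nat": None, "peer": None, "outside_ip": None, "transform": None}
    current_obj = nameif = None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"object network (\S+)$", line):
            current_obj = m.group(1)
        elif (m := re.match(r"subnet (\S+) (\S+)$", line)) and current_obj:
            info["objects"][current_obj] = net(*m.groups())
        elif m := re.match(r"access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            info["acl"] = (net(m.group(1), m.group(2)), net(m.group(3), m.group(4)))
        elif m := re.match(r"nat \(inside,outside\) source static (\S+) (\S+) destination static (\S+) (\S+)", line):
            info["nat"] = m.groups()  # (real, mapped, dst_real, dst_mapped) object names
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)$", line):
            info["peer"] = m.group(1)
        elif m := re.match(r"crypto ipsec ikev1 transform-set \S+ (.+)$", line):
            info["transform"] = m.group(1)
        elif m := re.match(r"nameif (\S+)$", line):
            nameif = m.group(1)
        elif (m := re.match(r"ip address (\S+) \S+$", line)) and nameif == "outside":
            info["outside_ip"] = m.group(1)
    return info

def check_pair(cfg_a: str, cfg_b: str) -> list:
    """Return the reasons the two configs would not build the overlapping-subnet tunnel (empty = consistent)."""
    sides = {"A": parse_asa(cfg_a), "B": parse_asa(cfg_b)}
    problems = []
    for name, s in sides.items():
        real, mapped, dst_real, dst_mapped = (s["objects"][o] for o in s["nat"])
        acl_src, acl_dst = s["acl"]
        if acl_src != mapped:
            problems.append(f"{name}: crypto ACL source {acl_src} is not the NAT-mapped local subnet {mapped}")
        if acl_dst != dst_real or dst_real != dst_mapped:
            problems.append(f"{name}: crypto ACL destination must be the identity-NATed remote mapped subnet")
        if real in (acl_src, acl_dst):
            problems.append(f"{name}: crypto ACL still references the real overlapping subnet {real}")
    a, b = sides["A"], sides["B"]
    for x, y, xn, yn in ((a, b, "A", "B"), (b, a, "B", "A")):
        if x["objects"][x["nat"][1]] != y["objects"][y["nat"][2]]:
            problems.append(f"{xn}'s mapped LAN is not {yn}'s endsitelan, so the proxy IDs will not mirror")
        if x["peer"] != y["outside_ip"]:
            problems.append(f"{xn}: peer {x['peer']} is not {yn}'s outside address {y['outside_ip']}")
    if a["transform"] != b["transform"]:
        problems.append("transform sets differ between the two ends")
    return problems

WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

def weak_algorithms(config: str) -> list:
    """Deprecated ciphers/hashes named in the IKEv1 policy and the IPsec transform set."""
    found = []
    for tokens in (line.split() for line in config.splitlines()):
        if tokens[:1] in (["encryption"], ["hash"]) or tokens[:3] == ["crypto", "ipsec", "ikev1"]:
            found += [t for t in tokens if t in WEAK]
    return found

if __name__ == "__main__":
    print("lab pair:", check_pair(FW_A_CONFIG, FW_B_CONFIG) or "consistent")
    print("one-sided NAT:", check_pair(FW_A_CONFIG, FW_B_ONE_SIDED))
    print("weak algorithms in the lab policy:", weak_algorithms(FW_A_CONFIG))
```

The parser is intentionally narrow: it understands only the twice-NAT form `source static X Y destination static Z Z` used in this lab, which is the pattern that hides the real subnet from the tunnel. Running it on the lab pair reports no problems; the one-sided variant is flagged twice, once because Site B's crypto ACL still carries the real 10.0.0.0/24 and once because Site A's endsitelan no longer matches what Site B presents.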
Testing the network:
site-a-host#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/20/44 ms
site-a-host#
site-b-host#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/22/44 ms
site-b-host#
vpnfw-site-a# ping 10.0.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/12/20 ms
vpnfw-site-a# ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/66/110 ms
vpnfw-site-a#
s2s-fw-site-b# ping 10.0.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms
s2s-fw-site-b# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/64/170 ms
s2s-fw-site-b#
So everything looks okay: pings from each local host to its own firewall, and between the two VPN peers, all succeed.
Establish the Site to Site VPN between both the sites:
Pinging the Site B host (real address 10.0.0.10, mapped address 192.168.2.10) from the Site A host (real address 10.0.0.10, mapped address 192.168.1.10):
site-a-host#ping 192.168.2.10 rep
site-a-host#ping 192.168.2.10 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 192.168.2.10, timeout is 2 seconds:
.!!!!!!!!!
Success rate is 90 percent (9/10), round-trip min/avg/max = 48/71/108 ms
site-a-host#
vpnfw-site-a# sh isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.2
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
vpnfw-site-a# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 20, local addr: 1.1.1.1
access-list crypto_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 1.1.1.2
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 1.1.1.2/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: A43BDEB5
current inbound spi : 1C4D9E26
inbound esp sas:
spi: 0x1C4D9E26 (474848806)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914999/28679)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000003FF
outbound esp sas:
spi: 0xA43BDEB5 (2755387061)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914999/28679)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
vpnfw-site-a#
Other Site FW logs
s2s-fw-site-b# sh isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
s2s-fw-site-b#
s2s-fw-site-b# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 20, local addr: 1.1.1.2
access-list crypto_acl extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 14, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 9F06A7D4
current inbound spi : 6FB62F56
inbound esp sas:
spi: 0x6FB62F56 (1874210646)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12288, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373998/28725)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00007FFF
outbound esp sas:
spi: 0x9F06A7D4 (2668013524)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12288, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373998/28725)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Explanation:
When both sites use the identical local LAN subnet, you cannot build the encryption domain in the usual way: the crypto ACL would carry the same subnet as source and destination, and each host would treat the remote subnet as its own local network. Here you have to use NAT to achieve it. Each ASA presents its LAN to the tunnel as a different mapped subnet (192.168.1.0/24 for Site A, 192.168.2.0/24 for Site B) and the crypto ACLs match those mapped subnets. Make sure you NAT at both ends to get this to work; NATing at only one end will not give you the desired result.
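To make the "NAT at both ends" point concrete, here is an added example (mine, not from the post or from Cisco) that models the two ASAs' twice-NAT rules and crypto ACLs in Python and traces the ping from the test above: the echo request is translated on the way out of Site A, matched against the crypto ACL, un-translated on arrival at Site B, and the reply makes the same trip in reverse. Two constructed one-sided variants show the two ways a single-ended NAT fails: the Phase 2 proxy IDs no longer mirror, or the destination falls inside the sender's own LAN and never reaches the tunnel at all. The `Asa` class and the `ping` trace are simplifications I wrote for this illustration, not a model of ASA internals.

```python
import ipaddress
from dataclasses import dataclass

IP, Net = ipaddress.IPv4Address, ipaddress.IPv4Network

def shift(addr: IP, from_net: Net, to_net: Net) -> IP:
    """Static subnet-to-subnet NAT: keep the host part, swap the network part."""
    return to_net[int(addr) - int(from_net.network_address)]

@dataclass(frozen=True)
class Asa:
    """One ASA from the lab: its real LAN, its twice-NAT mapping and the crypto ACL they imply."""
    name: str
    real_lan: Net       # subnet behind 'inside' (10.0.0.0/24 at both sites)
    mapped_lan: Net     # 'natlan' object: how the local LAN appears inside the tunnel
    remote_mapped: Net  # 'endsitelan' object: how the peer LAN is addressed from here

    @property
    def nat_enabled(self) -> bool:
        return self.mapped_lan != self.real_lan

    def crypto_acl_matches(self, src: IP, dst: IP) -> bool:
        # access-list crypto_acl extended permit ip <mapped_lan> <remote_mapped>
        return src in self.mapped_lan and dst in self.remote_mapped

    def translate_out(self, src: IP, dst: IP) -> IP:
        # nat (inside,outside) source static inlan natlan destination static endsitelan endsitelan
        if self.nat_enabled and src in self.real_lan and dst in self.remote_mapped:
            return shift(src, self.real_lan, self.mapped_lan)
        return src

    def translate_in(self, dst: IP) -> IP:
        # the same rule in reverse for packets coming out of the tunnel
        if self.nat_enabled and dst in self.mapped_lan:
            return shift(dst, self.mapped_lan, self.real_lan)
        return dst

def one_way(sender: Asa, receiver: Asa, src: IP, dst: IP):
    """Trace one packet from a host behind `sender`; return ((src_seen, dst_real), reason)."""
    if dst in sender.real_lan:
        return None, f"{dst} is on {sender.name}'s own LAN, so the packet never reaches the VPN"
    src_t = sender.translate_out(src, dst)
    if not sender.crypto_acl_matches(src_t, dst):
        return None, f"{sender.name}: {src_t}->{dst} does not match crypto_acl, not encrypted"
    # Phase 2 only completes when the two crypto ACLs are mirror images (proxy IDs)
    if (sender.mapped_lan, sender.remote_mapped) != (receiver.remote_mapped, receiver.mapped_lan):
        return None, "proxy-ID mismatch: the crypto ACLs at the two ends are not mirror images"
    dst_real = receiver.translate_in(dst)
    if dst_real not in receiver.real_lan:
        return None, f"{receiver.name}: {dst_real} is not behind its inside interface"
    return (src_t, dst_real), "delivered"

def ping(a: Asa, b: Asa, src: IP, dst: IP) -> dict:
    """Echo request from a host behind `a`, then the echo reply back, as in the post's test."""
    fwd, why = one_way(a, b, src, dst)
    if fwd is None:
        return {"ok": False, "reason": why}
    src_seen, dst_real = fwd
    rev, why = one_way(b, a, dst_real, src_seen)
    if rev is None:
        return {"ok": False, "reason": "reply: " + why}
    return {"ok": True, "b_host_saw": str(src_seen), "a_host_saw": str(rev[0])}

# The lab as configured in the post (built from its object definitions)
FW_A = Asa("FW-A", Net("10.0.0.0/24"), Net("192.168.1.0/24"), Net("192.168.2.0/24"))
FW_B = Asa("FW-B", Net("10.0.0.0/24"), Net("192.168.2.0/24"), Net("192.168.1.0/24"))
# Constructed one-sided variants: Site B does not NAT, so its mapped LAN is its real LAN
FW_B_NO_NAT = Asa("FW-B", Net("10.0.0.0/24"), Net("10.0.0.0/24"), Net("192.168.1.0/24"))
FW_A_REAL_REMOTE = Asa("FW-A", Net("10.0.0.0/24"), Net("192.168.1.0/24"), Net("10.0.0.0/24"))

if __name__ == "__main__":
    print(ping(FW_A, FW_B, IP("10.0.0.10"), IP("192.168.2.10")))
    print(ping(FW_A, FW_B_NO_NAT, IP("10.0.0.10"), IP("192.168.2.10")))
    print(ping(FW_A_REAL_REMOTE, FW_B_NO_NAT, IP("10.0.0.10"), IP("10.0.0.20")))
```

With both ends NATing, the Site B host sees the request from 192.168.1.10 and the Site A host sees the reply from 192.168.2.10, which is exactly the address each side can route toward the tunnel. If Site B drops its NAT while Site A keeps 192.168.2.0/24 as the remote, the proxy IDs disagree and no IPsec SA forms; if Site A instead points its crypto ACL at the real 10.0.0.0/24, the packet is delivered on Site A's own LAN before the crypto map ever sees it.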
Please post your queries if any.
Please do comment if you like this post!!!
Cheers
Karthik
Cuckoo Networks