• Advertisement

VPN on ASA5510

IPsec, L2TP, Split tunneling, PPTP and all other VPN related posts.

VPN on ASA5510

Postby Guest » Fri Dec 31, 2010 7:40 am

We have 2 locations with ASA5510 and would like to configure VPN tunnel for data.  Right now we have mpls that we like get rid of.

 

I see in our configuration there is already VPN tunnel configured but its not working.  Because we stoped mpls and data between both sides stop working.

 

Following is he configs from one of ASA5510, please let me know if you see VPN configured...i am new to firewall...

 

Please help...

 
ASA Version 8.03
!
hostname home
domain-name none.com
names

 

name 10.10.10.10 Exchange2010
name 1.1.1.1.1 Exchange2010outside
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address Exchange2010outside 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.10.2255.255.255.0
!
interface Ethernet0/2
nameif mpls
security-level 100
ip address 10.10.10.2 255.255.255.240
!
interface Ethernet0/3
nameif temp
security-level 0
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!

 

ftp mode passive
dns server-group DefaultDNS
domain-name none.com
same-security-traffic permit inter-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit tcp any interface outside eq 3390
access-list 101 extended permit tcp any interface outside eq 3391
access-list 101 extended permit tcp any interface outside eq 3392
access-list 101 extended permit tcp any interface outside eq 3393
access-list 101 extended permit tcp any interface outside eq 3394
access-list 101 extended permit tcp any interface outside eq 3395
access-list 101 extended permit tcp any interface outside eq 3396
access-list 101 extended permit tcp any interface outside eq 3397
access-list 101 extended permit tcp any interface outside eq 3398
access-list 101 extended permit tcp any interface outside eq 3399
access-list 101 remark OWA 2010
access-list 101 extended permit tcp any host Exchange2010outside eq 3389
access-list 101 extended permit tcp any host Exchange2010outside eq www
access-list 101 extended permit tcp host 64.92.220.155 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 64.92.220.156 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 64.92.220.157 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 64.92.220.158 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 64.92.220.159 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 64.92.220.160 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 64.92.220.161 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 64.92.220.162 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 64.92.220.163 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 64.92.220.164 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 64.92.220.165 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 64.92.220.166 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.82.145.85 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.82.145.86 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.82.145.87 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.82.145.88 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.82.145.89 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.82.145.90 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.82.145.91 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.82.145.92 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.78.240.245 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.78.240.246 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.78.240.247 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.78.240.248 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.78.240.249 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.78.240.250 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.78.240.251 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.78.240.252 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp 64.18.0.0 255.255.240.0 host Exchange2010out
side eq smtp
access-list 101 extended permit tcp any host Exchange2010outside eq https
access-list 101 extended permit object-group TCPUDP any host Exchange2010 eq www

 

access-list Home-Remote extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255
.255.0
access-list Home-Remote extended permit ip 10.10.10.0 255.255.255.0 10.10.12.0 255.255
.255.0
access-list Home-Remote extended permit ip 10.10.10.0 255.255.255.0 10.10.13.0 255.255
.255.0
access-list Home-Remote extended permit ip 10.10.10.0 255.255.255.0 10.10.14.0 255.255
.255.0
access-list cap extended permit tcp any eq 3391 any
access-list cap extended permit tcp any eq 3394 any
access-list home-remoteNONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 25
5.255.255.0
access-list home-remoteNONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.12.0 25
5.255.255.0
access-list Home-RemoteNONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.13.0 25
5.255.255.0
access-list Home-RemoteNONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.14.0 25
5.255.255.0
access-list cap1 extended permit tcp any any eq smtp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu mpls 1500
mtu temp 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list Home-RemoteNONAT
nat (inside) 1 10.10.1.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.2.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.3.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.4.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.5.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.6.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.7.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.8.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.9.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.10.0 255.255.255.0 tcp 50 20

static (inside,outside) tcp interface smtp Exchange2010 smtp netmask 255.255.255

.255
static (inside,outside) tcp interface https Exchange2010 https netmask 255.255.2
55.255

 

access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 111.111.11.111 1 (side note 111.111.11.111 believe is isp gateway)
route inside 10.10.4.0 255.255.255.0 10.10.4.1 1
route inside 10.10.5.0 255.255.255.0 10.10.5.1 1
route inside 10.10.6.0 255.255.255.0 10.10.6.1 1
route inside 10.10.7.0 255.255.255.0 10.10.7.1 1
route inside 10.10.8.0 255.255.255.0 10.10.8.1 1
route inside 10.10.9.0 255.255.255.0 10.10.9.1 1
route mpls 10.10.11.0 255.255.255.0 10.10.20.1 1
route mpls 10.10.12.0 255.255.255.0 10.10.20.1 1
route mpls 10.10.13.0 255.255.255.0 10.10.20.1 1
route mpls 10.10.14.0 255.255.255.0 10.10.20.1 1
route mpls 10.10.21.0 255.255.255.0 10.10.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.10.11.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Home_Tunnel esp-aes-256 esp-sha-hmac
crypto map maptoREMOTE 10 match address Home-Remote
crypto map maptoREMOTE 10 set transform-set Home_Tunnel
crypto map maptoREMOTE interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 11
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
telnet 10.10.10.0 255.255.255.0 inside
telnet 10.10.11.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics
username admin password id6XqXzHqVdjWpuR encrypted privilege 15
tunnel-group 38.1.1.1 type ipsec-l2l ( side note this is remote asa ip address)
tunnel-group 38.1.1.1 ipsec-attributes (side note this is remote asa ip address)
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
class-map pptp-port
match port tcp eq pptp
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map pptp_policy
class pptp-port
  inspect pptp
policy-map pptp-policy
class pptp-port
  inspect pptp
!
service-policy global_policy global
service-policy pptp_policy interface outside
prompt hostname context

Guest
 

Advertisement

Re:VPN on ASA5510

Postby Guest » Fri Dec 31, 2010 9:18 am

Hi Gurpreet,

 

From the configuration, i see that there is a vpn configuration for a site to site tunnel, but it is incomplete. the missing statement are marked in RED:

 

crypto ipsec transform-set Home_Tunnel esp-aes-256 esp-sha-hmac

crypto map maptoREMOTE 10 set peer <ip address of the remote site>
crypto map maptoREMOTE 10 match address Home-Remote
crypto map maptoREMOTE 10 set transform-set Home_Tunnel
crypto map maptoREMOTE interface outside

 

--Now i see a tunnel group configuration with ip address 38.1.1.1, so most probably this is the ip address of your remote peer. So please verify if this is the ip address of your remote site, and then apply this ip address in the above config set to complete the vpn configuration. So following is probably is what needs ot be addred

 

crypto map maptoREMOTE 10 set peer 38.1.1.1

 

But as i said, apply the set peer only after you are sure this ip address is that of your intended remote site. Rest of the vpn config seems fine.

 

Let me know if this helps,

 

Cheers,

Rudresh V

Guest
 

Re:VPN on ASA5510

Postby Guest » Fri Dec 31, 2010 10:34 am

Thanks Rudresh,

 

I have made that change.  Now i am checking my remote asa configs and see tunnel is ponting to our old ISP(home isp) ip address and that need be changed:

 

following are lines i am seeing pointing to old ip address that need to be changed.  I don want to make mistake please advise how should i chagne them.  Also if you see anything else need to changed in there.  Again thank you very much.

 

crypto map outside_map 20 set peer 64.1.1.1

 

tunnel-group 64.1.1.1 type ipsec-l2l
tunnel-group 64.1.1.1 ipsec-attributes

 

 

 

sh runm  
: Saved
:
ASA Version 8.0(4)
!
hostname ASA-home
domain-name none.com

 

names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 38.1.1.1255.255.255.224
!
interface Ethernet0/1
speed 1000
duplex full
nameif inside
security-level 100
ip address 10.10.11.250 255.255.255.0
!
interface Ethernet0/2
nameif mpls
security-level 100
ip address 10.10.1.1255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
security-level 100
no ip address
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name none.com
same-security-traffic permit inter-interface
access-list 100 extended permit tcp any host 38.1.1.2eq www
access-list 100 extended permit tcp any host 38.1.1.2eq https
access-list 100 extended permit tcp any host 38.1.1.2eq 3389
access-list 100 extended permit tcp any host 38.1.1.2range 3230 3235
access-list 100 extended permit tcp any host 38.1.1.2eq h323
access-list 100 extended permit udp any host 38.1.1.2range 3230 3253
access-list vpn extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn extended permit ip 10.10.11.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list remote-homeNONAT extended permit ip 10.10.11.0 255.255.255.0 10.10.10.0 255.255.255.
0
access-list remote-homeNONAT extended permit ip 10.10.12.0 255.255.255.0 10.10.10.0 255.255.255.
0
access-list remote-homeNONAT extended permit ip 10.10.13.0 255.255.255.0 10.10.10.0 255.255.255.
0
access-list remote-homeNONAT extended permit ip 10.10.14.0 255.255.255.0 10.10.10.0 255.255.255.
0
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list remote-home extended permit ip 10.10.11.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list remote-home extended permit ip 10.10.12.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list remote-home  extended permit ip 10.10.13.0 255.255.255.0 10.10.10.0 255.255.255.0
access-listremote-home  extended permit ip 10.10.14.0 255.255.255.0 10.10.10.0 255.255.255.0
no pager
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu mpls 1500
ip local pool Remote-Pool 192.168.10.1-192.168.10.25 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list remote-homeNONAT
nat (inside) 1 10.10.11.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.12.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.13.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.14.0 255.255.255.0 tcp 50 20
static (inside,outside) 38.1.1.2 10.10.1.15 netmask 255.255.255.255
static (inside,outside) 10.10.11.154 38.1.1.3netmask 255.255.255.255
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 38.1.1.0 1
route mpls 10.10.1.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.2.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.3.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.4.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.5.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.6.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.7.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.8.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.9.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.10.0 255.255.255.0 10.10.21.1 1
route inside 10.10.12.0 255.255.255.0 10.10.12.1 1
route inside 10.10.13.0 255.255.255.0 10.10.13.1 1
route inside 10.10.14.0 255.255.255.0 10.10.14.1 1
route mpls 10.10.20.0 255.255.255.0 10.10.21.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.11.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set NJ_Tunnel esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime secon
ds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilob
ytes 4608000
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 64.1.1.1
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map maptohome 10 match address remote-home
crypto map maptohome 10 set transform-set remote_home
crypto map maptohome 10 set security-association lifetime seconds 28800
crypto map maptohome 10 set security-association lifetime kilobytes 4608000
crypto map maptohome interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 11
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.10.10.0 255.255.255.0 inside
telnet 10.10.11.0 255.255.255.0 inside
telnet 10.10.12.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password id6XqXzHqVdjWpuR encrypted privilege 15
tunnel-group Supp0Rt type remote-access
tunnel-group Supp0Rt general-attributes
address-pool Remote-Pool
tunnel-group Supp0Rt ipsec-attributes
pre-shared-key *
tunnel-group 64.1.1.1 type ipsec-l2l
tunnel-group 64.1.1.1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context

 

: end

Guest
 

Re:VPN on ASA5510

Postby Guest » Fri Dec 31, 2010 11:52 am

Hi Gurpreet,

 

Yes, following vpn configuration will work:

 

crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 64.1.1.1

 

tunnel-group 64.1.1.1 type ipsec-l2l
tunnel-group 64.1.1.1 ipsec-attributes
pre-shared-key *

 

--Now in the above config, we are missing the access-list defining the interesting traffic, for this you need to identify the interesting traffic (probably) by checking the remote vpn end point configuration, and apply this here. We also need to apply the crypto map to the interface. So the complete vpn config should look like this:

 

 

crypto map outside_map 20 match address <crypto-access-list>

crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 64.1.1.1

 

tunnel-group 64.1.1.1 type ipsec-l2l

tunnel-group 64.1.1.1 ipsec-attributes

pre-shared-key  <passwored same as on remote side>

 

crypto map outside_map interface outside

 

Cheers,

Rudresh V

Guest
 

Re:VPN on ASA5510

Postby Guest » Fri Dec 31, 2010 12:15 pm

Thank you very much, Rudres.  Its working now.

Guest
 



  • Advertisement


Similar topics

VPN on ASA5510 from Static to Multiple Dynamic peers.
Forum: Virtual Private Networks
Author: Anonymous
Replies: 0

Using SCP on an ASA5510
Forum: Cisco Security
Author: Anonymous
Replies: 0

MTU path issue when VPNed in to ASA5510 8.0(4)
Forum: Virtual Private Networks
Author: Anonymous
Replies: 0

ASA5510 firmware upgrade for Active/Standby set up
Forum: Cisco Security
Author: Anonymous
Replies: 4

configration of ASA5510
Forum: Cisco Security
Author: Anonymous
Replies: 5


Return to Virtual Private Networks

Who is online

Users browsing this forum: No registered users and 5 guests