Cisco ASA Spoke-to-Spoke IPSec VPN – Strike One

Well, I recently swept through my notes and came across a document I thought I might share with you. It is about a spoke-to-spoke IPSec VPN implementation with Cisco ASA devices. One of them is, of course, the hub, which is our HQ or data center; the others are remote locations, either ours or a partner's. Before I go any further it is worth noting that the spokes could be IOS routers as well, but in this scenario they are all ASAs.

First, the topology:

This is (almost) the simplest topology for what we want to achieve. ASA1 is our HQ hub, ASA2 and ASA3 are spokes, and all three share the 192.168.1.0/24 "outside" segment (ASA1 at .254, ASA2 at .252, ASA3 at .253). Behind each ASA sits one router (RHQ on 10.0.0.0/24, R1 on 10.0.1.0/24, R2 on 10.0.2.0/24) standing in for a PC, server or any other device that needs to communicate. I'm using routers because I don't like VPCS in GNS3 topologies; routers do just fine.

While we are talking about routers, let's see the configuration snippets:

RHQ

!
hostname RHQ
!
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 10.0.0.254
!

R1

!
hostname R1
!
interface FastEthernet0/0
ip address 10.0.1.1 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 10.0.1.254
!

R2

!
hostname R2
!
interface FastEthernet0/0
ip address 10.0.2.1 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 10.0.2.254
!

So, nothing special here: one LAN interface and a default route pointing at the local ASA. We are not interested in them anyway… But the ASAs… That's another story!

Let’s take a look at the ASA2 and ASA3 configs first:

ASA2
!
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.1.252 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.1.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot config disk0:/.private/startup-config
ftp mode passive
!
access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list CRYPTOAB extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list CRYPTOAB extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
!

pager lines 24
no logging message 402128
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
crypto ipsec transform-set TS1 esp-aes-256 esp-sha-hmac
!
crypto map MAP 1000 match address CRYPTOAB
crypto map MAP 1000 set peer 192.168.1.254
crypto map MAP 1000 set transform-set TS1
crypto map MAP interface outside
!
crypto isakmp enable outside
!
crypto isakmp policy 1000
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!

no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
!
tunnel-group 192.168.1.254 type ipsec-l2l
tunnel-group 192.168.1.254 ipsec-attributes
pre-shared-key spop123
!

prompt hostname context
end

ASA3
!
hostname ASA3
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.1.253 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.2.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot config disk0:/.private/startup-config
ftp mode passive
!
access-list NONAT extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list NONAT extended permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list CRYPTOAB extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list CRYPTOAB extended permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
!

pager lines 24
no logging message 402128
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
crypto ipsec transform-set TS1 esp-aes-256 esp-sha-hmac
!
crypto map MAP 1000 match address CRYPTOAB
crypto map MAP 1000 set peer 192.168.1.254
crypto map MAP 1000 set transform-set TS1
crypto map MAP interface outside
!
crypto isakmp enable outside
!
crypto isakmp policy 1000
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!

no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
!
tunnel-group 192.168.1.254 type ipsec-l2l
tunnel-group 192.168.1.254 ipsec-attributes
pre-shared-key spop123
!

prompt hostname context
end

Lots of defaults here. The lines that matter are the VPN-related ones: the NONAT and CRYPTOAB access-lists, the transform set, the crypto map, the ISAKMP policy and the tunnel-group with its pre-shared key.

Several things are worth noting. First, the only tunnels are ASA2 to ASA1 and ASA3 to ASA1; you can see that from the "tunnel-group" configurations on the spoke ASAs, which reference only the hub's address 192.168.1.254. There is no ASA2 to ASA3 tunnel; spoke-to-spoke traffic is carried through the hub. Second, let's take a look at the ASA2 proxy (crypto) ACL:

access-list CRYPTOAB extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list CRYPTOAB extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0

The first of the two ACEs says: "Please, ASA dear, encrypt all traffic from our local (spoke) LAN 10.0.1.0/24 to the remote (spoke) LAN 10.0.2.0/24". This covers spoke-to-spoke traffic. The second line applies the same rule to spoke-to-hub traffic. Everything else from 10.0.1.0/24 falls through the crypto map and leaves the outside interface in the clear.

Of course, we need to exempt exactly these traffic patterns from NAT. The crypto ACL is evaluated after NAT, so without the exemption the spoke would PAT the packets to its outside address (that is what "nat (inside) 1 0.0.0.0 0.0.0.0" with "global (outside) 1 interface" does) and they would never match the crypto ACL. This is the pre-8.3 NAT syntax; on ASA 8.3 and later the same exemption is written as a static identity twice-NAT rule instead, but the principle is identical:

access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0

On the ASA3 we have the opposite situation:

access-list NONAT extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list NONAT extended permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
!
access-list CRYPTOAB extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list CRYPTOAB extended permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0

The remaining VPN lines (transform set, crypto map bound to the outside interface, ISAKMP policy, tunnel-group with its pre-shared key) are, I believe, self-explanatory. Now the hub ASA, ASA1:

ASA1
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.0.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot config disk0:/.private/startup-config
ftp mode passive
!
same-security-traffic permit intra-interface
!

!
access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list NONAT extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
!
access-list CRYPTOAB extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list CRYPTOAB extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list CRYPTOBA extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list CRYPTOBA extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
!

pager lines 24
no logging message 402128
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 10.0.1.0 255.255.255.0 192.168.1.252 1
route outside 10.0.2.0 255.255.255.0 192.168.1.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
crypto ipsec transform-set TS1 esp-aes-256 esp-sha-hmac
!
crypto map MAP 1000 match address CRYPTOBA
crypto map MAP 1000 set peer 192.168.1.252
crypto map MAP 1000 set transform-set TS1
!
crypto map MAP 2000 match address CRYPTOAB
crypto map MAP 2000 set peer 192.168.1.253
crypto map MAP 2000 set transform-set TS1
crypto map MAP interface outside
!
crypto isakmp enable outside
!
crypto isakmp policy 1000
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!

no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
!
tunnel-group BranchA type ipsec-l2l
tunnel-group 192.168.1.252 type ipsec-l2l
tunnel-group 192.168.1.252 ipsec-attributes
pre-shared-key spop123
!
tunnel-group 192.168.1.253 type ipsec-l2l
tunnel-group 192.168.1.253 ipsec-attributes
pre-shared-key spop123
!

prompt hostname context
end

What do we need to know about this configuration? It has two IPSec tunnels, one per spoke (crypto map entries 1000 and 2000, each with its own tunnel-group keyed on the spoke's outside address; the stray "tunnel-group BranchA type ipsec-l2l" line is a leftover and is never matched, because with IKEv1 pre-shared keys an L2L tunnel-group is selected by peer IP). It also has two proxy ACLs, one for each spoke:

1. access-list CRYPTOAB extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
2. access-list CRYPTOAB extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
!
3. access-list CRYPTOBA extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
4. access-list CRYPTOBA extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0

The first line says: encrypt all traffic from BranchA (10.0.1.0/24, behind ASA2) to BranchB (10.0.2.0/24, behind ASA3). The second line says: encrypt all traffic from HQ to BranchB. CRYPTOAB is bound to the ASA3 peer (map entry 2000), and these two lines mirror the crypto ACEs on ASA3 exactly. The 3rd and 4th lines do the same with BranchA and BranchB swapped, and CRYPTOBA is bound to the ASA2 peer (map entry 1000). The mirroring is not cosmetic: when the hub decrypts a packet from a spoke, it checks the packet against that peer's crypto ACL in reverse, and a proxy ACL that is not an exact mirror of the spoke's is the most common reason an L2L tunnel does not come up.

Here we have NAT exemption as well:

1. access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
2. access-list NONAT extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
3. access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
4. access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0

We don't NAT traffic going from HQ to the spokes (lines 3 and 4), and we don't NAT traffic going from BranchA to BranchB (line 1) or vice versa (line 2).

Now, the most important line on the hub is this one:

!
same-security-traffic permit intra-interface
!

Basically this says: allow traffic that comes in on the outside interface to go back out of the same interface. By default the ASA drops such hairpinned traffic, and spoke-to-spoke traffic is exactly that: the hub decrypts a packet from ASA2 on outside and has to re-encrypt it to ASA3 out of that same outside interface. No this command, no spoke-to-spoke traffic! One caveat a practitioner should keep in mind: with the default "sysopt connection permit-vpn", decrypted VPN traffic bypasses the outside interface ACL, so once the hub hairpins, nothing in the interface ACL limits what one spoke can reach on the other. If spoke-to-spoke access needs to be restricted, apply a vpn-filter through the tunnel-group's group-policy (or disable that sysopt and filter on the interface). Also, this is a lab: the ISAKMP policy uses DH group 2 (1024-bit) with SHA-1, the same pre-shared key "spop123" serves both spokes, and the crypto map sets no PFS. In production use a distinct, strong key (or certificates) per peer and the strongest DH group and hash your ASA release supports.
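To make the proxy-ACL mirroring and the hairpin requirement concrete, here is an added example (my own code, not part of the original post) that parses the access-list lines copied from the three configs above and walks one packet hop by hop: outbound it looks for a matching crypto map entry, inbound it checks the decrypted packet against the peer's crypto ACL in reverse, and on the hub it refuses to forward outside-to-outside unless intra-interface traffic is permitted. The peer bindings, inside networks and the hub's intra-interface flag are transcribed by hand from the crypto map and interface sections; the NAT check is only applied on the first hop because the page's NAT rules are bound to the inside interface.

```python
"""Walk a packet through the crypto ACLs of the three ASAs on this page.
Added example, not from the original post. The access-list lines are copied from
the page's configs; peer bindings, inside networks and the hub's intra-interface
setting are transcribed by hand from the crypto map and interface sections."""
import ipaddress
import re

ACE_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")

ASA2_CFG = """
access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list CRYPTOAB extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list CRYPTOAB extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
"""
ASA3_CFG = """
access-list NONAT extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list NONAT extended permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list CRYPTOAB extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list CRYPTOAB extended permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
"""
ASA1_CFG = """
access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list NONAT extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list CRYPTOAB extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list CRYPTOAB extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list CRYPTOBA extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list CRYPTOBA extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
"""

def parse_acls(config):
    """{acl_name: [(src_net, dst_net), ...]}; ipaddress accepts the ASA's dotted masks."""
    acls = {}
    for name, src, smask, dst, dmask in ACE_RE.findall(config):
        acls.setdefault(name, []).append(
            (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
    return acls

def matches(aces, src, dst):
    return any(src in s and dst in d for s, d in aces)

class Asa:
    def __init__(self, name, outside, inside, config, crypto_map, intra_interface=False):
        self.name, self.outside = name, outside
        self.inside = ipaddress.ip_network(inside)
        self.acls = parse_acls(config)
        self.crypto_map = crypto_map            # [(peer_ip, crypto_acl)] in sequence-number order
        self.intra_interface = intra_interface  # 'same-security-traffic permit intra-interface'

    def encrypt_to(self, src, dst):
        """Outbound: peer of the first crypto map entry whose ACL matches, else None."""
        return next((peer for peer, acl in self.crypto_map if matches(self.acls[acl], src, dst)), None)

    def accepts_from(self, peer, src, dst):
        """Inbound: a decrypted packet must match that peer's crypto ACL in reverse
        (the proxy-identity check); a non-mirrored ACL is the classic L2L failure."""
        return any(matches(self.acls[acl], dst, src) for p, acl in self.crypto_map if p == peer)

ASA2 = Asa("ASA2", "192.168.1.252", "10.0.1.0/24", ASA2_CFG, [("192.168.1.254", "CRYPTOAB")])
ASA3 = Asa("ASA3", "192.168.1.253", "10.0.2.0/24", ASA3_CFG, [("192.168.1.254", "CRYPTOAB")])
ASA1 = Asa("ASA1", "192.168.1.254", "10.0.0.0/24", ASA1_CFG,
           [("192.168.1.252", "CRYPTOBA"), ("192.168.1.253", "CRYPTOAB")], intra_interface=True)
BY_OUTSIDE = {a.outside: a for a in (ASA1, ASA2, ASA3)}

def trace(first, src, dst, devices=BY_OUTSIDE, max_hops=4):
    """Follow one packet from the ASA that first sees it on its inside interface.
    Returns one line per hop; the last starts with 'delivered' or 'failed'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hops, dev, arrived_from = [], first, None
    for _ in range(max_hops):
        if arrived_from and not dev.accepts_from(arrived_from, src, dst):
            hops.append(f"failed at {dev.name}: no mirrored crypto ACE for {src}->{dst} from {arrived_from}")
            return hops
        if dst in dev.inside:
            hops.append(f"delivered by {dev.name} to {dst}")
            return hops
        # The page's NAT rules are bound to 'inside', so only the first hop is subject to
        # them; a flow missing from NONAT is PATed to the outside address and never matches.
        if arrived_from is None and not matches(dev.acls["NONAT"], src, dst):
            hops.append(f"failed at {dev.name}: {src}->{dst} is not NAT-exempt, would be PATed and sent in the clear")
            return hops
        peer = dev.encrypt_to(src, dst)
        if peer is None:
            hops.append(f"failed at {dev.name}: no crypto ACE matches {src}->{dst}")
            return hops
        if arrived_from and not dev.intra_interface:
            hops.append(f"failed at {dev.name}: outside-to-outside hairpin needs "
                        "'same-security-traffic permit intra-interface'")
            return hops
        hops.append(f"{dev.name} encrypts to {peer}" + (" (hairpin)" if arrived_from else ""))
        arrived_from, dev = dev.outside, devices[peer]
    hops.append("failed: hop limit exceeded")
    return hops
```

Running trace(ASA2, "10.0.1.1", "10.0.2.1") yields the three hops of the happy path (ASA2 encrypts to the hub, the hub hairpins to ASA3, ASA3 delivers). Rebuilding ASA1 without intra_interface=True, or with the 10.0.2.0 to 10.0.1.0 line removed from CRYPTOBA, makes the same trace fail at the hub with the corresponding reason, which is exactly the pair of mistakes this article is warning about.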

Ok, I think this is it! In the next article (which I hope to write tomorrow) I will do some tests and debugs. Until then…

This entry was posted in ASA, Cisco, VPN.

3 Responses to Cisco ASA Spoke-to-Spoke IPSec VPN – Strike One

  1. Pingback: Cisco ASA Spoke-to-Spoke IPSec VPN – Strike Two | popravak

  2. andrey says:

    it works
