Cisco ASA Overlapping Networks – VPN

Previously we talked about Cisco ASA Overlapping Networks and demonstrated telnet from one company to another when both share the same subnet. It could have been any traffic, but we showed telnet and came to the conclusion that it should be protected with a VPN. So, let’s modify our configurations according to the requirement that all traffic between the overlapping networks must be protected by means of a VPN.

The topology is the same:

There is only one important thing to remember in this scenario: we must use the NATed (translated) networks when writing the crypto ACLs, because the ASA translates the packet first and only then matches it against the crypto map. So on ASA1 the crypto ACL should look like:

access-list CRYPTOA1A2 extended permit ip 20.0.1.0 255.255.255.0 20.0.2.0 255.255.255.0

And on ASA2:

access-list CRYPTOA2A1 extended permit ip 20.0.2.0 255.255.255.0 20.0.1.0 255.255.255.0

REMEMBER: Always use NATed networks!!!
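The following is an added example, not part of the original post, that models the order of operations the rule above relies on: the ASA applies the static translation first and then checks the translated packet against the crypto ACL. It parses the post's own `static` and `access-list` lines, and the host address 10.0.1.1 for R1 and the CRYPTOBAD entry (a crypto ACL mistakenly written with the real, pre-NAT inside network) are constructed for the demonstration.

```python
import ipaddress

# Lines copied from the post's ASA1 config.
STATIC_LINE = "static (inside,outside) 20.0.1.0 10.0.1.0 netmask 255.255.255.0"
GOOD_ACL = "access-list CRYPTOA1A2 extended permit ip 20.0.1.0 255.255.255.0 20.0.2.0 255.255.255.0"
# Constructed mistake: crypto ACL written with the real (pre-NAT) inside network.
BAD_ACL = "access-list CRYPTOBAD extended permit ip 10.0.1.0 255.255.255.0 20.0.2.0 255.255.255.0"


def parse_static(line):
    """'static (in,out) MAPPED REAL netmask M' -> (mapped_net, real_net)."""
    f = line.split()
    mask = f[f.index("netmask") + 1]
    return (ipaddress.ip_network(f"{f[2]}/{mask}"), ipaddress.ip_network(f"{f[3]}/{mask}"))


def parse_crypto_acl(line):
    """'access-list NAME extended permit ip SRC SMASK DST DMASK' -> (src_net, dst_net)."""
    f = line.split()
    i = f.index("ip")
    return (ipaddress.ip_network(f"{f[i + 1]}/{f[i + 2]}"),
            ipaddress.ip_network(f"{f[i + 3]}/{f[i + 4]}"))


def static_translate(real_ip, statics):
    """Apply the first matching static: keep the host bits, swap the network bits."""
    real_ip = ipaddress.ip_address(real_ip)
    for mapped_net, real_net in statics:
        if real_ip in real_net:
            offset = int(real_ip) - int(real_net.network_address)
            return ipaddress.ip_address(int(mapped_net.network_address) + offset)
    return real_ip  # no static for this host: it leaves untranslated


def outbound_verdict(real_src, dst, statics, crypto_acl):
    """Model the ASA outbound order: NAT first, then crypto-map match on the translated packet."""
    src = static_translate(real_src, statics)
    acl_src, acl_dst = crypto_acl
    matched = src in acl_src and ipaddress.ip_address(dst) in acl_dst
    return {"translated_src": str(src), "encrypted": matched}


def acl_references_real_net(crypto_acl, statics):
    """Audit check: a crypto ACL source overlapping a static's REAL network is the classic mistake."""
    acl_src, _ = crypto_acl
    return any(acl_src.overlaps(real_net) for _, real_net in statics)


if __name__ == "__main__":
    statics = [parse_static(STATIC_LINE)]
    for acl in (GOOD_ACL, BAD_ACL):
        print(acl.split()[1], outbound_verdict("10.0.1.1", "20.0.2.1", statics, parse_crypto_acl(acl)))
```

A crypto ACL that fails the `encrypted` check here is exactly the failure mode the post warns about: the translated packet never matches the crypto map, so it is either dropped or sent without IPsec protection.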

Let’s verify…

ASA1#
ASA1# show vpn-ses l2l
INFO: There are presently no active sessions

ASA1#

R1#
R1#ping 20.0.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.2.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/36/60 ms
R1#

ASA1#
ASA1# show vpn-ses l2l

Session Type: LAN-to-LAN

Connection : 4.2.2.2
Index : 8 IP Addr : 20.0.2.0
Protocol : IKE IPsec
Encryption : AES256 Hashing : SHA1
Bytes Tx : 400 Bytes Rx : 400
Login Time : 00:33:18 UTC Tue Nov 30 1999
Duration : 0h:00m:21s
ASA1#

ASA1#
ASA1# show cry ipsec sa | i encap|decap
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
ASA1#

R1#
R1#ping 20.0.2.1 rep 6

Type escape sequence to abort.
Sending 6, 100-byte ICMP Echos to 20.0.2.1, timeout is 2 seconds:
!!!!!!
Success rate is 100 percent (6/6), round-trip min/avg/max = 20/34/76 ms
R1#

ASA1#
ASA1# show cry ipsec sa | i encap|decap
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
ASA1#

ASA2#
ASA2# show cry ipsec sa | i encap|decap
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
ASA2#

So, we are good!

There is one tiny thing I should investigate a little deeper. There is no usual “NAT exemption” on the ASAs in this case, and even with it configured on the ASAs everything behaves exactly the same. I will dig into this later.

Finally, configs:

ASA1
!
hostname ASA1
domain-name popravak.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 4.2.2.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.1.11 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot config disk0:/.private/startup-config
ftp mode passive
dns server-group DefaultDNS
domain-name popravak.com
access-list O_I extended permit tcp 20.0.2.0 255.255.255.0 20.0.1.0 255.255.255.0 eq telnet
access-list O_I extended permit icmp 20.0.2.0 255.255.255.0 20.0.1.0 255.255.255.0
access-list CRYPTOA1A2 extended permit ip 20.0.1.0 255.255.255.0 20.0.2.0 255.255.255.0
pager lines 24
no logging message 402128
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 4.2.2.11-4.2.2.20
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 20.0.1.0 10.0.1.0 netmask 255.255.255.0
access-group O_I in interface outside
route outside 0.0.0.0 0.0.0.0 4.2.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TS1 esp-aes-256 esp-sha-hmac
crypto map E0-0 100 match address CRYPTOA1A2
crypto map E0-0 100 set peer 4.2.2.2
crypto map E0-0 100 set transform-set TS1
crypto map E0-0 interface outside
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
tunnel-group 4.2.2.2 type ipsec-l2l
tunnel-group 4.2.2.2 ipsec-attributes
pre-shared-key spop123
prompt hostname context
end

ASA2
!
hostname ASA2
domain-name vidovic.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 4.2.2.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.1.11 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot config disk0:/.private/startup-config
ftp mode passive
dns server-group DefaultDNS
domain-name vidovic.com
access-list O_I extended permit tcp 20.0.1.0 255.255.255.0 20.0.2.0 255.255.255.0 eq telnet
access-list O_I extended permit icmp 20.0.1.0 255.255.255.0 20.0.2.0 255.255.255.0
access-list CRYPTOA2A1 extended permit ip 20.0.2.0 255.255.255.0 20.0.1.0 255.255.255.0
pager lines 24
no logging message 402128
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 4.2.2.21-4.2.2.30 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 20.0.2.0 10.0.1.0 netmask 255.255.255.0
access-group O_I in interface outside
route outside 0.0.0.0 0.0.0.0 4.2.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TS1 esp-aes-256 esp-sha-hmac
crypto map E0-0 100 match address CRYPTOA2A1
crypto map E0-0 100 set peer 4.2.2.1
crypto map E0-0 100 set transform-set TS1
crypto map E0-0 interface outside
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
tunnel-group 4.2.2.1 type ipsec-l2l
tunnel-group 4.2.2.1 ipsec-attributes
pre-shared-key spop123
prompt hostname context
end

Thanks for reading!
