http://packetlife.net/blog/2011/jul/11/lan-lan-vpn-asa-5505/
Initial Configurations
F1:
4/16/2015 10:59 AM
interface Vlan1
nameif outside
security-level 0
ip address 172.16.1.2 255.255.255.252
!
interface Vlan2
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
F2:
interface Vlan1
nameif outside
security-level 0
ip address 172.16.2.2 255.255.255.252
!
interface Vlan2
nameif inside
security-level 100
ip address 10.0.2.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 172.16.2.1 1
Next comes the ISAKMP (IKE phase 1) policy, whose proposal must match on both firewalls, followed by enabling ISAKMP on the outside interface:
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
exit
crypto isakmp enable outside
The tunnel group configuration on F2 is identical except that its name changes to 172.16.1.2 (F1's outside
interface):
Then we set the VPN peer and IPsec transform set to use:
All that's left now is to apply the crypto map to the outside interface on each firewall:
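As an added example, not the listings from the original post, here is the complete phase 2 side of F1 in ASA 8.2 syntax, with F2's differences as comments at the end. The names L2L_VPN, ESP-AES256-SHA and L2L_MAP and the pre-shared key placeholder are assumptions; the PFS and SA lifetime lines go beyond the original post and, like the key, must be set identically on both peers.

```cisco
! --- F1 ---
! Interesting traffic: local LAN 10.0.1.0/24 to remote LAN 10.0.2.0/24 (this is the crypto ACL)
access-list L2L_VPN extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
!
! Tunnel group is named after the peer's outside address; the key below is an assumed placeholder
tunnel-group 172.16.2.2 type ipsec-l2l
tunnel-group 172.16.2.2 ipsec-attributes
 pre-shared-key ReplaceWithALongRandomSecret
!
! Phase 2 (IPsec) proposal and the crypto map entry that ties ACL, peer and proposal together
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map L2L_MAP 10 match address L2L_VPN
crypto map L2L_MAP 10 set peer 172.16.2.2
crypto map L2L_MAP 10 set transform-set ESP-AES256-SHA
! Optional hardening not in the original post: fresh DH exchange per phase 2 SA and a 1 h SA lifetime
crypto map L2L_MAP 10 set pfs group5
crypto map L2L_MAP 10 set security-association lifetime seconds 3600
!
! Bind the crypto map to the outside interface (ISAKMP must already be enabled there)
crypto map L2L_MAP interface outside
!
! Caveat: "sysopt connection permit-vpn" is on by default, so decrypted tunnel traffic bypasses
! the outside interface ACL. Use "no sysopt connection permit-vpn" if interface ACLs should apply.
!
! --- F2 --- only the lines that differ; everything else is identical to F1:
! access-list L2L_VPN extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
! tunnel-group 172.16.1.2 type ipsec-l2l
! tunnel-group 172.16.1.2 ipsec-attributes
!  pre-shared-key ReplaceWithALongRandomSecret
! crypto map L2L_MAP 10 set peer 172.16.1.2
```

On ASA 8.4 and later the same configuration uses the `ikev1` keyword (`crypto ikev1 policy`, `crypto ipsec ikev1 transform-set`, `ikev1 pre-shared-key`); the structure is otherwise the same.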
4/16/2015 10:59 AM
5 of 15
http://packetlife.net/blog/2011/jul/11/lan-lan-vpn-asa-5505/
Testing
Our LAN-to-LAN VPN won't actually establish until one of the firewalls detects traffic matching our crypto
map's access list (10.0.1.0/24 to 10.0.2.0/24 or vice versa). To initiate the VPN, we can ping from one LAN
host to another:
Notice that the far-end LAN client appears to be directly connected to the local client, because the hops between F1 and F2 are hidden inside the tunnel:
We can see information about the ISAKMP and IPsec SAs between F1 and F2 with the commands show isakmp sa and show ipsec sa:
Role : initiator
State : MM_ACTIVE
If your ISAKMP SA never progresses past one of the MM_WAIT_MSGn states, you most likely have a connectivity issue between the two VPN endpoints (for example, UDP 500 blocked somewhere on the path). See more troubleshooting tips here (http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml).
The VPN traffic generated by the ping above looks like this (http://media.packetlife.net/media/blog/attachments/615/L2L_VPN.cap). The first ICMP request across the VPN triggers the building of the VPN and is discarded while IKE negotiates the SAs. The remaining four ICMP requests and responses are encrypted in the eight ESP packets at the end of the capture.
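An added set of verification commands, not from the original post, that checks each layer once the crypto map is applied. The host addresses 10.0.1.10 and 10.0.2.10 are assumed LAN clients.

```cisco
! 1. Generate interesting traffic. From the ASA itself, name the source interface so the packet is
!    sourced from 10.0.1.1 and matches the crypto ACL; without it the ping leaves via the outside
!    interface and never triggers the tunnel.
ping inside 10.0.2.10
!
! 2. Phase 1: expect MM_ACTIVE. Stuck at MM_WAIT_MSG2 means no reply from the peer (reachability,
!    UDP 500 filtered, or ISAKMP not enabled on the peer's outside interface); stuck at
!    MM_WAIT_MSG6 on the initiator is most often a pre-shared key mismatch.
show isakmp sa
!
! 3. Phase 2: the #pkts encaps / #pkts decaps counters should both rise with each ping.
!    Encaps rising with decaps at zero means the far side is dropping or not encrypting replies.
show ipsec sa
!
! 4. Walk a constructed ICMP echo (type 8, code 0) through the firewall without sending it:
!    the output shows the route lookup, whether NAT exemption matched, and a VPN phase that
!    names the crypto map entry; a DROP before the VPN phase points at routing or NAT.
packet-tracer input inside icmp 10.0.1.10 8 0 10.0.2.10
!
! 5. Session view with login time and duration, i.e. how long the tunnel has been up.
show vpn-sessiondb l2l
```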
Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email (/contact/) or follow him on Twitter (http://twitter.com/packetlife).
Comments
Deksta (guest)
July 11, 2011 at 4:05 a.m. UTC
Hello,
I have 2 questions for you :
1/ Do you know any possibility to monitor your VPN? Like SNMP trapping or anything else to check remotely if it's alive?
2/ Do you know a way to check how long the VPN has been up?
emilio1973 (/users/emilio1973/)
July 11, 2011 at 8:28 a.m. UTC
MattG (guest)
July 11, 2011 at 10:10 a.m. UTC
It's probably worth mentioning that these types of connections are typically done through the ASDM as it reduces the risk of entering a typo.
Also, anyone who attempts this in a live environment should check that traffic directed at the peer isn't caught by a route that points the traffic at the internal interface of the ASA. I've seen this a few times and it's easily missed.
Nice article, an example with NAT would be interesting as well.
Dinger (guest)
July 11, 2011 at 1:10 p.m. UTC
Note that in order to bring the VPN up, you must ping from a CLIENT from behind the ASA; by default, just pinging from the ASA itself won't do it (unless you specify the source interface; otherwise it routes externally).
RossC (guest)
July 11, 2011 at 2:56 p.m. UTC
I hate the way the ASDM creates site-to-site VPNs. I think it's messy and confusing, and I much prefer to create them via a template in Notepad or similar and use the CLI.
Another thing to consider, which also catches some people out, is to make sure that if there are global NAT rules in place for certain ranges that need access to the internet, you create a NAT exempt rule for the interesting traffic.
Gabriel (guest)
July 11, 2011 at 7:52 p.m. UTC
s/pre-shred/pre-shared
Very nice. Just a few days ago I posted a video tutorial on how to do this using a GRE tunnel between two routers connected to the internet. Glad to see that the basic steps are the same using an ASA or a router.
eoghancullen (/users/eoghancullen/)
July 11, 2011 at 10:02 p.m. UTC
Also note that the ASAs may be performing NAT between inside and outside. Because NAT will be performed before checking the crypto ACL, the traffic won't actually match the crypto ACL and won't be sent across the VPN. In this situation, you'll generally configure NAT exemption (i.e. don't NAT 'this traffic').
EDIT: From the documentation at the start of the article: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_bypassing.html#wp1080803
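As an added example, not from the original post or the comments, this is the NAT exemption that RossC and eoghancullen describe, written for F1 in both the ASA 8.2 syntax and the 8.3+ syntax. The ACL name NONAT and the object names F1_LAN and F2_LAN are assumptions; F2 uses the mirror image (10.0.2.0/24 as source, 10.0.1.0/24 as destination).

```cisco
! --- ASA 8.2 and earlier: NAT exemption via identity NAT (nat 0 with an access-list) ---
! This rule is evaluated before any "nat (inside) 1" / "global (outside) 1" PAT rule regardless
! of its position in the config, so VPN-bound traffic keeps its real 10.0.1.x source address
! and still matches the crypto ACL.
access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! --- ASA 8.3 and later: manual (twice) NAT with identity mappings ---
object network F1_LAN
 subnet 10.0.1.0 255.255.255.0
object network F2_LAN
 subnet 10.0.2.0 255.255.255.0
! Position 1 puts the rule at the top of section 1, ahead of any dynamic PAT rule.
! Mapping each object to itself is what makes this an exemption rather than a translation;
! no-proxy-arp stops the ASA answering ARP for the remote LAN on the inside interface.
nat (inside,outside) 1 source static F1_LAN F1_LAN destination static F2_LAN F2_LAN no-proxy-arp
```

Order matters on both versions: if a PAT rule is matched first, the packet reaches the crypto map with a translated source address, fails the crypto ACL, and is sent in the clear to the default gateway instead of into the tunnel.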
Smail (guest)
July 12, 2011 at 7:00 a.m. UTC
IanJf (guest)
July 12, 2011 at 11:34 a.m. UTC
Isn't it recommended to run DH Group 5 when using AES 256-bit encryption, as group 2 and lower can sometimes run into problems with the sizes of AES 256...
eoghancullen (/users/eoghancullen/)
July 12, 2011 at 6:43 p.m. UTC
@IanJf
I had read that as well, alright. A quick Google search hasn't returned any recommendations though, and I'm too lazy right now to check my books. :)
abester1 (/users/abester1/)
July 12, 2011 at 7:34 p.m. UTC
Might be worth noting that the PFS (Perfect Forward Secrecy) option can be enabled in the crypto map, along with various idle and session timer length parameters, which are configurable in both the crypto map section and the isakmp policy section.
Additionally, when running debug, it would be very helpful to point out that Phase 1 of the tunnel refers to the ISAKMP policy, while Phase 1.5 is the pre-shared key, and Phase 2 is the IPsec configuration, which is managed by the crypto map statement. That is key information when debugging a failed VPN session and trying to figure out which phase you failed on, so you can examine the configuration more closely...
Jeremy, it's a great post!!! Thanks
Kris (guest)
July 12, 2011 at 9:07 p.m. UTC
nola (/users/nola/)
July 13, 2011 at 5:24 p.m. UTC
jw21 (guest)
July 14, 2011 at 2:35 p.m. UTC
@Kris it is probably better to take L2TPv3 out of the comparison as it is a different service altogether: layer 2 delivery over an L3 cloud.
@nola you are correct when it comes to switches; it is a completely different ideology on ASAs. The VLAN should be well protected with access-lists for permissions.
andremta (/users/andremta/)
July 19, 2011 at 6:18 a.m. UTC
j1 (guest)
July 31, 2011 at 1:17 a.m. UTC
@nola @jw21 VLAN 1 on access ports is only a bad idea if VLAN 1 is the native VLAN on your trunks.
Marius (/users/Marius/)
October 6, 2011 at 8:59 a.m. UTC
A question. If there is a LAN-to-LAN VPN using the pair of ASA 5505s between 2 sites, can you have a subnetwork within one of the sites and connect to the subnetwork from a client?
I am typically thinking of a head office to branch VPN as described in the article. Then there is a project LAN that is (only) connected to the head office LAN via an ASA device. So, in the head office you have to VPN from a client PC to the project network, and at the branch you do the same, provided that the branch is connected via its VPN to the head office.
A guest
October 6, 2011 at 1:42 p.m. UTC
I have one site with multi-site connections through the WAN. I have done similar configurations, but got two problems.
1. From one of the branches I can initiate, but from the main site I can't.
2. The same configuration was done on the 2nd site but I can't initiate from that site. The WAN link is OK.
Please suggest
A guest
October 6, 2011 at 2:11 p.m. UTC
A question. I connect a LAN-to-LAN VPN using the ASA 5510 at the main site and ASA 5505s at the other sites through the WAN. I have done similar configuration on the main site and two other sites. I can ping and initiate from the inside of one of the sites, but I can't ping and initiate from the main site. On the other hand, even though the same configuration is done, I can ping the outside network of the main site, but I can't ping and initiate the inside network of the main site.
Please comment
iono (guest)
October 27, 2011 at 10:18 a.m. UTC
I'm running into some trouble with the ASA 5520. I have two identical units for the purpose of failover; the problem is that if I were to displace the cable for an uplink to the switch, it will not fail over to the second ASA. However, if I were to power down the ASA completely, it will switch over to the secondary ASA. Any help on this would be greatly appreciated.
iaps (guest)
January 20, 2012 at 2:30 p.m. UTC
av8rgeek (guest)
January 30, 2012 at 11:27 p.m. UTC
I like the article, but it doesn't really discuss a scenario where NAT translation is needed or wanted. For
example:
Local Networks needing VPN access (on "inside" interface):
192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24
Public IP address (on "outside" interface): 1.1.1.1/24
Public IP address (some vendor firewall): 1.1.1.2/24
Vendor's network on "inside" interface: 10.10.10.0/25
Server A: 10.10.10.10
Server B: 10.10.10.20
In this scenario, I do not want my local workstations to connect to 10.10.10.10. I want them to connect to
some translated IP, like 172.16.0.10. Also, I want the vendor to see my source IP as 172.16.x.x.
Example: Workstation A, 192.168.10.100 wants to Connect to Server A. However, they should not connect
to 10.10.10.10, but 172.16.0.10 instead. When looking at the logs on Server A, the source IP of the
connection should not be 192.168.0.10, but some translated IP.
I know this is easily possible, I'm just muddy on how to do it.
gogi100 (/users/gogi100/)
July 12, 2012 at 8:23 p.m. UTC
I configured a site-to-site VPN between the ASA 5505 (ASA 8.4.2) and the ASA 5510 (ASA 8.4.4). How can I configure it so that the users from one side use the internet and the site-to-site VPN at the same time? The outside interface of the ASA 5505 has address 10.15.100.8; the gateway for this network (10.15.100.0/24) is 10.15.100.1. This address of the ASA is NAT-ed to a public IP address. Before, the LAN (10.15.100.0/24) had many computers and used the internet over the gateway 10.15.100.1, and now all computers must be moved behind the ASA 5505. I configured the site-to-site VPN but the internet doesn't work.
Please help me.
Thanks
PS: is this option split tunneling? How is it configured?
drazenmd (guest)
September 14, 2012 at 11:09 a.m. UTC
Hi,
I have a problem! I am configuring a site-to-site VPN with another company. I have already made a couple of tunnels, but with this one I have a problem. They are already using on their side my local network 192.168.10.0/24 (the server is 192.168.10.10), so we need to use an imaginary network address 172.16.0.5 as the server address. Now I need to NAT 172.16.0.5 to 192.168.10.10, but I am not so good at that.
Can anyone help me? I am using a Cisco ASA 5510 (8.4) and ASDM 6.4
Ryan (guest)
January 25, 2013 at 7:07 a.m. UTC
Hey, can this be done using dynamic IP addresses between the peers? Would be nice if you could put a DynDNS alias as the peer address.
sydflyer (guest)
March 25, 2013 at 4:05 a.m. UTC
Good article! But may anyone tell me, functionality-wise, what would be the difference between this and a normal site-to-site IPsec VPN?
TK (guest)
May 9, 2013 at 4:04 p.m. UTC
Does LAN A and LAN B have to be directly connected to the Inside interfaces on the routers/firewalls
(F1/F2) for this configuration to work? I have the following topology that is not, and it's failing.
(LAN A)-(L3 SW)-(Subnet X)-(F1)-(L3 SW)-(F2)-(Subnet Y)-(L3 SW)-(LAN B)
GMAF (guest)
November 4, 2013 at 4:04 p.m. UTC
Will this configuration work if the two ASAs are directly connected with an ethernet cable? I have completed the above configuration and I am still unable to get any traffic to travel between my ASAs.
cedric (guest)
April 6, 2014 at 12:25 a.m. UTC
Hi all
I struggle with Cisco but this article has really helped. Here's another tip: use a Cisco VPN configuration generator to start your configuration off, and then tweak it from there. Here's a good one I use: http://www.whyaws.com/tools/cisco_gen.htm
Tom
New2ASA (guest)
February 18, 2015 at 10:19 p.m. UTC
the above configuration and I am still unable to get any traffic to travel between my ASAs.
Meatwagon (guest)
March 14, 2015 at 12:41 a.m. UTC
New2ASA - if you follow the diagram/config exactly, you'll need some device (router, L3 switch) to represent the cloud, as the outside interfaces on each ASA are on different subnets and cannot route to each other.