ASA Site to Site VPN (DHCP)

If you don’t already know, a site to site VPN can be a cost-effective way for a remote site to reach HQ resources instead of using a leased line such as an MPLS or Metro-E circuit. A standard internet connection with a static IP is usually cheaper than a dedicated circuit. The next steps are purchasing a firewall for the remote site (assuming you already have one at HQ) and setting up a site to site VPN between the two.

In this guide, I’ll demo a site to site VPN with a pair of ASAs, plus the additional commands needed to relay DHCP across the tunnel so that your HQ DHCP server can hand out addresses instead of you configuring a local DHCP server at the remote site. The table below lists the agreed settings and the networks that are protected. Also note that the “public” IP addresses used in this example are taken from RFC 5737, which reserves them for documentation; they are not publicly routable.

Since this is a VPN connection, both sides must agree on some common settings before traffic is allowed across it. We will be tunneling the entire address range of both sites, and there is no need to NAT anything because it’s all Acme’s network. Reference the table below:

                      Acme Corp.               Acme Branch.
Peer IP Address:      192.0.2.10               203.0.113.10
Phase 1:              AES 256 SHA (Group 2)    AES 256 SHA (Group 2)
Phase 2:              AES 128 SHA              AES 128 SHA
PFS:                  No                       No
Protected Networks:   10.1.1.0/24              10.1.2.0/24
Preshared Key:        cisco                    cisco

Here is the topology below for reference:

[Topology diagram: site-site-vpn-dhcp]

Let’s start building the tunnel on the Acme Corp side first by creating the network objects and object groups:

object network VPN-REMOTE-ACME-BRANCH-NET-1
 subnet 10.1.2.0 255.255.255.0
object network VPN-REMOTE-ACME-BRANCH-NET-2
 subnet 10.1.3.0 255.255.255.0
object network ACME-CORP-NET
 subnet 10.1.1.0 255.255.255.0
object network VPN-REMOTE-ACORP-BRANCH-NET-1
 subnet 10.1.2.0 255.255.255.0
object network VPN-REMOTE-ACORP-BRANCH-NET-2
 subnet 10.1.3.0 255.255.255.0
object-group network VPN-LOCAL-ACMECORP-NET
 network-object object ACME-CORP-NET
object-group network VPN-LOCAL-ACORP
 network-object object ACME-CORP-NET
object-group network VPN-REMOTE-ACORP-BRANCH
 network-object object VPN-REMOTE-ACORP-BRANCH-NET-1
 network-object object VPN-REMOTE-ACORP-BRANCH-NET-2

Next we need to create an access control list to match the traffic we want protected over the tunnel.

access-list ACL-VPN-ACORP-ACORP-BRANCH extended permit ip object-group VPN-LOCAL-ACORP object-group VPN-REMOTE-ACORP-BRANCH

We have to create some NAT exemption rules, as we don’t want to NAT these networks when they cross the VPN. On line one (1) I’m creating a single static NAT entry that matches Acme’s Branch networks going to Acme’s local networks. Line two (2) is the reverse, so that Acme’s local network can reach Acme’s Branch.

Notice: I’m not changing the source or destination address for these NAT rules.

nat (Outside,Inside) source static VPN-REMOTE-ACORP-BRANCH VPN-REMOTE-ACORP-BRANCH destination static VPN-LOCAL-ACORP VPN-LOCAL-ACORP no-proxy-arp
nat (Inside,Outside) source static VPN-LOCAL-ACMECORP-NET VPN-LOCAL-ACMECORP-NET destination static VPN-REMOTE-ACORP-BRANCH VPN-REMOTE-ACORP-BRANCH no-proxy-arp

Create a VPN Group Policy for Acme and Acme’s Branch VPN connection:

group-policy GP-VPN-ACORP-ACORP-BRANCH internal
group-policy GP-VPN-ACORP-ACORP-BRANCH attributes
 vpn-tunnel-protocol ikev1

Create the tunnel:

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP-VPN-ACORP-ACORP-BRANCH
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key cisco
 isakmp keepalive disable

Build the cryptomap:

crypto map CM-ACORP-ACORP-BRANCH 1 match address ACL-VPN-ACORP-ACORP-BRANCH
crypto map CM-ACORP-ACORP-BRANCH 1 set peer 203.0.113.10
crypto map CM-ACORP-ACORP-BRANCH 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map CM-ACORP-ACORP-BRANCH interface Outside

Let’s jump to Acme’s Branch ASA and configure it to get this tunnel up. Let’s create some object-groups.

object network ACME-BRANCH-NET-1
 subnet 10.1.2.0 255.255.255.0
object network ACME-BRANCH-NET-2
 subnet 10.1.3.0 255.255.255.0
object network VPN-REMOTE-ACME
 subnet 10.1.1.0 255.255.255.0
object-group network VPN-LOCAL-ACME-BRANCH
 network-object object ACME-BRANCH-NET-1
 network-object object ACME-BRANCH-NET-2
object-group network VPN-REMOTE-ACORP
 network-object object VPN-REMOTE-ACME

Create the access control list to match the traffic we want protected on Acme’s branch.

access-list ACL-VPN-ACORP-BRANCH-ACORP extended permit ip object-group VPN-LOCAL-ACME-BRANCH object-group VPN-REMOTE-ACORP

Just like before, we have to create some NAT exemption rules. Acme’s Branch has two networks that need to go over the tunnel, so we add both here. Lines one (1) and two (2) cover the first Acme Branch network; lines three (3) and four (4) cover the second. Between them these rules exempt both the inbound and the outbound direction of the VPN traffic from NAT.

nat (Inside,Outside) source static ACME-BRANCH-NET-1 ACME-BRANCH-NET-1 destination static VPN-REMOTE-ACORP VPN-REMOTE-ACORP no-proxy-arp
nat (Outside,Inside) source static VPN-REMOTE-ACORP VPN-REMOTE-ACORP destination static ACME-BRANCH-NET-1 ACME-BRANCH-NET-1 no-proxy-arp
nat (Outside,Inside-2) source static VPN-REMOTE-ACORP VPN-REMOTE-ACORP destination static ACME-BRANCH-NET-2 ACME-BRANCH-NET-2 no-proxy-arp
nat (Inside-2,Outside) source static ACME-BRANCH-NET-2 ACME-BRANCH-NET-2 destination static VPN-REMOTE-ACORP VPN-REMOTE-ACORP no-proxy-arp

Create a VPN Group Policy for Acme’s Branch and Acme Corp VPN connection:

group-policy GP-VPN-ACORP-BRANCH-ACORP internal
group-policy GP-VPN-ACORP-BRANCH-ACORP attributes
 vpn-tunnel-protocol ikev1

Create the tunnel:

tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 general-attributes
 default-group-policy GP-VPN-ACORP-BRANCH-ACORP
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key cisco
 isakmp keepalive disable

Build the cryptomap:

crypto map CM-ACORP-BRANCH-ACORP 1 match address ACL-VPN-ACORP-BRANCH-ACORP
crypto map CM-ACORP-BRANCH-ACORP 1 set peer 192.0.2.10
crypto map CM-ACORP-BRANCH-ACORP 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map CM-ACORP-BRANCH-ACORP interface Outside
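Both crypto maps above reference a transform set named ESP-AES-128-SHA, and the tunnel will not come up unless IKEv1 is enabled on the Outside interface and a Phase 1 policy matching the agreed settings exists. Those lines are not shown in the post, so here is an added example (not from the post or the attached running-configs) of what they look like, built from the Phase 1 and Phase 2 values in the table. The same lines go on both ASAs. The policy priority (10) and the 86400-second lifetime are assumed values, not from the post.

```cisco
! Added example, not from the post: Phase 1 (ISAKMP) policy matching the table,
! AES-256 encryption, SHA-1 hash, DH group 2, pre-shared-key authentication.
! Priority 10 and the 86400-second lifetime are assumed values.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! Phase 2 transform set referenced by both crypto maps: AES-128 with SHA-1 HMAC
! (on the ASA, esp-aes is 128-bit AES). No "set pfs" on the crypto map, so PFS is off,
! matching the "PFS: No" row of the table.
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
! Enable IKEv1 on the interface the crypto maps are applied to
crypto ikev1 enable Outside
```

Phase 1 parameters must match on both peers exactly (encryption, hash, DH group and authentication), and each side’s transform set must offer the same Phase 2 algorithms; a mismatch in either is the most common reason a freshly configured tunnel sits in a failed state.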

We have now configured everything for the tunnel to come up, but we are still missing DHCP. Since I don’t have a Windows DHCP server available in this example, I configured an IOS router on the Acme Corp network (10.1.1.20) to do DHCP. To make that DHCP server available over the tunnel we only need to touch Acme’s Branch ASA and add the following configuration:

dhcprelay server 10.1.1.20 Outside
dhcprelay enable Inside
dhcprelay enable Inside-2
dhcprelay timeout 60
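Once the relay is configured, the checks below confirm that lease traffic is actually going through the tunnel rather than being dropped or sent out unencrypted. This is an added example of verification commands on the Acme Branch ASA, not part of the original post; the client address 10.1.2.61 in the packet-tracer line is the one from the ipconfig output later in the post.

```cisco
! Added example, not from the post: verifying DHCP relay over the tunnel (Acme Branch ASA)
! Phase 1 SA with peer 192.0.2.10 should be listed in state MM_ACTIVE
show crypto ikev1 sa
! Phase 2 SA for the 10.1.2.0/24 <-> 10.1.1.0/24 identity; the #pkts encaps/decaps
! counters should increase each time a client requests or renews a lease
show crypto ipsec sa peer 192.0.2.10
! Relay counters (requests forwarded and replies returned) should increase as well
show dhcprelay statistics
! Simulate a DHCP packet from a branch client toward the server; the output should
! include a VPN phase (encrypt) rather than a NAT translation or a drop
packet-tracer input Inside udp 10.1.2.61 68 10.1.1.20 67
```

If the relay counters increase but the IPsec encaps counter does not, the DHCP packets are not matching the crypto ACL and the NAT exemption rules above are the first thing to re-check.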

We should now be able to get an IP address from Acme’s DHCP server. If I jump over to one of the Windows hosts on the Acme Branch and issue ipconfig /all, we can see that this Windows host was able to reach the DHCP server 10.1.1.20, which is on the other side of the VPN:

C:\Documents and Settings\VIRL>ipconfig /all
Windows IP Configuration

        Host Name . . . . . . . . . . . . : VIRL-D3D4EE00AA
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Red Hat VirtIO Ethernet Adapter
        Physical Address. . . . . . . . . : FA-16-3E-59-67-A3
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.1.2.61
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.1.2.1
        DHCP Server . . . . . . . . . . . : 10.1.1.20
        Lease Obtained. . . . . . . . . . : Sunday, April 09, 2017 5:29:25 PM
        Lease Expires . . . . . . . . . . : Monday, April 10, 2017 5:29:25 PM

C:\Documents and Settings\VIRL>

If you want to try this out, I have attached the running-configs of both firewalls at the end of this post. If you are using Cisco VIRL, here is a link on GitHub to the file I was working with.

Note: When working with this file I noticed that the network switches on both sides don’t always hold a MAC address table when we first start them. The workaround I found is to copy the configuration, delete the switch, add it back, and plug everything back in order.

There is a subtype added in this configuration for the Windows XP image I was working with. You can find more information about importing Windows VMs and other 3rd party systems into VIRL in a previous post: Cisco VIRL and Windows VMs

Running-Config-Firewalls
