Site-to-site VPNs are a cost-effective way to connect remote sites to HQ resources without a leased line such as an MPLS or Metro-E circuit. A standard internet connection with a static IP is usually cheaper than a dedicated circuit; all you add is a firewall at the remote site (assuming you already have one at HQ) and a site-to-site VPN between the two.
In this guide I’ll demo a site-to-site VPN between a pair of ASAs, plus the extra commands needed to relay DHCP across the tunnel so that the HQ DHCP server can hand out addresses instead of running a local DHCP server at the remote site. The table below lists the agreed settings and the networks that are protected. Note that the “public” IP addresses in this example come from the RFC 5737 documentation ranges and are not routable on the internet.
Because this is a VPN, both sides must agree on the same settings before any traffic will pass. We tunnel the entire address range of each site, with no NAT, since it is all Acme’s network:

| Setting | Acme Corp. | Acme Branch |
|---|---|---|
| Peer IP address | 192.0.2.10 | 203.0.113.10 |
| Protected networks | 10.1.1.0/24 | 10.1.2.0/24, 10.1.3.0/24 |
| Phase 1 (IKEv1) | AES-256, SHA-1, DH group 2 | AES-256, SHA-1, DH group 2 |
| Phase 2 (IPsec) | AES-128, SHA-1 | AES-128, SHA-1 |
| PFS | No | No |
| Pre-shared key | cisco | cisco |

These are lab values. DH group 2 (1024-bit MODP), SHA-1 and a guessable pre-shared key like “cisco” are fine for a demo but not for a production tunnel: use a long random pre-shared key (or certificates), DH group 14 or higher, enable PFS, and prefer IKEv2 where both peers support it.
Here is the topology below for reference:
Let’s start building the tunnel on the Acme Corp side by creating the network objects and object groups:
object network VPN-REMOTE-ACME-BRANCH-NET-1
 subnet 10.1.2.0 255.255.255.0
object network VPN-REMOTE-ACME-BRANCH-NET-2
 subnet 10.1.3.0 255.255.255.0
object network ACME-CORP-NET
 subnet 10.1.1.0 255.255.255.0
object network VPN-REMOTE-ACORP-BRANCH-NET-1
 subnet 10.1.2.0 255.255.255.0
object network VPN-REMOTE-ACORP-BRANCH-NET-2
 subnet 10.1.3.0 255.255.255.0
object-group network VPN-LOCAL-ACMECORP-NET
 network-object object ACME-CORP-NET
object-group network VPN-LOCAL-ACORP
 network-object object ACME-CORP-NET
object-group network VPN-REMOTE-ACORP-BRANCH
 network-object object VPN-REMOTE-ACORP-BRANCH-NET-1
 network-object object VPN-REMOTE-ACORP-BRANCH-NET-2
Next, create the access list that matches the traffic we want protected by the tunnel (the crypto ACL):
access-list ACL-VPN-ACORP-ACORP-BRANCH extended permit ip object-group VPN-LOCAL-ACORP object-group VPN-REMOTE-ACORP-BRANCH
We also need NAT exemption rules so these networks are not translated when they cross the VPN. The first line is a twice-NAT entry for Acme Branch’s networks reaching Acme Corp’s local network; the second reverses it so Acme Corp’s local network can reach Acme Branch.
❗ Notice: the source and destination objects are mapped to themselves (identity NAT), so neither address is changed; `no-proxy-arp` stops the ASA from answering ARP requests for the remote networks.
nat (Outside,Inside) source static VPN-REMOTE-ACORP-BRANCH VPN-REMOTE-ACORP-BRANCH destination static VPN-LOCAL-ACORP VPN-LOCAL-ACORP no-proxy-arp
nat (Inside,Outside) source static VPN-LOCAL-ACMECORP-NET VPN-LOCAL-ACMECORP-NET destination static VPN-REMOTE-ACORP-BRANCH VPN-REMOTE-ACORP-BRANCH no-proxy-arp
Create a group policy for the Acme Corp to Acme Branch VPN connection:
group-policy GP-VPN-ACORP-ACORP-BRANCH internal
group-policy GP-VPN-ACORP-ACORP-BRANCH attributes
 vpn-tunnel-protocol ikev1
Create the tunnel group, keyed on the peer’s IP address:
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP-VPN-ACORP-ACORP-BRANCH
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key cisco
 isakmp keepalive disable
Build the crypto map and bind it to the Outside interface. The transform set ESP-AES-128-SHA that it references, and the Phase 1 IKEv1 policy, are defined in the attached running configs rather than shown in this walkthrough:
crypto map CM-ACORP-ACORP-BRANCH 1 match address ACL-VPN-ACORP-ACORP-BRANCH
crypto map CM-ACORP-ACORP-BRANCH 1 set peer 203.0.113.10
crypto map CM-ACORP-ACORP-BRANCH 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map CM-ACORP-ACORP-BRANCH interface Outside
Now jump to the Acme Branch ASA and configure its side of the tunnel. Start with the network objects and object groups:
object network ACME-BRANCH-NET-1
 subnet 10.1.2.0 255.255.255.0
object network ACME-BRANCH-NET-2
 subnet 10.1.3.0 255.255.255.0
object network VPN-REMOTE-ACME
 subnet 10.1.1.0 255.255.255.0
object-group network VPN-LOCAL-ACME-BRANCH
 network-object object ACME-BRANCH-NET-1
 network-object object ACME-BRANCH-NET-2
object-group network VPN-REMOTE-ACORP
 network-object object VPN-REMOTE-ACME
Create the access list for the traffic we want protected on Acme Branch. It must be the mirror image of the Acme Corp crypto ACL (the same networks with local and remote swapped), otherwise Phase 2 fails because the proxy identities offered by the two peers don’t match:
access-list ACL-VPN-ACORP-BRANCH-ACORP extended permit ip object-group VPN-LOCAL-ACME-BRANCH object-group VPN-REMOTE-ACORP
Just like before, we need NAT exemption rules. Acme Branch has two networks that cross the tunnel, each behind its own interface (Inside and Inside-2), so there are four rules: the first two cover ACME-BRANCH-NET-1 and the last two cover ACME-BRANCH-NET-2, in each case one rule per direction so that connections can be initiated from either side of the VPN.
nat (Inside,Outside) source static ACME-BRANCH-NET-1 ACME-BRANCH-NET-1 destination static VPN-REMOTE-ACORP VPN-REMOTE-ACORP no-proxy-arp
nat (Outside,Inside) source static VPN-REMOTE-ACORP VPN-REMOTE-ACORP destination static ACME-BRANCH-NET-1 ACME-BRANCH-NET-1 no-proxy-arp
nat (Outside,Inside-2) source static VPN-REMOTE-ACORP VPN-REMOTE-ACORP destination static ACME-BRANCH-NET-2 ACME-BRANCH-NET-2 no-proxy-arp
nat (Inside-2,Outside) source static ACME-BRANCH-NET-2 ACME-BRANCH-NET-2 destination static VPN-REMOTE-ACORP VPN-REMOTE-ACORP no-proxy-arp
Create a group policy for the Acme Branch to Acme Corp VPN connection:
group-policy GP-VPN-ACORP-BRANCH-ACORP internal
group-policy GP-VPN-ACORP-BRANCH-ACORP attributes
 vpn-tunnel-protocol ikev1
Create the tunnel group, keyed on the Acme Corp peer’s IP address:
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 general-attributes
 default-group-policy GP-VPN-ACORP-BRANCH-ACORP
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key cisco
 isakmp keepalive disable
Build the crypto map and bind it to the Outside interface:
crypto map CM-ACORP-BRANCH-ACORP 1 match address ACL-VPN-ACORP-BRANCH-ACORP
crypto map CM-ACORP-BRANCH-ACORP 1 set peer 192.0.2.10
crypto map CM-ACORP-BRANCH-ACORP 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map CM-ACORP-BRANCH-ACORP interface Outside
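Neither side’s walkthrough shows the Phase 1 policy, the ESP-AES-128-SHA transform set that both crypto maps reference, or the command that enables IKEv1 on the Outside interface; without those three pieces the tunnel will not negotiate. The block below is an added example, not configuration taken from the original post or its attached configs: it completes both ASAs from the table’s agreed values (the 86400-second lifetime is the ASA default and an assumption here), then shows the IKEv2 equivalent with stronger algorithms and PFS that I would use outside a lab. The IKEv2 policy and proposal names and the placeholder pre-shared key are mine.

```cisco
! Added example, not from the original post. Paste on BOTH ASAs.
! --- IKEv1 Phase 1, matching the table: AES-256, SHA-1, DH group 2, pre-shared key ---
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! --- IKEv1 Phase 2: the transform set the crypto maps already reference (AES-128, SHA-1) ---
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
! --- Start listening for IKEv1 on the peer-facing interface ---
crypto ikev1 enable Outside

! --- Hardened IKEv2 alternative (Acme Corp side shown; mirror it on the Branch with peer 192.0.2.10).
!     Policy/proposal names and <long-random-key> are assumptions, not values from the post. ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal ESP-AES-256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ikev2 enable Outside
group-policy GP-VPN-ACORP-ACORP-BRANCH attributes
 vpn-tunnel-protocol ikev2
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <long-random-key>
 ikev2 local-authentication pre-shared-key <long-random-key>
crypto map CM-ACORP-ACORP-BRANCH 1 set ikev2 ipsec-proposal ESP-AES-256-SHA256
crypto map CM-ACORP-ACORP-BRANCH 1 set pfs group14
```

During a migration you can keep `vpn-tunnel-protocol ikev1 ikev2` in the group policy and leave the `set ikev1 transform-set` line in place alongside the IKEv2 proposal; the ASA will prefer IKEv2 when the peer offers it. Set the IKEv2 side on both ASAs before removing IKEv1, or the tunnel drops.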
Everything needed for the tunnel is now configured, but DHCP is still missing. In this example I don’t have a Windows DHCP server available, so I configured an IOS router on the Acme Corp network (10.1.1.20) to serve DHCP. To make it reachable over the tunnel we only need to touch the Acme Branch ASA and add the following:
dhcprelay server 10.1.1.20 Outside
dhcprelay enable Inside
dhcprelay enable Inside-2
dhcprelay timeout 60
A host at the branch should now get an IP address from Acme Corp’s DHCP server. Jumping onto one of the Windows hosts at Acme Branch and running ipconfig /all shows that it obtained its lease from 10.1.1.20, across the VPN:
C:\Documents and Settings\VIRL>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : VIRL-D3D4EE00AA
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Red Hat VirtIO Ethernet Adapter
        Physical Address. . . . . . . . . : FA-16-3E-59-67-A3
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.1.2.61
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.1.2.1
        DHCP Server . . . . . . . . . . . : 10.1.1.20
        Lease Obtained. . . . . . . . . . : Sunday, April 09, 2017 5:29:25 PM
        Lease Expires . . . . . . . . . . : Monday, April 10, 2017 5:29:25 PM

C:\Documents and Settings\VIRL>
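A successful lease on the client is good evidence, but when it doesn’t work you need to see which stage failed: Phase 1, Phase 2, NAT exemption or the relay itself. The commands below are an added example of the checks I run on the Acme Branch ASA for exactly this tunnel; they are not from the original post. The client address 10.1.2.61 is taken from the ipconfig output above.

```cisco
! Added example: verification on the Acme Branch ASA, not from the original post.
! Phase 1: expect one entry for peer 192.0.2.10 with State : MM_ACTIVE
show crypto ikev1 sa
! Phase 2: one SA per crypto ACL entry; #pkts encaps and #pkts decaps should both be increasing.
! Encaps climbing with decaps stuck at 0 usually means the far side's crypto ACL or NAT exemption is wrong.
show crypto ipsec sa peer 192.0.2.10
! Summary of the L2L session (uptime, bytes in each direction)
show vpn-sessiondb l2l
! NAT: the four identity rules should show translate_hits / untranslate_hits incrementing
show nat detail
! Walk a branch host's packet to the DHCP server through the ASA's logic. The NAT phase must match
! the identity rule, a VPN phase with Subtype: encrypt must appear, and the result must be allow.
packet-tracer input Inside icmp 10.1.2.61 8 0 10.1.1.20
! Relay counters: requests relayed to 10.1.1.20 and replies relayed back should both be non-zero
! after a client renews (ipconfig /renew on the Windows host)
show dhcprelay statistics
! Decrypted VPN traffic bypasses the Outside interface ACL only while this default is still present
show running-config all sysopt | include permit-vpn
```

If `show crypto ikev1 sa` is empty, the problem is Phase 1 (peer address, pre-shared key, or mismatched policy); if Phase 1 is MM_ACTIVE but `show crypto ipsec sa` shows no SA, compare the crypto ACLs on both sides for an exact mirror image before looking anywhere else.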
If you want to try this out, the running configs of both firewalls are attached at the end of this post. If you are using Cisco VIRL, the topology file I was working with is linked on GitHub.
❗ Note: When working with this file I noticed that the network switches on both sides don’t always hold a MAC address table when they are first started. The workaround I found is to copy the switch configuration, delete the switch, add it back and plug everything back in order.
The configuration also includes a subtype for the Windows XP image I was working with. For more on importing Windows VMs and other third-party systems into VIRL, see a previous post: Cisco VIRL and Windows VMs.