site to site vpn with internet connection in same time


This topic contains 33 replies, has 2 voices, and was last updated by Anonymous 7 years, 1 month ago.

    gogi100 (Member) #159294

    I configured a site-to-site VPN between the ASA 5505 (ASA 8.4.2) and the ASA 5510 (ASA 8.4.4). How can I configure it so that the users from one side use the internet and the site-to-site VPN at the same time? The outside interface of the ASA 5505 has the address 10.15.100.8; the gateway for this network (10.15.100.0/24) is 10.15.100.1. This address of the ASA is NATed to a public IP address. Before, the LAN (10.15.100.0/24) had many computers and used the internet over the gateway 10.15.100.1, and now all computers must be moved behind the ASA 5505. I configured the site-to-site VPN but the internet doesn't work.
    Please help me.
    Thanks

    PS: Is this option split tunneling? How do I configure it?

    Anonymous #373299

    Re: site to site vpn with internet connection in same time

    Your Proxy ACL defines what traffic is encrypted and sent across the tunnel. It should be as specific as possible. If your internal hosts will be NATed out to the internet then you need to use a NAT exemption rule telling the NAT process not to NAT the traffic crossing the VPN. With 8.4 you do this with Twice NAT or Manual NAT, whichever you want to call it. If you post a config I can take a look.

    gogi100 (Member) #334950

    Re: site to site vpn with internet connection in same time

    I configured the site-to-site VPN on the ASA 5505 with the site-to-site wizard. I have not changed the settings. No, the outside interface of the ASA 5505 will be NATed out to the internet.

    Anonymous #373301

    Re: site to site vpn with internet connection in same time

    If you can't give a sanitized config, then there isn't much I can do, as I don't know what the configuration looks like now.

    gogi100 (Member) #334951

    Re: site to site vpn with internet connection in same time

    My config file on the ASA 5505 is:

    Quote:
    ASA Version 8.4(2)
    !
    hostname ciscoasa
    enable password csq7sfr0bQJqMGET encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 10.15.100.8 255.255.255.0
    !
    ftp mode passive
    object service ParagrafLex1
    service tcp source eq 6190
    description Odlazni
    object service paragraf
    service tcp destination eq 6190
    description dolazni
    object network server
    host 192.168.0.2
    object network NETWORK_OBJ_192.168.0.0_24
    subnet 192.168.0.0 255.255.255.0
    object network NETWORK_OBJ_192.168.2.0_24
    subnet 192.168.2.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    service-object ip
    service-object tcp
    service-object icmp echo-reply
    service-object tcp destination eq domain
    service-object tcp destination eq echo
    service-object tcp destination eq ldap
    object-group protocol DM_INLINE_PROTOCOL_2
    protocol-object udp
    protocol-object tcp
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service DM_INLINE_SERVICE_5
    service-object ip
    service-object icmp echo-reply
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
    access-list outside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp outside 10.13.74.1 000d.bd64.a8e2
    arp timeout 14400
    nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 10.15.100.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 10.15.100.0 255.255.255.0 outside
    http 192.168.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer 178.254.133.178
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map interface outside
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0

    dhcpd auto_config outside
    !
    dhcpd address 192.168.2.2-192.168.2.128 inside
    dhcpd auto_config outside interface inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy GroupPolicy_x.x.x.x internal
    group-policy GroupPolicy_x.x.x.x attributes
    vpn-tunnel-protocol ikev1 ikev2
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x general-attributes
    default-group-policy GroupPolicy_x.x.x.x
    tunnel-group x.x.x.x ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map type inspect ftp paragraf
    parameters
    policy-map global_policy
    class inspection_default
    inspect dns
    inspect icmp
    inspect ip-options
    inspect netbios
    inspect tftp
    inspect h323 h225
    inspect h323 ras
    inspect ftp
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:b6f6c923f233ac9974a733f82ad17fea
    : end
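As an added illustration of the NAT exemption point made earlier in the thread (this is not code from the thread or from Cisco), the following Python model evaluates an ASA 8.4-style NAT table and then the outside_cryptomap ACL for a packet leaving the 5505. The networks are taken from the config above; the two dynamic PAT lines are assumed additions that the posted config does not contain, and 198.51.100.7 is a constructed internet destination.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPNet = ipaddress.IPv4Network
ANY = IPNet("0.0.0.0/0")

# Addresses from the 5505 config posted above.
INSIDE_LAN = IPNet("192.168.2.0/24")   # LAN behind the 5505
REMOTE_LAN = IPNet("192.168.0.0/24")   # LAN behind the 5510, reached over the tunnel
OUTSIDE_IP = "10.15.100.8"             # 5505 outside interface (the provider NATs it again)


@dataclass
class NatRule:
    section: int               # ASA 8.4 NAT table: 1 = manual, 2 = object (auto), 3 = after-auto
    src: IPNet
    dst: IPNet                 # ANY models a rule with no destination clause
    mapped_src: Optional[str]  # None = identity (exemption), else the address to PAT to
    text: str                  # the ASA CLI line this entry models


# The single NAT line in the posted config: identity NAT for VPN-bound traffic.
# Manual NAT lands in section 1, so it is evaluated before any dynamic PAT.
EXEMPT = NatRule(1, INSIDE_LAN, REMOTE_LAN, None,
    "nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 "
    "destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 no-proxy-arp route-lookup")

# Assumed addition, NOT in the posted config: PAT everything else to the outside
# interface, placed after-auto (section 3) so it can never shadow the exemption.
PAT_AFTER_AUTO = NatRule(3, INSIDE_LAN, ANY, OUTSIDE_IP,
    "nat (inside,outside) after-auto source dynamic NETWORK_OBJ_192.168.2.0_24 interface")

# The classic mistake, for comparison: the same PAT written as manual NAT (section 1)
# and entered before the exemption, so it matches VPN traffic first.
PAT_SHADOWING = NatRule(1, INSIDE_LAN, ANY, OUTSIDE_IP,
    "nat (inside,outside) source dynamic NETWORK_OBJ_192.168.2.0_24 interface")

# Crypto ACL from the config (outside_cryptomap). The ASA matches it against the
# packet AFTER translation, which is why the exemption has to exist at all.
CRYPTO_SRC, CRYPTO_DST = INSIDE_LAN, REMOTE_LAN


def first_match(rules, src, dst):
    """ASA semantics: sections in order 1, 2, 3; within a section, first match wins."""
    for rule in sorted(rules, key=lambda r: r.section):   # stable sort keeps entry order
        if src in rule.src and dst in rule.dst:
            return rule
    return None


def egress(rules, src_ip, dst_ip):
    """Simulate one inside->outside packet: (source after NAT, rule text used, encrypted?)."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    rule = first_match(rules, src, dst)
    new_src = src if rule is None or rule.mapped_src is None else ipaddress.IPv4Address(rule.mapped_src)
    encrypted = new_src in CRYPTO_SRC and dst in CRYPTO_DST
    return str(new_src), (rule.text if rule else None), encrypted


SCENARIOS = {
    "as posted (exemption only)": [EXEMPT],
    "exemption + after-auto PAT": [EXEMPT, PAT_AFTER_AUTO],
    "PAT entered before exemption": [PAT_SHADOWING, EXEMPT],
}
PACKETS = [("192.168.2.10", "192.168.0.5"),    # to the LAN behind the 5510
           ("192.168.2.10", "198.51.100.7")]   # to an internet host (constructed address)


def report():
    """One row per (scenario, packet): how the packet leaves the outside interface."""
    rows = []
    for name, rules in SCENARIOS.items():
        for src, dst in PACKETS:
            new_src, rule, enc = egress(rules, src, dst)
            rows.append((name, dst, new_src, "encrypted" if enc else "clear", rule or "<no NAT rule>"))
    return rows


if __name__ == "__main__":
    for name, dst, new_src, how, rule in report():
        print(f"{name:30} -> {dst:13} leaves as {new_src:13} {how:9} via {rule[:58]}")
```

The third scenario is the one to watch for: with the PAT ahead of the exemption, traffic for 192.168.0.0/24 leaves as 10.15.100.8 and no longer matches the crypto ACL, so it is sent in the clear toward the provider instead of into the tunnel.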

    Anonymous #373304

    Re: site to site vpn with internet connection in same time

    Thanks for the config. Is there anything else in front of the ASA?

    gogi100 (Member) #334952

    Re: site to site vpn with internet connection in same time

    Yes, the provider gateway, a router I don't know, on the address 10.15.100.1. The outside interface of the ASA 5505 is NATed to a public IP.

    Anonymous #373305

    Re: site to site vpn with internet connection in same time

    So the provider router is doing NAT?

    gogi100 (Member) #334953

    Re: site to site vpn with internet connection in same time

    Yes, the provider router is doing NAT.

    Anonymous #373306

    Re: site to site vpn with internet connection in same time

    Is the site-to-site VPN working? Since they are both Cisco devices on both ends, they should negotiate NAT-Traversal, as the 5505 is behind a NAT device. With the 5505 behind a NAT device you will only be able to initiate the tunnel from the 5505 and not from the 5510. I would move your public IP space onto the 5505 and run NAT directly on the ASA. This will give you more control of what is NATed and what is not. Then just add a static default route to the provider's gateway.

    gogi100 (Member) #334954

    Re: site to site vpn with internet connection in same time

    I can't move my public IP space onto the 5505 because my provider has such a policy. I need my users behind the ASA 5505 to have access to the LAN behind the ASA 5510. It does not matter who initiates the tunnel, only the access to the LAN behind the ASA 5510 and the access to the internet for the users behind the ASA 5505.

    Anonymous #373307

    Re: site to site vpn with internet connection in same time

    Try this:

    group-policy GroupPolicy_x.x.x.x attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value outside_cryptomap

    gogi100 (Member) #334955

    Re: site to site vpn with internet connection in same time

    What do you think about this:

    VPN Traffic
    ========

    VPN traffic will check the inside_to_outside ACL, then it comes to the crypto ACL and it goes out.

    Internet traffic
    ==========
    All other traffic you mentioned other than VPN will get away as internet traffic.

    access-list inside_to_outside extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0 (VPN)
    access-list inside_to_outside extended permit internet filtered traffic permits
    access-list inside_to_outside extended deny ip any any
    !
    access-group inside_to_outside in interface inside
    !

    Anonymous #373308

    Re: site to site vpn with internet connection in same time

    That ACL only filters traffic coming in the inside interface. That's great if you want to filter what goes out, but it has nothing to do with the VPN traffic, as that is filtered with the Proxy ACL specified in the split tunnel list.

    gogi100 (Member) #334956

    Re: site to site vpn with internet connection in same time

    I think that split tunneling works in remote access VPN. I think that filtering VPN traffic works with the crypto access-list. I have: access-list outside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

    Anonymous #373309

    Re: site to site vpn with internet connection in same time

    Oops sorry, yeah the group-policy is for a remote access VPN. I do see the proxy ACL being matched in your config:

    crypto map outside_map 1 match address outside_cryptomap – Traffic matched here will be encrypted and sent across the tunnel.

    So that ACL will be used to determine what is encrypted over the tunnel. This is still a split tunnel, as we are choosing what to encrypt. The terms proxy ACL and split tunnel mean the same thing. Split tunneling can be applied to any type of VPN, not just remote-access.

    gogi100 (Member) #334957

    Re: site to site vpn with internet connection in same time

    I tested the site-to-site VPN but site-to-site doesn't work. I can't ping the LAN behind the ASA 5510 but not behind the ASA 5505. When I enter the command
    sh crypto isakmp sa

    There are no IKEv1 SAs

    IKEv2 SAs:

    Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1

    Tunnel-id Local Remote Status Role
    159733105 10.15.100.8/4500 x.x.x.x/4500 READY INITIATOR
    Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
    Life/Active Time: 86400/113 sec
    Child sa: local selector 192.168.5.0/0 - 192.168.5.255/65535
    remote selector 192.168.0.0/0 - 192.168.0.255/65535
    ESP spi in/out: 0x8825e2c3/0x86e50a36

    When I enter
    asa-siv(config)# show crypto ip sa
    interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 10.15.100.8

    access-list outside_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0
    local ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
    current_peer: x.x.x.x

    #pkts encaps: 78, #pkts encrypt: 78, #pkts digest: 78
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 78, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt.: 10.15.100.8/4500, remote crypto endpt.: 178.254.133.178/4500
    path mtu 1500, ipsec overhead 82, media mtu 1500
    current outbound spi: 86E50A36
    current inbound spi : 8825E2C3

    inbound esp sas:
    spi: 0x8825E2C3 (2284184259)
    transform: esp-aes-256 esp-sha-hmac no compression
    in use settings ={L2L, Tunnel, NAT-T-Encaps, }
    slot: 0, conn_id: 8192, crypto-map: outside_map
    sa timing: remaining key lifetime (kB/sec): (4331520/28524)
    IV size: 16 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x00000001
    outbound esp sas:
    spi: 0x86E50A36 (2263157302)
    transform: esp-aes-256 esp-sha-hmac no compression
    in use settings ={L2L, Tunnel, NAT-T-Encaps, }
    slot: 0, conn_id: 8192, crypto-map: outside_map
    sa timing: remaining key lifetime (kB/sec): (4101111/28524)
    IV size: 16 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x00000001

    asa-siv(config)#

    When I enter
    debug cry isa
    debug cry ipsec

    I don't receive anything.

    What do I do?

    Anonymous #373310

    Re: site to site vpn with internet connection in same time

    If you have no IKE phase 1 SAs then you need to look at your configuration.

    local crypto endpt.: 10.15.100.8/4500

    Local endpoint shows its private ip address. Is this the 5505 ASA?

    If the 5505 is behind NAT then you have a few options. You can use "wildcard" preshared keys on the other end with a dynamic crypto map, or initiate aggressive mode on the device behind NAT and then use FQDNs as your IKE ID. Either way, since this device is behind NAT it will always be the initiator of the tunnel. NAT-T will be negotiated between the peers.
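The counters in the `show crypto ipsec sa` output posted above (78 packets encapsulated, none decapsulated, NAT-T in use) are the first thing to read when a tunnel is "up" but nothing works, so here is an added Python example (not from the thread or from Cisco) that parses such an SA block and classifies it. The sample text is constructed, modelled on that output, with a documentation address standing in for the real peer.

```python
import ipaddress
import re

# Constructed sample, modelled on the output posted in this thread: the child SA
# exists, NAT-T is in use, packets go out but nothing comes back.
SAMPLE = """\
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 10.15.100.8

access-list outside_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer: 203.0.113.10

#pkts encaps: 78, #pkts encrypt: 78, #pkts digest: 78
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 10.15.100.8/4500, remote crypto endpt.: 203.0.113.10/4500
inbound esp sas:
spi: 0x8825E2C3 (2284184259)
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
"""


def _int(pattern, text):
    """First capture group of `pattern` as int, 0 if the counter line is absent."""
    m = re.search(pattern, text)
    return int(m.group(1)) if m else 0


def parse_ipsec_sa(text):
    """Pull the fields that matter for a first-pass diagnosis out of one SA block."""
    idents = {k: f"{a}/{m}" for k, a, m in
              re.findall(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/", text)}
    endpt = re.search(r"local crypto endpt\.: ([\d.]+)/(\d+), remote crypto endpt\.: ([\d.]+)/(\d+)", text)
    return {
        "local_ident": idents.get("local"),
        "remote_ident": idents.get("remote"),
        "local_endpt": endpt.group(1) if endpt else None,
        "local_port": int(endpt.group(2)) if endpt else None,
        "remote_endpt": endpt.group(3) if endpt else None,
        "encaps": _int(r"#pkts encaps: (\d+)", text),
        "decaps": _int(r"#pkts decaps: (\d+)", text),
        "send_errors": _int(r"#send errors: (\d+)", text),
        "recv_errors": _int(r"#recv errors: (\d+)", text),
        # Either marker means IKE detected a NAT between the peers and ESP is in UDP 4500.
        "nat_t": "NAT-T-Encaps" in text or (endpt is not None and endpt.group(2) == "4500"),
    }


def diagnose(sa):
    """Classify the SA by its counters; returns (status, list of findings)."""
    findings = []
    if sa["nat_t"]:
        behind_nat = bool(sa["local_endpt"]) and ipaddress.ip_address(sa["local_endpt"]).is_private
        where = ("a private address, so a NAT device sits in front of this ASA"
                 if behind_nat else "the public address")
        findings.append(f"NAT-T (UDP 4500) in use; local endpoint {sa['local_endpt']} is {where}. "
                        "UDP 500 and 4500 must pass the upstream NAT and this side has to initiate.")
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        status = "idle"
        findings.append(f"no packets matched the crypto ACL yet: send traffic from "
                        f"{sa['local_ident']} to {sa['remote_ident']} to exercise the child SA")
    elif sa["decaps"] == 0:
        status = "one-way-outbound"
        findings.append(f"{sa['encaps']} packets encrypted, none received back: the SA is up but "
                        f"nothing returns. On the remote ASA check that the crypto ACL mirrors "
                        f"{sa['remote_ident']} -> {sa['local_ident']}, that the same pair is NAT-exempt, "
                        f"that {sa['local_ident']} is routed toward the tunnel, and that its UDP 4500 "
                        "replies reach this ASA through the upstream NAT.")
    elif sa["encaps"] == 0:
        status = "one-way-inbound"
        findings.append("traffic is decrypted but nothing is sent: check this ASA's crypto ACL, "
                        "NAT exemption and routing for the remote network.")
    else:
        status = "bidirectional"
    if sa["send_errors"] or sa["recv_errors"]:
        findings.append(f"errors present: send={sa['send_errors']} recv={sa['recv_errors']}")
    return status, findings


if __name__ == "__main__":
    status, findings = diagnose(parse_ipsec_sa(SAMPLE))
    print("status:", status)
    for f in findings:
        print(" -", f)
```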

    gogi100 (Member) #334958

    Re: site to site vpn with internet connection in same time

    local crypto endpt.: 10.15.100.8/4500

    IP 10.15.100.8 is the IP address of the outside interface of the ASA 5505, which is NATed to a public IP address.

    gogi100 (Member) #334959

    Re: site to site vpn with internet connection in same time

    Quote:
    You can use “wildcard” preshared keys on the other end with a dynamic crypto map or initiate aggressive mode on the device behind nat and then use fqdn’s as your IKE id. Either way since this device is behind nat it will always be the initiator of the tunnel. NAT-T will be negotiated between the peers.

    How do I configure this option, please?
    Thanks

    gogi100 (Member) #334960

    Re: site to site vpn with internet connection in same time

    The configuration from the ASA 5505 is:

    ASA Version 8.4(2)
    !
    object network obj_any
    subnet 192.168.5.0 255.255.255.0
    object network NETWORK_OBJ_192.168.0.0_24
    subnet 192.168.0.0 255.255.255.0
    object network NETWORK_OBJ_192.168.5.0_24
    subnet 192.168.5.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    service-object ip
    service-object tcp
    service-object icmp echo-reply
    object-group service DM_INLINE_SERVICE_2
    service-object ip
    service-object tcp
    service-object icmp echo-reply
    service-object udp
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
    access-list outside_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list inside_to_outside extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list inside_to_outside extended permit object-group DM_INLINE_SERVICE_2 192.168.5.0 255.255.255.0 any
    access-list inside_to_outside extended deny ip any any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24 destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 no-proxy-arp route-lookup
    access-group inside_to_outside in interface inside
    route outside 0.0.0.0 0.0.0.0 10.15.100.1 1
    route inside 192.168.0.0 255.255.255.0 192.168.5.1 2
    route outside 192.168.0.0 255.255.255.0 10.15.100.1 3
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer x.x.133.178
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map interface outside
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside vpnclient-wins-override
    dhcpd address 192.168.5.2-192.168.5.128 inside
    dhcpd auto_config outside interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy GroupPolicy_x.x.133.178 internal
    group-policy GroupPolicy_x.x.133.178 attributes
    vpn-tunnel-protocol ikev1 ikev2
    tunnel-group x.x.133.178 type ipsec-l2l
    tunnel-group x.x.133.178 general-attributes
    default-group-policy GroupPolicy_x.x.133.178
    tunnel-group x.x.133.178 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy

    The configuration from the ASA 5510 is:

    hostname asa5510
    object network NETWORK_OBJ_192.168.5.0_24
    subnet 192.168.5.0 255.255.255.0
    object network NETWORK_OBJ_192.168.0.0_24
    subnet 192.168.0.0 255.255.255.0
    object network 192.168.0.10
    host 192.168.0.10
    object-group network PAT-SOURCE-NETWORKS
    description Source networks for PAT
    network-object 192.168.0.0 255.255.255.0
    access-list INSIDE-IN remark Allow traffic from LAN
    access-list INSIDE-IN extended permit ip 192.168.0.0 255.255.255.0 any
    access-list Split_Tunnel_List extended permit ip 192.168.0.0 255.255.255.0 any
    access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
    ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0
    nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL
    nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24 no-proxy-arp route-lookup
    nat (inside,outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface
    access-group INSIDE-IN in interface inside
    route outside 0.0.0.0 0.0.0.0 178.254.133.177 1
    route inside 192.168.5.0 255.255.255.0 192.168.0.10 1
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer 195.222.96.223
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

    Anonymous #373311

    Re: site to site vpn with internet connection in same time

    If the 5505 is behind a NAT device and you want to do "wildcard" pre-shared keys then you make that change on the 5510. Just set a strong key when using a wildcard. I know the syntax changed with 8.4 so just work around it. They use the ikev1 commands in place of isakmp.

    tunnel-group 0.0.0.0 0.0.0.0 type ipsec-l2l
    pre-shared-key cisco

    crypto dynamic-map DYNAMIC set transform-set " " (Your transform-set)
    crypto dynamic-map DYNAMIC match address " " (Your Proxy ACL)
    Notice you don't specify the peer address here, hence using the dynamic crypto map.

    Then just tie the dynamic crypto map to your crypto map:

    crypto map VPN 65535 ipsec-isakmp dynamic DYNAMIC

    Anonymous #373312

    Re: site to site vpn with internet connection in same time

    Also make sure the upstream router is allowing UDP 500 and UDP 4500 through to the endpoint.

    gogi100 (Member) #334961

    Re: site to site vpn with internet connection in same time

    Therefore I must put those commands on the ASA 5510:

    Quote:
    tunnel-group 0.0.0.0 0.0.0.0 type ipsec-l2l
    pre-shared-key cisco

    crypto dynamic-map DYNAMIC set transform-set " " (Your transform-set)
    crypto dynamic-map DYNAMIC match address " " (Your Proxy ACL)
    crypto map VPN 65535 ipsec-isakmp dynamic DYNAMIC

    Does anything change on the ASA 5505?

    I noticed the same thing: when I enter
    sh crypto isa
    sh crypto isakmp sa

    I receive 'There are no IKEv1 SAs'.

    Must the tunnel go over IKEv2 or IKEv1?

    Anonymous #373313

    Re: site to site vpn with internet connection in same time

    No changes should need to be made on the 5505. The syntax I posted is an example so modify it to fit your needs.

    gogi100 (Member) #334962

    Re: site to site vpn with internet connection in same time

    When I enter
    sh crypto isa
    sh crypto isakmp sa

    I receive 'There are no IKEv1 SAs'.

    Must the tunnel go over IKEv2 or IKEv1?

    Anonymous #373314

    Re: site to site vpn with internet connection in same time

    As I said, the syntax changed:

    show crypto ikev1 sa

    You should be using IKEv1.

    gogi100 (Member) #334963

    Re: site to site vpn with internet connection in same time

    Can you explain how to configure this on the ASA 5505:

    Quote:
    initiate aggressive mode on the device behind nat and then use fqdn’s as your IKE id.

    Can I disable IKEv2 in ASDM on the ASA 5505 and 5510?

    Anonymous #373315

    Re: site to site vpn with internet connection in same time

    The commands on the 5505 would be:

    crypto map [TAG] [SEQ#] set phase1-mode aggressive

    When using this you would be using hostnames on your tunnel-groups, which means that your endpoints would need DNS resolution to resolve the names. I would get it working with the wildcard preshared key first, and then once that is working you can think about using aggressive mode and hostnames for IKE IDs.

    There is no real reason to disable IKEv2 as you're not using it. I would leave it be.

    If both of your ASAs are version 8.4(1) then you could try IKEv2, as with this new version there is no concept of main mode and aggressive mode. I would look at the 8.4 documentation before trying it though.

    gogi100 (Member) #334964

    Re: site to site vpn with internet connection in same time

    Can you explain where I can find [TAG] and [SEQ#]?
