Site to Site VPN with Internet Access (Hairpinning) - XeruNetworks
http://www.xerunetworks.com/2011/12/site-to-site-vpn-with-internet-access/ (captured 2/20/2014)
Posted Dec 20 by malikyounas. Categories: GNS3, Security, VPN


The primary purpose of this lab is to test a site-to-site VPN and to make sure that users at the remote site are able to access the internet via the main site. You will see in the post that all of the configuration is similar to a normal L2L config between a router and a firewall; all you need in addition is an extra NAT statement and a permit statement on the ASA at the main site so that remote-site users can be NATed out of the main site.

[Figure: Internet Access through Site to Site VPN]


Site Setup

The following devices are considered to be at the main site: ASA1, R4
The following devices are considered to be part of the ISP: R2, R3
The following device is considered to be the branch office: R5

GNS3

I built this lab in GNS3 and mainly used the following two links to get the ASA working in GNS3:

    http://forum.gns3.net/topic4088.html

    http://forum.gns3.net/topic2405.html

    Configurations

    ******************************************************

ASA1

    ******************************************************

    ASA Version 8.0(2)

    !

    hostname asa1

The enable password is cisco.

    enable password 2KFQnbNIdI.2KYOU encrypted

    names

    !

    interface Ethernet0/0

    nameif outside

    security-level 0

    ip address 10.10.30.6 255.255.255.252

    !

    interface Ethernet0/1

    nameif inside

    security-level 100

    ip address 10.10.30.13 255.255.255.252

    !


    interface Ethernet0/2

    shutdown

    no nameif

    no security-level

    no ip address

    !

    interface Ethernet0/3

    shutdown

    no nameif

    no security-level

    no ip address

    !

    interface Ethernet0/4

    shutdown

    no nameif

    no security-level

    no ip address

    !

    interface Ethernet0/5

    shutdown

    no nameif

    no security-level

    no ip address

    !

    passwd 2KFQnbNIdI.2KYOU encrypted

    boot config disk0:/.private/startup-config

    ftp mode passive

The following command makes sure that traffic received on an interface is permitted to go back out the same interface. The default behaviour is to deny traffic that would leave through the interface it arrived on. This is required here because L2L traffic is received on the outside interface and, to reach the internet, must leave out that same interface. This command is not required if remote users only need main-site services and not internet access.

    same-security-traffic permit intra-interface

Just two ACLs to allow traffic on the interfaces; they permit everything for this lab and can be customised as per specific requirements.

    access-list inside-in extended permit ip any any log

    access-list outside-in extended permit ip any any log

This ACL is used to bypass NAT for all traffic leaving the main site for the remote site.

    access-list nonat extended permit ip any 10.10.20.0 255.255.255.0

This ACL defines the interesting traffic which will be encrypted and tunnelled to the remote site over the L2L VPN.

    access-list ipsec-conn extended permit ip any 10.10.20.0 255.255.255.0

This ACL matches traffic that wants to leave for the internet or any other network, which will be NATed.

    access-list nat-internal extended permit ip any any

    pager lines 24

    logging enable

    logging asdm informational

    mtu outside 1500

    mtu inside 1500

    no failover

    icmp unreachable rate-limit 1 burst-size 1

    asdm image disk0:/.private/asdm-615.bin

    no asdm history enable

    arp timeout 14400


Enable NAT control, so that traffic through the firewall must match a NAT rule

    nat-control

Use the outside interface address as the PAT address for NAT pool 1

    global (outside) 1 interface

This NAT statement tells the ASA that any IPs from the remote network should be NATed when they go out to the internet or any other external network.

    nat (outside) 1 10.10.20.0 255.255.255.0

This NAT statement refers to ACL 'nonat', which makes sure that any IPs destined for the remote network are not NATed.

    nat (inside) 0 access-list nonat

This NAT statement refers to ACL 'nat-internal' to NAT internal addresses that want to go out to the internet or external networks.

    nat (inside) 1 access-list nat-internal
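Putting the same-security-traffic and NAT statements above together, here is an added example (Python written for this page, not code from the original post or from Cisco) that models how ASA1 should handle a few flows: the branch hairpin out to the internet, main-site traffic into the tunnel, and what happens when either the intra-interface permit or the nat (outside) statement is missing. The rule logic is transcribed by hand from the statements above; the addresses come from the lab configs, and the class and function names are this example's own.

```python
"""Added example for this page (not code from the original post or from Cisco):
a hand-transcribed model of how the ASA1 statements above treat a few flows.
Addresses are those of the lab; class and function names are this example's own."""
import ipaddress
from dataclasses import dataclass

REMOTE_LAN = ipaddress.ip_network("10.10.20.0/24")      # branch LAN behind R5
INSIDE_LANS = [ipaddress.ip_network("10.10.40.0/24"),    # route inside 10.10.40.0 ...
               ipaddress.ip_network("10.11.40.0/24")]    # route inside 10.11.40.0 ...
OUTSIDE_IP = "10.10.30.6"                                # global (outside) 1 interface


@dataclass
class AsaPolicy:
    """The two statements the post adds on top of a plain L2L config."""
    intra_interface: bool = True     # same-security-traffic permit intra-interface
    nat_outside_remote: bool = True  # nat (outside) 1 10.10.20.0 255.255.255.0


def egress_interface(dst):
    """Static routes: the two main-site LANs via inside, everything else via the default route."""
    dst = ipaddress.ip_address(str(dst))
    return "inside" if any(dst in net for net in INSIDE_LANS) else "outside"


def nonat_matches(src, dst):
    """nat (inside) 0 access-list nonat (permit ip any 10.10.20.0/24).
    NAT exemption configured with an ACL applies in both directions."""
    return dst in REMOTE_LAN or src in REMOTE_LAN


def decide(policy, ingress, src, dst):
    """Return (verdict, source address as the next hop will see it)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    egress = egress_interface(dst)

    if ingress == "outside" and egress == "outside":
        # Hairpin: the packet came in through the tunnel and must go back out
        if not policy.intra_interface:
            return "drop: same-interface traffic is denied by default", None
        if src in REMOTE_LAN and policy.nat_outside_remote:
            return f"forward: PAT to {OUTSIDE_IP}", OUTSIDE_IP
        # No nat (outside) rule: the private source leaks and the ISP cannot route the reply
        return "forward: untranslated private source, reply will not return", str(src)

    if ingress == "inside":
        if nonat_matches(src, dst):
            return "forward: NAT exempt, enters the L2L tunnel", str(src)
        if egress == "outside":
            # nat (inside) 1 access-list nat-internal (permit ip any any) + global (outside) 1 interface
            return f"forward: PAT to {OUTSIDE_IP}", OUTSIDE_IP
        return "forward: inside to inside, no translation", str(src)

    if ingress == "outside" and egress == "inside":
        if nonat_matches(src, dst):
            return "forward: untranslated to inside (reverse side of nonat)", str(src)
        return "drop: no translation group for this outside-to-inside flow", None

    return "drop: unhandled", None


if __name__ == "__main__":
    cases = [
        ("branch -> internet (hairpin)", AsaPolicy(), "outside", "10.10.20.2", "10.10.60.1"),
        ("branch -> main site LAN", AsaPolicy(), "outside", "10.10.20.2", "10.10.40.1"),
        ("main site -> branch", AsaPolicy(), "inside", "10.10.40.1", "10.10.20.2"),
        ("main site -> internet", AsaPolicy(), "inside", "10.10.40.1", "10.10.60.1"),
        ("hairpin, no intra-interface permit", AsaPolicy(intra_interface=False),
         "outside", "10.10.20.2", "10.10.60.1"),
        ("hairpin, no nat (outside)", AsaPolicy(nat_outside_remote=False),
         "outside", "10.10.20.2", "10.10.60.1"),
    ]
    for label, pol, ing, s, d in cases:
        print(f"{label:38s} {decide(pol, ing, s, d)[0]}")
```

The two failure cases are the ones worth remembering: without `same-security-traffic permit intra-interface` the hairpinned packet is dropped before NAT is even consulted, and without `nat (outside) 1 10.10.20.0 255.255.255.0` it leaves with its private 10.10.20.x source, so the reply never comes back through ASA1.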

    access-group outside-in in interface outside

    access-group inside-in in interface inside

    !

    router eigrp 1

    no auto-summary

    network 10.10.30.4 255.255.255.252

    !

    route outside 0.0.0.0 0.0.0.0 10.10.30.5 1

    route inside 10.10.40.0 255.255.255.0 10.10.30.14 1

    route inside 10.11.40.0 255.255.255.0 10.10.30.14 1

    timeout xlate 3:00:00

    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

    timeout uauth 0:05:00 absolute

    dynamic-access-policy-record DfltAccessPolicy

    aaa local authentication attempts max-fail 16

    http server enable

    http 10.10.60.2 255.255.255.255 outside

    http 10.10.20.2 255.255.255.255 outside

    http 10.10.30.10 255.255.255.255 outside

    no snmp-server location

    no snmp-server contact

    snmp-server enable traps snmp authentication linkup linkdown coldstart

    L2L VPN Config

    crypto ipsec transform-set avalanche esp-des esp-md5-hmac

    crypto ipsec security-association lifetime seconds 3600

    crypto ipsec df-bit clear-df outside

    crypto map forsberg 21 match address ipsec-conn

    crypto map forsberg 21 set peer 10.10.30.10

    crypto map forsberg 21 set transform-set avalanche

    crypto map forsberg interface outside

    crypto ca trustpoint localtrust

    enrollment self

    fqdn sslvpn.abc.com

    subject-name CN=sslvpn.abc.com

    crl configure

    crypto ca trustpoint ASDM_TrustPoint0


    enrollment self

    subject-name CN=asa1

    proxy-ldc-issuer

    crl configure

    L2L VPN Config

    crypto isakmp enable outside

    crypto isakmp policy 1

    authentication pre-share

    encryption 3des

    hash sha

    group 2

    lifetime 86400

    no crypto isakmp nat-traversal

    telnet timeout 5

    ssh timeout 5

    console timeout 0

    threat-detection basic-threat

    threat-detection statistics access-list

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    policy-map type inspect dns preset_dns_map

    parameters

    message-length maximum 512

    policy-map global_policy

    class inspection_default

    inspect dns preset_dns_map

    inspect ftp

    inspect h323 h225

    inspect h323 ras

    inspect netbios

    inspect rsh

    inspect rtsp

    inspect skinny

    inspect esmtp

    inspect sqlnet

    inspect sunrpc

    inspect tftp

    inspect sip

    inspect xdmcp

    !

    service-policy global_policy global

    ssl trust-point localtrust outside

    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15

    L2L VPN Config

    tunnel-group 10.10.30.10 type ipsec-l2l

    tunnel-group 10.10.30.10 ipsec-attributes

    pre-shared-key cisco

    prompt hostname context

    Cryptochecksum:6439298ff5b8a24e6dd80fecfb87b428

    : end
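The transform set (esp-des esp-md5-hmac) and ISAKMP policy (3des, group 2) above, together with a five-character pre-shared key, are fine for a GNS3 lab but would be flagged in any review of a production firewall. The following is an added example, not part of the original post, of a small lint pass over those config lines (copied from the ASA1 config above); the weak-algorithm lists, the key-length threshold and the function name are this example's own choices, not Cisco's.

```python
"""Added example (not from the original post): flag weak crypto settings in the
L2L lines of the ASA1 config above. The weak sets and MIN_PSK_LENGTH are this
example's own review thresholds."""
import re

WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASH = {"md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}
MIN_PSK_LENGTH = 16  # this example's own threshold

# Copied from the ASA1 config above (sub-commands indented as the ASA prints them)
ASA1_CRYPTO = """\
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map forsberg 21 match address ipsec-conn
crypto map forsberg 21 set peer 10.10.30.10
crypto map forsberg 21 set transform-set avalanche
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 10.10.30.10 ipsec-attributes
 pre-shared-key cisco
"""


def audit_crypto(config_text):
    """Return a list of findings for weak transform sets, ISAKMP policies and PSKs.
    Handles the ASA syntax shown above and the IOS 'encr' / 'crypto isakmp key' forms."""
    findings = []
    policy = None  # number of the isakmp policy whose sub-commands we are inside
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            policy = None  # a top-level command ends any policy block

        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            name = m.group(1)
            for alg in m.group(2).split():
                if alg in WEAK_ENCRYPTION:
                    findings.append(f"transform-set {name}: weak encryption {alg}")
                elif alg in WEAK_HASH:
                    findings.append(f"transform-set {name}: weak integrity {alg}")
            continue

        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            policy = m.group(1)
            continue

        if policy is not None:
            kw, *args = line.split()
            if kw in ("encryption", "encr") and args and args[0] in WEAK_ENCRYPTION:
                findings.append(f"isakmp policy {policy}: weak encryption {args[0]}")
            elif kw == "hash" and args and args[0] in WEAK_HASH:
                findings.append(f"isakmp policy {policy}: weak hash {args[0]}")
            elif kw == "group" and args and args[0] in WEAK_DH_GROUPS:
                findings.append(f"isakmp policy {policy}: weak DH group {args[0]}")
            continue

        m = re.match(r"(?:pre-shared-key|crypto isakmp key) (\S+)", line)
        if m and len(m.group(1)) < MIN_PSK_LENGTH:
            findings.append(f"pre-shared key of {len(m.group(1))} characters is too short")
    return findings


if __name__ == "__main__":
    for finding in audit_crypto(ASA1_CRYPTO):
        print("-", finding)
```

Run against the ASA1 lines it reports five findings: DES and MD5 in the transform set, 3DES and DH group 2 in the ISAKMP policy, and the short pre-shared key. A policy using AES-256, SHA and group 14 with an ESP AES/SHA transform set produces none.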


    ******************************************************

    R5

    ******************************************************

    version 12.4

    service timestamps debug datetime msec

    service timestamps log datetime msec

    no service password-encryption

    !

    hostname R5

    !

    boot-start-marker

    boot-end-marker

    !

    no aaa new-model

    memory-size iomem 5

    !

    ip cef

    no ip domain lookup

    !

    multilink bundle-name authenticated

    !

    archive

    log config

    hidekeys

    !

    L2L VPN Config

    crypto isakmp policy 11

    encr 3des

    authentication pre-share

    group 2

    crypto isakmp key cisco address 10.10.30.6

    !

    crypto ipsec transform-set sharks esp-des esp-md5-hmac

    !

    crypto map nolan 11 ipsec-isakmp

    set peer 10.10.30.6

    set transform-set sharks

    match address 120

    !

    interface FastEthernet0/0

    ip address 10.10.30.10 255.255.255.252

    ip virtual-reassembly

    duplex auto

    speed auto

    crypto map nolan

    !

    interface FastEthernet0/1

    ip address 10.10.20.1 255.255.255.0

    ip virtual-reassembly

    duplex auto

    speed auto

    !

    no ip http server

    no ip http secure-server


    ip forward-protocol nd

    ip route 0.0.0.0 0.0.0.0 10.10.30.9

    !

ACL used by the L2L VPN config (match address 120 in crypto map nolan)

    access-list 120 permit ip 10.10.20.0 0.0.0.255 any

    !

    control-plane

    !

    line con 0

    exec-timeout 0 0

    logging synchronous

    line aux 0

    line vty 0 4

    login

    !

    end
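A classic reason an L2L tunnel never comes up is that the two crypto ACLs are not mirror images of each other. ASA1 above matches "any -> 10.10.20.0/24" and R5's access-list 120 matches "10.10.20.0/24 -> any"; R5 sending all branch traffic, internet-bound traffic included, into the tunnel is what makes the hairpin possible in the first place. Added example (not code from the post): a parser for both ACL forms (ASA network masks, IOS wildcard masks) that checks the two entries mirror each other. The function names and the deliberately mismatched sample entry are this example's own.

```python
"""Added example for this page (not code from the original post): parse the crypto
ACL entry on each peer and check that they mirror each other. Function names and
the mismatched sample entry are this example's own."""
import ipaddress

# The two crypto ACL entries from the configs above
ASA1_CRYPTO_ACL = "access-list ipsec-conn extended permit ip any 10.10.20.0 255.255.255.0"
R5_CRYPTO_ACL = "access-list 120 permit ip 10.10.20.0 0.0.0.255 any"

ANY = ipaddress.ip_network("0.0.0.0/0")


def take_network(tokens, wildcard):
    """Consume one address spec (any | host A | A MASK) and return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if wildcard:
        # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
        mask = ".".join(str(255 - int(octet)) for octet in mask.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_crypto_acl(line, wildcard):
    """Return (src_net, dst_net) for a 'permit ip' entry.
    wildcard=True for IOS numbered/named ACLs, False for ASA ACLs."""
    tokens = line.split()[2:]  # drop 'access-list <name-or-number>'
    if tokens[0] == "extended":
        tokens = tokens[1:]
    action, proto, *rest = tokens
    if action != "permit" or proto != "ip":
        raise ValueError("this example only handles 'permit ip' entries")
    src, rest = take_network(rest, wildcard)
    dst, rest = take_network(rest, wildcard)
    return src, dst


def mirrors(local_entry, peer_entry):
    """True when the peer's source/destination equal our destination/source."""
    local_src, local_dst = local_entry
    peer_src, peer_dst = peer_entry
    return local_src == peer_dst and local_dst == peer_src


if __name__ == "__main__":
    asa = parse_crypto_acl(ASA1_CRYPTO_ACL, wildcard=False)
    r5 = parse_crypto_acl(R5_CRYPTO_ACL, wildcard=True)
    print("ASA1:", asa, "R5:", r5, "mirror:", mirrors(asa, r5))
    # Constructed mismatch: an R5 entry that only protects branch -> main-site LAN
    # would no longer mirror the ASA's 'any', and internet-bound branch traffic
    # would bypass the tunnel.
    narrow = parse_crypto_acl(
        "access-list 120 permit ip 10.10.20.0 0.0.0.255 10.10.40.0 0.0.0.255", wildcard=True)
    print("narrow R5 entry mirrors ASA1:", mirrors(asa, narrow))
```

Python's ipaddress module would in fact accept the IOS wildcard directly as a host mask, but the explicit inversion keeps the difference between the two syntaxes visible, which is usually where the mismatch is introduced.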

    ******************************************************

    R2

    ******************************************************

    version 12.4

    service timestamps debug datetime msec

    service timestamps log datetime msec

    no service password-encryption

    !

    hostname R2

    !

    boot-start-marker

    boot-end-marker

    !

    no aaa new-model

    memory-size iomem 5

    !

    ip cef

    no ip domain lookup

    !

    multilink bundle-name authenticated

    !

    archive

    log config

    hidekeys

    !

    interface FastEthernet0/0

    ip address 10.10.30.5 255.255.255.252

    duplex auto

    speed auto

    !

    interface FastEthernet0/1

    ip address 10.10.30.1 255.255.255.252

    duplex auto

    speed auto

    !

    interface FastEthernet1/0

    ip address 10.10.30.9 255.255.255.252

    duplex auto

    speed auto


    !

    interface FastEthernet2/0

    no ip address

    shutdown

    duplex auto

    speed auto

    !

    router eigrp 1

    network 10.10.30.0 0.0.0.3

    network 10.10.30.4 0.0.0.3

    network 10.10.30.8 0.0.0.3

    no auto-summary

    !

    no ip http server

    ip forward-protocol nd

    !

    control-plane

    !

    line con 0

    exec-timeout 0 0

    logging synchronous

    line aux 0

    line vty 0 4

    login

    !

    !

    end

    ******************************************************

    R4

    ******************************************************

    version 12.4

    service timestamps debug datetime msec

    service timestamps log datetime msec

    no service password-encryption

    !

    hostname R4

    !

    boot-start-marker

    boot-end-marker

    !

    no aaa new-model

    memory-size iomem 5

    !

    ip cef

    no ip domain lookup

    !

    multilink bundle-name authenticated

    !

    archive

    log config

    hidekeys

    !

    interface Loopback0

    ip address 10.10.40.1 255.255.255.0


    !

    interface Loopback1

    ip address 10.11.40.1 255.255.255.0

    !

    interface FastEthernet0/0

    ip address 10.10.30.14 255.255.255.252

    duplex auto

    speed auto

    !

    interface FastEthernet0/1

    no ip address

    shutdown

    duplex auto

    speed auto

    !

    router eigrp 1

    network 10.10.30.12 0.0.0.3

    network 10.10.40.0 0.0.0.255

    no auto-summary

    !

    no ip http server

    ip forward-protocol nd

    ip route 0.0.0.0 0.0.0.0 10.10.30.13

    !

    control-plane

    !

    line con 0

    exec-timeout 0 0

    logging synchronous

    line aux 0

    line vty 0 4

    login

    !

    !

    end

    ******************************************************

    R7

    ******************************************************

    version 12.4

    service timestamps debug datetime msec

    service timestamps log datetime msec

    no service password-encryption

    !

    hostname R7

    !

    boot-start-marker

    boot-end-marker

    !

    no aaa new-model

    memory-size iomem 5

    !

    ip cef

    no ip domain lookup

    !

    multilink bundle-name authenticated


    !

    archive

    log config

    hidekeys

    !

    interface FastEthernet0/0

    ip address 10.10.30.18 255.255.255.252

    duplex auto

    speed auto

    !

    interface FastEthernet0/1

    ip address 10.10.60.1 255.255.255.0

    duplex auto

    speed auto

    !

    router eigrp 1

    network 10.10.30.16 0.0.0.3

    network 10.10.60.0 0.0.0.255

    no auto-summary

    !

    no ip http server

    no ip http secure-server

    ip forward-protocol nd

    !

    control-plane

    !

    line con 0

    exec-timeout 0 0

    logging synchronous

    line aux 0

    line vty 0 4

    !

    end



Copyright 2014 XeruNetworks.
