
Cisco ASA S2S

dkingfx00
Level 1

Hi Everyone,

I've been asked to configure a site-to-site VPN on a Cisco ASA 5505, and I've been asked to use a NON-RFC IP address/network because the other end is using the 192, 10 and 172 networks on some of their devices. I went online to one of the subnet and network calculators and generated a network that's not 10.x.x.x, 172.x.x.x or 192.x.x.x. I'm really confused about the NON-RFC part and whether generating a network with another number in front of it will work.

Network I generated for internal workstations:

Network:   162.10.1.0
Subnet:    255.255.255.192
Gateway:   162.10.1.1
Broadcast: 162.10.1.63
HostMin:   162.10.1.1
HostMax:   162.10.1.62

Remote_LAN                                                Local_LAN

                  -----                           -----
192.168.0.0/24    |ASA|---------------------------|ASA|   162.10.1.0/26
                  -----                           -----
               192.168.0.254                     10.0.0.254

I've been asked to create a site-to-site tunnel that will only connect clients on the 162.10.1.0 network to TCP ports 80 & 443 and TCP port 1494 when the ASA detects one of those requests; otherwise route everything else the normal way.

 

I started messing with some config in GNS3 before I do anything to the real device.

ASA01

object network Local_LAN
 subnet 162.10.1.0 255.255.255.192
object network Remote_LAN
 subnet 192.168.102.0 255.255.255.0

! Local_LAN and Remote_LAN are network objects, so the ACL references them with "object", not "object-group"
access-list LAN_Traffic extended permit tcp object Local_LAN object Remote_LAN eq 80
access-list LAN_Traffic extended permit tcp object Local_LAN object Remote_LAN eq 80
access-list LAN_Traffic extended permit tcp object Local_LAN object Remote_LAN eq 443
access-list LAN_Traffic extended permit tcp object Local_LAN object Remote_LAN eq 1494
 

Do I need another access list for clients on 162.10.1.0 to route any other normal traffic (internet, etc.) that's not destined for the Remote_LAN?

! NAT exemption (pre-8.3 "nat 0" syntax) so LAN-to-LAN traffic is not translated before encryption
access-list Inside_NAT0_outbound extended permit ip 162.10.1.0 255.255.255.192 192.168.102.0 255.255.255.0
nat (Inside) 0 access-list Inside_NAT0_outbound

12 Replies

Jon Marshall
Hall of Fame

I don't understand what you mean by non RFC IP address.

The 162.10.x.x range is allocated to someone else so you can use these on the internet.

If the other end is using 10.x.x.x and 172.16 - 31.x.x and 192.168.x.x then they can't be using all the possible subnets in those ranges.

You need to talk to the people at the other end and agree on subnets you can use within one of the ranges above.

Jon

I was just as lost as you when I heard "Non-RFC IP address". As far as I thought, only 172.x.x.x, 192.x.x.x and 10.x.x.x (portions, of course) can be used for internal networks.

I figure 162.10.x.x is a public IP address, so I won't be using it on the internet; what about for internal use only?

I don't see how they could be using every range of IP addresses in the 10, 172 and 192.

Any comments on the ACLs and config above?

Thanks

Dan

Dan

See my last post re. use of those addresses.

They really can't be using all those IPs in all those ranges.

You don't need another acl for non VPN traffic because only traffic that matches your VPN acl will be sent down the tunnel.

Jon

So these ACLs would do the trick?

! Local_LAN and Remote_LAN are network objects, so the ACL references them with "object", not "object-group"
access-list LAN_Traffic extended permit tcp object Local_LAN object Remote_LAN eq 80
access-list LAN_Traffic extended permit tcp object Local_LAN object Remote_LAN eq 80
access-list LAN_Traffic extended permit tcp object Local_LAN object Remote_LAN eq 443
access-list LAN_Traffic extended permit tcp object Local_LAN object Remote_LAN eq 1494

Couple of things -

1) you don't need the same line twice, i.e. your first two lines are the same

2) when I was doing these the recommendation was not to use port numbers in the ACLs but just IP.

You can use VPN filters to actually control traffic within the VPN.

I can't remember whether this was a recommendation or a restriction to be honest.

Jon

OK. I saw a couple of examples using filters but they seem to be just like an ACL, or at least the code looks identical. Let me look into that. Thanks for pointing it out.

Do you have any examples of vpn-filters?

Dan

VPN filters allow you to control exactly what traffic is allowed through the tunnel.

So your crypto map acl could just permit IP and then you control it with a filter.

See this doc for an example -

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

Jon
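Jon's approach as a worked config, added here as an example (it is not from the thread or from the linked Cisco doc): the crypto map ACL permits plain IP between the two LANs, and a vpn-filter on the group policy restricts what may actually cross the tunnel. It assumes the thread's sample addresses, peer and object names, ASA 8.3+ NAT syntax, and the linked doc's convention that an L2L vpn-filter ACL is written with the remote network as the source.

```cisco
! Added example, not from the thread or the Cisco doc. Addresses, peer and
! object names are the thread's sample values; ASA 8.3+ NAT syntax is assumed.
object network Local_LAN
 subnet 162.10.1.0 255.255.255.192
object network Remote_LAN
 subnet 192.168.102.0 255.255.255.0

! Crypto map ACL: interesting traffic is plain IP between the two LANs,
! no port numbers here
access-list outside_cryptomap extended permit ip object Local_LAN object Remote_LAN
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 209.165.200.234

! Identity NAT so LAN-to-LAN traffic is not translated (8.3+ twice NAT)
nat (inside,outside) source static Local_LAN Local_LAN destination static Remote_LAN Remote_LAN no-proxy-arp route-lookup

! VPN filter. Per the linked doc the L2L filter ACL is written from the
! remote network's perspective: Remote_LAN is the source, Local_LAN the
! destination, so a port the local clients connect TO sits on the source side.
! Anything else crossing the tunnel hits the ACL's implicit deny.
access-list VPN-FILTER extended permit tcp object Remote_LAN eq 80 object Local_LAN
access-list VPN-FILTER extended permit tcp object Remote_LAN eq 443 object Local_LAN
access-list VPN-FILTER extended permit tcp object Remote_LAN eq 1494 object Local_LAN

! Attach the filter to the group policy that the L2L tunnel group uses
group-policy GroupPolicy_209.165.200.234 internal
group-policy GroupPolicy_209.165.200.234 attributes
 vpn-tunnel-protocol ikev1
 vpn-filter value VPN-FILTER
tunnel-group 209.165.200.234 type ipsec-l2l
tunnel-group 209.165.200.234 general-attributes
 default-group-policy GroupPolicy_209.165.200.234

! Checks: confirm the filter is bound and watch its hit counts while testing
show running-config group-policy GroupPolicy_209.165.200.234
show access-list VPN-FILTER
show vpn-sessiondb l2l
```

Traffic from the local side that is not permitted by VPN-FILTER is dropped at the tunnel rather than routed elsewhere, so the normal internet path for everything else is still decided by the crypto map ACL, not by the filter.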

This is what I've got so far, any comments?

access list/vpn filter

! Ports belong on the destination (remote) side: clients on 162.10.1.0/26
! connecting to remote hosts on TCP 80, 443 and 1494
access-list VPN-FILTER extended permit tcp 162.10.1.0 255.255.255.192 10.1.1.0 255.255.255.0 eq 80
access-list VPN-FILTER extended permit tcp 162.10.1.0 255.255.255.192 10.1.1.0 255.255.255.0 eq 443
access-list VPN-FILTER extended permit tcp 162.10.1.0 255.255.255.192 10.1.1.2 255.255.248.0 eq 1494
access-list VPN-FILTER extended permit tcp 162.10.1.0 255.255.255.192 10.1.2.1 255.255.240.0 eq 1494
access-list VPN-FILTER extended permit tcp 162.10.1.0 255.255.255.192 10.1.3.1 255.255.248.0 eq 1494

phase 1

crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

phase 2

crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
! the SA lifetime is set per crypto map entry with "set security-association lifetime seconds"
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 1 set peer 209.165.200.234
crypto map outside_map 1 set ikev1 transform-set AES-128
crypto map outside_map interface outside
crypto ikev1 enable outside

crypto-ipsec

! the crypto map uses "set ikev1 transform-set", so the transform set is defined as an IKEv1 one (8.4+ syntax)
crypto ipsec ikev1 transform-set AES-128 esp-aes esp-sha-hmac

policy

group-policy GroupPolicy_209.165.200.234 internal
group-policy GroupPolicy_209.165.200.234 attributes
 vpn-tunnel-protocol ikev1

tunnel

tunnel-group 209.165.200.234 type ipsec-l2l
tunnel-group 209.165.200.234 general-attributes
 default-group-policy GroupPolicy_209.165.200.234
tunnel-group 209.165.200.234 ipsec-attributes
 ikev1 pre-shared-key *****

I just noticed I had the old access list incorrect:

crypto map outside_map 1 match address VPN-FILTER

The ASA will be facing the internet with its own public ip address by the way.

Jon Marshall
Hall of Fame

Technically you could use that range because presumably your ASA has a public IP on its outside interface that you own, so you could NAT all your clients to that IP when they go out to the internet.

But I still would recommend against it because -

1) if you make a mistake you will be using IPs on the internet that aren't yours

2) if any 162.10.x.x IPs you use are in use on the internet and the people at the other end of your tunnel want to access them, they won't be able to because traffic will come to you instead.

Jon
