Morgan Stepp CCIE #12603 | [email protected]
Page 1 of 15

Configuring Cisco VPN

Overview

A Virtual Private Network (VPN) securely extends network access to remote users. Cisco's VPN offering comes in four major configurations: Site-to-Site, Easy VPN, Client, and SSL. The VPN deployment you choose will depend upon your connectivity requirements. This document provides the configuration details of each by deploying and interconnecting all four VPN types for a single customer. The examples cover both ASA and IOS configurations. The following diagram outlines our customer topology.

[Diagram: customer topology. Labels recovered from the figure: Maui (ASA at 1.1.1.1, a 2911, 192.168.1.0/24, 192.168.99.1, 192.168.99.2); Oahu (871 on DSL, EzVPN, 192.168.2.0/24); Kauai (871 at 3.3.3.3, Site-to-Site VPN, 192.168.3.0/24); Home Offices (DSL, Client VPN and SSL VPN); all connected through the Internet.]

Cisco Site-to-Site and Easy VPN Review

Site-to-Site and Easy VPN provide remote office connectivity and eliminate the need for individual desktop VPN client applications. Each solution supports split tunneling, which allows Internet-destined traffic to be sent unencrypted to the local ISP while corporate-destined traffic is tunneled and encrypted.

Site-to-Site VPN requires remote offices to maintain a static public IP and is the preferred solution for permanent VPN connections. Examples are IPsec VPN, DMVPN, and GET VPN. Each VPN connection requires a separate tunnel policy (crypto map entry) with the remote public IP configured.

EzVPN can establish a VPN tunnel using either a DHCP-assigned or a static IP from the ISP. This is ideal for remote offices and teleworkers with dynamic Internet access such as cable or DSL. Configuration on EzVPN clients (ASA/ISR) is minimal, as security policies are delivered from a central EzVPN server (ASA/ISR).
Client and SSL VPN provide remote-access connectivity to individual user desktops. Remote users can access
Corporate Network Resources securely from any Internet enabled location. Both solutions support split
tunneling.
The Client VPN is software installed on the user's machine that establishes remote access using an IPsec-compliant implementation. The client can be preconfigured for mass deployment so that initial logins require little user intervention. VPN access policies and configuration are downloaded from the central gateway and pushed to the client when a connection is established, allowing simple deployment and management.
Cisco's AnyConnect SSL solution provides remote users with secure VPN connections using Secure Sockets Layer (SSL/TLS) and Datagram Transport Layer Security (DTLS). Authentication to AnyConnect can be done through a web browser, which can automatically download and install the AnyConnect client. The client runs on Windows, Linux (multiple distributions) and Mac OS X.
VPN Configuration

In our VPN example, the majority of network resources reside in Maui. However, additional resources have been installed in Oahu and Kauai. As a result, we need to provide connectivity for all users to all locations. For example, users in Oahu should be able to communicate with users in Kauai through the ASA. Home Offices should be allocated IPs in the 192.168.254.0/24 subnet and also be granted VPN access to all locations.
Step 1: ASA VPN Preparation - NAT Exemptions and Hairpinning

NAT is the enemy of VPNs. In the majority of implementations, the ASA provides NAT services for internal sources behind the ASA to external destinations outside the ASA. We need to ensure that traffic from internal sources to VPN destinations is not exposed to this NAT processing; otherwise the translated source address no longer matches the crypto ACL and the traffic is not encrypted. For example, the Oahu 192.168.2.0/24 network should appear to all corporate segments using its original IP range. First, we define the networks we do not want to NAT.
object-group network MAUI
network-object 192.168.1.0 255.255.255.0
!
object-group network OAHU
network-object 192.168.2.0 255.255.255.0
!
object-group network KAUAI
network-object 192.168.3.0 255.255.255.0
!
object-group network HOME-OFFICE
network-object 192.168.254.0 255.255.255.0
Next, we instruct the ASA (8.4 or later) to exclude NAT for traffic matching the listed source and destination.
The "static MAUI MAUI" segment instructs the ASA to NAT MAUI to MAUI (itself), which in effect disables
Drop-reason: (acl-drop) Flow is denied by configured rule
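To make the ordering concrete, here is an added Python model (not part of the original document, and not ASA code) of what happens to an Oahu-to-Kauai packet on the ASA with and without the NAT exemption. The ASA applies NAT before it evaluates the crypto ACL on the way out, so a source that has been translated to the outside address 1.1.1.1 no longer matches KAUAI-VPN. The rule format and the helper names translate, crypto_match and egress are this example's own; the sample rules are constructed from the page's object groups. One further caveat for the Oahu-to-Kauai case: that traffic enters and leaves the same outside interface, which the ASA only allows when same-security-traffic permit intra-interface is configured (the hairpinning referred to in the step title; the command itself is not shown on this page).

```python
"""Added example (not ASA code): model the ASA's ordering of NAT before the
crypto-map ACL check, to show why VPN-bound traffic must be exempted from NAT."""
import ipaddress

# Constructed sample, mirroring the page's object groups and outside address.
MAUI = ipaddress.ip_network("192.168.1.0/24")
OAHU = ipaddress.ip_network("192.168.2.0/24")
KAUAI = ipaddress.ip_network("192.168.3.0/24")
HOME = ipaddress.ip_network("192.168.254.0/24")
CORP = (MAUI, OAHU, KAUAI, HOME)
ANY = ipaddress.ip_network("0.0.0.0/0")
OUTSIDE_IP = ipaddress.ip_address("1.1.1.1")

# NAT rules: (source net, destination net, translated source). Evaluated
# top-down, first match wins, like the ASA's manual (twice) NAT section.
# translated source None = identity NAT, i.e. keep the original address.
NAT_EXEMPT = [(src, dst, None) for src in CORP for dst in CORP]
PAT_RULE = (ANY, ANY, OUTSIDE_IP)  # dynamic PAT of everything else

# Crypto ACL KAUAI-VPN from the page, as (source, destination) pairs.
KAUAI_VPN_ACL = [(MAUI, KAUAI), (OAHU, KAUAI), (HOME, KAUAI)]


def translate(src, dst, rules):
    """Post-NAT source address for a src->dst packet under the ordered rules."""
    for src_net, dst_net, xlate in rules:
        if src in src_net and dst in dst_net:
            return src if xlate is None else xlate
    return src  # no rule matched: address is left untranslated


def crypto_match(src, dst, acl):
    """True if the (post-NAT) flow is selected for encryption by the crypto ACL."""
    return any(src in s and dst in d for s, d in acl)


def egress(src, dst, rules):
    """Return (post-NAT source, 'encrypt' or 'clear') for a packet leaving outside."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    post_nat = translate(src, dst, rules)
    verdict = "encrypt" if crypto_match(post_nat, dst, KAUAI_VPN_ACL) else "clear"
    return str(post_nat), verdict


if __name__ == "__main__":
    with_exempt = NAT_EXEMPT + [PAT_RULE]
    # Oahu host to Kauai host: exempted -> original source kept, encrypted.
    print(egress("192.168.2.10", "192.168.3.10", with_exempt))   # ('192.168.2.10', 'encrypt')
    # Same packet with only the PAT rule: source becomes 1.1.1.1, crypto ACL misses.
    print(egress("192.168.2.10", "192.168.3.10", [PAT_RULE]))    # ('1.1.1.1', 'clear')
    # Internet-bound traffic is PATed as usual and correctly stays in the clear.
    print(egress("192.168.2.10", "8.8.8.8", with_exempt))        # ('1.1.1.1', 'clear')
```

The identity rules must sit above the dynamic PAT rule; because the first match wins, placing them after it would leave every VPN flow translated exactly as the second call shows.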
Step 2: ASA Security Associations

ISAKMP is the negotiation protocol that lets two hosts agree on how to build an IPsec security association (SA). It provides a common framework for agreeing on the format of SA attributes, which includes negotiating the SA with the peer and modifying or deleting it. ISAKMP separates negotiation into two phases. Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data.

IKE uses ISAKMP to set up the SA for IPsec to use. IKE creates the cryptographic keys used to authenticate peers.

A transform set combines an encryption method and an authentication (integrity) method. During the IPsec SA negotiation with ISAKMP, the peers agree to use a particular transform set to protect a particular data flow. A transform set protects the data flows matched by the access list specified in the associated crypto map entry.
Step 3: Site-to-Site IPsec VPN Configuration

We will configure a Site-to-Site IPsec VPN between the Maui ASA and the Kauai 871. The subnets below will be enabled for IPsec protection.

[Diagram: Maui ASA (1.1.1.1) and Kauai 871 (3.3.3.3) joined by an IPsec tunnel across the Internet. Tunneled networks: 192.168.1.0/24, 192.168.2.0/24 and 192.168.254.0/24 behind Maui; 192.168.3.0/24 behind Kauai.]
Maui ASA Site-to-Site VPN Configuration Configure an ACL that determines which networks to Tunnel (encrypt) through the VPN. Kauai will use a Site-
to-Site IPsec tunnel which requires an extended ACL. The ACL on the Kauai 871 should mirror (reverse the
subnets) the ASA ACL below.
access-list KAUAI-VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list KAUAI-VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list KAUAI-VPN extended permit ip 192.168.254.0 255.255.255.0 192.168.3.0 255.255.255.0
Crypto Maps pull together the elements of IPsec security associations. You must apply a crypto map set to the outside interface through which IPsec traffic travels. Applying the crypto map set to an interface instructs the ASA to evaluate all interface traffic against the crypto map set and to use the specified policy during connection or security association negotiations.
On the ASA, configure the crypto map “CMAP” and use sequence 10 to define IPsec security associations for
the Site-to-Site VPN tunnel to Kauai. The “address” keyword references the extended ACL above which
determines the traffic to tunnel.
crypto map CMAP 10 match address KAUAI-VPN
crypto map CMAP 10 set peer 3.3.3.3
crypto map CMAP 10 set ikev1 transform-set ESP-DES-MD5
Alternatively, we could reference multiple transform sets in one crypto map entry to give remote endpoints some flexibility; the sets are proposed in the order listed, so put the strongest first. Note that DES and MD5 are used in this lab only because the peers are configured that way; both are deprecated, and a production deployment should use AES with SHA (for example ESP-AES-256-SHA).
crypto map CMAP 10 set ikev1 transform-set ESP-DES-MD5 ESP-AES-256-SHA ESP-3DES-SHA
Assign the crypto map to the ASA outside interface. Only 1 crypto map may be applied per interface, which is
why we have chosen to use a generic name.
crypto map CMAP interface outside
Create an IPsec tunnel group named after the public IP of the Kauai 871 and assign the pre-shared key (PSK). The same key must be configured on the 871 for peer 1.1.1.1.
Kauai 871 Site-to-Site VPN Configuration

Create a transform set to be used with Site-to-Site connections, then define the Maui ASA as the IPsec peer with its pre-shared key (the same key configured in the ASA tunnel group). The no-xauth keyword stops the router from attempting extended authentication with this peer, which is appropriate for a Site-to-Site tunnel.

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto isakmp key Kauai! address 1.1.1.1 no-xauth
Configure an ACL that determines which networks to tunnel (encrypt) through the VPN. Kauai will use a Site-to-Site IPsec tunnel, which requires an extended ACL. Notice that the IOS ACL differs from the ASA ACL in two ways: IOS extended ACLs use wildcard masks (0.0.0.255) rather than subnet masks (255.255.255.0), and the permit statements are the reverse of those in the ASA ACL. In order to IPsec-encrypt traffic between remote subnets, the crypto ACLs used on the two peers must mirror each other.

ip access-list extended MAUI-VPN
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.254.0 0.0.0.255
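The mirroring rule is easy to get wrong by hand, and IOS silently accepts a subnet mask where it expects a wildcard (a wildcard of 255.255.255.0 on 192.168.3.0 matches only hosts whose last octet is 0, not the /24). The following added Python checker, not part of the original document, parses the ASA extended ACL and the IOS extended ACL, normalises both to CIDR networks, rejects a mask of the wrong kind on either side, and reports any entry that lacks its mirror. The sample configs are constructed from the page's ACLs (with one IOS line deliberately left out); the function names are the example's own.

```python
"""Added example (not Cisco code): check that an ASA crypto ACL and its IOS
peer's crypto ACL mirror each other, normalising subnet masks (ASA) and
wildcard masks (IOS) to CIDR and rejecting a mask of the wrong kind."""
import ipaddress
import re

ASA_LINE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)")
IOS_LINE = re.compile(
    r"^\s*permit\s+ip\s+(?P<src>\S+)\s+(?P<swild>\S+)\s+(?P<dst>\S+)\s+(?P<dwild>\S+)",
    re.MULTILINE)


def _prefixlen(netmask_int):
    """Prefix length of a contiguous netmask; ValueError if bits are not contiguous."""
    if (netmask_int | (netmask_int - 1)) & 0xFFFFFFFF != 0xFFFFFFFF:
        raise ValueError("non-contiguous mask")
    return bin(netmask_int).count("1")


def net_from_mask(addr, mask):
    """ASA style: the second field is a subnet mask such as 255.255.255.0."""
    try:
        plen = _prefixlen(int(ipaddress.IPv4Address(mask)))
    except ValueError:
        raise ValueError(f"{mask} is not a subnet mask (wildcard used on the ASA?)")
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def net_from_wildcard(addr, wild):
    """IOS style: set wildcard bits are don't-care, so invert before validating.
    A subnet mask typed here (255.255.255.0) inverts to 0.0.0.255 and is rejected."""
    try:
        plen = _prefixlen(~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF)
    except ValueError:
        raise ValueError(f"{wild} is not a wildcard mask (subnet mask used on IOS?)")
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def asa_pairs(config, acl_name):
    """Set of (src, dst) networks permitted by the named ASA extended ACL."""
    return {(net_from_mask(m["src"], m["smask"]), net_from_mask(m["dst"], m["dmask"]))
            for m in ASA_LINE.finditer(config) if m["name"] == acl_name}


def ios_pairs(config):
    """Set of (src, dst) networks permitted by an IOS extended ACL body."""
    return {(net_from_wildcard(m["src"], m["swild"]), net_from_wildcard(m["dst"], m["dwild"]))
            for m in IOS_LINE.finditer(config)}


def mirror_check(asa, ios):
    """Every ASA (src, dst) must appear on IOS as (dst, src). Returns two sorted
    lists: mirrors missing on IOS, and IOS entries with no ASA counterpart."""
    expected = {(dst, src) for src, dst in asa}
    fmt = lambda pairs: sorted(f"{s} -> {d}" for s, d in pairs)
    return fmt(expected - ios), fmt(ios - expected)


# Constructed samples: the page's KAUAI-VPN ACL and an IOS mirror that is
# deliberately missing the 192.168.254.0/24 entry.
ASA_CFG = """
access-list KAUAI-VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list KAUAI-VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list KAUAI-VPN extended permit ip 192.168.254.0 255.255.255.0 192.168.3.0 255.255.255.0
"""
IOS_CFG = """
ip access-list extended MAUI-VPN
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

if __name__ == "__main__":
    missing, extra = mirror_check(asa_pairs(ASA_CFG, "KAUAI-VPN"), ios_pairs(IOS_CFG))
    print("missing on IOS:", missing)     # ['192.168.3.0/24 -> 192.168.254.0/24']
    print("unexpected on IOS:", extra)    # []
    try:
        net_from_wildcard("192.168.3.0", "255.255.255.0")
    except ValueError as err:
        print("rejected:", err)
```

Run it against the output of show running-config on both peers; an empty pair of lists means every flow the ASA will encrypt is one the router will also encrypt, which is the condition for Phase 2 proxy identities to agree.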
Configure the crypto map "CMAP" and use sequence 10 to define IPsec security associations for the Site-to-Site VPN tunnel to Maui. We use the same crypto map name here as on the ASA, though this is not required.
crypto map CMAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set ESP-DES-MD5
match address MAUI-VPN
Configure the isakmp policy to match ikev1 policy 10 on the ASA.
crypto isakmp policy 10
encr des
hash md5
authentication pre-share
group 2
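Phase 1 fails if any of encryption, hash, authentication and DH group differ, and attributes omitted from a policy fall back to platform defaults that are not the same on ASA and IOS. The added Python checker below (not part of the original document) parses both policy sets, lists the pairs that would negotiate, and flags deprecated algorithms. The ASA ikev1 policy sample is constructed to match the IOS policy above, and the two default tables are assumptions about each platform's documented defaults, so verify them against the software you run. For the lab policy used here, DES, MD5 and DH group 2 all show up as weak.

```python
"""Added example (not Cisco code): check that an ASA IKEv1 policy and an IOS
ISAKMP policy agree on the negotiated Phase 1 attributes, and flag deprecated
algorithms. Platform default values below are assumptions, not read from a device."""
import re

# Attributes a policy may omit, with the value each platform then uses
# (assumed defaults; verify against the software version you run).
ASA_DEFAULTS = {"encryption": "3des", "hash": "sha", "authentication": "pre-share",
                "group": "2", "lifetime": "86400"}
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}
# Values a security review should reject in a new deployment.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}

# "crypto isakmp policy N" (IOS) or "crypto ikev1 policy N" (ASA) plus its indented body.
POLICY_RE = re.compile(r"crypto (?:isakmp|ikev1) policy (\d+)\n((?:[ \t]+\S.*\n?)+)")
ALIASES = {"encr": "encryption"}  # IOS abbreviates the keyword


def parse_policies(config, defaults):
    """Return {sequence: {attribute: value}} for every policy block in config."""
    policies = {}
    for seq, body in POLICY_RE.findall(config):
        attrs = dict(defaults)
        for line in body.splitlines():
            parts = line.split()
            if not parts:
                continue
            key = ALIASES.get(parts[0], parts[0])
            if key in attrs:
                attrs[key] = "-".join(parts[1:])  # "aes 256" (IOS) -> "aes-256" (ASA form)
        policies[int(seq)] = attrs
    return policies


def matching_policies(asa, ios):
    """(asa_seq, ios_seq) pairs that would complete Phase 1: encryption, hash,
    authentication and DH group must all be equal. Lifetime need not match;
    the peers settle on the shorter of the two."""
    core = ("encryption", "hash", "authentication", "group")
    return sorted((a, i) for a, pa in asa.items() for i, pi in ios.items()
                  if all(pa[k] == pi[k] for k in core))


def weak_attributes(policy):
    """Sorted 'attribute=value' strings for any deprecated choice in the policy."""
    return sorted(f"{k}={policy[k]}" for k, bad in WEAK.items() if policy[k] in bad)


# Constructed samples: an ASA policy matching the page's IOS policy 10, and a
# second, stronger IOS policy that has no ASA counterpart.
ASA_CFG = """crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
"""
IOS_CFG = """crypto isakmp policy 10
 encr des
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr aes 256
 hash sha
 authentication pre-share
 group 14
"""

if __name__ == "__main__":
    asa = parse_policies(ASA_CFG, ASA_DEFAULTS)
    ios = parse_policies(IOS_CFG, IOS_DEFAULTS)
    print("negotiable pairs:", matching_policies(asa, ios))    # [(10, 10)]
    for seq, pol in asa.items():
        print(f"ASA policy {seq} weak:", weak_attributes(pol))  # ['encryption=des', 'group=2', 'hash=md5']
```

An empty list from matching_policies is the textbook cause of a tunnel stuck in MM_NO_STATE; a non-empty list from weak_attributes is the cue to add an AES/SHA/group 14 policy on both sides before retiring the DES one.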
Assign the crypto map to the Kauai 871 outside interface. Only 1 crypto map may be applied per interface, which is

Verify the tunnel with a ping from the Kauai inside address to Maui:

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/78/80 ms
Step 4: Easy VPN Configuration

We will configure Easy VPN between the Maui ASA and the Oahu 871. The subnets below will be enabled for IPsec protection.

[Diagram: Maui ASA (1.1.1.1) and Oahu 871 (DSL, dynamic address) joined by an IPsec tunnel across the Internet. Tunneled networks: 192.168.1.0/24, 192.168.3.0/24 and 192.168.254.0/24 behind Maui; 192.168.2.0/24 behind Oahu.]
Maui ASA Easy VPN Configuration

We will use the previously defined transform set for our Easy VPN connection.

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
Create the dynamic crypto map "DMAP" and assign the transform set ESP-DES-MD5. This dynamic crypto map will be used for Easy VPN and Client VPN connections, whose peer addresses are not known in advance.
crypto dynamic-map DMAP 10 set ikev1 transform-set ESP-DES-MD5
Bind the dynamic crypto map "DMAP" to the previously defined crypto map "CMAP". Notice the dynamic crypto map is assigned the highest (last) possible sequence number. Ensure you do this so that Site-to-Site VPN connections match their static entries first and never fall through to the dynamic crypto map. ASA names are case-sensitive, so write the name exactly as it was defined.

crypto map CMAP 65535 ipsec-isakmp dynamic DMAP
Configure a standard ACL listing the networks the Oahu client should tunnel (encrypt) through the VPN. With EzVPN this split-tunnel list is pushed to the Oahu 871 when it connects, so no matching crypto ACL is required there.
access-list OAHU-VPN standard permit 192.168.1.0 255.255.255.0
access-list OAHU-VPN standard permit 192.168.3.0 255.255.255.0
access-list OAHU-VPN standard permit 192.168.254.0 255.255.255.0
Step 5: Client VPN Configuration

We will configure Client VPN support on the Maui ASA for Home Office users. Home Office user authentication will be maintained locally on the ASA. Home Offices will be allocated IPs in the 192.168.254.0/24 subnet and be granted VPN access to all corporate locations. The subnets below will be enabled for IPsec protection.

[Diagram: Maui ASA (1.1.1.1) and Home Office Client VPN users (DSL) joined by an IPsec tunnel across the Internet. Tunneled networks: 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 behind Maui; 192.168.254.0/24 for the clients.]
Configure the ASA to hand out Corporate routable IP space to Home Office VPN Clients.
ip local pool CLIENT-POOL 192.168.254.1-192.168.254.254 mask 255.255.255.0
Configure an ACL that determines which networks to Tunnel (encrypt) through the Home Office VPN.
access-list CLIENT-VPN standard permit 192.168.1.0 255.255.255.0
access-list CLIENT-VPN standard permit 192.168.2.0 255.255.255.0
access-list CLIENT-VPN standard permit 192.168.3.0 255.255.255.0
Configure a VPN Group Policy and supply the split-tunnel ACL. Configure DNS information for Corporate name
resolution.
group-policy CLIENTVPN-GP internal
group-policy CLIENTVPN-GP attributes
dns-server value 192.168.1.99 192.168.1.100
default-domain cisco.com
address-pools value CLIENT-POOL
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CLIENT-VPN
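How the client applies the split-tunnel policy is worth seeing in code. The added Python example below (not part of the original document) models the three ASA split-tunnel-policy keywords and checks which corporate networks the CLIENT-VPN list leaves uncovered. Note that the 192.168.254.0/24 pool itself is not in the list, so with tunnelspecified a home-office user's traffic to another home-office user's VPN address goes to the local ISP rather than through the ASA; add the pool to the list if client-to-client reachability is wanted. Function names are the example's own; the sample networks are taken from the page's configuration.

```python
"""Added example (not Cisco code): how a VPN client routes each destination under
the ASA's three split-tunnel-policy keywords, plus a coverage check for the
split-tunnel network list."""
import ipaddress

# Constructed from the page: corporate networks and the CLIENT-VPN split list.
MAUI = ipaddress.ip_network("192.168.1.0/24")
OAHU = ipaddress.ip_network("192.168.2.0/24")
KAUAI = ipaddress.ip_network("192.168.3.0/24")
HOME_POOL = ipaddress.ip_network("192.168.254.0/24")
CLIENT_VPN = [MAUI, OAHU, KAUAI]  # access-list CLIENT-VPN standard permit ...


def route_decision(dst, policy, network_list):
    """'tunnel' or 'local' for destination dst under the given split-tunnel-policy."""
    dst = ipaddress.ip_address(dst)
    listed = any(dst in net for net in network_list)
    if policy == "tunnelall":          # everything, Internet included, goes to the ASA
        return "tunnel"
    if policy == "tunnelspecified":    # only listed networks enter the tunnel
        return "tunnel" if listed else "local"
    if policy == "excludespecified":   # everything except listed networks enters the tunnel
        return "local" if listed else "tunnel"
    raise ValueError(f"unknown split-tunnel-policy {policy!r}")


def uncovered(networks, network_list):
    """Networks that tunnelspecified would send to the local ISP because no entry
    in the split list contains them."""
    return [str(n) for n in networks
            if not any(n.subnet_of(entry) for entry in network_list)]


if __name__ == "__main__":
    for dst in ("192.168.3.5", "192.168.254.7", "8.8.8.8"):
        print(dst, route_decision(dst, "tunnelspecified", CLIENT_VPN))
    # The pool itself is not in CLIENT-VPN, so client-to-client traffic is not tunneled.
    print("not tunneled:", uncovered([MAUI, OAHU, KAUAI, HOME_POOL], CLIENT_VPN))  # ['192.168.254.0/24']
```

tunnelall is the safer default when the endpoint is untrusted, since it denies the client a simultaneous clear-text path to the Internet; tunnelspecified, as used on this page, trades that for lower load on the ASA and must be backed by a list that really covers every internal destination.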
Configure a VPN User Account and associate this to the Client VPN Group Policy.
username john.smith password cisco!
username john.smith attributes
vpn-group-policy CLIENTVPN-GP
Configure a VPN Tunnel Group and bind the Group Policy. Associate the IP Pool for address assignment.