[HELP] IPSec VPN Tunnel

PS3: Hi, I am trying to set up a persistent IPSec VPN tunnel between two Cisco ASA firewalls. While this is pretty straightforward and I understand we need to exchange the pre-shared key, the encryption settings and the endpoint public IPs and then route the interesting traffic, I have a slightly different scenario. In this setup one of the ASA firewalls is not the edge device. There is another firewall as the edge device and the ASA is a second-level firewall within the network. Yes, the ASA has a private IP on both its inside and outside interfaces. The inside IP of the other firewall is also private and only its outside interface has a public IP. So the scenario is to set up a tunnel between a Cisco ASA with a public interface as the edge device and another Cisco ASA with a private IP, since it is the second firewall on the other side. My guess is we will need to forward some information like port numbers via the first firewall, but I am not sure what the complications of this are. Not sure how to proceed or what kind of traffic I need to allow on the edge firewall at the remote end. The more common scenario, I guess, is a router as the edge device where the VPN traffic is extended to the internal firewall.
I hope my question is clear and any suggestion, or even better an example of the config, would be appreciated.
Thanks
Reply: Can you post a diagram with the relevant devices and (proposed) IP addressing you're planning for this setup? It'd help visualize exactly what you're planning / proposing.
Regards
PS3, reply: Attached is a simple representation of the proposed network diagram. Hope this helps you understand what I am looking for.
The VPN tunnel is between the ASAs on both ends. However, at the client end the edge device is a router which needs to allow the VPN tunnel to terminate on the ASA behind it. For this I wanted to know what ports need to be set to forward from the router to the ASA. Is there anything else I need to know? Please note the outside IP of the ASA on the client side is a private IP address.
aryoba (Premium, MVM), reply to PS3:
said by PS3: My guess is we will need to forward some information like port numbers via the first firewall, but I am not sure what the complications of this are. Not sure how to proceed or what kind of traffic I need to allow on the edge firewall at the remote end.

Your scenario is pretty typical in a lot of organizations. Yes, you are correct that the edge (first) firewall must pass through the IP protocols needed for IPSec. A typical IPSec VPN tunnel uses Protocol 50 (ESP), Protocol 51 (AH), UDP 500 (ISAKMP), and UDP 4500 (IPsec NAT-Traversal). In addition, the first firewall needs to do static NAT between an unused public IP address and the IPSec VPN concentrator's private IP address (the second firewall), should the first firewall do NAT/PAT for your network.
When the first firewall has the static NAT and has the protocols and ports open, then you should be in good shape. If you need to open more ports or protocols, you can always packet sniff and go from there.
HELLFIRE, reply to PS3: So for the pseudoconfigs:

ASA (10.10.10.9):
 - crypto peer 30.40.50.60, etc, etc, etc

ROUTER:
 - inbound ACL: permit udp 30.40.50.60 any eq 50, 51, 500, 4500
 - ip nat inside source static udp 10.10.10.14 50, 51, 500, 4500 int 50, 51, 500, 4500

ASA (30.40.50.60):
 - crypto peer -- not sure you set the peer address as 20.30.40.50 or 10.10.10.x

...I figured I'd do some learning here myself.
Regards
PS3, reply: Thanks guys for the suggestions. I will try this out and hopefully it should go well.
aryoba (Premium, MVM), reply to HELLFIRE:
said by HELLFIRE: ASA (30.40.50.60): - crypto peer -- not sure you set the peer address as 20.30.40.50 or 10.10.10.x ...I figured I'd do some learning here myself.

The peer address should be 20.30.40.50 (whatever public IP address of the ASA is visible on the Internet).
aryoba (Premium, MVM), reply to HELLFIRE:
said by HELLFIRE: ROUTER: - ip nat inside source static udp 10.10.10.14 50, 51, 500, 4500 int 50, 51, 500, 4500

Note that the ESP and AH protocols do not have a concept of port numbers, unlike TCP and UDP. Therefore in a site-to-site IPSec VPN you can't really use static PAT. This is the reason why there should be a dedicated public IP address that is only used for the IPSec VPN.
Assuming the dedicated public IP address for the IPSec VPN is 20.30.40.50 and assuming the ASA outside interface IP address is 10.10.10.9, then the static NAT configuration on the router should look like the following:

ip nat inside source static 10.10.10.9 20.30.40.50

said by HELLFIRE: ROUTER: - inbound ACL: permit udp 30.40.50.60 any eq 50, 51, 500, 4500

The ACL does not need to permit UDP ports 50 and 51. You do need to open up Protocols 50 (ESP) and 51 (AH). FYI, you may find in the ASA configuration that the ASA typically uses ESP instead of AH.
With that in mind, the inbound ACL should look like the following:

permit 50 host 30.40.50.60 host 20.30.40.50
permit 51 host 30.40.50.60 host 20.30.40.50
permit udp host 30.40.50.60 host 20.30.40.50 eq 500
permit udp host 30.40.50.60 host 20.30.40.50 eq 4500
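The point aryoba makes above (ESP and AH are IP protocols without port numbers, so a UDP/port-based entry can never pass them) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small checker that parses edge-router ACL entries in the `permit <proto> host A host B [eq N]` form and reports which of the four required IPsec flows from the remote peer to the dedicated public address are not permitted. The addresses 30.40.50.60 and 20.30.40.50 are the thread's; the port-only ACL is a constructed variant of the mistake discussed.

```python
from dataclasses import dataclass
from typing import List, Optional

# IOS extended-ACL protocol keywords; numeric protocol IDs are also accepted.
PROTO_NAMES = {"esp": 50, "ahp": 51, "udp": 17, "tcp": 6}

@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None   # None: the protocol carries no port (ESP/AH)

def required_ipsec_flows(peer: str, vpn_ip: str) -> List[Flow]:
    """Inbound flows a site-to-site IPsec peer needs passed by the edge device."""
    return [
        Flow(50, peer, vpn_ip),        # ESP, IP protocol 50, no port numbers
        Flow(51, peer, vpn_ip),        # AH, IP protocol 51, no port numbers
        Flow(17, peer, vpn_ip, 500),   # ISAKMP / IKE
        Flow(17, peer, vpn_ip, 4500),  # IPsec NAT-Traversal
    ]

def parse_ace(line: str) -> Flow:
    """Parse a minimal IOS ACE: 'permit <proto> host A host B [eq N]'."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "permit" or tok[2] != "host" or tok[4] != "host":
        raise ValueError(f"unsupported entry: {line}")
    proto = int(tok[1]) if tok[1].isdigit() else PROTO_NAMES[tok[1]]
    dport = int(tok[7]) if len(tok) >= 8 and tok[6] == "eq" else None
    return Flow(proto, tok[3], tok[5], dport)

def ace_permits(ace: Flow, flow: Flow) -> bool:
    if (ace.proto, ace.src, ace.dst) != (flow.proto, flow.src, flow.dst):
        return False
    if flow.dport is None:                     # ESP/AH: 'eq' can never apply
        return ace.dport is None
    return ace.dport in (None, flow.dport)     # UDP: any port, or the exact port

def missing_flows(acl_lines: List[str], peer: str, vpn_ip: str) -> List[Flow]:
    """Return the required IPsec flows that no entry in acl_lines permits."""
    aces = [parse_ace(line) for line in acl_lines]
    return [f for f in required_ipsec_flows(peer, vpn_ip)
            if not any(ace_permits(a, f) for a in aces)]

# Constructed inputs: the corrected ACL from the thread, and a port-only
# variant that treats ESP/AH as if they were UDP ports 50 and 51.
GOOD_ACL = [
    "permit 50 host 30.40.50.60 host 20.30.40.50",
    "permit 51 host 30.40.50.60 host 20.30.40.50",
    "permit udp host 30.40.50.60 host 20.30.40.50 eq 500",
    "permit udp host 30.40.50.60 host 20.30.40.50 eq 4500",
]
PORT_ONLY_ACL = [f"permit udp host 30.40.50.60 host 20.30.40.50 eq {p}"
                 for p in (50, 51, 500, 4500)]
```

Running `missing_flows(PORT_ONLY_ACL, "30.40.50.60", "20.30.40.50")` returns the ESP and AH flows, while the corrected ACL returns an empty list.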
HELLFIRE, reply to PS3: Hence why I said it was a pseudoconfig... I thought I had most of it down, but thanks for catching me on the NAT static stuff, aryoba. I KNEW it was one or the other but I was in a hurry at the time I posted that up.
I think you can also construct the ACL entry for ESP/AH as:

permit (src) (dst) eq ESP
permit (src) (dst) eq AH

I'll have to dig up a lab router to test that.
Regards