Site to Site VPN With Internet Access (Hairpinning) - XeruNetworks
2/20/2014 Site to Site VPN with Internet Access (Hairpinning) - XeruNetworks
http://www.xerunetworks.com/2011/12/site-to-site-vpn-with-internet-access/ 1/13
Dec 20
Site to Site VPN with Internet Access (Hairpinning)
Categories: GNS3, Security, VPN
by malikyounas
The primary purpose of this lab is to test a site-to-site VPN and to make
sure that users at the remote site are able to access the internet via the main site.
You will see in the post that all of the configuration is similar to a
normal L2L config between a router and a firewall; the only additions are
an extra NAT statement and a permit statement on the ASA at the main site,
so that remote-site users can be NATed out of the main site.
Internet Access through Site to Site VPN
Site Setup
The following devices are considered to be at the main site:
ASA1
R4
The following devices are considered to be part of the ISP:
R2
R3
The following devices are considered to be the branch office:
R5
GNS3
I have built this lab in GNS3 and mainly used the following two links to get the ASA working in GNS3:
http://forum.gns3.net/topic4088.html
http://forum.gns3.net/topic2405.html
Configurations

******************************************************
ASA1
******************************************************
ASA Version 8.0(2)
!
hostname asa1
Enable password is cisco
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.10.30.6 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.30.13 255.255.255.252
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot config disk0:/.private/startup-config
ftp mode passive
The following command ensures that traffic received on an interface is permitted to leave
through that same interface. The default behaviour is to deny traffic going back out the interface it
arrived on. This is required here because the L2L traffic is received on the outside interface and, to reach
the internet, must leave through that same interface. The command is not needed if remote users only
need main-site services and not internet access.
same-security-traffic permit intra-interface
Just two ACLs to allow traffic on the interfaces; these can be customised to specific requirements.
access-list inside-in extended permit ip any any log
access-list outside-in extended permit ip any any log
This ACL is used to bypass NAT for all traffic leaving the main site for the remote site.
access-list nonat extended permit ip any 10.10.20.0 255.255.255.0
This ACL defines the interesting traffic that will be encrypted and tunnelled to the remote site over the L2L VPN.
access-list ipsec-conn extended permit ip any 10.10.20.0 255.255.255.0
This ACL selects the traffic to be NATed when it leaves for the internet or any other external network.
access-list nat-internal extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/.private/asdm-615.bin
no asdm history enable
arp timeout 14400
Enable NAT control (a NAT rule is then required for traffic crossing the firewall)
nat-control
Enable the outside interface address to be used for NAT (PAT)
global (outside) 1 interface
Now, this NAT statement says that any IP from the remote network should be NATed when it
wants to go out to the internet or any other external network.
nat (outside) 1 10.10.20.0 255.255.255.0
This NAT statement refers to ACL 'nonat', which ensures that any traffic destined for the remote
network is not NATed.
nat (inside) 0 access-list nonat
This NAT statement refers to ACL 'nat-internal' to NAT internal addresses that want to go out to the
internet or external networks.
nat (inside) 1 access-list nat-internal
access-group outside-in in interface outside
access-group inside-in in interface inside
!
router eigrp 1
no auto-summary
network 10.10.30.4 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 10.10.30.5 1
route inside 10.10.40.0 255.255.255.0 10.10.30.14 1
route inside 10.11.40.0 255.255.255.0 10.10.30.14 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa local authentication attempts max-fail 16
http server enable
http 10.10.60.2 255.255.255.255 outside
http 10.10.20.2 255.255.255.255 outside
http 10.10.30.10 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
L2L VPN Config
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec df-bit clear-df outside
crypto map forsberg 21 match address ipsec-conn
crypto map forsberg 21 set peer 10.10.30.10
crypto map forsberg 21 set transform-set avalanche
crypto map forsberg interface outside
crypto ca trustpoint localtrust
enrollment self
fqdn sslvpn.abc.com
subject-name CN=sslvpn.abc.com
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=asa1
proxy-ldc-issuer
crl configure
L2L VPN Config
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
ssl trust-point localtrust outside
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
L2L VPN Config
tunnel-group 10.10.30.10 type ipsec-l2l
tunnel-group 10.10.30.10 ipsec-attributes
pre-shared-key cisco
prompt hostname context
Cryptochecksum:6439298ff5b8a24e6dd80fecfb87b428
: end
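To make the ordering of the NAT exemption, dynamic NAT and crypto-map rules above concrete, here is an added Python model of how ASA1 classifies a flow; it is not code from the original post. Prefixes and addresses are taken from the config; the branch-to-main-site case (decrypted packets routed to inside unchanged) is the model's assumption.

```python
import ipaddress

# Added model of ASA1's pre-8.3 NAT / crypto-map policy from this page (not the
# post's own code). Branch-to-inside handling is an assumption of the model.
BRANCH = ipaddress.ip_network("10.10.20.0/24")   # nat (outside) 1, nonat, ipsec-conn
OUTSIDE_IP = ipaddress.ip_address("10.10.30.6")  # global (outside) 1 interface
MAIN_SITE = [ipaddress.ip_network(n)             # route inside ... 10.10.30.14
             for n in ("10.10.40.0/24", "10.11.40.0/24", "10.10.30.12/30")]


def classify_flow(src, dst, ingress, intra_interface=True):
    """Return (egress_interface, source_seen_on_egress, encrypted) for a
    forwarded flow, or ("drop", reason) when ASA1's policy would not pass it.
    intra_interface mirrors 'same-security-traffic permit intra-interface'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if ingress == "inside":
        if dst in BRANCH:
            # nat (inside) 0 access-list nonat -> no translation, then
            # crypto map forsberg 21 match address ipsec-conn -> encrypted
            return ("outside", str(src), True)
        # nat (inside) 1 access-list nat-internal -> PAT to the outside address
        return ("outside", str(OUTSIDE_IP), False)
    if ingress == "outside" and src in BRANCH:
        # Packet was just decrypted from the branch tunnel (R5 sends everything)
        if any(dst in net for net in MAIN_SITE):
            return ("inside", str(src), False)   # model assumption: routed unchanged
        if not intra_interface:
            return ("drop", "outside->outside hairpin needs "
                            "same-security-traffic permit intra-interface")
        # nat (outside) 1 10.10.20.0 255.255.255.0 -> PAT, then back out 'outside'
        return ("outside", str(OUTSIDE_IP), False)
    return ("drop", "flow not covered by this model")


def hairpin_summary():
    """Constructed sample flows showing why the extra NAT line and the
    intra-interface permit are needed for branch internet access."""
    cases = {
        "main->branch": classify_flow("10.10.40.1", "10.10.20.5", "inside"),
        "main->internet": classify_flow("10.10.40.1", "198.51.100.7", "inside"),
        "branch->main": classify_flow("10.10.20.5", "10.10.40.1", "outside"),
        "branch->internet": classify_flow("10.10.20.5", "198.51.100.7", "outside"),
        "branch->internet, no intra-interface":
            classify_flow("10.10.20.5", "198.51.100.7", "outside", False),
    }
    for name, result in cases.items():
        print(f"{name:40} {result}")
    return cases
```

The last case is the failure mode the post warns about: without the intra-interface permit, branch traffic decrypted on outside is dropped rather than hairpinned back out to the internet.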
******************************************************
R5
******************************************************

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
L2L VPN Config
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 10.10.30.6
!
crypto ipsec transform-set sharks esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
set peer 10.10.30.6
set transform-set sharks
match address 120
!
interface FastEthernet0/0
ip address 10.10.30.10 255.255.255.252
ip virtual-reassembly
duplex auto
speed auto
crypto map nolan
!
interface FastEthernet0/1
ip address 10.10.20.1 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
!
no ip http server
no ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.30.9
!
ACL used for the L2L VPN config
access-list 120 permit ip 10.10.20.0 0.0.0.255 any
!
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
end
******************************************************
R2
******************************************************
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
interface FastEthernet0/0
ip address 10.10.30.5 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.10.30.1 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 10.10.30.9 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet2/0
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 1
network 10.10.30.0 0.0.0.3
network 10.10.30.4 0.0.0.3
network 10.10.30.8 0.0.0.3
no auto-summary
!
no ip http server
ip forward-protocol nd
!
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end

******************************************************
R4
******************************************************
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
interface Loopback0
ip address 10.10.40.1 255.255.255.0
!
interface Loopback1
ip address 10.11.40.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.10.30.14 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 1
network 10.10.30.12 0.0.0.3
network 10.10.40.0 0.0.0.255
no auto-summary
!
no ip http server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.30.13
!
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end
******************************************************
R7
******************************************************
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R7
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
interface FastEthernet0/0
ip address 10.10.30.18 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.10.60.1 255.255.255.0
duplex auto
speed auto
!
router eigrp 1
network 10.10.30.16 0.0.0.3
network 10.10.60.0 0.0.0.255
no auto-summary
!
no ip http server
no ip http secure-server
ip forward-protocol nd
!
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
end