Basic information
The Cisco IOS router contains the IOS version c2900-universalk9-mz.SPA.152-4.M4.bin.
Both Cisco ASA’s 5505 contains the ASA software version 8.0(5)
The Scenario will look like this:
First I will explain the configuration of the IOS router.
Cisco IOS 2921 configuration
First the vpn configuration (site to site). This configuration contains also a VPN Client configuration on the Main location.
crypto keyring Router01-to-ASA01
pre-shared-key address <remote address 1> key TunnelKEY01
crypto keyring Router01-to-ASA02
pre-shared-key address <remote address 2> key TunnelKEY02
crypto logging session
crypto logging ezvpn
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp fragmentation
crypto isakmp nat keepalive 15
!
crypto isakmp client configuration group VPNCLIENT
key VpnCl!ent
dns 192.168.0.1
domain <yourdomain>
pool ILP_CVPN_CLIENT
acl ACL_CVPN_CLIENT
save-password
crypto isakmp profile CIP_CVPN_CLIENT
match identity group VPNCLIENT
client authentication list CVPN
isakmp authorization list CVPN
client configuration address respond
crypto isakmp profile Router01-to-ASA01
keyring Router01-to-ASA01
match identity address <remote address 1> 255.255.255.255
crypto isakmp profile Router01-to-ASA02
keyring Router01-to-ASA02
match identity address <remote address 2> 255.255.255.255
!
!
crypto ipsec transform-set CIT_CVPN_CLIENT esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set CIT_Router01-to-ASA01_VPN esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set CIT_Router01-to-ASA02_VPN esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto dynamic-map CDM_CVPN_CLIENT 10
set transform-set CIT_CVPN_CLIENT
set isakmp-profile CIP_CVPN_CLIENT
!
!
crypto map CMP_CVPN_CLIENT 1 ipsec-isakmp
set peer <remote address 1>
set transform-set CIT_Router01-to-ASA02_VPN
set isakmp-profile Router01-to-ASA01
match address 100
crypto map CMP_CVPN_CLIENT 2 ipsec-isakmp
set peer <remote address 2>
set transform-set CIT_Router01-to-ASA02_VPN
set isakmp-profile Router01-to-ASA02
match address 101
crypto map CMP_CVPN_CLIENT 65535 ipsec-isakmp dynamic CDM_CVPN_CLIENT
Interface GigabitEthernet 0/0
crypto map CMP_CVPN_CLIENT
To allow data traffic you need to add. The Access-lists (100 and 101). For each network I use a different access-list. To keep it straight if 1 remote office will be discontinued by the company. Than you can remove easily the access-list without getting the issue that the other remote office lose their connection to the main office.
access-list 100 remark Router01-to-ASA01
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 remark Router01-to-ASA02
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
With the IOS uses on the router you need to add a new rule to your static forwarder otherwise the static forwarded traffic for example SMTP won’t get through the VPN tunnel, you need to a route-map to the static forwarder like below.
ip nat inside source static tcp 192.168.0.2 25 interface GigabitEthernet0/0 25 route-map static-no-nat extendable
Create an Extended Access-list with deny to the remote networks.
ip access-list extended static-no-nat
deny ip any 192.168.2.0 0.0.0.255
deny ip any 192.168.3.0 0.0.0.255
permit ip any any
Create a route-map
route-map static-no-nat permit 10
match ip address static-no-nat
Cisco ASA 01 Configuration
The basic of the configuration for both Cisco ASA models. The only change is last part of the configuration and the IP addresses of course.
object-group network REMOTE-NETWORK
network-object 192.168.0.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 object-group REMOTE-NETWORK
access-list outside_access_in extended permit ip object-group REMOTE-NETWORK 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group REMOTE-NETWORK
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in in interface outside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer <main office ip address>
crypto map outside_map 2 set transform-set strong
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
tunnel-group <main office ip address> type ipsec-l2l
tunnel-group <main office ip address> ipsec-attributes
pre-shared-key TunnelKEY01
The tunnel will be online directly (as I noticed when I configured this to all objects. Sample Configurations will be added later to this blog post.