ASA doesn't support tunnel interfaces, but we can still set up route-based IPsec VPNs, and that is what I am going to show.
As we don't have tunnel interfaces available, we have to dedicate a physical interface or create a logical subinterface for this scenario. We then have one outside interface for general internet access and another outside interface used only for route-based VPN tunnels. I'm going to explain how to set up route-based VPNs on ASA using the following topology:
Interfaces settings on local-asa:
interface Ethernet0/0
no shutdown
!
interface Ethernet0/0.100
vlan 100
nameif outside
security-level 0
ip address 172.16.100.2 255.255.255.0
!
interface Ethernet0/0.200
vlan 200
nameif vpn
security-level 0
ip address 172.16.200.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.0.1 255.255.255.0
no shutdown
The ACL used for traffic encryption should match any packet sent through the vpn interface. That is the only configuration difference between a policy-based VPN and a route-based one:
access-list enc-domain extended permit ip any any
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto map VPN 1 match address enc-domain
crypto map VPN 1 set peer 172.31.200.2
crypto map VPN 1 set transform-set esp-3des-sha
crypto map VPN interface vpn
crypto isakmp enable vpn
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group 172.31.200.2 type ipsec-l2l
tunnel-group 172.31.200.2 ipsec-attributes
pre-shared-key cisco
We need a static route to the remote peer via the vpn interface; otherwise the tunnel would be established on the outside interface. We also add static routes for any remote subnet that we need to reach through the VPN tunnel:
route outside 0.0.0.0 0.0.0.0 172.16.100.1 1
route vpn 172.31.200.2 255.255.255.255 172.16.200.1 1
route vpn 10.2.0.0 255.255.255.0 172.31.200.2 1
route vpn 10.20.0.0 255.255.255.0 172.31.200.2 1
Interfaces settings on remote-asa:
interface Ethernet0/0
no shutdown
!
interface Ethernet0/0.100
vlan 100
nameif outside
security-level 0
ip address 172.31.100.2 255.255.255.0
!
interface Ethernet0/0.200
vlan 200
nameif vpn
security-level 0
ip address 172.31.200.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.2.0.1 255.255.255.0
no shutdown
VPN policy on remote-asa:
access-list enc-domain extended permit ip any any
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto map VPN 1 match address enc-domain
crypto map VPN 1 set peer 172.16.200.2
crypto map VPN 1 set transform-set esp-3des-sha
crypto map VPN interface vpn
crypto isakmp enable vpn
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group 172.16.200.2 type ipsec-l2l
tunnel-group 172.16.200.2 ipsec-attributes
pre-shared-key cisco
Static routes on remote-asa:
route outside 0.0.0.0 0.0.0.0 172.31.100.1 1
route vpn 172.16.200.2 255.255.255.255 172.31.200.1 1
route vpn 10.1.0.0 255.255.255.0 172.16.200.2 1
route inside 10.20.0.0 255.255.255.0 10.2.0.2 1
IPsec SA on local-asa:
local-asa(config)# sh ipsec sa
interface: vpn
Crypto map tag: VPN, seq num: 1, local addr: 172.16.200.2
access-list enc-domain permit ip any any
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 172.31.200.2
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 14, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.16.200.2, remote crypto endpt.: 172.31.200.2
...
Routing table on local-asa:
local-asa(config)# sh route
Gateway of last resort is 172.16.100.1 to network 0.0.0.0
C 172.16.200.0 255.255.255.0 is directly connected, vpn
C 172.16.100.0 255.255.255.0 is directly connected, outside
S 172.31.200.2 255.255.255.255 [1/0] via 172.16.200.1, vpn
S 10.2.0.0 255.255.255.0 [1/0] via 172.31.200.2, vpn
C 10.1.0.0 255.255.255.0 is directly connected, inside
S 10.20.0.0 255.255.255.0 [1/0] via 172.31.200.2, vpn
S* 0.0.0.0 0.0.0.0 [1/0] via 172.16.100.1, outside
asa(config)# end
asa# wr mem
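The routing rule above (the peer must be reached out of the interface that carries the crypto map, with a gateway on that interface's subnet) is easy to get wrong, so here is an added example, not part of the original post, that checks an ASA config for it in Python. The sample config is constructed from the addresses used above, and `parse_asa` / `check_peer_routes` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample (added here, cut down from the local-asa config above).
LOCAL_ASA = """
interface Ethernet0/0.100
 nameif outside
 ip address 172.16.100.2 255.255.255.0
interface Ethernet0/0.200
 nameif vpn
 ip address 172.16.200.2 255.255.255.0
crypto map VPN 1 set peer 172.31.200.2
crypto map VPN interface vpn
route outside 0.0.0.0 0.0.0.0 172.16.100.1 1
route vpn 172.31.200.2 255.255.255.255 172.16.200.1 1
"""
PEER_ROUTE = "route vpn 172.31.200.2 255.255.255.255 172.16.200.1 1"
# A common mistake: the peer route is given the outside gateway instead of the vpn one.
WRONG_GW = LOCAL_ASA.replace(PEER_ROUTE, PEER_ROUTE.replace("172.16.200.1", "172.16.100.1"))

def parse_asa(config):
    """Collect interface subnets, static routes, crypto-map peers and the bound interface."""
    ifaces, routes, peers, bound, nameif = {}, [], [], None, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            nameif = None  # new interface block
        elif m := re.match(r"nameif (\S+)$", line):
            nameif = m[1]
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and nameif:
            ifaces[nameif] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            routes.append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False), ipaddress.ip_address(m[4])))
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            peers.append(ipaddress.ip_address(m[1]))
        elif m := re.match(r"crypto map \S+ interface (\S+)", line):
            bound = m[1]
    return ifaces, routes, peers, bound

def check_peer_routes(config):
    """Return findings (longest-prefix match per peer); empty means every peer exits the crypto-map interface."""
    ifaces, routes, peers, bound = parse_asa(config)
    findings = []
    for peer in peers:
        ifname, net, gw = max((r for r in routes if peer in r[1]),
                              key=lambda r: r[1].prefixlen, default=("none", None, None))
        if ifname != bound:
            findings.append(f"{peer}: exits via {ifname} ({net}), crypto map is bound to {bound}")
        elif gw not in ifaces.get(bound, ()):
            findings.append(f"{peer}: gateway {gw} is not on the {bound} subnet")
    return findings
```

Dropping the host route entirely is reported too, because the default route via outside then becomes the best match for the peer.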
Interesting thought process. I was curious if you'd ever tried pairing an ASA with an IOS-based configuration. Something tells me there would be some issue with the proxy IP. I truly wished we would get VTI on the ASA.
What is 172.16.200.1?
The IP assigned to the sub-interface of the ISP router. This is used as the gateway for the VPN interface.
This is only static routes; am I correct in assuming that this would not work if you wanted to run dynamic routing (which is what every piece of documentation I've ever found says)?
Yes, it is possible. I will post an article explaining how it works with OSPF.
http://packetsneverlie.blogspot.com.br/2013/03/route-based-ipsec-vpn-with-ospf.html
How would I configure it for multiple IPsec tunnels?
Something like this?
access-list enc-domainX extended permit ip any subnetX
access-list enc-domainY extended permit ip any subnetY
crypto map VPN 1 match address enc-domainX
crypto map VPN 1 set peer 172.16.200.2
crypto map VPN 1 set transform-set esp-3des-sha
crypto map VPN 2 match address enc-domainY
crypto map VPN 2 set peer z.z.z.z
crypto map VPN 2 set transform-set esp-3des-sha
route vpn 172.16.200.2 255.255.255.255 172.31.200.1 1
route vpn z.z.z.z 255.255.255.255 172.31.200.1 1
route vpn y.y.y.y 255.255.255.0 z.z.z.z 1
You have to create one sub-interface for each peer and use the same "permit ip any any" encryption domain. The other steps are the same.
So would the "vpn" subIF have to be an actual public IP, or would I get away with just a public IP on the outside interface and then using an internal subnet dedicated for the endpoints?
The idea is, if I have 5 offices, I don't want to (or can't) have 6 public IPs to use for VPN endpoints.
You need a public IP assigned to each sub-interface, because it is the peer IP address that will be configured on the remote side. And you need one subif per tunnel.
Although we can set up route-based VPNs on ASAs, it's not a scalable solution. For multiple offices, the best options are L2L IPsec (on ASAs), and DMVPN or GETVPN (on IOS routers).
Thanks Rentao, that's what I kind of figured, I just wanted to be sure! We were hoping to leverage some existing hardware to connect to some offices that use policy based vpn devices instead (and allow for a single 0.0.0.0/0 encryption).
It looks like it's trying to build the request to the outside interface and not the vpn interface.. any ideas?
Sep 09 2013 16:38:08: %ASA-7-710005: UDP request discarded from 192.168.100.2/500 to outside:192.168.255.2/500
Make sure you have the crypto map bound to the 'vpn' interface. Show me your config if the crypto map is correctly applied.
Thanks again. It was a route on my end. The only odd thing I noticed about doing it this way is that I can't ping the "vpn" interface gateway or the actual remote peer external IP. I'm assuming this is because of the 0.0.0.0/0 crypto ACL.
Otherwise I can ping through the tunnel just fine.
interface Ethernet0/0.100
vlan 100
nameif outside
security-level 0
ip address 192.168.200.2 255.255.255.252
!
interface Ethernet0/0.200
vlan 200
nameif vpn
security-level 0
ip address 192.168.255.2 255.255.255.252
crypto ipsec transform-set TEST esp-3des esp-md5-hmac
crypto map VPN 1 match address enc-domain
crypto map VPN 1 set peer 192.168.100.2
crypto map VPN 1 set transform-set TEST
crypto map VPN interface vpn
crypto isakmp enable vpn
tunnel-group 192.168.100.2 type ipsec-l2l
tunnel-group 192.168.100.2 ipsec-attributes
pre-shared-key *
route outside 0.0.0.0 0.0.0.0 192.168.200.1 1
route vpn 192.168.1.0 255.255.255.0 192.168.100.2 1
route vpn 192.168.100.2 255.255.255.255 192.168.200.1 1
I think I see .. I have the vpn 192.168.100.2 going to the outside gw instead of the "vpn" gw.. Sorry to bother you! I'm going to assume that's it. Sometimes it's the simple things.
An advantage of VTI is that the output interface that is used can be made independent of the virtual interface. This allows routing to select the appropriate interface to get to the tunnel destination (i.e. selecting between a WAN and an internet interface). Is there a means of achieving this with your technique?
If you enable the crypto map on more than one interface, the ASA will use the routing table to find the best path to the remote peer and establish the tunnel.
Can we do this if we want to have a route-based VPN between a Cisco ASA and a Cisco 2921 router?
Yes. Using VTI on the router side.
I was just looking at this as an option for connecting to a VPN. Looking at your config, my ISP would have to allow me to have two different subnets and 2 different VLANs to make this work, correct?
That's right.
Is it possible to achieve this without a router sitting between your ASA and the internet? I have my ISP plugged directly into my ASA. The problem with this method is that the entire IP subnet block from my ISP must be assigned to my outside interface, so I can't pick out one public IP for another interface since it overlaps. I would REALLY love to make this work so that I can connect to an Azure dynamic gateway using my ASA.
You don't need a router if you have an ethernet link with the ISP. Can't you split the range into smaller subnets?
I have the same problem.
I am connected directly to my ISP and only have a limited number of IP addresses (less than the number of remote sites).
Is there any other way than to have one IP per remote site?
In your case, you will need to use standard policy based VPN or replace the ASA with a device that supports route-based (e.g. IOS router).
Hello,
I have followed the same IP addressing as above, except I am using a physical interface for vpn instead of a sub-interface; however, I am facing an issue.
interface Ethernet0/2
nameif vpn
security-level 0
ip address 172.16.200.2 255.255.255.0
route vpn 172.31.200.2 255.255.255.255 172.16.200.1 1
route vpn 10.2.0.0 255.255.255.0 172.31.200.2 1
I can see traffic coming in from the inside interface, but the firewall, as per the routes above, is sending ARPs for 172.16.200.1 on the interface vpn. However, I can see phase 1 being attempted but stuck in MM_WAIT_MSG2. I have checked on the remote firewall and I am not seeing any connection attempts.
Please advise.
Regards,
Abid Ghufran
It sounds like a routing problem between the peers. Do you see IKE traffic on the local gateway?
Hello,
I cannot ping the inside interface of the ASA (10.1.0.1 255.255.255.0) from hosts within the 10.2.0.0/24 network, nor ping hosts within 10.2.0.0/24 directly from the ASA (10.1.0.1 255.255.255.0).
What's wrong?
Have you enabled "management access" command and added icmp rules?
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/access_management.html#wp1064497
I found it (management-access inside) and this does not help.
Check the logs. You must find something useful there; otherwise you will need to troubleshoot using debugs and ASP type captures.
I think that ICMP ACLs for interfaces are unnecessary, because all the traffic is tunnelled (thanks to the crypto map). ICMP traffic between the LANs of the sites is working correctly.
Do you have NAT rules? Check this bug report: CSCtr16184
No, I do not use NAT rules, because it is a "route-based VPN".
But I created NAT statements for a test:
object network any-network
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) source static any-network any-network destination static any-network any-network no-proxy-arp route-lookup
nat (outside,inside) source static any-network any-network destination static any-network any-network no-proxy-arp route-lookup
The problem still exists. Can you test such communication in your lab environment?