
Morgan Stepp CCIE #12603 | morgstepp@gmail.com Page 1 of 15
Configuring Cisco VPN


Overview
A Virtual Private Network (VPN) securely extends network access to remote users. Cisco's VPN offering
comes in four major configurations: Site-to-Site, Easy VPN, Client, and SSL. The VPN deployment you choose
will depend upon your connectivity requirements.
This document provides the configuration details of each by deploying and interconnecting all four VPN types
for a single customer. The examples cover both ASA and IOS configurations. The following diagram
outlines our customer topology.
[Figure: customer topology diagram. Labels recovered from the image: Maui (ASA, 1.1.1.1, 192.168.1.0/24); Internet; Kauai (871, 3.3.3.3, 192.168.3.0/24) via Site-to-Site VPN; Oahu (871, DSL, 192.168.2.0/24) via EzVPN; Home Offices (DSL) via Client VPN and SSL VPN. Also labelled: 2911, 192.168.99.1, 192.168.99.2.]



Cisco Site-to-Site and Easy VPN Review
Site-to-Site and Easy VPN provide remote office connectivity and eliminate the need for individual desktop
client VPN applications. Each solution supports split tunneling, which allows Internet-destined traffic to be sent
unencrypted to the local ISP while Corporate-destined traffic is tunneled and encrypted.

Site-to-Site VPN requires remote offices to maintain a Static Public IP and is the premier solution for
permanent VPN connections. Examples of this are IPsec VPN, DMVPN, and GET VPN. Each VPN connection
requires a separate Tunnel-Policy with the Remote Public IP configured.

EzVPN can establish a VPN tunnel using either a DHCP or a static IP from an ISP. This is ideal for remote offices
and teleworkers with dynamic Internet access such as Cable or DSL. Configuration on EzVPN clients
(ASA/ISR) is minimal, as security policies are delivered from a central EzVPN server (ASA/ISR).

Cisco Client and SSL VPN Review
Client and SSL VPN provide remote-access connectivity to individual user desktops. Remote users can access
Corporate network resources securely from any Internet-enabled location. Both solutions support split
tunneling.

The Client VPN is pre-installed software that enables remote access using an IPsec-compliant implementation.
The client can be preconfigured for mass deployments and initial logins which require little user intervention.
VPN access policies and configurations are downloaded from the central gateway and pushed to the client
when a connection is established, allowing simple deployment and management.

Cisco's AnyConnect SSL solution provides remote users with secure VPN connections using Secure Sockets
Layer (SSL) and Datagram Transport Layer Security (DTLS). SSL authentication to AnyConnect is done via a
web browser, which can automatically download the AnyConnect client. The client can be installed on
Windows, Linux (multiple distributions) and Mac OS X.


VPN Configuration
In our VPN example, the majority of network resources reside in Maui. However, additional resources have
been installed in Oahu and Kauai. As a result, we need to provide connectivity for all users to all locations. For
example, users in Oahu should be able to communicate with users in Kauai through the ASA. Home Offices
should be allocated IPs in the 192.168.254.0/24 subnet and also be granted VPN access to all locations.


Step 1: ASA VPN Preparation - NAT Exemptions and Hairpinning
NAT is the enemy of VPNs. In the majority of implementations, the ASA provides NAT services for internal
sources behind the ASA to external destinations outside the ASA. We need to ensure that traffic from internal
sources to VPN destinations is not exposed to this NAT processing. For example, the Oahu 192.168.2.0/24 subnet
should appear to all Corporate segments with its original IP range. First, we define the networks we do not want to NAT.

object-group network MAUI
network-object 192.168.1.0 255.255.255.0
!
object-group network OAHU
network-object 192.168.2.0 255.255.255.0
!
object-group network KAUAI
network-object 192.168.3.0 255.255.255.0
!
object-group network HOME-OFFICE
network-object 192.168.254.0 255.255.255.0

Next, we instruct the ASA (8.4 or later) to exclude NAT for traffic matching the listed source and destination.
The "static MAUI MAUI" segment instructs the ASA to NAT MAUI to MAUI (itself), which in effect disables
NAT.

nat (inside,outside) source static MAUI MAUI destination static OAHU OAHU
nat (inside,outside) source static MAUI MAUI destination static KAUAI KAUAI
nat (inside,outside) source static MAUI MAUI destination static HOME-OFFICE HOME-OFFICE

The HOME-OFFICE object-group contains the subnet of the IP Pool provided by the ASA to Home Office
users. This subnet has been made exempt from NAT when accessing Maui in the last configuration line above.
However, we also need to ensure this subnet is exempt from NAT when accessing Kauai and Oahu. Since all
of these locations are on the outside interface of the ASA, we will create a rule exempting specific outside to
outside traffic.

nat (outside,outside) source static HOME-OFFICE HOME-OFFICE destination static OAHU OAHU
nat (outside,outside) source static HOME-OFFICE HOME-OFFICE destination static KAUAI KAUAI

When Home Office, Kauai, or Oahu users attempt to access each other, they will ingress and egress on the
ASA outside interface. This intra-interface communication is referred to as hairpinning and is disabled by
default. Enabling this feature is required for a VPN configuration like our example, where traffic entering an
interface will exit the same interface.

same-security-traffic permit intra-interface

By default, intra-interface communication is not permitted. We can test this default behavior with the ASA
packet tracer. In this example, Kauai communication to Oahu fails prior to enabling intra-interface
communication.

MAUI-ASA# packet-tracer input outside icmp 192.168.3.10 8 0 192.168.2.10 detailed
Phase: 1
Type: FLOW-LOOKUP
Result: ALLOW
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Result: ALLOW
in 192.168.2.0 255.255.255.0 outside

Phase: 3
Type: ACCESS-LIST
Result: DROP
Implicit Rule
Drop-reason: (acl-drop) Flow is denied by configured rule

Step 2: ASA Security Associations
ISAKMP is the negotiation protocol that lets two hosts agree on how to build an IPsec security association
(SA). It provides a common framework for agreeing on the format of SA attributes. This includes negotiating
with the peer about the SA, and modifying or deleting the SA.

ISAKMP separates negotiation into two phases: Phase 1 and Phase 2. Phase 1 creates the first tunnel, which
protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data. IKE uses ISAKMP
to set up the SA for IPsec to use. IKE creates the cryptographic keys used to authenticate peers.

A transform set combines an encryption method and an authentication method. During the IPsec security
association negotiation with ISAKMP, the peers agree to use a particular transform set to protect a particular
data flow. A transform set protects the data flows for the access list specified in the associated crypto map
entry.
[Figure: VPN hairpinning. Labels: Maui (ASA, 1.1.1.1); Internet; Kauai (871, 3.3.3.3, 192.168.3.0/24) via Site-to-Site VPN; Oahu (871, DSL, 192.168.2.0/24) via EzVPN.]
Enable ISAKMP on the outside interface and create IKEv1 policies. This section covers IKE Phase 1, in
which a bidirectional security association (SA) is established between IPsec peers. It is best to give the VPN
client options, as different clients may use different security policies. In this configuration we will use policy
10 for our Site-to-Site and Easy VPN configurations. This will be explicitly spelled out in the upcoming
transform set.

These Phase 1 policies will be used for the VPN types that follow in this document.

crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

Create a Transform Set to be used with Site-to-Site and Easy VPN connections.

! The transform set ESP-DES-MD5 matches ikev1 policy 10
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
! The transform set ESP-AES-256-SHA matches ikev1 policy 20
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
! The transform set ESP-3DES-SHA matches ikev1 policy 30
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

Step 3: Site-to-Site IPsec VPN Configuration
We will configure a Site-to-Site IPsec VPN between the Maui ASA and the Kauai 871. The subnets below will
be enabled for IPsec protection.

[Figure: Site-to-Site IPsec tunnel between the Maui ASA (1.1.1.1) and the Kauai 871 (3.3.3.3) across the Internet. Tunneled networks: 192.168.1.0/24, 192.168.2.0/24, 192.168.254.0/24, 192.168.3.0/24.]



Maui ASA Site-to-Site VPN Configuration
Configure an ACL that determines which networks to tunnel (encrypt) through the VPN. Kauai will use a
Site-to-Site IPsec tunnel, which requires an extended ACL. The ACL on the Kauai 871 should mirror (reverse
the subnets of) the ASA ACL below.

access-list KAUAI-VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list KAUAI-VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list KAUAI-VPN extended permit ip 192.168.254.0 255.255.255.0 192.168.3.0 255.255.255.0

Crypto Maps pull together the elements of IPsec security associations. You must apply a crypto map set to
the outside interface through which IPsec traffic travels. Applying the crypto map set to an interface instructs
the ASA to evaluate all interface traffic against the crypto map set and to use the specified policy during
connection or security association negotiations.

On the ASA, configure the crypto map CMAP and use sequence 10 to define IPsec security associations for
the Site-to-Site VPN tunnel to Kauai. The address keyword references the extended ACL above which
determines the traffic to tunnel.

crypto map CMAP 10 match address KAUAI-VPN
crypto map CMAP 10 set peer 3.3.3.3
crypto map CMAP 10 set ikev1 transform-set ESP-DES-MD5

Alternatively, we could reference multiple transform sets to allow flexibility for remote endpoints.

crypto map CMAP 10 set ikev1 transform-set ESP-DES-MD5 ESP-AES-256-SHA ESP-3DES-SHA

Assign the crypto map to the ASA outside interface. Only 1 crypto map may be applied per interface, which is
why we have chosen to use a generic name.

crypto map CMAP interface outside

Create an IPsec tunnel group matching the public IP of the Kauai 871 and assign a pre-shared key (PSK).

tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
ikev1 pre-shared-key Kauai!


Kauai 871 Site-to-Site VPN Configuration
Create a transform set to be used with Site-to-Site connections. Define the ASA IPsec peer IP and pre-shared key.

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto isakmp key Kauai! address 1.1.1.1 no-xauth

Configure an ACL that determines which networks to tunnel (encrypt) through the VPN. Kauai will use a
Site-to-Site IPsec tunnel, which requires an extended ACL. Notice that the IOS ACL syntax differs from the
ASA: IOS extended ACLs use wildcard masks (0.0.0.255) rather than subnet masks, and the IOS permit
statements are the reverse of those in the ASA ACL. In order to IPsec-encrypt traffic between remote
subnets, the crypto ACLs used must mirror each other.

ip access-list extended MAUI-VPN
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.254.0 0.0.0.255
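A small checker for the mirroring rule described above, added here as an example and not part of the original document: it parses the ASA extended ACL (subnet masks) and the IOS extended ACL (wildcard masks) into (source, destination) prefixes and reports any entry whose mirror is absent on the other side. The ACL lines are copied from this document; the parser, the regular expressions and the function names are constructed for the example.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample input, copied from the ASA and Kauai 871 crypto ACLs above.
ASA_ACL = """
access-list KAUAI-VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list KAUAI-VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list KAUAI-VPN extended permit ip 192.168.254.0 255.255.255.0 192.168.3.0 255.255.255.0
"""
IOS_ACL = """
ip access-list extended MAUI-VPN
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.254.0 0.0.0.255
"""

Flow = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]  # (source, destination)
ASA_RE = re.compile(r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
IOS_RE = re.compile(r"^permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def mask_to_prefix(mask: str) -> int:
    """ASA subnet mask 255.255.255.0 -> 24. Rejects non-contiguous masks."""
    bits = format(int(ipaddress.IPv4Address(mask)), "032b")
    if "01" in bits:
        raise ValueError(f"non-contiguous subnet mask {mask}")
    return bits.count("1")

def wildcard_to_prefix(wildcard: str) -> int:
    """IOS wildcard 0.0.0.255 -> 24: a wildcard is the inverted subnet mask."""
    inverted = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return mask_to_prefix(str(ipaddress.IPv4Address(inverted)))

def _flow(src: str, src_len: int, dst: str, dst_len: int) -> Flow:
    return (ipaddress.IPv4Network((src, src_len), strict=False),
            ipaddress.IPv4Network((dst, dst_len), strict=False))

def parse_asa_acl(text: str) -> List[Flow]:
    """ASA extended ACL entries carry subnet masks."""
    flows = []
    for line in text.splitlines():
        m = ASA_RE.match(line.strip())
        if m:
            src, smask, dst, dmask = m.groups()
            flows.append(_flow(src, mask_to_prefix(smask), dst, mask_to_prefix(dmask)))
    return flows

def parse_ios_acl(text: str) -> List[Flow]:
    """IOS extended ACL entries carry wildcard masks; header and remark lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = IOS_RE.match(line.strip())
        if m:
            src, swc, dst, dwc = m.groups()
            flows.append(_flow(src, wildcard_to_prefix(swc), dst, wildcard_to_prefix(dwc)))
    return flows

def mirror_mismatches(asa: List[Flow], ios: List[Flow]) -> List[str]:
    """Each ASA (src, dst) entry must appear on the 871 as (dst, src), and vice
    versa; an entry without its mirror is a flow that will not be encrypted."""
    expected_ios = {(dst, src) for src, dst in asa}
    actual_ios = set(ios)
    problems = []
    for src, dst in sorted(expected_ios - actual_ios):
        problems.append(f"871 is missing: permit ip {src} {dst}")
    for src, dst in sorted(actual_ios - expected_ios):
        problems.append(f"ASA is missing the mirror of: permit ip {src} {dst}")
    return problems

if __name__ == "__main__":
    issues = mirror_mismatches(parse_asa_acl(ASA_ACL), parse_ios_acl(IOS_ACL))
    print("crypto ACLs mirror each other" if not issues else "\n".join(issues))
```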

Configure the crypto map CMAP and use sequence 10 to define IPsec security associations for the
Site-to-Site VPN tunnel to Maui. We use the same crypto map name here as on the ASA, though this is not required.

crypto map CMAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set ESP-DES-MD5
match address MAUI-VPN

Configure the isakmp policy to match ikev1 policy 10 on the ASA.

crypto isakmp policy 10
encr des
hash md5
authentication pre-share
group 2
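As an added example (not from the original document), this models the IKEv1 Phase 1 proposal selection that makes the Kauai isakmp policy above match ASA ikev1 policy 10 from Step 2, and flags the obsolete algorithms in the matched policy so it can be reviewed. The policy values are the ones on this page; the data model, the selection function and the weak-algorithm list are assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Ikev1Policy:
    priority: int        # lower number = tried first
    encryption: str      # des | 3des | aes-256
    hash: str            # md5 | sha
    authentication: str  # pre-share
    group: int           # Diffie-Hellman group
    lifetime: int = 86400

# Attributes that must be identical for a proposal to be accepted. Lifetime is
# not one of them: the peers settle on the shorter of the two values.
MATCH_FIELDS = ("encryption", "hash", "authentication", "group")

# Constructed from the three ASA ikev1 policies in Step 2.
ASA_POLICIES = [
    Ikev1Policy(10, "des", "md5", "pre-share", 2),
    Ikev1Policy(20, "aes-256", "sha", "pre-share", 2),
    Ikev1Policy(30, "3des", "sha", "pre-share", 2),
]
# Constructed from the Kauai 871 isakmp policy 10 above (IOS default lifetime).
KAUAI_POLICIES = [Ikev1Policy(10, "des", "md5", "pre-share", 2)]

def negotiate(initiator: List[Ikev1Policy],
              responder: List[Ikev1Policy]) -> Optional[Tuple[Ikev1Policy, Ikev1Policy, int]]:
    """IKEv1 Phase 1 proposal selection: the initiator offers all of its policies;
    the responder walks its own policies in priority order and accepts the first
    offered proposal whose MATCH_FIELDS all agree. Returns (initiator policy,
    responder policy, agreed lifetime), or None when no policy matches."""
    for r in sorted(responder, key=lambda p: p.priority):
        for i in sorted(initiator, key=lambda p: p.priority):
            if all(getattr(i, f) == getattr(r, f) for f in MATCH_FIELDS):
                return i, r, min(i.lifetime, r.lifetime)
    return None

# Algorithms a current deployment should not rely on (DES and MD5 are obsolete,
# 3DES is deprecated); flagged so a matched policy can be reviewed, not rejected.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}}

def weak_attributes(policy: Ikev1Policy) -> List[str]:
    return [f"{field}={getattr(policy, field)}"
            for field, weak_values in WEAK.items()
            if getattr(policy, field) in weak_values]

if __name__ == "__main__":
    result = negotiate(KAUAI_POLICIES, ASA_POLICIES)
    if result is None:
        print("no matching Phase 1 policy: the tunnel will not come up")
    else:
        kauai, asa, lifetime = result
        print(f"matched 871 policy {kauai.priority} with ASA policy {asa.priority}, lifetime {lifetime}")
        print("weak attributes:", weak_attributes(asa) or "none")
```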

Assign the crypto map to the 871 WAN interface (Ethernet0). Only one crypto map may be applied per interface, which is
why we have chosen to use a generic name.

interface Ethernet0
crypto map CMAP


Verify Site-to-Site VPN Configuration

KAUAI-871#show crypto isakmp sa
dst src state conn-id slot status
1.1.1.1 3.3.3.3 QM_IDLE 16 0 ACTIVE

KAUAI-871#show crypto ipsec sa
interface: Ethernet0
Crypto map tag: CMAP, local addr 3.3.3.3
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 1.1.1.1 port 500

KAUAI-871#ping 192.168.1.1 source 192.168.3.1
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1 !!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/78/80 ms


Step 4: Easy VPN Configuration
We will configure Easy VPN between the Maui ASA and the Oahu 871. The subnets below will be enabled for
IPsec protection.
[Figure: Easy VPN IPsec tunnel between the Maui ASA (1.1.1.1) and the Oahu 871 (DSL) across the Internet. Tunneled networks: 192.168.1.0/24, 192.168.3.0/24, 192.168.254.0/24, 192.168.2.0/24.]



Maui ASA Easy VPN Configuration
We will use the previously defined Transform Set for our Easy VPN connection.

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

Create the dynamic crypto map DMAP and assign the transform set ESP-DES-MD5. This dynamic crypto map will be
used for Easy VPN and Client VPN connections.

crypto dynamic-map DMAP 10 set ikev1 transform-set ESP-DES-MD5

Bind the dynamic crypto map DMAP to the previously defined crypto map CMAP. Notice the dynamic crypto
map is assigned the highest (last) possible sequence number. Ensure you do this to avoid Site-to-Site VPN
connections incorrectly matching the dynamic crypto map.

crypto map CMAP 65535 ipsec-isakmp dynamic DMAP

Configure an ACL that determines which networks to Tunnel (encrypt) through the VPN. With EzVPN, policies
are downloaded automatically, so a matching ACL is not required on the Oahu 871.

access-list OAHU-VPN standard permit 192.168.1.0 255.255.255.0
access-list OAHU-VPN standard permit 192.168.3.0 255.255.255.0
access-list OAHU-VPN standard permit 192.168.254.0 255.255.255.0

Configure a group policy and user account for authentication to the Oahu EzVPN. Enable network
extension mode (NEM) to present routable networks over the VPN tunnel.

group-policy OAHU-EZVPN-GP internal
group-policy OAHU-EZVPN-GP attributes
vpn-tunnel-protocol ikev1
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value OAHU-VPN
nem enable

Configure a VPN User Account and associate this to the Easy VPN Group Policy.

username OAHU-EZVPN-USER password Oahu!
username OAHU-EZVPN-USER attributes
vpn-group-policy OAHU-EZVPN-GP

Create an IPsec tunnel group with the group policy OAHU-EZVPN-GP and an authentication password.

tunnel-group OAHU-EZVPN-TG type remote-access
tunnel-group OAHU-EZVPN-TG general-attributes
default-group-policy OAHU-EZVPN-GP
tunnel-group OAHU-EZVPN-TG ipsec-attributes
ikev1 pre-shared-key Oahu!

Oahu 871 Easy VPN Configuration
Configure the Oahu 871 for EzVPN Client. The group name, group password, peer IP, user name, and user
password in the 871 client configuration below must match those configured in the ASA.

crypto ipsec client ezvpn OAHU-EZVPN
connect auto
group OAHU-EZVPN-TG key Oahu!
mode network-extension
peer 1.1.1.1
username OAHU-EZVPN-USER password Oahu!
xauth userid mode local
!
interface Ethernet1
description LAN Link
ip address 192.168.2.1 255.255.255.0
crypto ipsec client ezvpn OAHU-EZVPN inside
!
interface Ethernet0
description DSL WAN Link
ip address dhcp
crypto ipsec client ezvpn OAHU-EZVPN


Verify Easy VPN Configuration
The Oahu site has pulled a public DHCP address of 2.2.2.2 from the DSL provider.

OAHU-871#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 8
Tunnel name : OAHU-EZVPN
Inside interface list: Ethernet1
Outside interface: Ethernet0
Current State: IPSEC_ACTIVE
Last Event: XAUTH_STATUS
Save Password: Allowed
Current EzVPN Peer: 1.1.1.1

OAHU-871#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.1 2.2.2.2 QM_IDLE 1068 ACTIVE

OAHU-871# show crypto ipsec sa
interface: Ethernet0
Crypto map tag: Ethernet0-head-0, local addr 2.2.2.2
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 359, #pkts encrypt: 359, #pkts digest: 359
#pkts decaps: 222, #pkts decrypt: 222, #pkts verify: 222

local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: 2

OAHU-871# ping 192.168.1.1 source 192.168.2.1
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1 !!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 46/48/50 ms


Step 5: Client VPN Configuration
We will configure Client VPN support on the Maui ASA for Home Office Users. Home Office User
Authentication will be maintained locally on the ASA. Home Offices will be allocated IPs in the
192.168.254.0/24 subnet and be granted VPN access to all Corporate locations. The subnets below will be
enabled for IPsec protection.

[Figure: Client VPN IPsec tunnel between the Maui ASA (1.1.1.1) and a Home Office (871, DSL) across the Internet. Tunneled networks: 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.254.0/24.]



Configure the ASA to hand out Corporate routable IP space to Home Office VPN Clients.

ip local pool CLIENT-POOL 192.168.254.1-192.168.254.254 mask 255.255.255.0

Configure an ACL that determines which networks to Tunnel (encrypt) through the Home Office VPN.

access-list CLIENT-VPN standard permit 192.168.1.0 255.255.255.0
access-list CLIENT-VPN standard permit 192.168.2.0 255.255.255.0
access-list CLIENT-VPN standard permit 192.168.3.0 255.255.255.0

Configure a VPN Group Policy and supply the split-tunnel ACL. Configure DNS information for Corporate name
resolution.

group-policy CLIENTVPN-GP internal
group-policy CLIENTVPN-GP attributes
dns-server value 192.168.1.99 192.168.1.100
default-domain cisco.com
address-pools value CLIENT-POOL
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CLIENT-VPN

Configure a VPN User Account and associate this to the Client VPN Group Policy.

username john.smith password cisco!
username john.smith attributes
vpn-group-policy CLIENTVPN-GP

Configure a VPN Tunnel Group and bind the Group Policy. Associate the IP Pool for address assignment.

tunnel-group CLIENTVPN-TG type remote-access
tunnel-group CLIENTVPN-TG general-attributes
Morgan Stepp CCIE #12603 | morgstepp@gmail.com Page 11 of 15
address-pool CLIENT-POOL
default-group-policy CLIENTVPN-GP


Verify Client VPN Configuration
Configure the end-user VPN client for login and access verification.

MAUI-ASA# show crypto ipsec sa user john.smith
username: john.smith
Crypto map tag: dmap, seq num: 10, local addr: 1.1.1.1

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.254.1/255.255.255.255/0/0)
current_peer: 4.4.4.4, username: john.smith
dynamic allocated peer ip: 192.168.254.1

#pkts encaps: 261, #pkts encrypt: 261, #pkts digest: 261
#pkts decaps: 245, #pkts decrypt: 245, #pkts verify: 245
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 261, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 1.1.1.1/4500, remote crypto endpt.: 4.4.4.4/61574
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: AE9395B9
current inbound spi : 62C6E7FD

inbound esp sas:
spi: 0x62C6E7FD (1657202685)
transform: esp-des esp-md5-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 98516992, crypto-map: dmap
sa timing: remaining key lifetime (sec): 28683
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xAE9395B9 (2928907705)
transform: esp-des esp-md5-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 98516992, crypto-map: dmap
sa timing: remaining key lifetime (sec): 28683
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001


Step 6: SSL VPN Configuration
Configure AnyConnect SSL VPN on the Maui ASA.

[Figure: SSL VPN tunnel between the Maui ASA (1.1.1.1) and a Home Office (871, DSL, Clientless VPN) across the Internet. Tunneled networks: 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.254.0/24.]


Download the latest AnyConnect Client Files from CCO and upload these to the ASA Flash.
ASA01# sh flash
--#-- --length-- -----date/time------ path
122 5387450 Jun 20 2011 10:16:48 anyconnect-dart-win-2.5.3041-k9.pkg
123 6285465 Jun 20 2011 10:17:26 anyconnect-macosx-i386-2.5.3041-k9.pkg

For SSL VPN address assignment, we will use the previously configured Home Office IP Local Pool.

ip local pool CLIENT-POOL 192.168.254.1-192.168.254.254 mask 255.255.255.0

For SSL VPN split-tunneling, we will use the previously configured Home Office ACL.

access-list CLIENT-VPN standard permit 192.168.1.0 255.255.255.0
access-list CLIENT-VPN standard permit 192.168.2.0 255.255.255.0
access-list CLIENT-VPN standard permit 192.168.3.0 255.255.255.0

Enable WebVPN on the outside interface and identify the AnyConnect client images. Enable the display of the
tunnel-group list on the WebVPN login page, which allows users to select and log in to their desired group.

webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-dart-win-2.5.3041-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.3041-k9.pkg 2
anyconnect enable
tunnel-group-list enable

Configure a VPN Group Policy and supply the split-tunnel ACL. Configure DNS information for Corporate name
resolution. Configure the tunnel protocol as SSL. For the WebVPN characteristics, we will keep the client
installed to stop the SSL VPN Client from attempting to install every time users connect. We will launch a web
page upon SSL login that can be used for Intranet access or other purposes.

group-policy SSLVPN-GP internal
group-policy SSLVPN-GP attributes
vpn-tunnel-protocol ssl-client
dns-server value 192.168.1.99 192.168.1.100
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CLIENT-VPN
webvpn
anyconnect keep-installer installed
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect ask none default anyconnect
homepage value http://www.vpnparadise.com

Configure a VPN User Account and associate this to the SSL VPN Group Policy.

username jane.doe password ciscorocks!
username jane.doe attributes
vpn-group-policy SSLVPN-GP

Configure a VPN Tunnel Group and bind the Group Policy. Associate the IP Pool for address assignment. We
will mask the actual Tunnel Group name with a Group Alias.

tunnel-group SSLVPN-TG type remote-access
tunnel-group SSLVPN-TG general-attributes
address-pool CLIENT-POOL
default-group-policy SSLVPN-GP
tunnel-group SSLVPN-TG webvpn-attributes
group-alias SSLVPN enable


Verify SSL VPN Configuration
Launch a web browser to log in and test the SSL VPN. Notice the tunnel group alias is displayed on the login
page.

MAUI-ASA# show vpn-sessiondb anyconnect
Session Type: AnyConnect
Username : jane.doe Index : 16
Assigned IP : 192.168.254.2 Public IP : 4.4.4.4
Protocol : Clientless SSL-Tunnel DTLS-Tunnel
License : AnyConnect Essentials
Encryption : 3DES Hashing : SHA1
Bytes Tx : 541923 Bytes Rx : 341600
Group Policy : SSLVPN-GP Tunnel Group : SSLVPN-TP
Login Time : 8:17:32 EDT Fri Jul 22 2011
Duration : 0h:3m:11s
