Cisco ASA Site-to-Site IKEv1 IPsec VPN

I will do all your labs in VIRL, but I had a problem: the labs disappeared. I contacted the VIRL community but have not got any answer.

Hi guys !

I give up, nothing works: GNS3 can't save the config, and in VIRL my workspace disappears??? I am using VMware Workstation… so does anybody know?

I will give it a last try… I will go to DMVPN for my CCNP Security later on :slight_smile:

/Oskar

Hi Rene,

Thanks for letting me know about ASAv. I’ll find out if they have a workstation version. If so, I’ll try to set up that environment on my PC, and see how that works.

Thanks again, Amin

Hi Oskar,

Hmm, what exactly do you mean that your workspace disappears in VIRL? I never had any issues with it so far.

Rene

Hi Rene,

I have some problems with ASA IPsec VPN and NAT integration. Please see my network design. PC1 connects to PC2 with an IPsec VPN tunnel, and then PC1 connects to the Router 3 loopback interface (200.200.200.0 network) with NAT. Now the PC1-to-PC2 tunnel is OK, but the ASA can't translate the NAT address for PC1, and PC1 can't reach Router 3 (network 200.200.200.0/24). I would like to know whether I can use NAT and VPN for one local network.

Hi Mark,

It sounds like your ASA isn’t configured correctly for NAT. It should be configured to translate all traffic from the 192.168.2.0/24 subnet that exits the outside interface UNLESS the destination is 192.168.39.0/24 (the other end of the VPN).

You can use this example for PAT:

Cisco ASA PAT configuration

The only thing left to do is to create an exception for your VPN traffic, like this:

object network LOCAL_SUBNET
 subnet 192.168.2.0 255.255.255.0

object network REMOTE_SUBNET
 subnet 192.168.39.0 255.255.255.0

nat (INSIDE,OUTSIDE) source static LOCAL_SUBNET LOCAL_SUBNET destination static REMOTE_SUBNET REMOTE_SUBNET

This tells the ASA not to translate traffic from the local to the remote subnet.

If you are also doing NAT on R2 then you’ll need to add a deny statement in the access-list that you use for NAT that matches traffic between 192.168.39.0/24 and 192.168.2.0/24.

Hope this helps!

Rene


Hi Rene,

As per your IPsec lesson, the IPsec (ESP, AH) protocols support two different modes:

1. Transport mode
2. Tunnel mode

So, how do we define whether IPsec ESP/AH will use Transport or Tunnel mode, and what is the default mode?

And also, the IKEv1 phase-1 tunnel can be completed using two different modes:

1. Main mode
2. Aggressive mode

Where do we define whether it will use Aggressive or Main mode?

Could you please explain a little bit. Thx

br//
zaman

Hi Rene,

What is the difference between the two commands below? Please give some more clarification on it. Thanks

ASA2(config-ikev1-policy)# lifetime 3600

ASA2(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600

br//
zaman

Hi Zaman,

Aggressive mode can be configured in the crypto map:

ASA1(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 phase1-mode aggressive

And transport mode in the transform set:

ASA1(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET mode ?

configure mode commands/options:
  transport  mode transport

The first lifetime (ikev1 policy) is for phase 1 and the lifetime in the crypto map is for phase 2.

Rene

Hello Rene,

What do the following two commands mean for IKE phase-1 and IKE phase-2:

IKE phase-1:

ASA1(config-ikev1-policy)# lifetime 4800

IKE Phase-2:

ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3000

I think IKE phase-1 will be deleted after 4800 (if there is no traffic on the tunnel) and IKE phase-2 will be deleted after 3000 (if there is no traffic on the tunnel). If traffic continues to flow on the tunnel, then what will happen? Will IKE phase-1 and IKE phase-2 be re-negotiated after expiration or not? Please explain.

Many Thanks

br//
zaman

Thanks Rene. So the default modes are Main and Tunnel. If we want to change them to Aggressive and transport mode, then we have to configure it this way, right?

br/
zaman

Hi Zaman,

These lifetimes specify when we regenerate the keying material, they don’t specify the “idle” timeout. That’s done with another command:

ASA1# show run all | incl vpn-idle
 vpn-idle-timeout 30

By default, after 30 minutes of inactivity we tear down the SA.

The default mode is indeed “main mode” and “tunnel mode”. You can change this with the commands I supplied in the previous post.

Rene

Hi Rene,

Thanks for your reply. I have one more question: at the VPN GW, which one executes first, encryption then encapsulation, or vice versa? Thanks a lot

br//
zaman

Hi Zaman,

For a detailed answer, take a look at this Cisco example:

Cisco ASA Packet order of operation

What I prefer to do, is to use packet tracer on the ASA:

ASA1# packet-tracer input INSIDE tcp 192.168.1.1 54411 34.5.3.1 80

If you use this then it will show you exactly what steps it takes and in what order.

Rene

Hi Rene,

What if we don't use the command “ASA1(config)# crypto isakmp identity address”?

br//
zaman

Hi Zaman,

Somehow, your ASAs have to be able to identify each other so that you use the correct tunnel-group. This command makes sure that the IP address is used for identification.

Rene

Hi,

ASA1(config)# crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
ASA1(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

Let's say there is already a crypto map called MY_CRYPTO_MAP and we want to create a site-to-site VPN to another site.
Is it OK if I create MY_CRYPTO_MAP_2 the same as MY_CRYPTO_MAP?

ASA1(config)# crypto map MY_CRYPTO_MAP_2 10 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP_2 10 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP_2 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP_2 10 set security-association lifetime seconds 3600
ASA1(config)# crypto map MY_CRYPTO_MAP_2 interface OUTSIDE

Thanks

In the examples, shouldn’t there be a no-nat?

Typically, there should be no NAT performed on the VPN traffic. In order to exempt that traffic, you must create an identity NAT rule. The identity NAT rule simply translates an address to the same address.

nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route

@Sims You can only apply one crypto-map to your interface. You should create one crypto-map with different statement numbers for each peer. Something like this:

ASA1(config)# crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
ASA1(config)# crypto map MY_CRYPTO_MAP 20 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 20 set peer 10.10.10.3
ASA1(config)# crypto map MY_CRYPTO_MAP 20 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP 20 set security-association lifetime seconds 3600

@Ryan if you use NAT then yes, you will need to exempt your site-to-site or remote VPN traffic or it will be translated. Here’s an example:

nat (INSIDE,OUTSIDE) source static INSIDE INSIDE destination static VPN_POOL VPN_POOL

Basically it means that whenever traffic from the INSIDE destined to VPN_POOL goes from INSIDE > OUTSIDE that it will be translated to its own address. In other words, no NAT.

Rene
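Two points come up repeatedly in this thread: VPN traffic must be excluded from NAT with an identity (twice-NAT) rule, and an interface can carry only one crypto map. As an added example that is not part of the thread and not code from Rene's lessons, here is a small Python audit that reads a plain-text running-config excerpt and flags (a) every crypto-map ACL entry whose source/destination pair has no identity NAT rule and (b) any interface with more than one `crypto map ... interface` binding. The config it parses is constructed: the names LOCAL_SUBNET, REMOTE_SUBNET, LAN1_LAN2, MY_CRYPTO_MAP, MY_CRYPTO_MAP_2 and the peers 10.10.10.2/10.10.10.3 follow the thread, while the 192.168.50.0/24 network and the LAN1_LAN3 ACL are assumptions added so that one entry is deliberately left without an exemption. The parser only understands the `object network`, `access-list ... extended permit ip`, `nat ... source static` and `crypto map` line shapes shown; it is a checker for that subset, not a full ASA config parser.

```python
import re
from collections import defaultdict

# Constructed sample running-config excerpt: names and addresses follow the
# thread; the 192.168.50.0/24 network, the LAN1_LAN3 ACL and the binding of a
# second crypto map to OUTSIDE are assumptions added to exercise the checks.
SAMPLE_CONFIG = """\
object network LOCAL_SUBNET
 subnet 192.168.2.0 255.255.255.0
object network REMOTE_SUBNET
 subnet 192.168.39.0 255.255.255.0
access-list LAN1_LAN2 extended permit ip object LOCAL_SUBNET object REMOTE_SUBNET
access-list LAN1_LAN3 extended permit ip 192.168.2.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static LOCAL_SUBNET LOCAL_SUBNET destination static REMOTE_SUBNET REMOTE_SUBNET no-proxy-arp route-lookup
crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2
crypto map MY_CRYPTO_MAP 20 match address LAN1_LAN3
crypto map MY_CRYPTO_MAP 20 set peer 10.10.10.3
crypto map MY_CRYPTO_MAP interface OUTSIDE
crypto map MY_CRYPTO_MAP_2 interface OUTSIDE
"""

def parse_objects(cfg):
    """Map 'object network' names to their 'NET MASK' subnet value."""
    objects, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"^object network (\S+)$", line)
        if m:
            current = m.group(1)
        m = re.match(r"^ subnet (\S+) (\S+)$", line)
        if m and current:
            objects[current] = f"{m.group(1)} {m.group(2)}"
    return objects

def _endpoint(tokens, objects):
    """Consume one ACL endpoint (any / host / object / NET MASK) and normalise it to 'NET MASK'."""
    kind = tokens.pop(0)
    if kind == "any":
        return "0.0.0.0 0.0.0.0"
    if kind == "host":
        return f"{tokens.pop(0)} 255.255.255.255"
    if kind == "object":
        return objects[tokens.pop(0)]
    return f"{kind} {tokens.pop(0)}"

def parse_acls(cfg, objects):
    """Return {acl_name: [(src, dst), ...]} for 'extended permit ip' entries."""
    acls = defaultdict(list)
    for line in cfg.splitlines():
        m = re.match(r"^access-list (\S+) extended permit ip (.+)$", line)
        if m:
            tokens = m.group(2).split()
            src = _endpoint(tokens, objects)
            dst = _endpoint(tokens, objects)
            acls[m.group(1)].append((src, dst))
    return dict(acls)

def parse_identity_nats(cfg, objects):
    """Return the set of (src, dst) pairs covered by a twice-NAT identity rule."""
    pat = re.compile(r"^nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")
    exempt = set()
    for line in cfg.splitlines():
        m = pat.match(line)
        # Identity NAT means real == mapped on both sides; anything else translates.
        if m and m.group(1) == m.group(2) and m.group(3) == m.group(4):
            exempt.add((objects[m.group(1)], objects[m.group(3)]))
    return exempt

def parse_crypto_maps(cfg):
    """Return ({(map_name, seq): acl_name}, {interface: [map_names]})."""
    entries, bindings = {}, defaultdict(list)
    for line in cfg.splitlines():
        m = re.match(r"^crypto map (\S+) (\d+) match address (\S+)$", line)
        if m:
            entries[(m.group(1), int(m.group(2)))] = m.group(3)
        m = re.match(r"^crypto map (\S+) interface (\S+)$", line)
        if m:
            bindings[m.group(2)].append(m.group(1))
    return entries, dict(bindings)

def audit(cfg):
    """Return (crypto-map entries lacking an identity NAT, interfaces bound to >1 crypto map)."""
    objects = parse_objects(cfg)
    acls = parse_acls(cfg, objects)
    exempt = parse_identity_nats(cfg, objects)
    entries, bindings = parse_crypto_maps(cfg)
    missing = [(name, seq, acl, src, dst)
               for (name, seq), acl in sorted(entries.items())
               for src, dst in acls.get(acl, [])
               if (src, dst) not in exempt]
    conflicts = {iface: maps for iface, maps in bindings.items() if len(maps) > 1}
    return missing, conflicts

if __name__ == "__main__":
    missing, conflicts = audit(SAMPLE_CONFIG)
    for name, seq, acl, src, dst in missing:
        print(f"{name} {seq}: {acl} {src} -> {dst} has no NAT exemption")
    for iface, maps in conflicts.items():
        print(f"{iface}: more than one crypto map bound: {', '.join(maps)}")
```

Run against the constructed config, the audit reports that sequence 20 of MY_CRYPTO_MAP (ACL LAN1_LAN3, 192.168.2.0/24 to 192.168.50.0/24) has no identity NAT rule, so with a dynamic PAT on INSIDE that traffic would be translated before encryption and never match the crypto ACL, and that OUTSIDE has two crypto maps bound, which is exactly the situation Rene advises against: add sequence 20 to the existing map instead of creating a second one.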