Solution 1 - Use of the DefaultL2LGroup
This is the simplest way to configure a LAN-to-LAN (L2L) tunnel between two ASAs when one of them obtains its public address dynamically. DefaultL2LGroup is a preconfigured tunnel group on the ASA; every L2L connection that does not explicitly match a particular tunnel group lands on it. Because the dynamic ASA has no constant, predetermined IP address, the administrator cannot configure a static tunnel-group keyed on that address to admit the connection; in this situation the DefaultL2LGroup is used to accept the dynamic connections.
HQ ASA
! Create objects
object network obj-172.16.1.0_24
subnet 172.16.1.0 255.255.255.0
object network obj-172.16.2.0_24
subnet 172.16.2.0 255.255.255.0
object network obj-172.16.3.0_24
subnet 172.16.3.0 255.255.255.0
! Create NAT exemption for L2L VPN and dynamic NAT for Internet access.
nat (inside,outside) source static obj-172.16.1.0_24 obj-172.16.1.0_24 destination static obj-172.16.2.0_24 obj-172.16.2.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static obj-172.16.1.0_24 obj-172.16.1.0_24 destination static obj-172.16.3.0_24 obj-172.16.3.0_24 no-proxy-arp route-lookup
!
object network obj-172.16.1.0_24
nat (inside,outside) dynamic interface
! Define IKEv2 policy
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 2
prf sha
lifetime seconds 86400
! Enable ikev2 on outside interface
crypto ikev2 enable outside
! Define phase2 proposal
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
! Configure dynamic map
! - Requires an IPsec proposal
! - (Optional) Enable Reverse Route Injection (RRI), which lets the ASA learn routes for connected peers; the dynamic keyword removes the learned static route when the VPN is down.
crypto dynamic-map D-MAP 10 set ikev2 ipsec-proposal AES256
crypto dynamic-map D-MAP 10 set reverse-route dynamic
! Bind the dynamic map to crypto map
crypto map Outside_map 65535 ipsec-isakmp dynamic D-MAP
! Enable crypto map on outside interface
crypto map Outside_map interface outside
! Solution 1: Branch A has a dynamic public IP; use the default tunnel-group, since a tunnel-group cannot be keyed on an IP address that is not known in advance.
tunnel-group DefaultL2LGroup ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
! Solution 2: Branch B also has a dynamic public IP, but it sends a configured ISAKMP identity (key-id); create a user-defined tunnel-group whose name matches it.
tunnel-group RemoteB type ipsec-l2l
tunnel-group RemoteB ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
Branch-A ASA
! Create objects
object network obj-172.16.1.0_24
subnet 172.16.1.0 255.255.255.0
object network obj-172.16.2.0_24
subnet 172.16.2.0 255.255.255.0
! Create NAT exemption for L2L VPN and dynamic NAT for Internet access.
nat (inside,outside) source static obj-172.16.2.0_24 obj-172.16.2.0_24 destination static obj-172.16.1.0_24 obj-172.16.1.0_24 no-proxy-arp route-lookup
!
object network obj-172.16.2.0_24
nat (inside,outside) dynamic interface
! Define IKEv2 policy
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 2
! Enable ikev2 on outside interface
crypto ikev2 enable outside
! Define phase2 proposal
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
! Define VPN-ACL
access-list VPN-ACL extended permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
! Create crypto map
crypto map outside_map 1 match address VPN-ACL
crypto map outside_map 1 set peer 203.0.113.2
crypto map outside_map 1 set ikev2 ipsec-proposal AES256
! Enable crypto map on outside interface (ikev2 was enabled above)
crypto map outside_map interface outside
! Create tunnel-group
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
Branch-B ASA
! Create objects
object network obj-172.16.1.0_24
subnet 172.16.1.0 255.255.255.0
object network obj-172.16.3.0_24
subnet 172.16.3.0 255.255.255.0
! Create NAT exemption for L2L VPN and dynamic NAT for Internet access.
nat (inside,outside) source static obj-172.16.3.0_24 obj-172.16.3.0_24 destination static obj-172.16.1.0_24 obj-172.16.1.0_24 no-proxy-arp route-lookup
!
object network obj-172.16.3.0_24
nat (inside,outside) dynamic interface
! Define IKEv2 policy
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 2
! Define isakmp identity to match HQ ASA tunnel-group
crypto isakmp identity key-id RemoteB
! Enable ikev2 on outside interface
crypto ikev2 enable outside
! Define phase2 proposal
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
! Define VPN-ACL (Branch B's own 172.16.3.0/24 as source, mirroring the HQ NAT exemption)
access-list VPN-ACL extended permit ip 172.16.3.0 255.255.255.0 172.16.1.0 255.255.255.0
! Create crypto map
crypto map outside_map 1 match address VPN-ACL
crypto map outside_map 1 set peer 203.0.113.2
crypto map outside_map 1 set ikev2 ipsec-proposal AES256
! Enable crypto map on outside interface (ikev2 was enabled above)
crypto map outside_map interface outside
! Create tunnel-group
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
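A consistency check for the three configurations above, added here as an example; it is not part of the original post or of Cisco's documentation. It parses only the statement shapes used on this page (object network / subnet, identity NAT, the crypto ACL referenced by the crypto map, crypto map sequence numbers, key-id and tunnel-group) from constructed excerpts of the HQ and Branch-B configs, and reports the mismatches that most often break a dynamic-to-static L2L: a branch crypto ACL that does not mirror the NAT exemptions on both sides (for instance Branch B listing Branch A's 172.16.2.0/24 as source instead of its own 172.16.3.0/24), a key-id that names no HQ tunnel-group and therefore silently lands in DefaultL2LGroup, and an HQ dynamic map entry that is not the highest sequence number. All function names and the parsers are my own.

```python
# Added example, not from the page or Cisco: cross-check a dynamic-IP branch ASA
# config against the HQ config. Parsers only understand the statement shapes above.
import ipaddress
import re

# Identity NAT (NAT exemption): source and destination objects are mapped to themselves.
IDENTITY_NAT = re.compile(r"nat \(\S+\) source static (\S+) \1 destination static (\S+) \2")

def parse_networks(cfg):
    """Map each `object network NAME` to the ip_network of its `subnet` line."""
    nets, current = {}, None
    for line in cfg.splitlines():
        tok = line.split()
        if tok[:2] == ["object", "network"] and len(tok) > 2:
            current = tok[2]
        elif tok[:1] == ["subnet"] and len(tok) > 2 and current:
            nets[current] = ipaddress.ip_network(f"{tok[1]}/{tok[2]}")
    return nets

def nat_exemptions(cfg, nets):
    """Set of (local, remote) network pairs exempted from NAT."""
    pairs = set()
    for line in cfg.splitlines():
        m = IDENTITY_NAT.match(line.strip())
        if m:
            pairs.add((nets[m.group(1)], nets[m.group(2)]))
    return pairs

def crypto_acl(cfg):
    """(src, dst) pairs of the ACL the crypto map binds with `match address`, or None."""
    m = re.search(r"crypto map \S+ \d+ match address (\S+)", cfg)
    if not m:
        return None
    pat = re.compile(r"access-list " + re.escape(m.group(1))
                     + r" extended permit ip (\S+) (\S+) (\S+) (\S+)")
    return {(ipaddress.ip_network(f"{a}/{b}"), ipaddress.ip_network(f"{c}/{d}"))
            for a, b, c, d in pat.findall(cfg)}

def dynamic_map_is_last(cfg):
    """True when the dynamic entry has the highest sequence, so static peers match first."""
    entries = re.findall(r"crypto map \S+ (\d+) (.*)", cfg)
    seqs = [int(s) for s, _ in entries]
    dyn = [int(s) for s, rest in entries if rest.startswith("ipsec-isakmp dynamic")]
    return bool(dyn) and all(d == max(seqs) for d in dyn)

def check_branch(hq_cfg, branch_cfg):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    hq_exempt = nat_exemptions(hq_cfg, parse_networks(hq_cfg))
    br_exempt = nat_exemptions(branch_cfg, parse_networks(branch_cfg))
    acl = crypto_acl(branch_cfg)
    if acl is None:
        return ["branch crypto map references no ACL"]
    for src, dst in acl:
        # The crypto ACL must mirror the HQ exemption and match the branch's own;
        # otherwise traffic is translated before encryption or the proxy IDs disagree.
        if (dst, src) not in hq_exempt:
            findings.append(f"HQ has no NAT exemption for {dst} -> {src}")
        if (src, dst) not in br_exempt:
            findings.append(f"branch has no NAT exemption for {src} -> {dst}")
    # A key-id must name an ipsec-l2l tunnel-group on HQ; anything else lands in DefaultL2LGroup.
    m = re.search(r"crypto isakmp identity key-id (\S+)", branch_cfg)
    hq_groups = set(re.findall(r"tunnel-group (\S+) type ipsec-l2l", hq_cfg))
    if m and m.group(1) not in hq_groups:
        findings.append(f"key-id {m.group(1)} matches no HQ tunnel-group; DefaultL2LGroup would be used")
    if not dynamic_map_is_last(hq_cfg):
        findings.append("HQ dynamic crypto map entry is not the highest sequence number")
    return findings

# Constructed excerpts of the HQ and Branch-B configurations above (secrets omitted).
HQ_CFG = """\
object network obj-172.16.1.0_24
 subnet 172.16.1.0 255.255.255.0
object network obj-172.16.2.0_24
 subnet 172.16.2.0 255.255.255.0
object network obj-172.16.3.0_24
 subnet 172.16.3.0 255.255.255.0
nat (inside,outside) source static obj-172.16.1.0_24 obj-172.16.1.0_24 destination static obj-172.16.2.0_24 obj-172.16.2.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static obj-172.16.1.0_24 obj-172.16.1.0_24 destination static obj-172.16.3.0_24 obj-172.16.3.0_24 no-proxy-arp route-lookup
crypto map Outside_map 65535 ipsec-isakmp dynamic D-MAP
crypto map Outside_map interface outside
tunnel-group RemoteB type ipsec-l2l
"""

def branch_b_cfg(acl_source):
    """Branch-B excerpt; acl_source is the crypto ACL source (172.16.3.0 is the correct one)."""
    return f"""\
object network obj-172.16.1.0_24
 subnet 172.16.1.0 255.255.255.0
object network obj-172.16.3.0_24
 subnet 172.16.3.0 255.255.255.0
nat (inside,outside) source static obj-172.16.3.0_24 obj-172.16.3.0_24 destination static obj-172.16.1.0_24 obj-172.16.1.0_24 no-proxy-arp route-lookup
crypto isakmp identity key-id RemoteB
access-list VPN-ACL extended permit ip {acl_source} 255.255.255.0 172.16.1.0 255.255.255.0
crypto map outside_map 1 match address VPN-ACL
"""

if __name__ == "__main__":
    print(check_branch(HQ_CFG, branch_b_cfg("172.16.2.0")) or "OK")
```

With the correct source network `check_branch` returns an empty list; with 172.16.2.0 as source it reports that the branch has no NAT exemption for 172.16.2.0/24 to 172.16.1.0/24, which is exactly the kind of mismatch that leaves the tunnel negotiating but passing no traffic. Feeding it a key-id that HQ does not define reports that the peer would fall into DefaultL2LGroup, which is worth catching before deployment because the connection still comes up, just under the wrong policy.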
===============
Reference:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118652-configure-asa-00.html