Site to Site VPN (Dynamic to Static IP)


In most cases a branch (remote) office uses a static outside IP address to connect to the main office; we covered that setup in a previous post.

There we configured a site-to-site IPsec VPN between two Cisco ASA firewalls with a static IP address on both ends. But what if the remote ASA firewall has a dynamic IP address?

In this post I will show you how to configure an ASA-to-ASA VPN when the remote office has a dynamic IP.

This configuration enables the ASA at the main office to accept dynamic IPsec connections.

The ASA at the branch office can initiate connections to the ASA at the main office (it knows the endpoint), but the main ASA cannot initiate connections to the remote ASA (it does not know the endpoint). In practice this means the branch must always bring the tunnel up: traffic sent from the main office to the branch before the branch has initiated will fail until a host behind the branch ASA sends something that matches the crypto ACL.

Let's start

In earlier posts we configured the static site-to-site VPN and the DHCP server; we will now expand that topology by adding a branch office with a dynamic IP, "New York".


I will follow the steps below:

  1. Configure the remote ASA's outside interface to receive an IP address through DHCP and confirm that it can reach the main office ASA.
  2. Configure the VPN on the remote ASA so that it initiates the IPsec connection for interesting traffic.
  3. Update the configuration on the main ASA so that it accepts dynamic IPsec connections.

 

Configure the ASA Interfaces (branch office – New York)

hostname NewYork

!--- The outside interface learns its IP address from the service provider by DHCP.
!--- The setroute keyword installs the DHCP-supplied default gateway as the ASA's default route;
!--- without it the ASA has no route to the main office peer.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
 no shutdown
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.10.20.1 255.255.255.0
 no shutdown
!
!--- Lab ACLs. Inbound ICMP on the outside interface is only there for the connectivity test below;
!--- tighten both lists for production. (The final permit ip any any in acl_in already covers the ICMP lines above it.)
access-list acl_out extended permit icmp any any
access-list acl_in extended permit icmp any any
access-list acl_in extended permit icmp any any echo-reply
access-list acl_in extended permit icmp any any time-exceeded
access-list acl_in extended permit icmp any any unreachable
access-list acl_in extended permit ip any any
pager lines 24
mtu outside 1500
mtu Inside 1500
arp timeout 14400
!--- PAT all inside hosts behind the DHCP-learned outside address for ordinary Internet traffic.
global (outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
access-group acl_out in interface outside
access-group acl_in in interface Inside

 

Note:

  • Check that the outside interface has learned its IP address and default route from the service provider (show interface ip brief and show route).
  • Use ping to confirm connectivity to both the internal and external networks, and especially to the main office peer (170.10.1.1) that will terminate the dynamic-to-static VPN tunnel.


Dynamic-to-Static IPsec VPN Configuration (branch office – New York)

After the initial ASA configuration and connectivity test, we are ready to configure the VPN.

In a point-to-point (site-to-site) VPN topology, two devices communicate directly with each other over the Internet.

On the branch side we specify the main office peer by its static IP address. In this topology only the branch device can initiate the connection.

!--- This access list feeds the nat 0 (identity NAT) statement so that
!--- traffic between the two LANs is exempt from NAT.
access-list notnat permit ip 10.10.20.0 255.255.255.0 192.168.10.0 255.255.255.0
!--- Bind the notnat ACL to the NAT statement so the VPN traffic keeps its private addresses.
nat (Inside) 0 access-list notnat
!--- Let decrypted IPsec traffic bypass the interface ACLs.
!--- (On later ASA releases this command is named sysopt connection permit-vpn.)
sysopt connection permit-ipsec
!--- This ACL specifies the interesting traffic to be encrypted; it must be the exact mirror of the main office ACL.
access-list toronto_vpn permit ip 10.10.20.0 255.255.255.0 192.168.10.0 255.255.255.0
!--- Phase 2 (IPsec) encryption and integrity algorithms
crypto ipsec transform-set torontoset esp-aes-256 esp-sha-hmac
crypto map toronto 1 ipsec-isakmp
crypto map toronto 1 match address toronto_vpn
crypto map toronto 1 set peer 170.10.1.1
crypto map toronto 1 set transform-set torontoset
!--- Bind the crypto map to the outside interface.
crypto map toronto interface outside

!--- Enable ISAKMP (IKE) on the outside interface.
isakmp enable outside
!--- Pre-shared key for the Toronto peer. On the ASA the key is configured in the peer's tunnel-group
!--- (the isakmp key ... address ... netmask ... form is the older PIX syntax); both ends must use the same key.
tunnel-group 170.10.1.1 type ipsec-l2l
tunnel-group 170.10.1.1 ipsec-attributes
 pre-shared-key 34FB1907
!--- Identify this ASA by its (dynamic) outside address; the main office matches it against DefaultL2LGroup.
isakmp identity address
!--- Phase 1 (ISAKMP) policy; it must match a policy on the Toronto ASA.
!--- group 2 is 1024-bit Diffie-Hellman and sha is SHA-1; prefer a larger group where your release supports it.
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

 

Update VPN Configuration (main office – Toronto)

!--- This access list feeds the nat 0 (identity NAT) statement so that
!--- traffic between the two LANs is exempt from NAT.
access-list notnat permit ip 192.168.10.0 255.255.255.0 10.10.20.0 255.255.255.0
!--- Bind the notnat ACL to the NAT statement so the VPN traffic keeps its private addresses.
nat (inside) 0 access-list notnat
!--- Let decrypted IPsec traffic bypass the interface ACLs (sysopt connection permit-vpn on later releases).
sysopt connection permit-ipsec
!--- Interesting traffic, the mirror image of toronto_vpn on the branch. With a dynamic peer this ACL
!--- cannot initiate the tunnel; it restricts the proxy IDs the main office will accept from the branch.
access-list NewYork_vpn permit ip 192.168.10.0 255.255.255.0 10.10.20.0 255.255.255.0
!--- Phase 2 encryption and integrity algorithms
crypto ipsec transform-set NewYorkset esp-aes-256 esp-sha-hmac
!--- Dynamic crypto map: no set peer, because the branch address is not known in advance.
crypto dynamic-map NY_dyn_map 20 match address NewYork_vpn
crypto dynamic-map NY_dyn_map 20 set transform-set NewYorkset
crypto dynamic-map NY_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map NY_dyn_map 20 set security-association lifetime kilobytes 4608000
!--- Reverse route injection adds a route to 10.10.20.0/24 via the peer once the SA comes up
!--- (the command needs the entry's sequence number, 20).
crypto dynamic-map NY_dyn_map 20 set reverse-route
!--- Be sure to give the dynamic-map entry the highest sequence number.
crypto map outside_map 999 ipsec-isakmp dynamic NY_dyn_map
!--- Bind the crypto map to the outside interface.
crypto map outside_map interface outside
!--- The ASA provides a default tunnel group for LAN-to-LAN access (DefaultL2LGroup).
!--- A dynamic peer whose address has no tunnel-group of its own lands here, so its pre-shared key
!--- (34FB1907) is what authenticates the New York ASA. The same key is offered to any dynamic peer
!--- that connects, so it is the only thing standing in for the peer's identity: make it long and random,
!--- and replace it if the branch ASA is ever lost or compromised.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key 34FB1907
!--- Enable ISAKMP (IKE) on the outside interface.
isakmp enable outside
!--- Phase 1 policy matching the one on the New York ASA.
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

 

Bonus:

1- Only one crypto map can be applied to an interface, but a dynamic map is referenced as an entry inside that crypto map, so a single crypto map carries both the static site-to-site entries and the dynamic entry on the same interface.

2- Give the dynamic-map entry the highest sequence number. Entries are evaluated in sequence-number order, and the dynamic entry (which has no peer) can match negotiations meant for the static entries, so it must always be the last entry in the crypto map.
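Before bringing the tunnel up it is worth checking the two configurations against each other, because the usual failures (proxy IDs that are not mirror images, a dynamic entry that sorts before a static one, a transform set the other side does not offer, a mistyped key) only show up as a failed negotiation. The following is an added example, not part of the original post: a small Python checker run over constructed excerpts of the New York and Toronto configurations above. The extra static entry on outside_map (sequence 10, peer 198.51.100.7) is an assumed pre-existing site-to-site peer on the main office, and 34FB1907 is the post's sample key, not a real secret.

```python
import re

# Constructed excerpts of the two configurations from this post, embedded so the
# checks run offline. Sequence 10 / peer 198.51.100.7 on outside_map is an assumed
# pre-existing static site-to-site entry; 34FB1907 is the post's sample key.
BRANCH_CFG = """
access-list notnat permit ip 10.10.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list toronto_vpn permit ip 10.10.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto ipsec transform-set torontoset esp-aes-256 esp-sha-hmac
crypto map toronto 1 ipsec-isakmp
crypto map toronto 1 match address toronto_vpn
crypto map toronto 1 set peer 170.10.1.1
crypto map toronto 1 set transform-set torontoset
tunnel-group 170.10.1.1 type ipsec-l2l
tunnel-group 170.10.1.1 ipsec-attributes
 pre-shared-key 34FB1907
"""

MAIN_CFG = """
access-list notnat permit ip 192.168.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list NewYork_vpn permit ip 192.168.10.0 255.255.255.0 10.10.20.0 255.255.255.0
crypto ipsec transform-set NewYorkset esp-aes-256 esp-sha-hmac
crypto dynamic-map NY_dyn_map 20 set transform-set NewYorkset
crypto map outside_map 10 match address static_vpn
crypto map outside_map 10 set peer 198.51.100.7
crypto map outside_map 999 ipsec-isakmp dynamic NY_dyn_map
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key 34FB1907
"""

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def parse_acl(cfg, name):
    """Return (src, src_mask, dst, dst_mask) tuples for one named ACL."""
    out = []
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == name:
            out.append(m.groups()[1:])
    return out


def acls_mirror(local, remote):
    """Phase 2 proxy IDs must be exact mirror images or the IPsec SA is rejected."""
    return bool(local) and set(local) == {(d, dm, s, sm) for s, sm, d, dm in remote}


def dynamic_entry_is_last(cfg, map_name):
    """Bonus item 2: every dynamic entry must sort after every static entry."""
    static, dynamic = set(), set()
    for line in cfg.splitlines():
        m = MAP_RE.match(line.strip())
        if m and m.group(1) == map_name:
            target = dynamic if m.group(3).startswith("ipsec-isakmp dynamic") else static
            target.add(int(m.group(2)))
    return bool(dynamic) and (not static or max(static) < min(dynamic))


def transform_sets(cfg):
    """Map transform-set name -> tuple of ESP algorithms."""
    return {m.group(1): tuple(m.group(2).split())
            for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)}


def branch_transform_offered(branch, main):
    """The transform set the branch proposes must be one the dynamic map offers."""
    bsets, msets = transform_sets(branch), transform_sets(main)
    wanted = {bsets[n] for names in re.findall(r"^crypto map \S+ \d+ set transform-set (.+)$", branch, re.M)
              for n in names.split() if n in bsets}
    offered = {msets[n] for names in re.findall(r"^crypto dynamic-map \S+ \d+ set transform-set (.+)$", main, re.M)
               for n in names.split() if n in msets}
    return bool(wanted) and wanted <= offered


def psk(cfg, group):
    """Pre-shared key configured under a tunnel-group's ipsec-attributes, or None."""
    m = re.search(rf"^tunnel-group {re.escape(group)} ipsec-attributes\n\s*pre-shared-key (\S+)", cfg, re.M)
    return m.group(1) if m else None


def check_pair(branch, main, branch_acl, main_acl, main_map, branch_peer):
    """One boolean per precondition; every value must be True for the tunnel to come up."""
    return {
        "proxy_ids_mirror": acls_mirror(parse_acl(branch, branch_acl), parse_acl(main, main_acl)),
        "nat_exemption_mirror": acls_mirror(parse_acl(branch, "notnat"), parse_acl(main, "notnat")),
        "dynamic_entry_last": dynamic_entry_is_last(main, main_map),
        "transform_set_offered": branch_transform_offered(branch, main),
        "psk_match": psk(branch, branch_peer) is not None
                     and psk(branch, branch_peer) == psk(main, "DefaultL2LGroup"),
    }


if __name__ == "__main__":
    results = check_pair(BRANCH_CFG, MAIN_CFG, "toronto_vpn", "NewYork_vpn", "outside_map", "170.10.1.1")
    for name, ok in results.items():
        print(f"{name:22s} {'OK' if ok else 'FAIL'}")
```

The checks are deliberately textual: they read the same lines you would paste from show running-config on each box, so they can be rerun after any change on either side before the branch is asked to initiate again.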

 

Once the IPsec tunnel was established, pings across the VPN tunnel from the host PC at each end were successful.


Troubleshoot

Some helpful commands to verify the tunnel state and to troubleshoot:

show crypto isakmp sa

Phase 1: the New York peer should be listed with State MM_ACTIVE.

show crypto ipsec sa

Phase 2: the #pkts encaps and #pkts decaps counters of the 192.168.10.0/24 to 10.10.20.0/24 SA should both increase as traffic flows. Encaps rising while decaps stays at zero is the usual sign that the far side is dropping the return traffic (NAT exemption or routing).

debug crypto isakmp

Shows the phase 1 negotiation; run it on the Toronto ASA while the branch initiates, since only the branch can bring the tunnel up.
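The same two show commands can be read mechanically, which helps when a branch reports "the VPN is down" and you want a first verdict without eyeballing counters. The following is an added example, not part of the original post: a Python reader run over constructed sample output modelled on the ASA's show crypto isakmp sa and show crypto ipsec sa formats. The peer address 203.0.113.25 is a documentation address standing in for whatever DHCP address New York received, and the packet counts are made up.

```python
import re

# Constructed sample output in the ASA's format; 203.0.113.25 stands in for the
# branch's DHCP-assigned address and the counters are invented.
ISAKMP_SA = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.25
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""

IPSEC_SA_OK = """\
interface: outside
    Crypto map tag: NY_dyn_map, seq num: 20, local addr: 170.10.1.1

      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
      current_peer: 203.0.113.25

      #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
      #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
      #send errors: 0, #recv errors: 0
"""

# Same SA with nothing coming back: the classic one-way tunnel symptom.
IPSEC_SA_ONE_WAY = IPSEC_SA_OK.replace(
    "#pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40",
    "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0")

TORONTO_LAN = ("192.168.10.0", "255.255.255.0")
NEWYORK_LAN = ("10.10.20.0", "255.255.255.0")


def ike_peers(text):
    """Map each IKE peer address to its phase 1 state (for example MM_ACTIVE)."""
    peers = {}
    for block in re.split(r"\n(?=\d+\s+IKE Peer:)", text):
        m = re.search(r"IKE Peer:\s*(\S+).*?State\s*:\s*(\S+)", block, re.S)
        if m:
            peers[m.group(1)] = m.group(2)
    return peers


def ipsec_sas(text):
    """Parse each 'Crypto map tag' block into peer, proxy IDs and packet counters."""
    sas = []
    for block in re.split(r"\n(?=\s*Crypto map tag:)", text):
        peer = re.search(r"current_peer:\s*(\S+)", block)
        if not peer:
            continue
        sa = {"peer": peer.group(1)}
        sa["local"] = re.search(r"local ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/", block).groups()
        sa["remote"] = re.search(r"remote ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/", block).groups()
        for key in ("encaps", "decaps"):
            sa[key] = int(re.search(rf"#pkts {key}:\s*(\d+)", block).group(1))
        sas.append(sa)
    return sas


def diagnose(isakmp_out, ipsec_out, expected_local, expected_remote):
    """Return (verdict, detail), reading the two show commands the way a first pass would."""
    peers = ike_peers(isakmp_out)
    if not peers:
        return "no-phase1", "no IKE SA: check isakmp enable outside, the policy match and the pre-shared key"
    stuck = {p: s for p, s in peers.items() if s != "MM_ACTIVE"}
    if stuck:
        return "phase1-stuck", f"IKE SA not MM_ACTIVE: {stuck}"
    sas = [s for s in ipsec_sas(ipsec_out)
           if s["local"] == expected_local and s["remote"] == expected_remote]
    if not sas:
        return "no-phase2", "no IPsec SA for the expected proxy IDs: check that the crypto ACLs mirror each other"
    sa = sas[0]
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "idle", "SA is up but nothing has matched the crypto ACL yet: send traffic from a host behind each ASA"
    if sa["decaps"] == 0:
        return "one-way", (f"{sa['encaps']} packets encrypted to {sa['peer']} and none decrypted: "
                           "check NAT exemption and routing on the far side")
    return "ok", f"bidirectional: {sa['encaps']} out / {sa['decaps']} in via {sa['peer']}"


if __name__ == "__main__":
    print(diagnose(ISAKMP_SA, IPSEC_SA_OK, TORONTO_LAN, NEWYORK_LAN))
    print(diagnose(ISAKMP_SA, IPSEC_SA_ONE_WAY, TORONTO_LAN, NEWYORK_LAN))
```

On the Toronto ASA the expected local network is 192.168.10.0/24 and the remote is 10.10.20.0/24; swap them when reading the same commands on the branch.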


Good luck!

I hope this post will be useful to you. If you like the post, please don't forget to vote and click the Like button.

Email me at itmug.pro@gmail.com for corrections, additions, or questions.