SITE TO SITE VPN BEHIND ROUTER (ADSL)

In most cases a branch (remote) office uses a static outside IP address to connect to the main office; we covered that in a previous post.

We configured a site-to-site IPsec VPN between two Cisco ASA firewalls with static IP addresses on both ends, and we also covered a site-to-site VPN with a dynamic IP on one end.

What if the remote ASA firewall at the branch office is behind the provider's router (ADSL) and has a dynamic public IP from the ISP?

In this post I will take you through the steps to configure PPPoE and an IPsec/GRE VPN tunnel behind the provider's router (ADSL) with a dynamic IP at the remote office.

PPPoE stands for Point-to-Point Protocol over Ethernet. It combines Ethernet and PPP in order to provide an authenticated method of assigning IP addresses to client systems.
The PPPoE client in this case is the "NewYork" firewall, which connects to the ISP, authenticates, and receives its IP address.

The IPsec tunnel is dynamic and is triggered by interesting IP traffic. GRE (Generic Routing Encapsulation) is an encapsulation method that uses IP protocol 47; you can run an IPsec session inside a GRE tunnel.

This configuration enables the ASA at the main office to accept dynamic IPsec connections.
The ASA at the branch office can initiate connections to the ASA at the main office (it knows the endpoint), but the main ASA cannot initiate connections to the remote ASA (it does not know the endpoint).

I recommend that you take a look at the site-to-site VPN (Dynamic to Static) post before you start, because I will modify the New York firewall configuration by using Reverse Route Injection and enabling PPPoE and IPsec/GRE.


Let's start

In this scenario the New York branch office firewall is behind the provider's router (ADSL) and has a dynamic public IP address from the ISP.


Steps:

  • Configure the remote ASA outside interface as a PPPoE client so that it authenticates to the ISP, receives its IP address, and can then connect to the main office ASA.
  • Configure the VPN on the remote ASA so that it initiates the IPsec/GRE VPN connection for interesting traffic.
  • Update the configuration on the main ASA so that it accepts dynamic IPsec/GRE connections.

If you are working in a production environment, be careful when you apply these settings so that you do not override your existing configuration.

Configure the ASA Interfaces (branch office – New York )

!
hostname NewYork
!
!--- The outside interface authenticates to the service provider and learns its IP address from it.
!--- The setroute option installs a default route pointing at the PPPoE server.

interface Ethernet0/0
nameif outside
security-level 0
ip address outside pppoe setroute
no shutdown
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.10.20.1 255.255.255.0
no shutdown
!
access-list acl_out extended permit icmp any any
access-list acl_in extended permit icmp any any
access-list acl_in extended permit icmp any any echo-reply
access-list acl_in extended permit icmp any any time-exceeded
access-list acl_in extended permit icmp any any unreachable
access-list acl_in extended permit ip any any

pager lines 24
mtu outside 1492
mtu Inside 1500
arp timeout 14400
global (outside) 1 interface

nat (Inside) 1 0.0.0.0 0.0.0.0

access-group acl_out in interface outside
access-group acl_in in interface Inside

!--- Define the VPDN group to be used for PPPoE.
vpdn group pppoex request dialout pppoe
!--- Associate the user name assigned by your ISP with the VPDN group.
vpdn group pppoex localname Verizon
!--- Select the authentication protocol required by the ISP (PAP here).
vpdn group pppoex ppp authentication pap
!--- User name and password for the PPPoE connection.
vpdn username Verizon password AyYildiz1453

Note:
Check and make sure that the outside interface has dynamically learned its IP address.

Use ping to ensure that there is connectivity to both the internal and external networks, and especially to the remote peer (main office) that will be used to establish the dynamic-to-static VPN tunnel.


Site-to-site VPN config for the New York branch office (dynamic-to-static IPsec behind a router)

After the initial ASA configuration and the connectivity test, we are ready to configure the VPN.

In a point-to-point (site-to-site) VPN topology, two devices communicate directly with each other over the Internet. Specify the IP address of the peer (main office) device with which to establish the VPN; in this topology only the remote device can initiate the connection.

!--- This access list is used for a nat zero command that prevents
!--- traffic which matches the access list from undergoing NAT.
access-list notnat permit ip 10.10.20.0 255.255.255.0 192.168.10.0 255.255.255.0

!--- Bind ACL notnat to the NAT statement to avoid NAT on the IPsec packets.
nat (Inside) 0 access-list notnat

!--- The sysopt command lets IPsec-protected traffic bypass the interface ACLs,
!--- so no conduit or ACL entry is needed for the decrypted traffic.
sysopt connection permit-ipsec

!--- This ACL specifies the interesting traffic to be encrypted.
access-list toronto_vpn permit ip 10.10.20.0 255.255.255.0 192.168.10.0 255.255.255.0

!--- Phase 2 encryption and integrity algorithms.
crypto ipsec transform-set torontoset esp-aes-256 esp-sha-hmac

crypto map toronto 1 ipsec-isakmp
crypto map toronto 1 match address toronto_vpn
crypto map toronto 1 set peer 170.10.1.1
crypto map toronto 1 set transform-set torontoset

!--- Bind the crypto map to the outside interface.
crypto map toronto interface outside

!--- NAT-T is required on both ends if either peer is behind a NAT device
!--- (20 is the NAT keepalive interval in seconds).
isakmp nat-traversal 20

!--- Enable ISAKMP on the outside interface.
isakmp enable outside

!--- Pre-shared key and ISAKMP policy for connecting to the Toronto FW.
isakmp key 34FB1907 address 170.10.1.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400


Update VPN Configuration (main office – Toronto)

!--- This access list is used for a nat zero command that prevents
!--- traffic which matches the access list from undergoing NAT.
access-list notnat permit ip 192.168.10.0 255.255.255.0 10.10.20.0 255.255.255.0

!--- Bind ACL notnat to the NAT statement to avoid NAT on the IPsec packets.
nat (inside) 0 access-list notnat

!--- The sysopt command lets IPsec-protected traffic bypass the interface ACLs,
!--- so no conduit or ACL entry is needed for the decrypted traffic.
sysopt connection permit-ipsec

!--- This ACL specifies the interesting traffic to be encrypted.
access-list NewYork_vpn permit ip 192.168.10.0 255.255.255.0 10.10.20.0 255.255.255.0

!--- Phase 2 encryption and integrity algorithms.
crypto ipsec transform-set NewYorkset esp-aes-256 esp-sha-hmac

crypto dynamic-map NY_dyn_map 20 set transform-set NewYorkset
crypto dynamic-map NY_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map NY_dyn_map 20 set security-association lifetime kilobytes 4608000
!--- Reverse Route Injection: install a route to the branch network when the tunnel comes up.
crypto dynamic-map NY_dyn_map 20 set reverse-route

!--- The dynamic map is referenced from the crypto map with the highest sequence number.
crypto map outside_map 999 ipsec-isakmp dynamic NY_dyn_map

!--- Bind the crypto map to the outside interface.
crypto map outside_map interface outside

!--- NAT-T is required on both ends if either peer is behind a NAT device
!--- (20 is the NAT keepalive interval in seconds).
isakmp nat-traversal 20

!--- The security appliance provides a default tunnel group for
!--- LAN-to-LAN access (DefaultL2LGroup); configure the pre-shared key
!--- (34FB1907) there to authenticate the remote ASA.
tunnel-group DefaultL2LGroup ipsec-attributes
  pre-shared-key 34FB1907

!--- Enable ISAKMP on the outside interface.
isakmp enable outside

!--- ISAKMP policy for connecting to the NewYork FW.
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400


Bonus:

1- Only one crypto map is possible per interface, but the dynamic map is used as an entry inside the crypto map, so you need only one crypto map to run dynamic and static site-to-site VPNs on the same interface.

2- Be sure to give the dynamic-map entry the highest sequence number: the dynamic-map entry can also match all the static entries, and entries are evaluated in order of sequence number, so the dynamic entry should always be the last entry in the crypto map.
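The two VPN configurations above (New York and Toronto) and bonus point 2 all come down to a handful of properties that must agree between the peers: mirrored interesting-traffic ACLs, a NAT exemption that matches them, the same transform-set and pre-shared key on both ends, NAT-T on both peers, and a dynamic-map entry that outranks every static entry in its crypto map. The script below is an added example, not part of the original post and not a Cisco tool: it parses the relevant lines of both configs (copied from this page) and checks each property. The extra static peer 198.51.100.7 on the Toronto map is a constructed addition used only to exercise the sequence-number check, and BAD_TORONTO_CFG is the same config with the dynamic entry moved below that static entry.

```python
"""Consistency checks for the NewYork/Toronto ASA crypto configs on this page.

Added example; the config text is copied from the post, the static peer
198.51.100.7 on the Toronto map is constructed for the ordering check.
"""
import re
from ipaddress import ip_network

NEWYORK_CFG = """
access-list notnat permit ip 10.10.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list toronto_vpn permit ip 10.10.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto ipsec transform-set torontoset esp-aes-256 esp-sha-hmac
crypto map toronto 1 ipsec-isakmp
crypto map toronto 1 match address toronto_vpn
crypto map toronto 1 set peer 170.10.1.1
crypto map toronto 1 set transform-set torontoset
crypto map toronto interface outside
isakmp nat-traversal 20
isakmp key 34FB1907 address 170.10.1.1 netmask 255.255.255.255
"""

TORONTO_CFG = """
access-list notnat permit ip 192.168.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list NewYork_vpn permit ip 192.168.10.0 255.255.255.0 10.10.20.0 255.255.255.0
crypto ipsec transform-set NewYorkset esp-aes-256 esp-sha-hmac
crypto dynamic-map NY_dyn_map 20 set transform-set NewYorkset
crypto dynamic-map NY_dyn_map 20 set reverse-route
! constructed: a pre-existing static peer on the same map, sequence 10
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 set peer 198.51.100.7
crypto map outside_map 999 ipsec-isakmp dynamic NY_dyn_map
crypto map outside_map interface outside
isakmp nat-traversal 20
tunnel-group DefaultL2LGroup ipsec-attributes
  pre-shared-key 34FB1907
"""
# Same config with the dynamic entry moved below the static one (the mistake bonus point 2 warns about).
BAD_TORONTO_CFG = TORONTO_CFG.replace("outside_map 999 ipsec-isakmp", "outside_map 5 ipsec-isakmp")

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
SET_TS_RE = re.compile(r"^crypto (?:map|dynamic-map) (\S+) (\d+) set transform-set (\S+)$")
PSK_RE = re.compile(r"^(?:isakmp key|pre-shared-key) (\S+)")


def lines(cfg):
    """Config lines with surrounding whitespace and '!' comment lines removed."""
    return [l.strip() for l in cfg.splitlines() if l.strip() and not l.strip().startswith("!")]


def crypto_acls(cfg):
    """ACL name -> set of (source network, destination network) pairs."""
    acls = {}
    for m in filter(None, map(ACL_RE.match, lines(cfg))):
        name, src, smask, dst, dmask = m.groups()
        acls.setdefault(name, set()).add((ip_network(f"{src}/{smask}"), ip_network(f"{dst}/{dmask}")))
    return acls


def bound_acl(cfg):
    """ACL referenced by 'match address' in a static crypto map entry, or None."""
    return next((m.group(3) for m in map(MATCH_RE.match, lines(cfg)) if m), None)


def used_transform(cfg):
    """Algorithms of the transform-set the crypto map or dynamic map actually references."""
    sets = {m.group(1): tuple(m.group(2).split()) for m in map(TS_RE.match, lines(cfg)) if m}
    return next((sets.get(m.group(3)) for m in map(SET_TS_RE.match, lines(cfg)) if m), None)


def pre_shared_keys(cfg):
    """Keys from 'isakmp key ...' (old syntax) or 'pre-shared-key ...' (tunnel-group syntax)."""
    return {m.group(1) for m in map(PSK_RE.match, lines(cfg)) if m}


def nat_t_enabled(cfg):
    return any(l.startswith("isakmp nat-traversal") for l in lines(cfg))


def dynamic_entries_last(cfg):
    """Bonus point 2: every dynamic entry must outrank every static entry of the same map."""
    static, dynamic = {}, {}
    for m in filter(None, map(MAP_RE.match, lines(cfg))):
        name, seq, dyn = m.group(1), int(m.group(2)), m.group(3)
        (dynamic if dyn else static).setdefault(name, []).append(seq)
    return all(min(dynamic[n]) > max(static.get(n, [0])) for n in dynamic)


def mirrored(pairs_a, pairs_b):
    """True when every (src, dst) on one side appears as (dst, src) on the other."""
    return {(d, s) for s, d in pairs_a} == set(pairs_b)


def check_pair(branch_cfg, main_cfg, main_acl):
    """Run all checks; main_acl names the main office's interesting-traffic ACL."""
    b_acls, m_acls = crypto_acls(branch_cfg), crypto_acls(main_cfg)
    b_interesting, m_interesting = b_acls[bound_acl(branch_cfg)], m_acls[main_acl]
    return {
        "acl_mirrored": mirrored(b_interesting, m_interesting),
        "nat_exempt_matches": b_acls["notnat"] == b_interesting and m_acls["notnat"] == m_interesting,
        "transform_sets_match": used_transform(branch_cfg) == used_transform(main_cfg),
        "psk_match": pre_shared_keys(branch_cfg) == pre_shared_keys(main_cfg),
        "nat_t_both": nat_t_enabled(branch_cfg) and nat_t_enabled(main_cfg),
        "dynamic_entry_last": dynamic_entries_last(main_cfg),
    }


if __name__ == "__main__":
    for name, ok in check_pair(NEWYORK_CFG, TORONTO_CFG, "NewYork_vpn").items():
        print(f"{name:22} {'OK' if ok else 'FAIL'}")
    print("dynamic entry last (bad):", dynamic_entries_last(BAD_TORONTO_CFG))
```

Run it as-is and every check reports OK, while the BAD_TORONTO_CFG variant reports False for the ordering check. To use it on real boxes, paste the output of `show running-config` for each side into the two strings; lines the regexes do not recognise are simply ignored, so the rest of the configuration does no harm.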

The IPsec tunnel was established, and pings across the VPN tunnel from the host PCs at each end were successful.


Troubleshoot

Some helpful commands you may need to verify the tunnel state and to troubleshoot:

show crypto isakmp sa

show crypto ipsec sa


Good luck!

I hope this post will be useful to you. If you like the post, please don't forget to vote and click the Like button.

Email me at itmug.pro@gmail.com for corrections, additions, or questions.