Thursday, 19 March 2009

ENG - Hub-Spoke Configuration PIX/ASA - Task 1

Finally I've had the time to write this blog entry. As you may have noticed, I did the post in German some days ago, no big deal since it is my mother tongue.

But back to the problem: creating a Hub Spoke VPN topology between 3 Cisco PIX, where the two spoke PIX can send packets to each other.

First, a short detour into theory.

VPN networks are commonly divided into two topology schemes. The first is Hub Spoke, the other Full Mesh.
Hub Spoke is somewhat easier to manage, because all you have to do is make sure that your remote location can connect to the central site. Everything else can be configured at the central location.

Full Mesh offers more redundancy, and you don't have to fear that your network is completely down if your central site is off-line. In comparison to Hub Spoke, Full Mesh is harder to administer.

In larger enterprises you often find both schemes together: Full Mesh connecting the country offices, and Hub Spoke for the regional offices connecting to the country headquarters.

Now let's get started with the solution to task 1.
Setting:


Used networks
192.168.1.0 /24 - LAN main site ; routing via default route
192.168.2.0 /24 – LAN at customer 1 location 1 (Cust_1); routing via default route
192.168.3.0 /24 – LAN at customer 2 location (Cust_2); routing via default route
10.10.1.x /30 transfer network between ISP router and ASA/PIX; routing via default route
10.10.98.x /30 transfer networks between ISP routers, routing via OSPF
10.10.99.x /32 Management IP of the ISP Router; added to OSPF routing

Used tools, router and software versions
configuration and simulation using GNS3 + dynamips + PEMU
3x router 7200 (IOS 12.4.24T) as ISP router
3x router 1700 (IOS 12.3.26) as LAN hosts
3x PIX 525 (ASA/PIX 8.0.3) as Firewall and VPN endpoints

Step by step solution:
Configuration of the ISP zone
Interface creation at the routers:


device: ISP_Main
interface Loopback0
description ### MGMT INT ###
ip address 10.10.99.1 255.255.255.255
interface FastEthernet0/0
description ### FW_Main-e0 ###
ip address 10.10.1.1 255.255.255.252
duplex auto
speed auto
interface FastEthernet0/1
description ### Uplink ISP-Cust-2_f0/1 ###
ip address 10.10.98.5 255.255.255.252
duplex auto
speed auto
interface FastEthernet1/0
description ### Uplink ISP-Cust-1_f1/0 ###
ip address 10.10.98.1 255.255.255.252
duplex full
speed auto

device: ISP_Cust_1
interface Loopback0
description ### MGMT INT ###
ip address 10.10.99.3 255.255.255.255
interface FastEthernet0/0
description ### FW_Cust_1-e0 ###
ip address 10.10.1.5 255.255.255.252
duplex full
speed auto
interface FastEthernet0/1
description ### Uplink to ISP_Cust_2-f1/0 ###
ip address 10.10.98.10 255.255.255.252
duplex full
speed auto
interface FastEthernet1/0
description ### Uplink to ISP_Main-f1/0 ###
ip address 10.10.98.2 255.255.255.252
duplex full
speed auto

device: ISP_Cust_2
interface Loopback0
description ### MGMT INT ###
ip address 10.10.99.2 255.255.255.255
interface FastEthernet0/0
description ### FW-cust-2-e0 ###
ip address 10.10.1.9 255.255.255.252
duplex full
speed auto
interface FastEthernet0/1
description ### Uplink ISP_Main-f0/1 ###
ip address 10.10.98.6 255.255.255.252
duplex full
speed auto
interface FastEthernet1/0
description ### Uplink ISP_Cust_1-f0/1 ###
ip address 10.10.98.9 255.255.255.252
duplex full
speed auto


Configuration of OSPF
The task is easy, but for the 3 internet routers I decided to work with a dynamic routing protocol, OSPF.
The command router ospf [process ID] enables OSPF on your routers. The network statements select the interfaces that run OSPF and thereby the networks that are advertised into it.

device: ISP_Main
router ospf 100
router-id 10.10.99.1
log-adjacency-changes
network 10.10.1.0 0.0.0.3 area 0
network 10.10.98.0 0.0.0.3 area 0
network 10.10.98.4 0.0.0.3 area 0
network 10.10.99.1 0.0.0.0 area 0

device: ISP_Cust_1
router ospf 100
router-id 10.99.99.2
log-adjacency-changes
network 10.10.1.4 0.0.0.3 area 0
network 10.10.98.0 0.0.0.3 area 0
network 10.10.98.8 0.0.0.3 area 0
network 10.10.99.3 0.0.0.0 area 0

device: ISP_Cust_2
router ospf 100
router-id 10.99.99.3
log-adjacency-changes
network 10.10.1.8 0.0.0.3 area 0
network 10.10.98.4 0.0.0.3 area 0
network 10.10.98.8 0.0.0.3 area 0
network 10.10.99.2 0.0.0.0 area 0

The main configuration tasks are now done. A quick ping from each router to the other routers will ensure that the "Internet" works.

Note:
I just wanted to use 12.4.24T and got more trouble than necessary. I had to reconfigure the IDLEPC value in Dynamips quite a lot of times so that the routers do not consume all my CPU capacity. 3724 Router would have done the job running 12.4.15T8. This will be a lesson for me.

Configuration of the "Hosts"
Configure an IP address on the connected interface and a default route to the firewall. Nothing more to do here.

device: Host_Main
interface FastEthernet0
ip address 192.168.1.2 255.255.255.0
speed auto
ip route 0.0.0.0 0.0.0.0 192.168.1.1

device: Host_Cust_1
interface FastEthernet0
ip address 192.168.2.2 255.255.255.0
speed auto
ip route 0.0.0.0 0.0.0.0 192.168.2.1

device: Host_Cust_2
interface FastEthernet0
ip address 192.168.3.2 255.255.255.0
speed auto
ip route 0.0.0.0 0.0.0.0 192.168.3.1

The configuration of these hosts was done quickly, and after no shutdown was issued on all interfaces they could be pinged from the PIX.

Configuration of the PIX
Basics


In the first step the basic configuration is made on every ASA/PIX. This means interfaces, default routes to the ISPs and object groups.

device: FW_Main
interface Ethernet0
nameif IF_Outside
security-level 0
ip address 10.10.1.2 255.255.255.252

interface Ethernet1
nameif IF_Inside
security-level 100
ip address 192.168.1.1 255.255.255.0

route IF_Outside 0.0.0.0 0.0.0.0 10.10.1.1 1


device: FW-Cust-1
interface Ethernet0
nameif IF_Outside
security-level 0
ip address 10.10.1.6 255.255.255.252

interface Ethernet1
nameif IF_Inside
security-level 100
ip address 192.168.2.1 255.255.255.0

route IF_Outside 0.0.0.0 0.0.0.0 10.10.1.5 1


device: FW-Cust-2
interface Ethernet0
nameif IF_Outside
security-level 0
ip address 10.10.1.10 255.255.255.252

interface Ethernet1
nameif IF_Inside
security-level 100
ip address 192.168.3.1 255.255.255.0

route IF_Outside 0.0.0.0 0.0.0.0 10.10.1.9 1

All object groups are the same on all firewalls.
device: FW-Main / FW-Cust-1 /FW-Cust-2
object-group network OBJ_VPN_Main
network-object 192.168.1.0 255.255.255.0
object-group network OBJ_VPN_Customer_1
network-object 192.168.2.0 255.255.255.0
object-group network OBJ_VPN_Customer_2
network-object 192.168.3.0 255.255.255.0
object-group network OBJ_VPN_Customer
group-object OBJ_VPN_Customer_1
group-object OBJ_VPN_Customer_2


Site-to-site VPNs have 3 characteristics that have to be configured:

1. Crypto ACLs that define what traffic has to be encrypted
2. Tunnel groups that characterize the tunnel
3. ISAKMP and IPSEC parameters to build the tunnel.

Crypto ACLs always follow the same pattern: allow traffic from local network A to remote network B.
The only thing to remember is that you have to apply an exact mirror on the other side of your VPN connection.
This leads almost automatically to the following crypto ACLs.

device: FW-Main
access-list ACL_Cry_map_10 remark ### traffic for VPN to Customer 1 ###
access-list ACL_Cry_map_10 extended permit ip object-group OBJ_VPN_Main object-group OBJ_VPN_Customer_1
access-list ACL_Cry_map_10 extended permit ip object-group OBJ_VPN_Customer_2 object-group OBJ_VPN_Customer_1
access-list ACL_Cry_map_20 remark ### traffic for VPN to Customer 2 ###
access-list ACL_Cry_map_20 extended permit ip object-group OBJ_VPN_Main object-group OBJ_VPN_Customer_2
access-list ACL_Cry_map_20 extended permit ip object-group OBJ_VPN_Customer_1 object-group OBJ_VPN_Customer_2

device: FW-Cust-1
access-list ACL_Cry_map_10 remark ### traffic for VPN to Main Location ###
access-list ACL_Cry_map_10 extended permit ip object-group OBJ_VPN_Customer_1 object-group OBJ_VPN_Main
access-list ACL_Cry_map_10 extended permit ip object-group OBJ_VPN_Customer_1 object-group OBJ_VPN_Customer_2

device: FW-Cust-2
access-list ACL_Cry_map_10 remark ### traffic for VPN to Main Location ###
access-list ACL_Cry_map_10 extended permit ip object-group OBJ_VPN_Customer_2 object-group OBJ_VPN_Main
access-list ACL_Cry_map_10 extended permit ip object-group OBJ_VPN_Customer_2 object-group OBJ_VPN_Customer_1
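
The mirror rule can be checked mechanically before the tunnels are brought up. The following Python script is an added example, not part of the original post: it parses the crypto ACL lines shown above and reports every entry whose reversed source/destination pair is missing on the peer. The TUNNELS table (which ACL faces which peer) is an assumption derived from the crypto map peer statements of this setup, and the comparison is by object-group name, which works here because the object groups are identical on all firewalls.

```python
import re

ACE = re.compile(r"access-list (\S+) extended permit ip object-group (\S+) object-group (\S+)")

# Crypto ACL lines copied from the three firewalls in this post.
CONFIGS = {
    "FW-Main": """
access-list ACL_Cry_map_10 extended permit ip object-group OBJ_VPN_Main object-group OBJ_VPN_Customer_1
access-list ACL_Cry_map_10 extended permit ip object-group OBJ_VPN_Customer_2 object-group OBJ_VPN_Customer_1
access-list ACL_Cry_map_20 extended permit ip object-group OBJ_VPN_Main object-group OBJ_VPN_Customer_2
access-list ACL_Cry_map_20 extended permit ip object-group OBJ_VPN_Customer_1 object-group OBJ_VPN_Customer_2""",
    "FW-Cust-1": """
access-list ACL_Cry_map_10 extended permit ip object-group OBJ_VPN_Customer_1 object-group OBJ_VPN_Main
access-list ACL_Cry_map_10 extended permit ip object-group OBJ_VPN_Customer_1 object-group OBJ_VPN_Customer_2""",
    "FW-Cust-2": """
access-list ACL_Cry_map_10 extended permit ip object-group OBJ_VPN_Customer_2 object-group OBJ_VPN_Main
access-list ACL_Cry_map_10 extended permit ip object-group OBJ_VPN_Customer_2 object-group OBJ_VPN_Customer_1""",
}
# Assumption: (device, ACL) -> (peer device, peer ACL), taken from the crypto map peers.
TUNNELS = {
    ("FW-Main", "ACL_Cry_map_10"): ("FW-Cust-1", "ACL_Cry_map_10"),
    ("FW-Main", "ACL_Cry_map_20"): ("FW-Cust-2", "ACL_Cry_map_10"),
    ("FW-Cust-1", "ACL_Cry_map_10"): ("FW-Main", "ACL_Cry_map_10"),
    ("FW-Cust-2", "ACL_Cry_map_10"): ("FW-Main", "ACL_Cry_map_20"),
}

def crypto_entries(config):
    """Map ACL name -> set of (source group, destination group); remarks are skipped."""
    acls = {}
    for m in ACE.finditer(config):
        acls.setdefault(m[1], set()).add((m[2], m[3]))
    return acls

def mirror_gaps(configs, tunnels):
    """Return (device, acl, src, dst) for every entry with no reversed entry on the peer."""
    acls = {dev: crypto_entries(cfg) for dev, cfg in configs.items()}
    gaps = []
    for (dev, acl), (peer, peer_acl) in tunnels.items():
        remote = acls[peer].get(peer_acl, set())
        for src, dst in sorted(acls[dev].get(acl, set())):
            if (dst, src) not in remote:
                gaps.append((dev, acl, src, dst))
    return gaps

if __name__ == "__main__":
    print(mirror_gaps(CONFIGS, TUNNELS) or "all crypto ACL entries are mirrored")
```

A missing spoke-to-spoke line on the hub shows up as a gap reported for the spoke, which is the entry whose traffic would otherwise fail to match on the hub.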

So far the traffic that has to be encrypted is defined. Now the tunnel has to be specified.
The pre-shared key is configured in the tunnel group, together with several other parameters.
If you use a PSK you should of course use long and complex keys and change them from time to time.
Certificates may be an alternative for other scenarios, but this will be covered in later tasks.

For site-to-site VPNs the IP address of the remote endpoint is usually the name of the tunnel group.

device: FW-Main
! Tunnel Group for FW-Cust-1
tunnel-group 10.10.1.6 type ipsec-l2l
tunnel-group 10.10.1.6 ipsec-attributes
pre-shared-key 1234567890
! Tunnel Group for FW-Cust-2
tunnel-group 10.10.1.10 type ipsec-l2l
tunnel-group 10.10.1.10 ipsec-attributes
pre-shared-key 0987654321

device: FW-Cust-1
! Tunnel Group for FW-Main
tunnel-group 10.10.1.2 type ipsec-l2l
tunnel-group 10.10.1.2 ipsec-attributes
pre-shared-key 1234567890

device: FW-Cust-2
! Tunnel Group for FW-Main
tunnel-group 10.10.1.2 type ipsec-l2l
tunnel-group 10.10.1.2 ipsec-attributes
pre-shared-key 0987654321

The last and biggest configuration block is for the ISAKMP and IPsec parameters and of course the matching between ISAKMP / IPSec parameters, the tunnel group and the ACLs.

device: FW-Main/ FW-Cust-1 / FW-Cust-2
crypto isakmp enable IF_Outside
crypto isakmp policy 100
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

Creating the IPSec transform Sets

device: FW-Main/ FW-Cust-1 / FW-Cust-2
crypto ipsec transform-set TRANS_1 esp-aes-256 esp-sha-hmac

Next, define the crypto map that ties the parameters together. Only one crypto map can be bound to a logical interface, but every crypto map offers enough space for 65534 static connections.

device: FW-Main
crypto map MAP_Outside 10 match address ACL_Cry_map_10
crypto map MAP_Outside 10 set peer 10.10.1.6
crypto map MAP_Outside 10 set transform-set TRANS_1
crypto map MAP_Outside 20 match address ACL_Cry_map_20
crypto map MAP_Outside 20 set peer 10.10.1.10
crypto map MAP_Outside 20 set transform-set TRANS_1
crypto map MAP_Outside interface IF_Outside

device: FW-Cust-1
crypto ipsec transform-set TRANS_1 esp-aes-256 esp-sha-hmac
crypto map MAP_Outside 10 match address ACL_Cry_map_10
crypto map MAP_Outside 10 set peer 10.10.1.2
crypto map MAP_Outside 10 set transform-set TRANS_1
crypto map MAP_Outside interface IF_Outside
crypto isakmp enable IF_Outside

device: FW-Cust-2
crypto map MAP_Outside 10 match address ACL_Cry_map_10
crypto map MAP_Outside 10 set peer 10.10.1.2
crypto map MAP_Outside 10 set transform-set TRANS_1
crypto map MAP_Outside interface IF_Outside
crypto isakmp enable IF_Outside

Basically the VPN tunnels are now ready to do their job. Often NAT is configured on the firewall, and even more often this fact is forgotten, so that the tunnel will not work.
That is why NAT zero is configured in this task.

device: FW-Main
access-list ACL_Nat_0 remark ### Nat ZERO ###
access-list ACL_Nat_0 extended permit ip object-group OBJ_VPN_Main object-group OBJ_VPN_Customer
access-list ACL_Nat_0 extended permit ip object-group OBJ_VPN_Customer_2 object-group OBJ_VPN_Customer_1
access-list ACL_Nat_0 extended permit ip object-group OBJ_VPN_Customer_1 object-group OBJ_VPN_Customer_2
nat (IF_Outside) 0 access-list ACL_Nat_0

device: FW-Cust-1
access-list ACL_Nat_0 remark ### Nat ZERO ###
access-list ACL_Nat_0 extended permit ip object-group OBJ_VPN_Customer_1 object-group OBJ_VPN_Main
access-list ACL_Nat_0 extended permit ip object-group OBJ_VPN_Customer_1 object-group OBJ_VPN_Customer_2
nat (IF_Outside) 0 access-list ACL_Nat_0

device: FW-Cust-2
access-list ACL_Nat_0 remark ### Nat ZERO ###
access-list ACL_Nat_0 extended permit ip object-group OBJ_VPN_Customer_2 object-group OBJ_VPN_Customer_1
access-list ACL_Nat_0 extended permit ip object-group OBJ_VPN_Customer_2 object-group OBJ_VPN_Main
nat (IF_Outside) 0 access-list ACL_Nat_0

Last but not least, we have to allow traffic to flow from one VPN tunnel to the other. This is not possible by default. Why? Both VPN tunnels terminate on the same interface (IF_Outside) and therefore have the same security level, and by design traffic within the same level is not allowed. The solution is to enable it on the hub:

device: FW-Main
same-security-traffic permit intra-interface

If everything works as expected, we should now be able to ping from any host to the other hosts.





The ASA and PIX will now show MM_ACTIVE if you run show crypto isakmp sa.

Feel free to comment, ask questions or give feedback (corrections).
cheers NWG
