What does "VPN on a stick" mean? It means that when you connect to a VPN gateway, all of your traffic runs across this gateway and is forwarded on to the Internet (if you try to reach the Internet). Why is it called "on a stick"? Because you enter the VPN gateway (ASA/PIX) on the
outside interface and you leave it the same way, without touching the private LAN. This is sometimes called hairpinning (for example when the traffic leaves again into another VPN connection).
So what do we need? First of all an ASA/PIX, and second a VPN client.
Configuration.
First we'll have to do some basic setup like creating interfaces. This differs slightly depending on your hardware; I'll post the differences here, but for the later configs please have a look at cisco.com.
ASA 5510 or higher
interface ethernet 0/0
description ### Outside Interface ###
nameif outside
ip address 10.255.255.2 255.255.255.0
interface ethernet 0/1
description ### Inside Interface ###
nameif inside
ip address 192.168.0.1 255.255.255.0
ASA 5505
interface vlan 10
description ### Outside Interface ###
nameif outside
ip address 10.255.255.2 255.255.255.0
interface vlan 20
description ### Inside Interface ###
nameif inside
ip address 192.168.0.1 255.255.255.0
PIX
interface ethernet 0
description ### Outside Interface ###
nameif outside
ip address 10.255.255.2 255.255.255.0
no shutdown
interface ethernet 1
description ### Inside Interface ###
nameif inside
ip address 192.168.0.1 255.255.255.0
no shutdown
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.255.255.254
! 10.255.255.254 is the next hop router from the ISP
crypto ipsec transform-set ESP-AES256-MD5 esp-aes-256 esp-md5-hmac
crypto dynamic-map DynOutsideMap 100 set transform-set ESP-AES256-MD5
! configuration for dynamic clients like the Cisco VPN Client
!
crypto map OutsideMap 65535 ipsec-isakmp dynamic DynOutsideMap
crypto map OutsideMap interface outside
! configuration of the overall crypto map that is applied on the outside interface
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
That's the basic part that you need nearly everywhere. The next step is to configure the specific parameters for your VPN client.
ip local pool POOL_VPN_Client 192.168.1.1-192.168.1.254 mask 255.255.255.0
group-policy GPOL_VPN_Client internal
group-policy GPOL_VPN_Client attributes
split-tunnel-policy tunnelall
tunnel-group GRP_VPN_Client type remote-access
tunnel-group GRP_VPN_Client general-attributes
default-group-policy GPOL_VPN_Client
address-pool POOL_VPN_Client
tunnel-group GRP_VPN_Client ipsec-attributes
pre-shared-key DoNotUseMe
So far, so good: your client should now be able to connect to your ASA or PIX, but nothing more.
You still need to add a user that is allowed to log in. You could use AAA, but for this scenario we stick to LOCAL users.
username VPNUser password none priv 1
! "none" is only a placeholder here, set a real password
Now let's start with the interesting parts.
Assuming that you do NAT on your ASA/PIX, you need to configure a NAT exemption so that you can reach the hosts on the inside interface from your VPN client.
I tend to use object groups quite a lot since they let you quickly change a lot of ACLs. For this reason I'll set up some object groups and use them later.
object-group network OBJ_VPN_Client
network-object 192.168.1.0 255.255.255.0
object-group network OBJ_LAN
network-object 192.168.0.0 255.255.255.0
access-list NO_nat_inside remark ### NAT exceptions ###
access-list NO_nat_inside permit ip object-group OBJ_LAN object-group OBJ_VPN_Client
So we are nearly through; add a new NAT statement:
nat (outside) 1 192.168.1.0 255.255.255.0
! NAT on interface outside so that your VPN users get your public IP
nat (inside) 0 access-list NO_nat_inside
Finally, disable the default rule "no traffic between interfaces with the same security level":
same-security-traffic permit intra-interface
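A small config audit, added here as an example and not part of the original post: it reads a saved ASA/PIX configuration and checks that the four pieces this post puts together are all present and consistent with the client pool (tunnelall policy, hairpin NAT for the pool on outside, NAT exemption ACL from the LAN to the pool, intra-interface permit). The sample config is constructed from the snippets above.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the config built in this post.
SAMPLE_CONFIG = """
ip local pool POOL_VPN_Client 192.168.1.1-192.168.1.254 mask 255.255.255.0
group-policy GPOL_VPN_Client attributes
 split-tunnel-policy tunnelall
object-group network OBJ_VPN_Client
 network-object 192.168.1.0 255.255.255.0
object-group network OBJ_LAN
 network-object 192.168.0.0 255.255.255.0
access-list NO_nat_inside permit ip object-group OBJ_LAN object-group OBJ_VPN_Client
nat (outside) 1 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NO_nat_inside
same-security-traffic permit intra-interface
"""

def _object_groups(cfg):
    """Map object-group name -> list of networks (network-object lines only)."""
    groups, current = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"object-group network (\S+)", line):
            current = groups.setdefault(m.group(1), [])
        elif current is not None and (m := re.match(r"\s+network-object (\S+) (\S+)", line)):
            current.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif not line.startswith(" "):
            current = None          # left the object-group block
    return groups

def audit(cfg):
    """Return check name -> bool for the VPN-on-a-stick pieces of an ASA/PIX config."""
    first, _last, mask = re.search(r"ip local pool \S+ (\S+)-(\S+) mask (\S+)", cfg).groups()
    pool_net = ipaddress.ip_network(f"{first}/{mask}", strict=False)
    groups = _object_groups(cfg)
    # hairpin: the client pool must be translated (PAT) on the outside interface
    outside_nat = [ipaddress.ip_network(f"{a}/{m}")
                   for a, m in re.findall(r"nat \(outside\) \d+ (\S+) (\S+)", cfg)]
    # exemption: nat (inside) 0 must point at an ACL permitting LAN -> pool
    exempt_ok = False
    if acl := re.search(r"nat \(inside\) 0 access-list (\S+)", cfg):
        pattern = rf"access-list {re.escape(acl.group(1))} permit ip object-group (\S+) object-group (\S+)"
        for _src, dst in re.findall(pattern, cfg):
            exempt_ok |= any(pool_net.subnet_of(n) for n in groups.get(dst, []))
    return {
        "intra_interface": "same-security-traffic permit intra-interface" in cfg,
        "tunnelall": "split-tunnel-policy tunnelall" in cfg,
        "pool_hairpin_nat": any(pool_net.subnet_of(n) for n in outside_nat),
        "nat_exemption": exempt_ok,
    }
```

Run it against `show running-config` output; any False entry names the piece whose absence makes the hairpin or the inside access fail.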
That's it!
Hope you enjoyed and thanks for your attention.
Full PIX configuration