Yes, this is quite basic to do; the IKE group-matching feature is quite powerful and knows who to authenticate and which policy to apply against them;
Check it-
(this is a change request to add dynamic IPsec L2L to an existing ASA/PIX with dynamic clients;
Task 1: Configure nat bypass on Colo Firewall
1. Remove static nat
access-list no-nat extended permit ip 192.168.0.0 255.255.0.0 192.168.225.0 255.255.255.0
Task 2: Configure dynamic crypto map entry and policies to permit ASA 5505 client connections
1. Choose ESP-AES-128-SHA (much better on CPU than 3DES/MD5)
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
2. Configure dynamic crypto map entry
crypto dynamic-map dyn-remote 10 set transform-set ESP-AES-128-SHA
crypto dynamic-map dyn-remote 10 set reverse-route
3. Create pointer in main Crypto ACL to dynamic rule for ASA 5505s
crypto map outside_map 65534 ipsec-isakmp dynamic dyn-remote
4. Configure the default LAN-to-LAN group with a pre-shared key
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <preshared key>
Here is the total config (it's doing static L2L, dynamic L2L, and dynamic client):
fw-nyc-25b# show run crypto
crypto ipsec transform-set aes-set esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 1 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 1 set reverse-route
crypto dynamic-map dyn-remote 10 set transform-set ESP-AES-128-SHA
crypto dynamic-map dyn-remote 10 set security-association lifetime seconds 86400
crypto dynamic-map dyn-remote 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn-remote 10 set reverse-route
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer 210.70.74.50
crypto map outside_map 100 set transform-set ESP-3DES-MD5 ESP-AES
crypto map outside_map 100 set security-association lifetime seconds 28800
crypto map outside_map 100 set security-association lifetime kilobytes 4608000
crypto map outside_map 110 match address wgny-to-la-showroom
crypto map outside_map 110 set peer 76.200.242.15
crypto map outside_map 110 set transform-set ESP-3DES-MD5
crypto map outside_map 110 set security-association lifetime seconds 86400
crypto map outside_map 110 set security-association lifetime kilobytes 4608000
crypto map outside_map 120 match address wgny-to-nyc-sales
crypto map outside_map 120 set peer 210.11.31.194
crypto map outside_map 120 set transform-set ESP-3DES-MD5
crypto map outside_map 120 set security-association lifetime seconds 86400
crypto map outside_map 120 set security-association lifetime kilobytes 4608000
crypto map outside_map 130 match address wgny-to-nyc-showroom
crypto map outside_map 130 set peer 195.56.142.162
crypto map outside_map 130 set transform-set ESP-3DES-MD5
crypto map outside_map 130 set security-association lifetime seconds 86400
crypto map outside_map 130 set security-association lifetime kilobytes 4608000
crypto map outside_map 65534 ipsec-isakmp dynamic dyn-remote
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 120
fw-nyc-25b# show run group-policy
group-policy VPNCLIENT internal
group-policy VPNCLIENT attributes
 dns-server value 10.10.1.82
 vpn-idle-timeout 720
 ip-comp disable
 pfs enable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNCLIENT_splitTunnelAcl
 default-domain value news.org
 user-authentication enable
 ip-phone-bypass enable
group-policy ROADS internal
group-policy ROADS attributes
 vpn-access-hours none
 vpn-simultaneous-logins 2
 vpn-idle-timeout 60
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ROADS_acl
fw-nyc-25b# show run tunnel-group
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold infinite
tunnel-group VPNCLIENT type remote-access
tunnel-group VPNCLIENT general-attributes
 address-pool outside_vpn
 authentication-server-group RADIUS
 default-group-policy VPNCLIENT
tunnel-group VPNCLIENT ipsec-attributes
 pre-shared-key *
tunnel-group 210.70.74.50 type ipsec-l2l
tunnel-group 210.70.74.50 ipsec-attributes
 pre-shared-key *
tunnel-group ROADS type remote-access
tunnel-group ROADS general-attributes
 address-pool outside_vpn
 default-group-policy THUNDER
tunnel-group THUNDER ipsec-attributes
 pre-shared-key *
tunnel-group 76.200.242.15 type ipsec-l2l
tunnel-group 76.200.242.15 ipsec-attributes
 pre-shared-key *
tunnel-group 195.56.142.162 type ipsec-l2l
tunnel-group 195.56.142.162 ipsec-attributes
 pre-shared-key *
tunnel-group 210.11.31.194 type ipsec-l2l
tunnel-group 210.11.31.194 ipsec-attributes
 pre-shared-key *
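To sanity-check a change like the one above before the dynamic peer ever dials in, here is an added example (my own code, not anything posted in this thread and not a Cisco tool) that parses the text of show run crypto / show run tunnel-group and reports whether the four pieces are in place: a dynamic-map with a transform set, a crypto map entry pointing at it with a sequence number above every static peer, the crypto map bound to an interface, and a pre-shared key under DefaultL2LGroup. It also warns when NAT-T is off or a transform set / ISAKMP policy still uses DES, 3DES, MD5 or DH group 1/2. The embedded sample config is constructed (modelled on the config above, with a documentation-range peer address), and the map and group names default to outside_map and DefaultL2LGroup as used in this post.

```python
"""Added example: check ASA/PIX config text for the dynamic L2L pieces (dynamic-map,
crypto-map pointer, interface binding, DefaultL2LGroup key) and flag legacy algorithms."""
import re
from collections import defaultdict

WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}


def parse_config(text):
    """Pull the statements that matter for dynamic L2L out of ASA config text."""
    cfg = {"transform_sets": {}, "dynamic_maps": set(), "map_interfaces": {},
           "static_entries": defaultdict(dict), "dynamic_entries": defaultdict(dict),
           "isakmp_policies": defaultdict(dict), "nat_traversal": False, "keyed_groups": set()}
    policy = tg = None  # isakmp policy / tunnel-group ipsec-attributes block we are inside
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["transform_sets"][m[1]] = m[2].split()
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ set transform-set", line):
            cfg["dynamic_maps"].add(m[1])
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)", line):
            cfg["dynamic_entries"][m[1]][int(m[2])] = m[3]
        elif m := re.match(r"crypto map (\S+) (\d+) set peer (\S+)", line):
            cfg["static_entries"][m[1]][int(m[2])] = m[3]
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            cfg["map_interfaces"][m[1]] = m[2]
        elif m := re.match(r"crypto isakmp policy (\d+)", line):
            policy, tg = int(m[1]), None
        elif line.startswith("crypto isakmp nat-traversal"):
            cfg["nat_traversal"], policy = True, None
        elif line.startswith("crypto "):
            policy = None  # any other top-level crypto line ends a policy block
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes", line):
            policy, tg = None, m[1]
        elif line.startswith(("tunnel-group ", "group-policy ")):
            policy = tg = None
        elif policy is not None and (m := re.match(r"(encryption|hash|group) (\S+)", line)):
            cfg["isakmp_policies"][policy][m[1]] = m[2]
        elif tg is not None and line.startswith("pre-shared-key"):
            cfg["keyed_groups"].add(tg)
    return cfg


def check_dynamic_l2l(text, crypto_map="outside_map", l2l_group="DefaultL2LGroup"):
    """Return (ok, findings); ok is False on a blocking problem, 'warning:' lines are advisory."""
    cfg, findings = parse_config(text), []
    dyn = cfg["dynamic_entries"].get(crypto_map, {})
    static = cfg["static_entries"].get(crypto_map, {})
    if not dyn:
        findings.append(f"no 'crypto map {crypto_map} <seq> ipsec-isakmp dynamic <name>' pointer")
    for seq, name in dyn.items():
        if name not in cfg["dynamic_maps"]:
            findings.append(f"dynamic map {name} (seq {seq}) has no transform-set")
    if dyn and static and min(dyn) < max(static):
        findings.append("dynamic entries need higher sequence numbers than every "
                        "static peer so the static entries are evaluated first")
    if crypto_map not in cfg["map_interfaces"]:
        findings.append(f"crypto map {crypto_map} is not applied to an interface")
    if l2l_group not in cfg["keyed_groups"]:
        findings.append(f"tunnel-group {l2l_group} has no pre-shared-key; dynamic-IP L2L peers cannot authenticate")
    blocking = len(findings)
    if not cfg["nat_traversal"]:
        findings.append("warning: crypto isakmp nat-traversal is not enabled")
    for name, algs in cfg["transform_sets"].items():
        if weak := sorted(WEAK_ESP & set(algs)):
            findings.append(f"warning: transform-set {name} uses {', '.join(weak)}")
    for prio, attrs in sorted(cfg["isakmp_policies"].items()):
        weak = [f"{a} {attrs[a]}" for a in ("encryption", "hash", "group")
                if attrs.get(a) in WEAK_IKE[a]]
        if weak:
            findings.append(f"warning: isakmp policy {prio} uses {', '.join(weak)}")
    return blocking == 0, findings


# Constructed excerpt modelled on the thread's config; 198.51.100.20 is a documentation address.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map dyn-remote 10 set transform-set ESP-AES-128-SHA
crypto map outside_map 100 set peer 198.51.100.20
crypto map outside_map 65534 ipsec-isakmp dynamic dyn-remote
crypto map outside_map interface outside
crypto isakmp policy 10
 encryption aes
 hash sha
 group 2
crypto isakmp policy 50
 encryption 3des
 hash md5
 group 2
crypto isakmp nat-traversal 120
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold infinite
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key *
"""

if __name__ == "__main__":
    ok, report = check_dynamic_l2l(SAMPLE_CONFIG)
    print("OK" if ok else "BLOCKING PROBLEMS", *report, sep="\n")
```

Feed it the real output of show run crypto and show run tunnel-group; the parser is plain regex over stripped lines, so it does not care whether the pasted text kept its indentation. The sequence-number check mirrors the 65534/65535 placement in the config above: static peers are matched on address first, and the catch-all dynamic entries belong at the end of the map.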
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Ryan West
Sent: Thursday, May 13, 2010 5:23 PM
To: Martin Hogan; Cisco certification
Subject: RE: Possible to have L2L IPSEC (Dynamic IP address) clients and regular IPSEC VPN Clients (Dynamic IP address) connecting to the same ASA/PIX(Static IP address)
Martin,
> -----Original Message-----
> Sent: Thursday, May 13, 2010 5:12 PM
> To: Cisco certification
> Subject: OT: Possible to have L2L IPSEC (Dynamic IP address) clients and
> regular IPSEC VPN Clients (Dynamic IP address) connecting to the same
> ASA/PIX(Static IP address)
>
> OT: Possible to have L2L IPSEC (Dynamic IP address) clients[IOS] and regular
> IPSEC VPN Clients (Dynamic IP address) connecting to the same ASA/PIX(Static
> IP address)
>
> Disclaimer: "I'm not a firewall guy"
>
> Hi All,
>
> As the subject line says, I've got an odd requirement for a customer to have
> a last-minute, ultra-urgent branch office turned up, but the only connectivity
> option available is a dynamic IP address based Internet link, thus moving
> away from the existing / known working setups.
>
> This ASA already has IPSEC VPN Clients (Cisco clients running on Windows)
> that connect and work fine.
>
> It would seem as if it's possible, but I think I must be missing some config
> at the ASA/PIX end: the unit connects, negotiates Phase 1, then fails
> (deletes the SA) with no errors in debug crypto isakmp sa pointing to the
> issue that I can see.
>
> The ultra urgency and last-minute nature of this is what is causing me to ask
> here rather than build the lab, configure, test, configure, test, which would
> be my preferred option.
>
> If anyone could tell me it definitely can work that would be a big help,
> even better if anyone can note the specific requirements (config) for it to
> work.
>
Can you post part of your config? show run crypto, show run isakmp, and the show run access-list output for the ACLs involved.
You can enable a crypto peer with an 'any' address to bring up phase 1; then your phase 2 traffic would need to match inversely as normal. The tunnel needs to be initiated from the dynamic end, of course. You can also configure the remote end to act as an EzVPN client and use NEM.
-ryan
Blogs and organic groups at http://www.ccie.net
Received on Thu May 13 2010 - 17:34:39 ART
This archive was generated by hypermail 2.2.0 : Tue Jun 01 2010 - 07:09:53 ART