The War of the Cisco ASA VPN
Over the last few weeks I have had an all-out war with a Cisco ASA. Typically ASAs are not that hard to configure. Some of the ACLs can get tricky, but it is quite easy to determine whether they are working or not. When you are trying to figure out how to make a VPN work, though, and the other side has assured you that their configuration and configuration instructions are fine, it clouds the issues. To begin, I will give you some background on the configuration. This particular device is guarding the entry point for a network that has remote-access users and is also required for a site-to-site VPN to another company's network. The remote-access configuration was previously configured and working. It was my responsibility to figure out the issue with the site-to-site VPN and make it work.
Initially it seemed simple: take traffic over the VPN, but NAT it before it gets to the other side. Easy, right? No, this turned into a total mess. The issue was that the instructions read, "you need to NAT interesting traffic to 10.1.0.205/32 (255.255.255.255)." They also gave us the information that "Your Local Network: 10.1.0.205/32 (255.255.255.255)," which is supposed to be our NAT side of the VPN. OK, so let me break this down… You want me to take my network traffic (192.168.1.0/24) and then NAT it to 10.1.0.205/32 on the 10.1.0.205/32 network? That assumption was what threw me off course. Their instructions would have been clearer reading "Your Local Network: 10.1.0.205/24 (255.255.255.0)," which means that we have a host on a network, not a host on a host.
So anyway, here are the special modifications that got things working for me:
! Crypto ACL: the NAT'd host address and the local LAN, both to the remote LAN
access-list outside_cryptomap_1 extended permit ip host 10.1.0.205 192.168.50.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
! Policy NAT (pre-8.3 syntax): translate the traffic matched by the ACL to 10.1.0.205
global (inside) 10 10.1.0.205
nat (inside) 10 access-list outside_cryptomap_1
! The same ACL defines the interesting traffic for crypto map entry 1
crypto map outside_map 1 match address outside_cryptomap_1
These rules provided the meat to connect the site-to-site VPN.
In the process of getting to the above solution I learned a number of very valuable things that will save me on future ASA configurations. For example, when creating a remote-access VPN from the CLI, you must have the dynamic crypto map rules, you must have crypto isakmp enabled, and you must define a crypto isakmp policy. If you do not have all of these, the VPN will not negotiate. If you are going to use DHCP, then you will need to have a dhcpd pool, and it is also vital to have a group-policy.
Well, the war is over and I have won! Many hours have been spent on this project, but I believe I can conquer nearly anything on the Cisco ASA!
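As an added example (not the post's own configuration), the following pre-8.3 ASA skeleton puts each of the remote-access prerequisites listed above in one place: isakmp enabled, an isakmp policy, a dynamic crypto map hung off the same outside_map used for the site-to-site peer, a group-policy, and a tunnel-group. The interface name outside, the names RA_POOL, RA_GP, RA_GROUP, SPLIT_ACL, ESP-AES-256-SHA and outside_dyn_map, the client address range, and the pre-shared-key placeholder are all assumptions, and client addresses come from a local pool rather than from DHCP:

```cisco
! Added example, not from the post: minimal pre-8.3 ASA remote-access IPsec skeleton.
! Names, addresses and the interface name "outside" are assumptions.

! 1. IKEv1 must be enabled on the interface the clients reach, and a policy defined,
!    otherwise phase 1 never negotiates.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! 2. Phase 2 transform set plus a dynamic crypto map, because remote clients have
!    unknown peer addresses. The dynamic entry goes into the same static map
!    (outside_map) as the site-to-site entry, at the highest sequence number so
!    static peers are matched first.
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

! 3. Client addressing: an assumed local pool here instead of a dhcpd pool.
ip local pool RA_POOL 192.168.100.10-192.168.100.50 mask 255.255.255.0

! 4. A group-policy is required; restrict it to IPsec and tunnel only the LAN,
!    so client Internet traffic does not transit the ASA.
access-list SPLIT_ACL standard permit 192.168.1.0 255.255.255.0
group-policy RA_GP internal
group-policy RA_GP attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL

! 5. The tunnel-group ties pool, group-policy and the pre-shared key together.
tunnel-group RA_GROUP type remote-access
tunnel-group RA_GROUP general-attributes
 address-pool RA_POOL
 default-group-policy RA_GP
tunnel-group RA_GROUP ipsec-attributes
 pre-shared-key PLACEHOLDER_REPLACE_WITH_STRONG_PSK
```

To check that a client actually negotiated, look for its peer in `show crypto isakmp sa` (phase 1) and for its SPIs in `show crypto ipsec sa` (phase 2); if phase 1 is missing, one of the three isakmp/dynamic-map prerequisites above is the usual cause. With pre-8.3 NAT in place, traffic between 192.168.1.0/24 and the client pool also needs a NAT exemption (`nat (inside) 0 access-list ...` matching LAN-to-pool traffic), or replies to VPN clients are translated and the tunnel appears to be up but pass nothing.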
-Mike