ASA Site to Site VPN (DHCP)
If you don’t already know, site-to-site VPNs can be a cost-effective way for remote sites to reach HQ resources instead of a leased line such as an MPLS or Metro-E circuit. We can instead use a standard internet connection with a static IP, which is usually cheaper than a dedicated circuit. The next steps are purchasing a firewall for the remote site (assuming you already have one at HQ) and setting up a site-to-site VPN between the two. In this guide, I’ll demo a site-to-site VPN with a pair of ASAs, plus some additional commands to allow DHCP across the tunnel so that your HQ DHCP server can hand out addresses instead of you configuring a local DHCP server at the remote site.
The table below goes over the agreed settings and which networks are protected. Note that the “public” IP addresses listed in this example are from the RFC 5737 documentation ranges and are not publicly routable. Since this is a VPN connection, both sides must agree on some common settings before traffic is allowed across it. We will be tunneling the entire address range of both sites, and there is no need to NAT anything because it’s all Acme’s network. Reference the table below:
| Acme Corp | Acme Branch |
|---|---|
| Peer IP Address: 192.0.2.10 | Peer IP Address: 203.0.113.10 |
| Phase 1: AES 256 SHA (Group 2) | Phase 1: AES 256 SHA (Group 2) |
| Phase 2: AES 128 SHA | Phase 2: AES 128 SHA |
| PFS: No | PFS: No |
| Protected Networks: 10.1.1.0/24 | Protected Networks: 10.1.2.0/24 |
| Preshared Key: cisco | Preshared Key: cisco |
Here is the topology below for reference:
Let's start building the tunnel on the Acme Corp side first by creating object groups:
```
object network VPN-REMOTE-ACME-BRANCH-NET-1
subnet 10.1.2.0 255.255.255.0
object network VPN-REMOTE-ACME-BRANCH-NET-2
subnet 10.1.3.0 255.255.255.0
object network ACME-CORP-NET
subnet 10.1.1.0 255.255.255.0
object network VPN-REMOTE-ACORP-BRANCH-NET-1
subnet 10.1.2.0 255.255.255.0
object network VPN-REMOTE-ACORP-BRANCH-NET-2
subnet 10.1.3.0 255.255.255.0
object-group network VPN-LOCAL-ACMECORP-NET
network-object object ACME-CORP-NET
object-group network VPN-LOCAL-ACORP
network-object object ACME-CORP-NET
object-group network VPN-REMOTE-ACORP-BRANCH
network-object object VPN-REMOTE-ACORP-BRANCH-NET-1
network-object object VPN-REMOTE-ACORP-BRANCH-NET-2
```
Next we need to create an access control list to match the traffic we want protected over the tunnel.
We have to create some NAT exemption rules because we don't want to NAT these networks when crossing the VPN. On line one (1) I’m creating a single static NAT entry for Acme's Branch networks going to Acme's local networks. Line two (2) just reverses it so that Acme's local network can reach Acme's Branch.
> **Notice:** I'm not changing the source or destination address for these NAT rules.
Create a VPN Group Policy for Acme and Acme's Branch VPN connection:
Create the tunnel:
Build the cryptomap:
Let's jump to Acme's Branch ASA and configure it to get this tunnel up. Let's create some object-groups.
Create the access control list to match the traffic we want protected on Acme's branch.
Just like before, we have to create some NAT exemption rules. Acme's Branch has two networks that need to go over the tunnel, so we'll add both here. Lines one (1) and two (2) cover the first of Acme's Branch networks; lines three (3) and four (4) cover the other one. With these two networks we are allowing both inbound and outbound connections across the VPN.
Create a VPN Group Policy for Acme's Branch and Acme Corp VPN connection:
Create the tunnel:
Build the cryptomap:
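As an added example (not the post's own configuration, which is not reproduced here), this is what the ACL, NAT exemption, IKEv1 policy, transform set, group policy, tunnel group and crypto map on the Acme Corp ASA look like when built from the table above with the Corp-side object groups defined earlier; it covers both the Corp and Branch sections, since the Branch ASA mirrors it with the local/remote object groups swapped and 192.0.2.10 as the peer. The interface names inside/outside and the names VPN-ACME-BRANCH, VPN-AES128-SHA, GP-ACME-BRANCH and OUTSIDE-MAP are assumptions.

```text
! Added example, Acme Corp ASA (IKEv1 site-to-site per the table above).
! Interface names "inside"/"outside" and all names below except the
! object groups are assumed, not taken from the post.
!
! Crypto ACL: Corp network to both Branch networks is "interesting" traffic
access-list VPN-ACME-BRANCH extended permit ip object-group VPN-LOCAL-ACORP object-group VPN-REMOTE-ACORP-BRANCH
!
! NAT exemption (identity NAT): real addresses are kept in both directions
nat (inside,outside) source static VPN-LOCAL-ACORP VPN-LOCAL-ACORP destination static VPN-REMOTE-ACORP-BRANCH VPN-REMOTE-ACORP-BRANCH no-proxy-arp route-lookup
!
! Phase 1 (IKEv1): AES-256, SHA, DH group 2, pre-shared key
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Phase 2: AES-128 / SHA (esp-aes is 128-bit AES on the ASA)
crypto ipsec ikev1 transform-set VPN-AES128-SHA esp-aes esp-sha-hmac
!
! Group policy restricting this tunnel to IKEv1 IPsec
group-policy GP-ACME-BRANCH internal
group-policy GP-ACME-BRANCH attributes
 vpn-tunnel-protocol ikev1
!
! Tunnel group keyed on the Branch peer address; PSK is the lab value
! from the table, a long random key belongs here in production
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP-ACME-BRANCH
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key cisco
!
! Crypto map: no "set pfs" line, matching "PFS: No" in the table
crypto map OUTSIDE-MAP 10 match address VPN-ACME-BRANCH
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set VPN-AES128-SHA
crypto map OUTSIDE-MAP interface outside
```

Once interesting traffic has been sent, `show crypto ikev1 sa` and `show crypto ipsec sa` confirm that phase 1 and phase 2 came up with the agreed settings.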
We now have everything configured for the tunnel to come up, but we are still missing DHCP. In this example, since I don't have a Windows DHCP server available, I have configured an IOS router on the Acme Corp network (10.1.1.20) to do DHCP. To make DHCP available over the tunnel we only have to focus on Acme's Branch ASA and add the following configuration:
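As an added example (not the post's own configuration), these are the DHCP relay commands on the Acme Branch ASA that forward client requests from the branch LAN to the Corp DHCP server 10.1.1.20 through the tunnel; the interface names inside/outside are assumed, and the relayed packets are assumed to fall within the Branch crypto ACL and NAT exemption built above.

```text
! Added example, Acme Branch ASA: relay DHCP to the Corp server over the VPN.
! Interface names "inside"/"outside" are assumed, not taken from the post.
!
! DHCP server to forward to, and the interface it is reached through
dhcprelay server 10.1.1.20 outside
! Listen for client DHCP broadcasts on the LAN-facing interface
dhcprelay enable inside
! Replace the default gateway in replies with the ASA inside address (10.1.2.1)
dhcprelay setroute inside
! Seconds to wait for the server before dropping a pending client request
dhcprelay timeout 90
```

`show dhcprelay statistics` on the Branch ASA shows relayed requests and replies, and the encaps/decaps counters in `show crypto ipsec sa` should rise when a client asks for a lease.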
We should now be able to get an IP address from Acme's DHCP server. If I jump over to one of the Windows hosts on the Acme Branch and issue _ipconfig /all_, we can see that this Windows host was able to reach the DHCP server 10.1.1.20 across the VPN:
```
Host Name . . . . . . . . . . . . : VIRL-D3D4EE00AA
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Red Hat VirtIO Ethernet Adapter
Physical Address. . . . . . . . . : FA-16-3E-59-67-A3
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.1.2.61
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.2.1
DHCP Server . . . . . . . . . . . : 10.1.1.20
Lease Obtained. . . . . . . . . . : Sunday, April 09, 2017 5:29:25 PM
Lease Expires . . . . . . . . . . : Monday, April 10, 2017 5:29:25 PM
C:\Documents and Settings\VIRL>
```
If you want to try this out, I have attached the running-configs of both firewalls at the end of this post. If you are using Cisco VIRL, here is a link on GitHub to the file I was working with.
Note: When working with this file I noticed that sometimes the network switches on both sides don't hold a MAC address table when we first start them. The workaround I found is to copy the configuration, delete the switch, add it back, and plug everything back in order.
There is a subtype added in this configuration for the Windows XP image I was working with. You can find more information about importing Windows VMs and other third-party systems into VIRL in a previous post: Cisco VIRL and Windows VMs
As always I hope this is helpful! :)