Site to Site VPN with NAT
Site to Site VPN with NAT
Site-to-Site VPN with NAT (Network Address Translation) involves establishing a secure connection between two remote networks over the internet while also translating the IP addresses of the internal network to public IP addresses for communication across the VPN tunnel. NAT enables private IP addresses used within one network to be mapped to public IP addresses, ensuring compatibility with the internet and addressing conflicts between private networks. By combining Site-to-Site VPN and NAT, organizations can securely connect geographically dispersed locations while effectively managing IP address translation, maintaining confidentiality, integrity, and authenticity of data transmitted between sites..
Lab:
Disclaimer
This Workbook is designed to assist candidates to facilitate Technology learning. While every effort has been made to ensure that all material is as complete and accurate as possible, the enclosed material is presented on an “as is” basis. Neither the authors nor RSTForum assume any liability or responsibility to any person or entity with respect to loss or damages incurred from the information contained in this Workbook. This workbook was developed by RSTForum. Any similarities between material presented in this Workbook and any other Workbook, Lab Guide or any other material is completely coincidental.
Task 1: Configure Site to Site VPN on ASA:
Overview: We have two sites with ASA firewall, Site-A ASA Firewall is sitting behind a NAT router whereas Site-B ASA Firewall is directly connected to Internet.
Step 1: Configure All the Branch Routers with their respective IP Address.
Site-A LAN Router:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Site_A_LAN
Site_A_LAN(config)#int e0/0
Site_A_LAN(config-if)#ip add 10.0.0.1 255.255.255.0
Site_A_LAN(config-if)#no shut
Site_A_LAN(config-if)#exit
Site_A_LAN(config)#ip route 0.0.0.
Site_A_LAN(config)#ip route 0.0.0.0 0.0.0.0 10.0.0.10
Site_A_LAN(config)#exit
Site_A_LAN#
Site_A_LAN#
Site-A NAT Router:
Router>
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Site_A_NAT_Router
Site_A_NAT_Router(config)#int e0/0
Site_A_NAT_Router(config-if)#ip add 192.168.0.10 255.255.255.0
Site_A_NAT_Router(config-if)#no shut
Site_A_NAT_Router(config-if)#exit
Site_A_NAT_Router(config)#int e0/1
Site_A_NAT_Router(config-if)#ip add 11.11.11.11 255.255.255.0
Site_A_NAT_Router(config-if)#no shut
Site_A_NAT_Router(config-if)#exit
Site_A_NAT_Router(config)#int e0/0
Site_A_NAT_Router(config-if)#ip nat inside
Site_A_NAT_Router(config-if)#exit
Site_A_NAT_Router(config)#int e0/1
Site_A_NAT_Router(config-if)#ip nat outside
Site_A_NAT_Router(config-if)#exit
Site_A_NAT_Router(config)#access-list 101 permit ip any any
Site_A_NAT_Router(config)#ip nat inside source list 101 interface ethernet 0/1 overload
Site_A_NAT_Router(config)#ip route 0.0.0.0 0.0.0.0 11.11.11.10
Site_A_NAT_Router(config)#exit
ISP Router:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname ISP
ISP(config)#int e0/1
ISP(config-if)#ip add 11.11.11.10 255.255.255.0
ISP(config-if)#no shut
ISP(config-if)#exi
ISP(config)#int e0/0
ISP(config-if)#ip add 22.22.22.10 255.255.255.0
ISP(config-if)#no shut
ISP(config-if)#exit
ISP(config)#
ISP(config)#exit
ISP#
Site_B_LAN Router:
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Site_B_LAN
Site_B_LAN(config)#int e0/0
Site_B_LAN(config-if)#ip add 172.16.0.1 255.255.255.0
Site_B_LAN(config-if)#no shut
Site_B_LAN(config-if)#exit
Site_B_LAN(config)#ip route 0.0.0.0
Site_B_LAN(config)#ip route 0.0.0.0 0.0.0.0 172.16.0.10
Site_B_LAN(config)#exit
Site_B_LAN#
Site_B_LAN#
Step 2: Configure Site-A ASA with IKEv2 VPN Parameter.
Site-A ASA Firewall:
ciscoasa# conf t
ciscoasa(config)#hostname SITE-A-ASA
SITE-A-ASA(config)# interface eth0
SITE-A-ASA(config-if)# ip add 10.0.0.10 255.255.255.0
SITE-A-ASA(config-if)# no shut
SITE-A-ASA(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
SITE-A-ASA(config-if)# exit
SITE-A-ASA(config)# interface eth1
SITE-A-ASA(config-if)# ip add 192.168.0.1 255.255.255.0
SITE-A-ASA(config-if)# no shut
SITE-A-ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
SITE-A-ASA(config-if)# exit
SITE-A-ASA(config)# route outside 0 0 192.168.0.10
SITE-A-ASA(config)# crypto ikev2 policy 10
SITE-A-ASA(config-ikev2-policy)# encryption aes-256
SITE-A-ASA(config-ikev2-policy)# integrity sha256
SITE-A-ASA(config-ikev2-policy)# group 19
SITE-A-ASA(config-ikev2-policy)# prf sha256
SITE-A-ASA(config-ikev2-policy)# lifetime seconds 86400
SITE-A-ASA(config-ikev2-policy)# crypto ikev2 enable outside
SITE-A-ASA(config)# object network SITE-A
SITE-A-ASA(config-network-object)# subnet 10.0.0.0 255.255.255.0
SITE-A-ASA(config-network-object)# object network SITE-B
SITE-A-ASA(config-network-object)# subnet 172.16.0.0 255.255.255.0
SITE-A-ASA(config-network-object)# access-list INTERESTING-Traffic extended permit ip object SITE-A object SITE-B
SITE-A-ASA(config)# nat (inside,outside) source static SITE-A SITE-A destination static SITE-B SITE-B no-proxy-arp route-lookup
SITE-A-ASA(config)# tunnel-group 22.22.22.22 type ipsec-l2l
SITE-A-ASA(config)# tunnel-group 22.22.22.22 ipsec-attributes
SITE-A-ASA(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 12345678
SITE-A-ASA(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 12345678
SITE-A-ASA(config-tunnel-ipsec)# isakmp keepalive threshold 10 retry 2
SITE-A-ASA(config-tunnel-ipsec)# crypto ipsec ikev2 ipsec-proposal VPN-TSET
SITE-A-ASA(config-ipsec-proposal)# protocol esp encryption aes-256
SITE-A-ASA(config-ipsec-proposal)# protocol esp integrity sha-1
SITE-A-ASA(config-ipsec-proposal)# crypto map CRYPTO-MAP 1 match address INTERESTING-Traffic
SITE-A-ASA(config)# crypto map CRYPTO-MAP 1 set peer 22.22.22.22
SITE-A-ASA(config)# crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TSET
SITE-A-ASA(config)# crypto map CRYPTO-MAP interface outside
SITE-A-ASA(config)#
Site-B ASA Firewall:
ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)#hostname SITE-B-ASA
SITE-B-ASA(config)# interface eth0
SITE-B-ASA(config-if)# ip add 172.16.0.10 255.255.255.0
SITE-B-ASA(config-if)# no shut
SITE-B-ASA(config-if)# nameif inside
SITE-B-ASA(config-if)# exit
SITE-B-ASA(config)# interface eth1
SITE-B-ASA(config-if)# ip add 22.22.22.22 255.255.255.0
SITE-B-ASA(config-if)# no shut
SITE-B-ASA(config-if)# nameif outside
SITE-B-ASA(config-if)# exit
SITE-B-ASA(config)# route outside 0 0 22.22.22.10
SITE-B-ASA(config)# crypto ikev2 policy 10
SITE-B-ASA(config-ikev2-policy)# encryption aes-256
SITE-B-ASA(config-ikev2-policy)# integrity sha256
SITE-B-ASA(config-ikev2-policy)# group 19
SITE-B-ASA(config-ikev2-policy)# prf sha256
SITE-B-ASA(config-ikev2-policy)# lifetime seconds 86400
SITE-B-ASA(config-ikev2-policy)# crypto ikev2 enable outside
SITE-B-ASA(config)# object network SITE-A
SITE-B-ASA(config-network-object)# subnet 172.16.0.0 255.255.255.0
SITE-B-ASA(config-network-object)# object network SITE-B
SITE-B-ASA(config-network-object)# subnet 10.0.0.0 255.255.255.0
SITE-B-ASA(config-network-object)# access-list INTERESTING-Traffic extended permit ip object SITE-A object SITE-B
SITE-B-ASA(config)# nat (inside,outside) source static SITE-A SITE-A destination static SITE-B SITE-B no-proxy-arp route-lookup
SITE-B-ASA(config)# tunnel-group 11.11.11.11 type ipsec-l2l
SITE-B-ASA(config)# tunnel-group 11.11.11.11 ipsec-attributes
SITE-B-ASA(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 12345678
SITE-B-ASA(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 12345678
SITE-B-ASA(config-tunnel-ipsec)# isakmp keepalive threshold 10 retry 2
SITE-B-ASA(config-tunnel-ipsec)# crypto ipsec ikev2 ipsec-proposal VPN-TSET
SITE-B-ASA(config-ipsec-proposal)# protocol esp encryption aes-256
SITE-B-ASA(config-ipsec-proposal)# protocol esp integrity sha-1
SITE-B-ASA(config-ipsec-proposal)# crypto map CRYPTO-MAP 1 match address INTERESTING-Traffic
SITE-B-ASA(config)# crypto map CRYPTO-MAP 1 set peer 11.11.11.11
SITE-B-ASA(config)# crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TSET
SITE-B-ASA(config)# crypto map CRYPTO-MAP interface outside
SITE-B-ASA(config)#
Task 2: Verify Site to Site VPN:
Step 1: We will try to initiate traffic from Site B LAN to Site A LAN. Here we will not see any packet going even though NAT-Traversal is by default enabled on ASAs, the reason is because we are trying to initiate tunnel with an ASA device which is sitting behind NAT Router. All packet which is currently going from Site B LAN to Site A LAN, is getting dropped at NAT Router as no NAT entry is create in NAT Table of NAT Router.
Site-B LAN Router:
Site_B_LAN#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Site_B_LAN#
Site-A NAT Router:
Site_A_NAT_Router#sh ip nat translations
Site_A_NAT_Router#
Step 2: Now we will try to initiate traffic from Site-A LAN Router to Site-B LAN Router, as a result of this first NAT entry will be created on Site-A NAT Router, which will now allow the return traffic from Site-B LAN, as a result we will now be able to form tunnel.
Site-A LAN Router:
Site_A_LAN#ping 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 23/25/31 ms
Site_A_LAN#
Site-A NAT Router:
Site_A_NAT_Router#sh ip nat translations
udp 11.11.11.11:500 192.168.0.1:500 22.22.22.22:500 22.22.22.22:500
udp 11.11.11.11:4500 192.168.0.1:4500 22.22.22.22:4500 22.22.22.22:4500
We can verify that NAT-Traversal is happening as the port number above is UDP 4500 which is reserved for NAT-T and tunnel is forming as we can also see ESP with port number 500.
Step 3: Now we verify if our interesting traffic is getting encrypted, encapsulated, and hashed or not.
Site-A-ASA Firewall:
SITE-A-ASA(config)# show crypto isakmp sa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:15, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
64522925 192.168.0.1/4500 22.22.22.22/4500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/207 sec
Child sa: local selector 10.0.0.0/0 - 10.0.0.255/65535
remote selector 172.16.0.0/0 - 172.16.0.255/65535
ESP spi in/out: 0xa35855f/0xf9ec1428
SITE-A-ASA(config)#
SITE-A-ASA(config)# show crypto ipsec sa
interface: outside
Crypto map tag: CRYPTO-MAP, seq num: 1, local addr: 192.168.0.1
access-list INTERESTING-Traffic extended permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
current_peer: 22.22.22.22
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.0.1/4500, remote crypto endpt.: 22.22.22.22/4500
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: F9EC1428
current inbound spi : 0A35855F
SITE-A-ASA(config)#