Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Redundant VPN Tunnel Situation 1

Status
Not open for further replies.

North323

Technical User
Jan 13, 2009
966
US
OK, we currently have one VPN tunnel with our remote office. This is done through VLAN tagging through our provider ATT on vlan1204. The internet interface is not being used...until now. i need to add another tunnel in the event vlan 1204 goes down. below is my scrubbed config and below that are my changes. i need to know if it looks OK to put in production.

ASA Version 8.0(4)
!
hostname XYZ0101025505
domain-name ABCDOH.NET
enable password
passwd 2KFQnbNIdI.2KYOU encrypted
no names
name X.Y.67.0 Cityville_VLAN67
name X.Y.2.0 Cityville_VLAN2
name X.Y.7.0 Cityville_VLAN7
name X.Y.6.0 Cityville_VLAN6
name X.Y.8.0 Cityville_VLAN8
name X.Y.5.0 Cityville_VLAN5
name X.Y.1.0 Cityville_VLAN1
name X.Y.4.0 Cityville_VLAN4
name X.Y.32.0 Subnet32
name X.Y.75.0 Cityville_Vlan75
!
interface Vlan64
nameif XYZNetwork
security-level 100
ip address X.Y.Z.251 255.255.255.0
!
interface Vlan1201
nameif Internet
security-level 0
ip address 1.1.1.1 255.0.0.0
!
interface Vlan1204
nameif XYZ
security-level 0
ip address X.Y.Z.251 255.255.255.0
!
interface Ethernet0/0
switchport trunk allowed vlan 1200-1204
switchport mode trunk
speed 100
duplex full
!
interface Ethernet0/1
switchport access vlan 64
!
interface Ethernet0/2
switchport access vlan 64
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner exec c UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You MUST have explicit permission to access and configure this device. Violations of this policy will result in disciplinary action, and may be reported to law enforcement. c
banner login c UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You MUST have explicit permission to access and configure this device. Violations of this policy will result in disciplinary action, and may be reported to law enforcement. c
banner motd c UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You MUST have explicit permission to access and configure this device. Violations of this policy will result in disciplinary action, and may be reported to law enforcement. c
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone UTC -4
dns server-group DefaultDNS
domain-name ABCDOH.NET
object-group network XYZLocal
description ABCD XYZ Office
network-object X.Y.64.0 255.255.255.0
object-group network XYZtownRemote
description Remote network list for the ABCD XYZtown office.
network-object X.Y.2.0 255.255.255.0
network-object X.Y.67.0 255.255.255.0
network-object X.Y.7.0 255.255.255.0
network-object X.Y.1.0 255.255.255.0
network-object X.Y.5.0 255.255.255.0
network-object X.Y.6.0 255.255.255.0
network-object X.Y.8.0 255.255.255.0
network-object X.Y.4.0 255.255.255.0
network-object X.Y.32.0 255.255.255.0
network-object X.Y.75.0 255.255.255.0
access-list crypto10 extended permit ip object-group XYZLocal any
access-list inside_outbound_nat0_acl extended permit ip object-group XYZLocal any
access-list ABCD extended permit icmp any any
access-list ABCD extended permit tcp host X.Y.99.3 any eq 50 log
access-list ABCD extended permit tcp host X.Y.99.3 any eq 51 log
access-list ABCD extended permit udp host X.Y.99.3 any eq isakmp log
access-list ABCD extended permit ip host X.Y.99.0 any log
access-list ABCD extended permit icmp X.Y.0.0 255.255.0.0 any
access-list ABCD extended deny ip 14.2.6.0 255.255.255.0 any log
access-list ABCD extended deny ip 127.0.0.0 255.255.255.0 any log
access-list ABCD extended deny ip 10.0.0.0 255.255.255.0 any log
access-list ABCD extended deny ip 0.0.0.0 255.0.0.0 any log
access-list ABCD extended deny ip 192.168.0.0 255.255.0.0 any log
access-list ABCD extended deny ip 192.0.2.0 255.255.255.0 any log
access-list ABCD extended deny ip 169.254.0.0 255.255.0.0 any log
access-list ABCD extended deny ip 224.0.0.0 224.0.0.0 any log
access-list ABCD extended deny ip host 255.255.255.255 any log
access-list ABCD extended deny icmp any any echo log
access-list ABCD extended deny icmp any any redirect log
access-list ABCD extended deny icmp any any mask-request log
access-list ABCD extended permit ip host X.Y.75.0 interface XYZNetwork log
pager lines 24
logging console debugging
logging monitor warnings
logging buffered debugging
logging asdm informational
mtu XYZNetwork 1500
mtu Internet 1500
mtu XYZ 1500
ip verify reverse-path interface XYZ
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any XYZNetwork
icmp permit any XYZ
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (XYZNetwork) 0 access-list inside_outbound_nat0_acl
access-group ABCD in interface XYZ
route XYZ 0.0.0.0 0.0.0.0 X.Y.99.251 1
timeout xlate 0:30:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
no snmp-server enable
crypto ipsec transform-set ABCDXYZ esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map XYZ 10 match address crypto10
crypto map XYZ 10 set peer X.Y.99.3
crypto map XYZ 10 set transform-set ABCDXYZ
crypto map XYZ 10 set security-association lifetime seconds 28800
crypto map XYZ 10 set security-association lifetime kilobytes 4608000
crypto map XYZ interface XYZ
crypto isakmp enable XYZ
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 120
telnet timeout 1
ssh X.Y.64.0 255.255.255.0 XYZNetwork
ssh X.Y.75.0 255.255.255.0 XYZNetwork
ssh timeout 5
ssh version 2
console timeout 5
management-access XYZNetwork

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username
tunnel-group X.Y.99.3 type ipsec-l2l
tunnel-group X.Y.99.3 ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum
: end


Now for the changes:
Create access-list for new tunnel
*************************************************************
access-list crypto12 line 1 extended permit ip object-group YYYYLocal any
access-list inside_outbound_nat0_acl_1 line 1 extended permit ip object-group YOUNLocal any
access-list ATI_Internet extended permit icmp any any
access-list ATI_Internet extended permit tcp host p.j.99.3 any eq 50 log informational interval 300
access-list ATI_Internet extended permit tcp host p.j.99.3 any eq 51 log informational interval 300
access-list ATI_Internet extended permit udp host p.j.99.3 any eq isakmp log informational interval 300
access-list ATI_Internet extended permit ip host p.j.99.0 any log informational interval 300
access-list ATI_Internet extended permit icmp p.j.0.0 255.255.0.0 any
access-list ATI_Internet extended deny ip 14.2.6.0 255.255.255.0 any log informational interval 300
access-list ATI_Internet extended deny ip 127.0.0.0 255.255.255.0 any log informational interval 300
access-list ATI_Internet extended deny ip 10.0.0.0 255.255.255.0 any log informational interval 300
access-list ATI_Internet extended deny ip 0.0.0.0 255.0.0.0 any log informational interval 300
access-list ATI_Internet extended deny ip 192.168.0.0 255.255.0.0 any log informational interval 300
access-list ATI_Internet extended deny ip 192.0.2.0 255.255.255.0 any log informational interval 300
access-list ATI_Internet extended deny ip 169.254.0.0 255.255.0.0 any log informational interval 300
access-list ATI_Internet extended deny ip 224.0.0.0 224.0.0.0 any log informational interval 300
access-list ATI_Internet extended deny ip host 255.255.255.255 any log informational interval 300
access-list ATI_Internet extended deny icmp any any echo log informational interval 300
access-list ATI_Internet extended deny icmp any any redirect log informational interval 300
access-list ATI_Internet extended deny icmp any any mask-request log informational interval 300


access-group ATI_Internet in interface Internet
************************************************************

Create the new routes and new tunnel with below commands
**************************************************************
route YOUN 0.0.0.0 0.0.0.0 x.x.x.251 1 track 1
route backup 0.0.0.0 0.0.0.0 w.w.w.181 254

sla monitor 123
type echo protocal ipIcmpEcho w.w.w.181 interface Internet
num-packets 3
frequency 10

sla monitor schedule 123 life forever start-time now

track 1 rtr 123 reachability


crypto ipsec transform-set Internet esp-3des esp-md5-hmac
crypto map Internet 10 match address crypto10
crypto map Internet 10 set peer t.t.t.7
crypto map Internet 10 set transform-set Internet
crypto map Internet interface Interface
crypto isakmp enable Internet
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group t.t.t.7 type ipsec-l2l

tunnel-group t.t.t.7 ipsec-attributes

pre-shared-key *
 
I skimmed over the config and it looks like it should be ok.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
so i can create to acl for each interface and two seperate crypto maps?
 
yes, since they are being applied to two different interfaces.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top