Dynamic to Static IPSec VPN Tunnel (HQ to Branch office) on Cisco ASA

Captions
Hello guys, so today we are going to configure a dynamic-to-static VPN. A normal use case would be a headquarters office, which you can see as ASAv2; this is the headquarters office, and then think of ASAv1 as a branch office, which is a very small office, so you don't get a static IP address from the ISP. Rather you have a modem sitting here that provides you an IP address from a private range, and then the modem sends the traffic out over the Internet, and this IP address keeps on changing. Okay, so in those scenarios the static-to-static VPN tunnel strategy doesn't work, so what we build is a dynamic-to-static VPN tunnel, and I'm going to demonstrate that using this lab.

So we are using R3 as a test PC which will ping across the VPN tunnel. I'm going to show you the configuration for R3. So on R3, let's look at the configuration: the IP address is 10.2 and the default gateway, ASAv1, is 10.1; we are able to ping that, and we have a default route towards 10.1. Then coming to ASA1, sorry, on ASAv1 we have the IP address of the inside interface as 10.1, and then the IP address of the outside interface is 20.5. Again, this IP address is not static; if you look at how we are getting the IP address, that's via DHCP, so this is going to change continuously. Okay, show interface, show run interface gig 0/1, okay, so there is a DHCP command, so this interface is getting its IP address via DHCP. If I look at the route, this is the next hop, which we are able to ping, okay. And then coming to R4: R4 is running a DHCP server, so you'll see 20.5 is assigned to the ASA, and then if we type in show ip int brief you will see the IP address of 20.1 that is connected to the ASA, and then 1.1 is your Internet address. Okay, and we also have a NAT here to send all the private traffic towards the Internet with the overload command, so if we look at what's in there, anything which comes from 20.0 should be sent towards 0.0 using the overload command, and anything coming from 20.0 towards 30.0 should be NAT exempted. Okay, this isn't needed here, I think we can ignore this.

Then coming to ASAv2. ASAv2 is a pretty simple setup, so the IP inside is 1.1.2, I'm sorry, inside is 192.168.30.1, and then outside is 1.1.1.2, okay, and we are able to ping R5. Okay, let's see why we're not able to ping; it should be... sorry, I will do the ping... okay.

So let's now start; we are going to start configuring ASAv1. The strategy is as below: ASAv1 is the dynamic end, and this is the sequence of steps that we are going to configure. The dynamic end we always configure like a normal static site-to-site VPN tunnel; there is no difference. The difference is actually on the static end, where we need a dynamic map.

So for the dynamic peer we are first going to start with configuring the access list. I'll go to ASAv1, which is the dynamic end; this is going to expand. The inside interface is 10.1 and the IP address of the R5 segment is 30.2, so the access list is going to be from 10.0 towards 30.0, right, that's your LAN segment. So I'm going to say access-list VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0. I think I've already defined that; let's see if it's already there. Okay, alright.

Okay, next we are going to configure phase 1 policies. The first thing we are going to do is enable phase 1 on the outside interface and then configure the phase 1 policy, crypto ikev1 policy; then we are going to use authentication as pre-share, encryption as 3des, hash as sha, group as 2. Okay, the policy is in there. Then we are going to configure the pre-shared key: tunnel-group 1.1.1.2, which is the IP address of the remote ASA, type ipsec-l2l; then we are going to define the pre-shared key, ikev1 pre-shared-key, let's say cisco. Then we are going to configure phase 2 policies: crypto ipsec ikev1 transform-set, the name is TSET, then esp-3des esp-sha-hmac. Let's define a crypto map: crypto map CMAP 10, set peer is going to be 1.1.1.2, we are going to also call the access list here, match address VPN, then we are going to call the transform set, it's TSET, and then we will enable it on the outside interface. Done.

Let's review the configuration once again. Okay, so let's look at IKEv1: we have enabled it on the outside interface, and then we have called the policies, and then we look at the pre-shared key; yes, the pre-shared key is configured. Then for phase 2 policies, this is the phase 2 policy, then the crypto map. Then the next part is the NAT exempt. Before configuring the NAT exempt we'll configure a NAT for accessing the Internet, so I'm going to say object network obj-0.0.0.0, subnet would be 0.0.0.0 0.0.0.0, nat (inside,outside) dynamic interface; that's for accessing your Internet. Now you want to make sure that our VPN traffic does not get PATed to the interface IP address. Now, why it works, why we need a NAT exempt, I've explained that in my previous video, so you can always go back to the first video, I'll paste the link here; you can always go back to that video and then understand why we need the NAT exempt for it. So object network obj-192.168.10.0, subnet 192.168.10.0 255.255.255.0; object network obj-192.168.30.0; then going to put in a NAT: nat (inside,outside) source static, destination static. Alright, so this side is configured; I'm just going to do a write mem.

Then we'll move to ASAv2, which is the static side. For the static side we'll have a little different policy: we are going to define the pre-shared key in the default tunnel group, and then we are going to create a dynamic map. Okay, I'll explain why we need that. So first of all, let's start with configuring phase 1 policies here: crypto ikev1 enable outside, we have enabled it; crypto ikev1 policy 10, authentication pre-share, hash sha, group 2, encryption 3des. Alright. Then there is a little difference in how we define the pre-shared key on the dynamic side and how we define the pre-shared key on the static side. The static side will not receive traffic from a specific IP address; the IP address will rather change, right? So we can't just define a static tunnel group and then call the pre-shared key there. So for that, on the ASA there is a default tunnel group for LAN-to-LAN connections known as DefaultL2LGroup. Any connection which does not match any static tunnel group will always land on the DefaultL2LGroup, meaning if the connection from the remote side lands from a different IP address, let's say for example it comes via 101.5 and that 101.5 tunnel group is not defined here, it will rather land on the DefaultL2LGroup. Okay, so the pre-shared key that we are going to define, we are going to define it for the DefaultL2LGroup. Okay, so ikev1 pre-shared-key cisco; we have defined the pre-shared key here.

Now we'll configure the phase 2 policy: crypto ipsec ikev1 transform-set TSET esp-3des esp-sha-hmac. Okay. Then we are going to configure the dynamic map. Unlike static crypto maps, dynamic maps are used for accepting connections which are dynamic in nature; I mean, for the connections for which we don't know that a static IP is there, we define a dynamic map so that it can handle dynamic IPsec connections from the remote site. Okay, so crypto dynamic-map, we are going to give it a name, and then we will call the ikev1 parameter here. Okay, that's it. Then we will call this dynamic map in the static crypto map: crypto map CMAP 10 ipsec-isakmp, then we will mention dynamic DYN-MAP, and then we enable the crypto map on the outside interface: crypto map CMAP interface outside. Oh, I'd rather give it, you know, the last sequence number rather than just 10, because the crypto map is sequenced, I mean it's matched from top to bottom, so as a best practice the dynamic peer should always be at the last, right? So I'm going to give it 65535: crypto map CMAP 65535 ipsec-isakmp dynamic DYN-MAP. Alright. So I think that part I've already explained in the previous video, so I'll not configure NAT here.

Let's see by starting the connections. So I'm going to R3 and I'm going to ping the remote side: ping 192.168.30.2. Okay, it worked. Let's look at the status of the VPN tunnel: show crypto ikev1 sa; the tunnel is up. Now notice the dynamic end will always be the initiator of the tunnel because it knows where the peer is, so the peer can never be the initiator of the tunnel; it will always be the dynamic end which is the initiator of the tunnel, right? If we look at the IPsec SA you will see that we sent nine packets and received nine. And then, no, okay, alright, so there were two pings. Now notice, in total we sent, you know, five pings here and five pings here, so in total there should be ten pings; one timed out. The reason one timed out is because that one packet dropped, and that actually triggered the VPN tunnel, so that one packet will always be dropped at the initial stage when the tunnel is negotiating; the rest all should, you know, go fine. Also that can be verified by the output here: you will see just nine packets getting encrypted, not ten packets; the first packet was used for VPN negotiation, right? Now if you look at that, we used the access list; that is the access list we used to establish the VPN, this is our peer, and then this is the transform set for phase 2.

Let's go to the other side, ASAv2; this would be a little interesting. show crypto ikev1 sa: you notice that the headquarters site will always be a responder. And if you look at the IPsec SA now, you will see that the connection landed on the dynamic map and there is no access list, because we accepted whatever was sent from the remote side; we did not have to create an access list. That's how the dynamic map works. Notice the current peer is 20.5. Okay, so yeah, that's pretty much it. If you have any questions, just comment and subscribe to the channel. Thank you.
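The commands walked through above, collected into one listing per ASA. This is an added example, not the video's own configuration export; the names TSET, CMAP and DYN-MAP, the pre-shared key cisco, the policy numbers and the addressing (branch LAN 192.168.10.0/24 behind ASAv1, HQ LAN 192.168.30.0/24 behind ASAv2 at 1.1.1.2) follow the lab as described in the captions.

```cisco
! === ASAv1 (branch, dynamic end: outside address comes from DHCP) ===
! Interesting traffic: branch LAN to HQ LAN
access-list VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
! Phase 1 (IKEv1): enable on outside, policy parameters as used in the video
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
! Pre-shared key bound to the HQ peer, whose address is static and known
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
 ikev1 pre-shared-key cisco
! Phase 2 and a normal static crypto map pointing at the HQ peer
crypto ipsec ikev1 transform-set TSET esp-3des esp-sha-hmac
crypto map CMAP 10 match address VPN
crypto map CMAP 10 set peer 1.1.1.2
crypto map CMAP 10 set ikev1 transform-set TSET
crypto map CMAP interface outside
! Internet PAT, then a NAT exemption so VPN traffic keeps its real source
object network obj-0.0.0.0
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
object network obj-192.168.10.0
 subnet 192.168.10.0 255.255.255.0
object network obj-192.168.30.0
 subnet 192.168.30.0 255.255.255.0
nat (inside,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.30.0 obj-192.168.30.0
!
! === ASAv2 (HQ, static end: outside 1.1.1.2) ===
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
! No per-peer tunnel-group: a peer with no matching group lands in DefaultL2LGroup
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key cisco
crypto ipsec ikev1 transform-set TSET esp-3des esp-sha-hmac
! Dynamic map: no peer and no match address; bound at the last sequence number
crypto dynamic-map DYN-MAP 10 set ikev1 transform-set TSET
crypto map CMAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map CMAP interface outside
```

Verify from the branch with show crypto ikev1 sa and show crypto ipsec sa after R3 pings 192.168.30.2; on ASAv2 the IPsec SA shows the connection on DYN-MAP with the branch's current outside address (20.5 in the lab) as the peer.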
Info
Channel: Security Ninja's
Views: 874
Id: NGrjugh-PVI
Length: 17min 30sec (1050 seconds)
Published: Fri Apr 10 2020