VPN dinámica con ASA

Pruebas de VPN detrás de una router con IP dinámica y realizando PAT

Fecha: Octubre 2012 Clase: ASA Fundamentals (clase privada)

Las pruebas se realizaron entre un ASA 5505 y contra un terminador Cisco 1841, pero las configuraciones

son similares en cuanto al funcionamiento de IPSec, varían detalles de los comandos entre IOS y ASA.

Escenario

En este escenario, se simula una conección a internet con IP dinámisca, tipo ADSL o cablemodem, entre

un Cisco 1841 (abajo en la foto) a travéz de un SW 2960 y se le cambian las IP públicas al Cisco 831

(en la foto aún sin conectar) y detrás de este (en el diagrama), un ASA 5505 (arriba de todo en la foto).

Verificación

Router#sh crypto isakmp sa (verificación fase I IPsec)

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

200.80.209.92 200.80.209.89 QM_IDLE 1079 0 ACTIVE

IPv6 Crypto ISAKMP SA

Router#sh crypto ipsec sa (verificación fase II IPsec)

interface: FastEthernet0/1

Crypto map tag: VPN, local addr 200.80.209.92

protected vrf: (none)

local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)

remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

current_peer 200.80.209.89 port 4500 (en vez de UDP 500 porque está detrás de un NAT)

PERMIT, flags={}

#pkts encaps: 69961, #pkts encrypt: 69961, #pkts digest: 69961

#pkts decaps: 139566, #pkts decrypt: 139566, #pkts verify: 139566

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

---resumido---

Router#sh ip route (verificación enrutamiento)

Gateway of last resort is 200.80.209.89 to network 0.0.0.0

200.80.209.0/29 is subnetted, 1 subnets

C 200.80.209.88 is directly connected, FastEthernet0/1

10.0.0.0/16 is subnetted, 1 subnets

C 10.61.0.0 is directly connected, FastEthernet0/0

S 192.168.1.0/24 [1/0] via 200.80.209.89 (router ADSL, ruta creada cuando levanta la VPN)

S* 0.0.0.0/0 [1/0] via 200.80.209.89 (default gateway)

Router#

Gateway# sh ip nat trans (verificamos PAT hacia internet)

Pro Inside global Inside local Outside local Outside global

udp 200.80.209.89:4500 192.168.0.2:4500 200.80.209.92:4500 200.80.209.92:4500 (non-isakmp, detrás de NAT)

Gateway#

FW-ASA# sh crypto isakmp sa (verificación fase I)

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 200.80.209.92

Type : L2L Role : initiator (ASA inició el túnel)

Rekey : no State : MM_ACTIVE

FW-ASA# sh crypto ipsec sa (verificación fase II)

interface: outside

Crypto map tag: Outside, seq num: 1, local addr: 192.168.0.2

access-list outside_1_cryptomap permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0

local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)

current_peer: 200.80.209.92

#pkts encaps: 139566, #pkts encrypt: 139566, #pkts digest: 139566

#pkts decaps: 69961, #pkts decrypt: 69961, #pkts verify: 69961

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 139566, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.0.2/4500, remote crypto endpt.: 200.80.209.92/4500 (porque está detrás de un NAT)

path mtu 1500, ipsec overhead 66, media mtu 1500

current outbound spi: CB46D829

FW-ASA# sh route (verificación enrutamiento)

Gateway of last resort is 192.168.0.1 to network 0.0.0.0

C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback

C 192.168.0.0 255.255.255.0 is directly connected, outside

C 192.168.1.0 255.255.255.0 is directly connected, inside

S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.0.1, outside (router ADSL con PAT)

FW-ASA#

Cambios en la IP del router Cisco 831 simulando IP dinámica

Gateway#

Gateway#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Gateway(config)#int eth1

Gateway(config-if)#ip add 200.80.209.90 255.255.255.248 (nueva IP del router ADSL)

Gateway(config-if)#^Z

Gateway#

Router#sh crypto isakm sa (verificación fase I)

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

200.80.209.92 200.80.209.89 QM_IDLE 1079 0 ACTIVE (luego quedará como DELETED)

200.80.209.92 200.80.209.90 QM_IDLE 1080 0 ACTIVE (nueva IP del router ADSL)

Router#sh ip route (verificación enrutamiento)

Gateway of last resort is 200.80.209.89 to network 0.0.0.0

200.80.209.0/29 is subnetted, 1 subnets

C 200.80.209.88 is directly connected, FastEthernet0/1

10.0.0.0/16 is subnetted, 1 subnets

C 10.61.0.0 is directly connected, FastEthernet0/0

S 192.168.1.0/24 [1/0] via 200.80.209.90 (nueva IP del router ADSL generada por IPSec)

S* 0.0.0.0/0 [1/0] via 200.80.209.89 (default gateway, no impacta)

Router#

Configuraciones relevantes en los equipos

Router#sh runn (terminador de tunel)

Building configuration...

Current configuration : 2111 bytes

version 12.4

hostname Router

crypto isakmp policy 1

hash md5

authentication pre-share

group 5

crypto isakmp key cisco123 address 0.0.0.0 (acepta cualquier IP)

crypto isakmp nat keepalive 10

crypto ipsec transform-set DES-MD5 esp-des esp-md5-hmac

crypto ipsec nat-transparency spi-matching

crypto dynamic-map vpn-adsl 10 (es dinámico ya que se adapta a cualquier IP)

set transform-set DES-MD5

set pfs group5

match address VPN (ver ACL VPN)

reverse-route (genera una entrada en la tabla de enrutamiento)

crypto map VPN 1 ipsec-isakmp dynamic vpn-adsl (asocia dinámico con mapa en la interfaz)

interface FastEthernet0/0

ip address 10.61.1.1 255.255.0.0

ip nat inside

ip virtual-reassembly

interface FastEthernet0/1

ip address 200.80.209.92 255.255.255.248

ip nat outside

ip virtual-reassembly

crypto map VPN (mapa de cifrado real)

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload

! (también podría utilizarse ip nat inside source list NAT etc...)

ip access-list extended NAT

deny ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255 (evita NAT, reencapsula tráfico)

permit ip 10.0.0.0 0.255.255.255 any

ip access-list extended VPN

permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255 (tráfico a enviar a la VPN)

route-map SDM_RMAP_1 permit 1

match ip address NAT

end

Gateway#sh runn (delante del ASA)

Building configuration...

Current configuration : 1694 bytes

version 12.2

hostname Gateway

interface Ethernet0

description INSIDE

ip address 192.168.0.1 255.255.255.0

ip nat inside

interface Ethernet1

description OUTSIDE

ip address 200.80.209.89 255.255.255.248

ip nat outside

(ver que no existe port forwarding, lo que fuerza al ASA a ser iniciador del túnel)

ip nat inside source list NAT interface Ethernet1 overload (PAT)

ip access-list extended NAT

permit ip 192.168.0.0 0.0.0.255 any

end

FW-ASA# sh runn (terminador de tunel)

ASA Version 7.2(3)

hostname FW-ASA

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 192.168.0.2 255.255.255.0

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0 (tráfico a la VPN)

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound (evita NAT, reencapsula tráfico)

nat (inside) 1 192.168.1.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 192.168.0.1 1 (vía el router ADSL)

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac (fase II IPSec)

crypto map Outside 1 match address outside_1_cryptomap (fase II IPSec)

crypto map Outside 1 set pfs group5 (fase II IPSec)

crypto map Outside 1 set peer 200.80.209.92 (fase II IPSec)

crypto map Outside 1 set transform-set ESP-DES-MD5 (fase II IPSec)

crypto map Outside interface outside (fase II IPSec)

crypto isakmp enable outside (fase I IPSec)

crypto isakmp policy 10 (fase I IPSec)

authentication pre-share

encryption des

hash md5

group 5

lifetime 86400

crypto isakmp nat-traversal 10 (fase I IPSec)

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

---resumido---

inspect sip

inspect xdmcp

inspect icmp (permite los Ping)

inspect icmp error (permite Tracert)

service-policy global_policy global (todas las interfaces)

tunnel-group 200.80.209.92 type ipsec-l2l

tunnel-group 200.80.209.92 ipsec-attributes (fase I IPSec)

pre-shared-key * (cisco123)

: end

Pruebas de performance entre extremos

Utilizando el túnel, notar que están conectados a 10 Mbps mediante en router Gateway, en la configuración aparece

como Eth0 y 1, por lo tanto el límite de ambas inetrfaces es 10 Mbps menos las cabeceras IPSec.

bin/iperf.exe -c 10.61.0.1 -P 1 -i 1 -p 5001 -C -f m -t 120 -T 1

------------------------------------------------------------

Client connecting to 10.61.0.1, TCP port 5001

TCP window size: 0.01 MByte (default)

------------------------------------------------------------

[3960] local 192.168.1.123 port 1458 connected with 10.61.0.1 port 5001

[ ID] Interval Transfer Bandwidth

[3960] 0.0- 1.0 sec 1.07 MBytes 8.98 Mbits/sec

[3960] 1.0- 2.0 sec 1.06 MBytes 8.91 Mbits/sec

[3960] 2.0- 3.0 sec 1.07 MBytes 8.98 Mbits/sec

---resumido---

[3960] 113.0-114.0 sec 1.06 MBytes 8.91 Mbits/sec

[3960] 114.0-115.0 sec 1.06 MBytes 8.91 Mbits/sec

[3960] 115.0-116.0 sec 1.07 MBytes 8.98 Mbits/sec

[3960] 116.0-117.0 sec 1.06 MBytes 8.91 Mbits/sec

[3960] 117.0-118.0 sec 1.07 MBytes 8.98 Mbits/sec

[3960] 118.0-119.0 sec 1.06 MBytes 8.91 Mbits/sec

[3960] 119.0-120.0 sec 1.07 MBytes 8.98 Mbits/sec

[ ID] Interval Transfer Bandwidth

[3960] 0.0-120.0 sec 128 MBytes 8.94 Mbits/sec (promedio)

Done.

(2012) Datacenters stories by uncle Ernst

Rosario, Argentina