Recently in Configurations Category

Base Config: ASA WebVPN


This is becoming a common configuration for me. Here's a base template I use:

ip local pool WebVPNPool 192.168.251.10-192.168.251.100 mask 255.255.255.0

webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.3.0254-k9.pkg 2
 svc enable
 tunnel-group-list enable

group-policy WebVPNPolicy internal
group-policy WebVPNPolicy attributes
 dns-server value X.X.X.X
 vpn-tunnel-protocol svc
 group-lock value WebVPNAccessProfile
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value business.local
 address-pools value WebVPNPool
 webvpn
  svc ask none default svc
  hidden-shares none
  file-entry disable
  file-browsing disable
  url-entry disable

tunnel-group WebVPNAccessProfile type remote-access
tunnel-group WebVPNAccessProfile general-attributes
 default-group-policy WebVPNPolicy
tunnel-group WebVPNAccessProfile webvpn-attributes
 group-alias WebVPN enable

It doesn't matter how many times I've done this, I always forget one piece. Here's a template for the future:

Assume local subnet 192.168.15.0/24, remote subnet 192.168.16.0/24. Remote public IP 11.11.11.11.

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 28800

access-list REMOTE_SITE extended permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
crypto map OUTSIDE_MAP 20 set pfs group1
crypto map OUTSIDE_MAP 20 set peer 11.11.11.11
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP 20 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP interface outside

nat (inside) 0 access-list REMOTE_SITE

tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.11 ipsec-attributes
 pre-shared-key ***
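The piece that most often fails to match between the two ends of a tunnel like this is the crypto ACL, which has to be the exact mirror image of the peer's. As an added check (example code, not from the post or from Cisco), here is a small Python script that pulls the ACLs referenced by each side's crypto map and reports entries whose mirror is missing on the other side. The two configs are constructed from the template above; the ACL name TO_SITE_A and the site A public address 22.22.22.22 are assumptions.

```python
import re

# Constructed configs for both ends of the tunnel (added example, not captured
# from a device): local 192.168.15.0/24 behind 22.22.22.22 (assumed), remote
# 192.168.16.0/24 behind 11.11.11.11 as in the template.
SITE_A = """
access-list REMOTE_SITE extended permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0
crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
crypto map OUTSIDE_MAP 20 set peer 11.11.11.11
"""
SITE_B = """
access-list TO_SITE_A extended permit ip 192.168.16.0 255.255.255.0 192.168.15.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address TO_SITE_A
crypto map OUTSIDE_MAP 10 set peer 22.22.22.22
"""

# One ACE of the form: access-list NAME [extended] permit ip SRC SMASK DST DMASK
ACE_RE = re.compile(
    r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
# The crypto map line that names the "interesting traffic" ACL.
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$", re.M)

def crypto_acl_entries(config: str) -> set:
    """Return {(src, src_mask, dst, dst_mask)} for every ACL a crypto map references."""
    names = set(MATCH_RE.findall(config))
    return {(s, sm, d, dm) for name, s, sm, d, dm in ACE_RE.findall(config)
            if name in names}

def acl_mismatches(side_a: str, side_b: str) -> set:
    """Entries on either side whose src/dst-swapped twin is absent on the peer.
    An empty set means the two crypto ACLs mirror each other exactly."""
    a = crypto_acl_entries(side_a)
    b_mirrored = {(d, dm, s, sm) for s, sm, d, dm in crypto_acl_entries(side_b)}
    return (a - b_mirrored) | (b_mirrored - a)
```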

Alright, I've run into this problem three times now and each time I keep having to rediscover the solution, so I thought I'd write the solution here for myself and whomever it may help. Here's the problem:

Creating site-to-site VPN connections as a WAN link replacement is becoming quite common. The problem I continually encounter is that servers behind the router with Static NAT entries (which make them reachable from the outside world) become unreachable across the VPN by their private address. VPN users can still reach the servers over the Internet connection. This happens simply because of the order in which the Cisco router processes NAT rules.

Static NAT over VPN

Take this example. A user from SiteA accesses ServerB at SiteB using its private address on TCP port 80 (HTTP):

UserA ---> Site-to-Site VPN ---> ServerB

The request reaches ServerB, which attempts to reply to UserA. The router at SiteB has a Static NAT mapping that makes ServerB reachable from the Internet, and that Static NAT mapping is processed before the site-to-site VPN rule:

ServerB Response ----> Static NAT mapping ---> Reply sent to Internet abyss

The result is the HTTP connection from SiteA times out. So, here's how to fix it:

RouterB(config)#route-map NO_NAT
RouterB(config-route-map)#match ip address 100
RouterB(config-route-map)#exit
RouterB(config)#access-list 100 deny ip host 192.168.15.100 192.168.10.0 0.0.0.255
RouterB(config)#access-list 100 permit ip 192.168.15.0 0.0.0.255 any
RouterB(config)#ip nat inside source static tcp 192.168.15.100 80 81.14.214.29 80 route-map NO_NAT

The above configuration essentially denies the server from going through the Static NAT entry when speaking to hosts across the VPN, but permits it to pass through Static NAT for everything else.
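To make that order of evaluation concrete, here is an added Python model of RouterB's decision (example code, not the router's or the post's own): it evaluates ACL 100 with IOS wildcard masks, first match wins with the implicit deny at the end, and the static translation for 192.168.15.100 is applied only when route-map NO_NAT permits the flow. The Internet destination 203.0.113.7 in the test flows is constructed.

```python
import ipaddress

# Constructed reproduction of the post's RouterB setup (added example, not the
# router's own code). ACL 100 uses IOS wildcard masks and is consulted through
# route-map NO_NAT before the static NAT entry for 192.168.15.100 is applied.
ACL_100 = [
    ("deny",   "host 192.168.15.100",    "192.168.10.0 0.0.0.255"),
    ("permit", "192.168.15.0 0.0.0.255", "any"),
]
INSIDE_LOCAL, INSIDE_GLOBAL, NAT_PORT = "192.168.15.100", "81.14.214.29", 80

def acl_network(token: str) -> ipaddress.IPv4Network:
    """Translate an IOS ACL address token (any / host X / X wildcard) to a network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    addr, wildcard = token.split()
    # A wildcard mask is the bitwise inverse of a netmask: 0.0.0.255 -> /24.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)

def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_tok, dst_tok in acl:
        if s in acl_network(src_tok) and d in acl_network(dst_tok):
            return action == "permit"
    return False

def nat_source(src: str, sport: int, dst: str) -> str:
    """Source address of an inside-to-outside packet after RouterB's static NAT.
    The translation is skipped whenever route-map NO_NAT denies the flow, which
    is what keeps replies bound for the 192.168.10.0/24 site inside the VPN."""
    if src == INSIDE_LOCAL and sport == NAT_PORT and acl_permits(ACL_100, src, dst):
        return INSIDE_GLOBAL
    return src
```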

Here's the original Cisco reference:

http://www.cisco.com/warp/public/707/static.html#topic2

This blog post has been a long time coming, as someone asked me quite some time ago to post the simplest way to accomplish this (for a home environment). I hate to admit this, but my home PC (where I get all my email) was hacked since I allowed Microsoft's Remote Desktop Protocol (RDP) and VNC from anywhere on the Internet (very bad idea). That was the end of that - now VPN connections are required to get to my home PC. Well, the simplest way to configure a VPN on a router is to use the Cisco SDM...but Real Cisco Techs™ use the command line :). So here we go:


SSL VPNs are the future of VPN technology. While they are still a brand-new, "bleeding edge" sort of technology, they will eventually be how most organizations run their VPN connections. The concept is simple: HTTPS (SSL-based) web pages have used adequate encryption for years, so why not harness that technology to create a "clientless VPN," tunneling applications through the SSL connection?

For a user to connect to an SSL VPN, no client installation is necessary. Rather, they simply access a web page, authenticate, and minimize the web browser window. They're now on the corporate VPN.

There's more to it than this (for example, a Java client download may be necessary for full port-forwarding capabilities). Cisco just published an excellent explanation / configuration document for the WebVPN/SSL VPN technology. Get it here.

VPN Virtual Tunnel Interfaces


While doing a recent deployment, I ran across this concept. It's a slightly different way to configure VPNs on a Cisco router that (for me) is far less confusing and finicky. If you've ever configured VPNs using a PIX firewall or IOS router, you probably know of the pain associated with making sure your crypto map is correctly configured. There are SO MANY pieces of it, you're almost assured that something is not going to match between one side of the connection and the other (especially that "interesting traffic" ACL). That's where these IPSec Virtual Tunnel Interfaces come in. Check this out...

I just finished recording a Cisco Security title for CBTNuggets. It came out awesome. When recording the VPN section, I typed up a document showing the minimum configuration to get a site-to-site VPN running with pre-shared keys. Those of you that have configured this before know how much of a headache getting all the configuration settings correct can be. Hopefully this document will help ease that pain!

Creating Site-to-Site VPNs with pre-shared keys (PDF)

About this Archive

This page is an archive of recent entries in the Configurations category.
