
IPsec VPN With ASA EzVPN Server

8-May-2021 | Cisco, Security, VPN

Applied version

  • ASA-S10 (EzVPN Server)
    • Cisco ASA version 9.5(2)
  • PC-C1 (EzVPN Client)
    • Cisco VPN Client version 5.0.07.0410
  • IOS-C11 (EzVPN Remote)
    • Cisco IOS version 15.5(2)T

Configuration


!! ASA-S10 EzVPN Server !! v9.5(2)

! IP Routing between VPN underlay
[IOS-C11] to [ASA-S10], 1.1.11.11 to 1.1.10.10
[IOS-C11] to [ASA-S10], 1.1.11.11 to 1.1.22.22

 

! Interfaces
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.10.10 255.255.255.0

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.10.10 255.255.255.0

 

! VPN Parameters
!! Crypto client VPN IP pool
ip local pool EZVPN_POOL1 172.16.20.100-172.16.20.200
!! Local user for X-AUTH
username user1 password cisco1
!! Crypto ACL / Split Tunneling Inclusion
access-list 199 permit ip 172.16.10.0 255.255.255.0 any
!! Per-group VPN Filter ACL
access-list ALLOW_PING_ONLY extended permit icmp any any
access-list ALLOW_PING_ONLY extended deny ip any any

 

! ISAKMP/IKE Phase 1 security parameters
crypto ikev1 policy 10
 encryption 3des
 hash md5
 group 2
 lifetime 43200

! ISAKMP/IKE Phase 2 security parameters
crypto ipsec transform-set XF esp-3des esp-md5-hmac

 

! VPN Group Policy
group-policy EZVPN_GROUP1_POL internal
!
group-policy EZVPN_GROUP1_POL attributes
 dns value 8.8.8.8
 default-domain value docisco.com
 vpn-filter value ALLOW_PING_ONLY
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 199

 

! VPN Group
tunnel-group EZVPN_GROUP1 type ipsec-ra
!
tunnel-group EZVPN_GROUP1 general-attributes
 address-pool EZVPN_POOL1
 authentication-server-group LOCAL
 default-group-policy EZVPN_GROUP1_POL
tunnel-group EZVPN_GROUP1 ipsec-attributes
 pre-shared-key ISAKMP_KEY_G1

 

! Crypto map parameters and binding
crypto dynamic-map DYNAMIC_MAP1 1 set transform-set XF
!
crypto dynamic-map DYNAMIC_MAP1 1 set reverse-route
!
crypto map STATIC_MAP1 1 ipsec-isakmp dynamic DYNAMIC_MAP1

! Apply crypto map to interface
crypto ikev1 enable outside
crypto map STATIC_MAP1 interface outside

!! PC-C1 Cisco VPN Client !! v5.0.07.0410

! IP Routing between VPN underlay
[PC-C1] default route to [R22]
[R22] NAT 10.1.1.1 into 1.1.22.22
[R22] to [ASA-S10], 1.1.22.22 to 1.1.10.10

! VPN Client connection profile
Connection Entry: ASA-S10
Description: ASA-S10 EzVPN
Host: 1.1.10.10

Group Authentication
Name: EZVPN_GROUP1
Password: ISAKMP_KEY_G1

Transport
Enable Transparent Tunneling: IPSec over UDP (NAT/PAT)

 

!! IOS-C11 EzVPN Remote !! v15.5(2)T

! IP Routing between VPN underlay
[IOS-C11] to [ASA-S10], 1.1.11.11 to 1.1.10.10

! EzVPN client connection profile
crypto ipsec client ezvpn EZVPN_REMOTE
 group EZVPN_GROUP1 key ISAKMP_KEY_G1
 mode client
 connect auto
 username user1 password cisco1
 xauth userid mode local
 peer 1.1.10.10

! Apply EzVPN client connection profile
interface Ethernet0/1
 description ##To R3 (Client)##
 crypto ipsec client ezvpn EZVPN_REMOTE inside

interface Ethernet0/0
 description ##To ASA-S10 (VPN Server)##
 crypto ipsec client ezvpn EZVPN_REMOTE outside


Verification

! Routing via auto-RRI
S        172.16.20.100/32 [1/0] via 1.1.10.9, outside
S        172.16.20.101/32 [1/0] via 1.1.10.9, outside

 

! Clear VPN session
ASA-S10#clear crypto ikev1 sa
ASA-S10#clear crypto ipsec sa

 

! IPsec VPN session
ASA-S10#show crypto ikev1 sa
1   IKE Peer: 1.1.11.11
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: 1.1.22.22
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

ASA-S10#show crypto ipsec sa
interface: outside
    //IOS-C11 EzVPN Client
    Crypto map tag: DYNAMIC_MAP1, seq num: 1, local addr: 1.1.10.10
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.20.100/255.255.255.255/0/0)
      current_peer: 1.1.11.11, username: user1
      dynamic allocated peer ip: 172.16.20.100
      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    inbound esp sas:
      spi: 0x1A2D2E04 (439168516)
    outbound esp sas:
      spi: 0x7EF5E5F5 (2130044405)

    //PC-C1 Cisco VPN Client
    Crypto map tag: DYNAMIC_MAP1, seq num: 1, local addr: 1.1.10.10
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.20.101/255.255.255.255/0/0)
      current_peer: 1.1.22.22, username: user1
      dynamic allocated peer ip: 172.16.20.101
      dynamic allocated peer ip(ipv6): 0.0.0.0
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
    inbound esp sas:
    outbound esp sas:
      spi: 0x5DB7C51D (1572324637)

 

! IPsec VPN ACL
ASAv10# show access-list
access-list 199 line 1 extended permit ip 172.16.10.0 255.255.255.0 any (hitcnt=0)
access-list ALLOW_PING_ONLY line 1 extended permit icmp any any (hitcnt=14)
access-list ALLOW_PING_ONLY line 2 extended deny ip any any (hitcnt=21)

! Connectivity
//IOS-C11 EzVPN Remote
//ICMP is allowed by the VPN Filter
[R3] ping to [WEB2], 10.3.3.3 to 172.16.10.2 [OK]
[IOS-C11] PAT/NAT 10.3.3.3 into 172.16.20.100

//TCP port 80 is blocked by the VPN Filter
[R3] telnet TCP:80 [WEB2], 10.3.3.3 to 172.16.10.2 [NOK]

//Fails because the target is behind PAT/NAT
[WEB2] ping to [R3], 172.16.10.2 to 10.3.3.3 [NOK]

//PC-C1 Cisco VPN Client
//ICMP is allowed by the VPN Filter
[PC-C1] ping to [WEB2], 172.16.20.101 to 172.16.10.2 [OK]

//TCP port 80 is blocked by the VPN Filter
[PC-C1] telnet TCP:80 [WEB2], 172.16.20.101 to 172.16.10.2 [NOK]

//Access to INET is OK due to split tunneling
[PC-C1] ping to [INET], 10.1.1.1 to 8.8.8.8 [OK]

//Traffic is bidirectional
[WEB2] ping to [R3], 172.16.10.2 to 172.16.20.101 [OK]
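Added example, not part of the original post and not Cisco code: a small Python model of how the group policy above treats each test flow. It parses the page's ACL 199 and ALLOW_PING_ONLY lines, applies the tunnelspecified split-tunnel decision (protected networks are the source networks of the split list) and then the vpn-filter (client address as source), and reproduces the OK/NOK verdicts of the tunnelled tests; the PAT-related failure is outside the model. ASA_CONFIG is a constructed copy of the three access-list lines, and the IOS-C11 flows use the post-PAT address 172.16.20.100 as the ASA sees it.

```python
import ipaddress
# Constructed copy of the three access-list lines from the ASA-S10 configuration above.
ASA_CONFIG = """
access-list 199 permit ip 172.16.10.0 255.255.255.0 any
access-list ALLOW_PING_ONLY extended permit icmp any any
access-list ALLOW_PING_ONLY extended deny ip any any
"""
def _net(tokens):
    """Consume 'any' or 'addr mask' and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]
def parse_acls(config):
    """Parse ASA access-list lines into {name: [(action, proto, src_net, dst_net), ...]}."""
    acls = {}
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        if tok[2] == "extended":  # the ASA adds this keyword itself; optional on input
            del tok[2]
        src, rest = _net(tok[4:])
        dst, _ = _net(rest)
        acls.setdefault(tok[1], []).append((tok[2], tok[3], src, dst))
    return acls

def acl_lookup(entries, proto, src, dst):
    """First-match evaluation with the ASA's implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet in entries:
        if p in ("ip", proto) and s in snet and d in dnet:
            return action
    return "deny"

def classify_flow(acls, proto, client_ip, dst, split_list="199", vpn_filter="ALLOW_PING_ONLY"):
    """Verdict for a flow sent by an EzVPN client under this page's group policy."""
    # tunnelspecified: ACL 199's source networks are protected; anything else goes out in the clear.
    if not any(ipaddress.ip_address(dst) in snet for _, _, snet, _ in acls[split_list]):
        return "clear"
    # vpn-filter is written from the remote client's perspective: client address as source.
    return "tunnel:" + acl_lookup(acls[vpn_filter], proto, client_ip, dst)

def page_tests(acls):
    """The tunnel-related connectivity tests listed above, keyed by a short label."""
    flows = {"IOS-C11 ping WEB2": ("icmp", "172.16.20.100", "172.16.10.2"),
             "IOS-C11 http WEB2": ("tcp", "172.16.20.100", "172.16.10.2"),
             "PC-C1 ping WEB2": ("icmp", "172.16.20.101", "172.16.10.2"),
             "PC-C1 http WEB2": ("tcp", "172.16.20.101", "172.16.10.2"),
             "PC-C1 ping INET": ("icmp", "172.16.20.101", "8.8.8.8")}
    return {name: classify_flow(acls, *flow) for name, flow in flows.items()}
```

Running `page_tests(parse_acls(ASA_CONFIG))` yields tunnel:permit for the pings to WEB2, tunnel:deny for the TCP/80 attempts and clear for the ping to 8.8.8.8, matching the hit counters above (ICMP on line 1, everything else on the deny line).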
