How to create IPv6 LAN-to-LAN VPN Tunnel on Cisco ASAs
Leading Cisco networking products distributor-3network.com

LAN-to-LAN VPNs are typically used to transparently connect geographically disparate LANs over an untrusted medium (e.g. the public Internet).


What needs to be done to create a LAN-to-LAN VPN tunnel on an ASA firewall with IPv6 addressing? First let's begin with the fundamentals:

- IPv6 L2L VPN support was added in the latest version available of the ASA 8.3 track.
- The ASA will be able to build a site-to-site VPN tunnel running IPv6 ONLY with another ASA.

LAN-to-LAN VPNs are typically used to transparently connect geographically disparate LANs over an untrusted medium (e.g. the public Internet). Specifically, the following topologies are supported when both peers are Cisco ASA 5500 series adaptive security appliances:

- The adaptive security appliances have IPv4 inside networks and the outside network is IPv6 (IPv4 addresses on the inside interfaces and IPv6 addresses on the outside interfaces).
- The adaptive security appliances have IPv6 inside networks and the outside network is IPv4 (IPv6 addresses on the inside interfaces and IPv4 addresses on the outside interfaces).
- The adaptive security appliances have IPv6 inside networks and the outside network is IPv6 (IPv6 addresses on the inside and outside interfaces).

If we want to run a VPN tunnel with a third-party unit or another Cisco router, then we must go with the IPv4 address scheme only.

Now, let's take a look at the scenario.

Our main goal here is to create a VPN tunnel using IPsec between Company A and Company B across an IPv6 network. IPv6 addressing and routing have been configured previously.

The IPsec configuration

1) Specify as usual the phase 1 and phase 2 configuration.

Site A:
    crypto ikev1 policy 10
     authentication pre-share
     encryption aes
     hash sha
     group 2
    crypto ikev1 enable outside
    crypto ipsec ikev1 transform-set cisco esp-aes esp-sha-hmac

Site B:
    crypto ikev1 policy 10
     authentication pre-share
     encryption aes
     hash sha
     group 2
    crypto ikev1 enable outside
    crypto ipsec ikev1 transform-set cisco esp-aes esp-sha-hmac

2) Now let's move forward to the interesting traffic configuration:

Site A inside subnet: 2001:AAAA::/64
Site B inside subnet: 2001:DDDD::/64

On Site A:
    ipv6 access-list IPv6-Lab permit ip 2001:AAAA::/64 2001:DDDD::/64

On Site B:
    ipv6 access-list VPN-Traffic permit ip 2001:dddd::/64 2001:aaaa::/64

So the crypto ACL is the same thing; the only difference is that now we use hex notation instead of decimal notation.

3) Crypto-map setup

Site A outside IPv6 address is 2001:BBBB::1
Site B outside IPv6 address is 2001:CCCC::2

So let's go to the firewall on Site A.

Site A:
    crypto map IPv6-L2L 1 match address IPv6-Lab
    crypto map IPv6-L2L 1 set peer 2001:cccc::2
    crypto map IPv6-L2L 1 set ikev1 transform-set cisco
    crypto map IPv6-L2L interface outside

Site B:
    crypto map IPv6-Lab 1 match address VPN-Traffic
    crypto map IPv6-Lab 1 set peer 2001:bbbb::1
    crypto map IPv6-Lab 1 set ikev1 transform-set cisco
    crypto map IPv6-Lab interface outside

Now we will configure the final part: the tunnel-group setup.

Site A:
    tunnel-group 2001:CCCC::2 type ipsec-l2l
    tunnel-group 2001:CCCC::2 ipsec-attributes
     ikev1 pre-shared-key cisco123

Site B:
    tunnel-group 2001:BBBB::1 type ipsec-l2l
    tunnel-group 2001:BBBB::1 ipsec-attributes
     ikev1 pre-shared-key cisco123

Where is the NAT setup? On IPv6 we do not have to use NAT in order to be routable over the Internet, so unless there are specific design requirements we will not need NAT, and we can forget about the NAT exemption setup in our VPN cases.
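The three pieces configured above have to mirror each other on both ASAs: each side's "set peer" must be the other side's outside address, the tunnel-group name must match that peer address, and the crypto ACL on Site B must be the reverse of Site A's. The checker below is an added example (not part of the original document or any Cisco tool) that parses those lines from both configs and reports mismatches; it takes the two outside addresses as parameters, handles only the command forms used in this walkthrough, and uses the constructed sample configs from the sections above.

```python
import ipaddress
import re

# Constructed sample input: the lines from the Site A / Site B configs above that
# must mirror each other (this checker is an added example, not an ASA feature).
SITE_A = """
ipv6 access-list IPv6-Lab permit ip 2001:AAAA::/64 2001:DDDD::/64
crypto map IPv6-L2L 1 match address IPv6-Lab
crypto map IPv6-L2L 1 set peer 2001:cccc::2
tunnel-group 2001:CCCC::2 type ipsec-l2l
"""
SITE_B = """
ipv6 access-list VPN-Traffic permit ip 2001:dddd::/64 2001:aaaa::/64
crypto map IPv6-Lab 1 match address VPN-Traffic
crypto map IPv6-Lab 1 set peer 2001:bbbb::1
tunnel-group 2001:BBBB::1 type ipsec-l2l
"""

def parse_site(cfg):
    """Extract crypto ACL entries, the peer and tunnel-group names from one ASA config.
    ipaddress normalises hex case, so 2001:CCCC::2 and 2001:cccc::2 compare equal."""
    acls, site = {}, {"acl_name": None, "peer": None, "tunnel_groups": set()}
    for line in cfg.splitlines():
        if m := re.match(r"ipv6 access-list (\S+) permit ip (\S+) (\S+)", line.strip()):
            acls.setdefault(m[1], set()).add(
                (ipaddress.ip_network(m[2]), ipaddress.ip_network(m[3])))
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line.strip()):
            site["acl_name"] = m[1]
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line.strip()):
            site["peer"] = ipaddress.ip_address(m[1])
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line.strip()):
            site["tunnel_groups"].add(ipaddress.ip_address(m[1]))
    site["acl"] = acls.get(site["acl_name"], set())   # ACL the crypto map actually uses
    return site

def check_mirror(a, b, a_outside, b_outside):
    """Return the list of mismatches between the two sides (empty list means consistent)."""
    a_out, b_out = ipaddress.ip_address(a_outside), ipaddress.ip_address(b_outside)
    problems = []
    if a["peer"] != b_out or b["peer"] != a_out:
        problems.append("set peer does not point at the other side's outside address")
    if a["peer"] not in a["tunnel_groups"] or b["peer"] not in b["tunnel_groups"]:
        problems.append("tunnel-group name does not match the configured peer address")
    # Site B's (src, dst) entries must be exactly Site A's entries reversed
    if a["acl"] != {(dst, src) for src, dst in b["acl"]}:
        problems.append("crypto ACLs are not mirror images of each other")
    return problems
```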
Now let's ping from Client A to Client B and see if the tunnel gets established:

    SiteA-Client#ping 2001:DDDD::2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 2001:DDDD::1, timeout is 2 seconds:

Now let's check the tunnel.

On Site A:
    SiteA(config)# sh crypto ikev1 sa
    IKEv1 SAs:
       Active SA: 1
        Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1   IKE Peer: 2001:cccc::2
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE

On Site B:
    SiteB(config)# sh crypto ikev1 sa
    IKEv1 SAs:
       Active SA: 1
        Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1   IKE Peer: 2001:bbbb::1
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    SiteB(config)#

Final notes:

- The configuration is the same, except that now we write down the IPs in hex format (that's what IPv6 uses).
- There is no need for NAT exemption anymore.
- Debugs and packet-tracer are the same (for troubleshooting purposes). If you plan to use captures, remember that in IPv6 you cannot use the match keyword; you must match the capture with an IPv6 ACL.
- Regarding IPv6 ACLs: before 9.0(1) you must create a dedicated IPv6 access-list for IPv6 traffic, as shown in this example, but starting with 9.0(1) and higher versions we can use the regular access-list syntax for IPv6 as well. So we can use IPv6 and IPv4 on the same ACL; there is no need to create a dedicated IPv6 access-list. In fact the ASA will not allow you to do that.
More related:

- About Cisco IOS ver for 1941 router to do IPSec VPN tunnels (DMVPN)
- Configuring Microsoft Lync to use Cisco 3925 as a PSTN Gateway

For more Cisco products and reviews you can visit: http://www.3anetwork.com/blog

3Anetwork.com is a world-leading Cisco networking products wholesaler. We wholesale original new Cisco networking equipment, including Cisco Catalyst switches, Cisco routers, Cisco firewalls, Cisco wireless products, Cisco modules and interface cards, at competitive prices and ship worldwide.

Our website: http://www.3anetwork.com
Telephone: +852-3069-7733
Email: info@3Anetwork.com
Address: 23/F Lucky Plaza, 315-321 Lockhart Road, Wanchai, Hongkong