Tag Archives: VPN

Static IP and Dynamic IP Point-to-Point VPNs

I used to use a router for each P2P VPN tunnel before I realized that they can all be kept on one router. So I have moved all of our P2P VPNs (besides one) to a Cisco ISR 2811, and any new VPNs are terminated there. Recently I was tasked with giving a home user a constant connection so that their hard phone could connect to our internal 3Com NBX. By default the phones talk to the NBX over the data link layer (layer 2), but they can be programmed to communicate over IP (layer 3). A constant, external connection that uses layer 3 pretty much says VPN tunnel all over it, and I wanted to keep the same design of using one endpoint to terminate the VPN tunnels.

I’ve set up many a VPN tunnel for clients and a few to our call centers over the Internet, but never a P2P to a home user. The problem here is that the home user may not always come from the same IP address. So I needed a way to allow connections from any IP address using a specific key, while still allowing connections from specific IPs using their own keys. Searching for this, I found a few Cisco sites using ISAKMP profiles. I configured this and got it to work for the home P2P tunnel, but the other client P2P tunnels then failed. The reason is that a matching profile takes precedence over the global ISAKMP key configuration, and the profile was set up to match peers from 0.0.0.0 0.0.0.0, i.e. every peer. The client P2P VPNs therefore tried to match their key against the key set up for the home P2P, which obviously failed. Doing some more looking, profiles are good for allowing more than one type of authentication, whereas here I am only using one type of authentication, pre-shared keys (PSK).

Nonetheless, after a lot of trial and error and googling I finally found the one command I was looking for:

crypto isakmp key $key address 0.0.0.0 0.0.0.0

Apparently, the term for this is “wildcard keys”: any endpoint that meets the Phase 1 parameters and presents the proper key can bring up a VPN tunnel. Using this allowed both the existing P2P VPN sessions and the home session to connect at the same time. Because the key is the only thing tying a dynamic peer to the tunnel, the wildcard key has to be different from the keys given to the static peers (otherwise any host that knows it can also come up as one of them), and the dynamic crypto map sits at the highest sequence number (65500 below) so that the static peers are matched by their own entries first. If you want some more info and a bit more of a walk-through of my thought process, have a look at the networking-forum.com post. Also, here’s the final config that I used to get this connection working on my side:


crypto isakmp policy 200
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 900
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key $KEY address 65.x.x.x
crypto isakmp key $KEY address 113.x.x.x
crypto isakmp key $KEY address 190.x.x.x
crypto isakmp key $KEY address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 20 periodic
!
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
!
crypto dynamic-map ZachHome 1000
 set transform-set esp-3des-sha
!
!
crypto map external_ipsec 200 ipsec-isakmp
 set peer 65.x.x.x
 set transform-set esp-3des-sha esp-3des-md5
 match address
crypto map external_ipsec 900 ipsec-isakmp
 set peer 113.x.x.x
 set transform-set esp-aes-sha
 match address
crypto map external_ipsec 65000 ipsec-isakmp
 set peer 190.x.x.x
 set transform-set esp-3des-sha
 match address
crypto map external_ipsec 65500 ipsec-isakmp dynamic ZachHome
!
!
!
interface FastEthernet0/0
 ip address 10.30.110.250 255.255.255.252
 ip access-group inside_allowed_in in
 ip access-group outbound_to_inside out
 ip nat inside
!
interface FastEthernet0/1
 ip address 64.x.x.x 255.255.255.240
 ip access-group inbound_from_outside in
 ip nat outside
 crypto map external_ipsec
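As an added example (not code from the original post or from Cisco), here is a small Python audit that parses the `crypto isakmp key` and `crypto map ... ipsec-isakmp` lines of an IOS running-config like the one above and checks the two properties that make a wildcard key safe next to static peers: the wildcard key value is not reused by any static peer, and the dynamic crypto-map entry carries the highest sequence number in its map. The sample configs are constructed for the example (RFC 5737 documentation addresses, placeholder key names, the `ZachHome` and `external_ipsec` names borrowed from the post); the treatment of a bare `address 0.0.0.0` with no mask as a wildcard is an assumption.

```python
"""Audit an IOS IKEv1 configuration that mixes static-peer and wildcard PSKs.

Added example, not code from the original post. It reports:
  * a wildcard key (address 0.0.0.0 0.0.0.0) whose value is reused by a static
    peer: the key is the only thing authenticating an unknown source IP, so it
    must belong to the dynamic peer alone;
  * a dynamic crypto-map entry that is not the highest sequence number in its
    map, so a static peer could be matched by the dynamic entry first.
Sample configs below are constructed (RFC 5737 addresses, placeholder keys).
"""
import re
from dataclasses import dataclass
from typing import Optional

# `crypto isakmp key [0|6] <key> address <peer> [<mask>]`
KEY_RE = re.compile(
    r"^crypto isakmp key (?:[06] )?(?P<key>\S+) address (?P<addr>\S+)(?: (?P<mask>\S+))?$"
)
# `crypto map <name> <seq> ipsec-isakmp [dynamic <dyn-map>]`
MAP_RE = re.compile(
    r"^crypto map (?P<name>\S+) (?P<seq>\d+) ipsec-isakmp(?: dynamic (?P<dyn>\S+))?$"
)


@dataclass(frozen=True)
class IsakmpKey:
    key: str
    addr: str
    mask: Optional[str]

    @property
    def wildcard(self) -> bool:
        # A mask of 0.0.0.0 matches any peer. A bare `address 0.0.0.0` without a
        # mask is assumed here to mean the same thing.
        return self.mask == "0.0.0.0" or (self.mask is None and self.addr == "0.0.0.0")


@dataclass(frozen=True)
class MapEntry:
    name: str
    seq: int
    dynamic: Optional[str]


def parse_keys(config: str) -> list:
    """Return every `crypto isakmp key` line as an IsakmpKey."""
    return [
        IsakmpKey(m["key"], m["addr"], m["mask"])
        for m in (KEY_RE.match(line.strip()) for line in config.splitlines())
        if m
    ]


def parse_crypto_maps(config: str) -> list:
    """Return every `crypto map ... ipsec-isakmp` entry (static or dynamic)."""
    return [
        MapEntry(m["name"], int(m["seq"]), m["dyn"])
        for m in (MAP_RE.match(line.strip()) for line in config.splitlines())
        if m
    ]


def audit(config: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    keys = parse_keys(config)
    for w in (k for k in keys if k.wildcard):
        for s in keys:
            if not s.wildcard and s.key == w.key:
                findings.append(f"wildcard PSK is reused for static peer {s.addr}")
    maps = {}
    for e in parse_crypto_maps(config):
        maps.setdefault(e.name, []).append(e)
    for name, entries in maps.items():
        static_seqs = [e.seq for e in entries if e.dynamic is None]
        for e in entries:
            # Lower sequence numbers are evaluated first, so a dynamic entry below
            # a static one would be tried before that static peer's own entry.
            if e.dynamic is not None and static_seqs and e.seq < max(static_seqs):
                findings.append(
                    f"crypto map {name} seq {e.seq} (dynamic {e.dynamic}) precedes "
                    f"static entry seq {max(static_seqs)}; move it to the highest sequence"
                )
    return findings


# Constructed sample modeled on the post: distinct keys per peer, dynamic map last.
GOOD_CONFIG = """\
crypto isakmp key KEY-CLIENT-A address 192.0.2.10
crypto isakmp key KEY-CLIENT-B address 198.51.100.20
crypto isakmp key KEY-CALLCENTER address 203.0.113.30
crypto isakmp key KEY-HOME-ONLY address 0.0.0.0 0.0.0.0
!
crypto map external_ipsec 200 ipsec-isakmp
 set peer 192.0.2.10
crypto map external_ipsec 900 ipsec-isakmp
 set peer 198.51.100.20
crypto map external_ipsec 65000 ipsec-isakmp
 set peer 203.0.113.30
crypto map external_ipsec 65500 ipsec-isakmp dynamic ZachHome
"""

# Constructed sample with both mistakes: the wildcard key doubles as one static
# peer's key, and the dynamic entry is evaluated before the static ones.
BAD_CONFIG = """\
crypto isakmp key KEY-CLIENT-A address 192.0.2.10
crypto isakmp key KEY-HOME address 203.0.113.30
crypto isakmp key 0 KEY-HOME address 0.0.0.0 0.0.0.0
!
crypto map external_ipsec 10 ipsec-isakmp dynamic ZachHome
crypto map external_ipsec 200 ipsec-isakmp
 set peer 192.0.2.10
crypto map external_ipsec 65000 ipsec-isakmp
 set peer 203.0.113.30
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

Run it against a `show running-config` capture instead of the constructed samples to check a real router; the `$KEY` placeholders in the post's config would all collide, so substitute the actual per-peer keys before auditing.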


Tricky NAT and VPN

So we have a client that we are looking to do some inbound telemarketing for, and everything seems to be going well. Everyone on our team is getting along with everyone on the client’s team, and we all understand what needs to be done.

The first thing that needs to be completed is an L2L VPN between our ASA and the client’s PIX. Here are the requirements:

1) Private IPs are not allowed to traverse the VPN
2) Need a PAT for users connecting to the client’s Terminal Server (initiated from users)
3) Need a static NAT for connections between the AES of the Avaya and the client’s Verint server (the connection is bidirectional, so it can be initiated by either side)
4) Need a static NAT for connections between the CLAN of the Avaya and the client’s Verint system (the connection is bidirectional, so it can be initiated by either side)