Friday 22 September 2017

Cisco VTI Configuration

Virtual Tunnel Interface (VTI) is a Cisco IOS feature for building route-based IPsec tunnels. It is simpler than a crypto-map based site-to-site tunnel, which needs a lot more configuration and is much harder to troubleshoot.

Below are the configuration steps for setting up a VTI on Cisco IOS.

crypto isakmp policy 100
encr 3des
authentication pre-share
group 1

crypto ipsec transform-set VTI-TS esp-3des esp-md5-hmac

crypto ipsec profile VTI
set transform-set VTI-TS

interface Tunnel0
ip address 192.168.1.1 255.255.255.252
tunnel source <Local ISP IP>
tunnel destination <Remote ISP IP>
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI

crypto isakmp key Psk@PSK address <Remote ISP>


Remote Router

interface Tunnel0
ip address 192.168.1.2 255.255.255.252
tunnel source <Local ISP IP>
tunnel destination <Remote ISP IP>
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI

The rest of the configuration is the same. Assign the local ISP interface IP and the remote ISP interface IP accordingly on each router.

Once this is done, 192.168.1.1 and 192.168.1.2 will be able to ping each other. Then add any dynamic routing protocol over the tunnel for easy routing.
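As an added worked example (not the original post's configuration), here is a complete pair of configurations for both ends of the VTI. It goes beyond the template above in two ways: it uses AES-256, SHA-256 and DH group 14 in place of 3DES, MD5 and group 1 (all three of which are deprecated and should be avoided where both peers support stronger options), and it runs OSPF over the tunnel so the two LANs learn each other's routes. The ISP addresses 203.0.113.1 and 198.51.100.1, the pre-shared key and the LAN prefixes 10.1.0.0/24 and 10.2.0.0/24 are constructed placeholders.

```cisco
! ===== Router A (ISP IP 203.0.113.1, LAN 10.1.0.0/24) =====
! Phase 1 (IKEv1) policy: AES-256, SHA-256, DH group 14, pre-shared key
crypto isakmp policy 100
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
! Pre-shared key bound to the peer's ISP address (constructed value, change it)
crypto isakmp key Example-PSK-ChangeMe address 198.51.100.1
!
! Phase 2 transform set: ESP with AES-256 encryption and SHA-256 HMAC
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile VTI
 set transform-set VTI-TS
 set pfs group14
!
interface Tunnel0
 ip address 192.168.1.1 255.255.255.252
 ! leave headroom for the ESP/tunnel overhead to avoid fragmentation
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
! Dynamic routing over the tunnel: advertise the local LAN, learn the remote one
router ospf 1
 network 192.168.1.0 0.0.0.3 area 0
 network 10.1.0.0 0.0.0.255 area 0
 passive-interface default
 no passive-interface Tunnel0

! ===== Router B (ISP IP 198.51.100.1, LAN 10.2.0.0/24) =====
crypto isakmp policy 100
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key Example-PSK-ChangeMe address 203.0.113.1
!
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI
 set transform-set VTI-TS
 set pfs group14
!
interface Tunnel0
 ip address 192.168.1.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
router ospf 1
 network 192.168.1.0 0.0.0.3 area 0
 network 10.2.0.0 0.0.0.255 area 0
 passive-interface default
 no passive-interface Tunnel0

! ===== Verification (run on either side) =====
! show crypto isakmp sa      -> IKE SA in state QM_IDLE
! show crypto ipsec sa       -> pkts encaps / decaps counters increasing
! show interfaces tunnel 0   -> line protocol up
! show ip ospf neighbor      -> FULL adjacency on Tunnel0
! ping 192.168.1.2 source 192.168.1.1
```

The pre-shared key is tied to the peer's address on each side, so a mismatch in either the key or the `tunnel destination` shows up immediately in `show crypto isakmp sa` as a stuck MM_NO_STATE or missing SA rather than as a silent routing failure.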

Cisco ASA dual ISP for incoming traffic

Requirement

We have public IP addresses from both ISP1 and ISP2 and want both public links active at the same time.

For this purpose we can use traffic zones, which allow two default routes (one per ISP interface) to be active at once.

Outbound traffic: load balanced across the two ISPs. Route tracking should be configured as well so that a failed ISP link is detected.

Inbound traffic: the ASA returns the reply through the same interface the connection came in on.

Additional requirement: a secondary or additional IP address on the public (DMZ/inside) server.


Example.

Topology

R3 - remote user
R1 - ISP1 router
R2 - ISP2 router
ASA - customer-side ASA
R4 - internal or DMZ public server with two IP addresses

Configuration required on the ASA

1. Traffic zones

Global configuration mode:

zone ISP
zone Internal

Interface configuration mode (on both ISP interfaces):

zone-member ISP

2. Routes

route outside1 0.0.0.0 0.0.0.0 192.168.3.2 1
route outside2 0.0.0.0 0.0.0.0 192.168.4.2 1

You may need to configure route tracking for the routes above so that a failed ISP link is withdrawn from the routing table.

3. NAT

nat (inside1,outside1) source static inside1_192.168.100.100 public1_1.1.1.1  (NAT for the primary IP through ISP1)
nat (inside1,outside2) source static inside2_192.168.100.101 public2_2.2.2.2  (NAT for the secondary/additional IP through the secondary ISP)
nat (inside1,outside1) source dynamic inside1_192.168.100.100 interface  (outbound PAT to the ISP1 interface address)
nat (inside1,outside2) source dynamic inside1_192.168.100.100 interface  (outbound PAT to the ISP2 interface address)
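The three steps above (zones, tracked routes, NAT) assembled into one complete ASA configuration, as an added example rather than the post's own config. The interface names, the 192.168.3.0/24 and 192.168.4.0/24 links toward the ISP routers, the inside interface address, the network objects behind the NAT rules, the SLA probe targets and the inbound ACL are constructed to match the topology above; the public addresses 1.1.1.1 and 2.2.2.2 are kept from the post as placeholders. The inside interface is deliberately left out of any zone, as in the post.

```cisco
! --- 1. Traffic zone; it must exist before an interface can join it ---
zone ISP
!
interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address 192.168.3.1 255.255.255.0
 zone-member ISP
!
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 192.168.4.1 255.255.255.0
 zone-member ISP
!
interface GigabitEthernet0/2
 nameif inside1
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
! --- 2. Two equal-cost default routes, each tied to an SLA track ---
! Each probe pings its ISP gateway; when the probe fails the track goes
! down and the ASA withdraws that default route, so traffic stays on
! the surviving ISP instead of being black-holed.
sla monitor 1
 type echo protocol ipIcmpEcho 192.168.3.2 interface outside1
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
sla monitor 2
 type echo protocol ipIcmpEcho 192.168.4.2 interface outside2
 num-packets 3
 frequency 10
sla monitor schedule 2 life forever start-time now
track 2 rtr 2 reachability
!
route outside1 0.0.0.0 0.0.0.0 192.168.3.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 192.168.4.2 1 track 2
!
! --- 3. Network objects referenced by the NAT rules ---
object network inside1_192.168.100.100
 host 192.168.100.100
object network inside2_192.168.100.101
 host 192.168.100.101
object network public1_1.1.1.1
 host 1.1.1.1
object network public2_2.2.2.2
 host 2.2.2.2
!
! Inbound: primary server IP published via ISP1, secondary IP via ISP2
nat (inside1,outside1) source static inside1_192.168.100.100 public1_1.1.1.1
nat (inside1,outside2) source static inside2_192.168.100.101 public2_2.2.2.2
! Outbound: PAT to whichever ISP interface the ECMP route selects
nat (inside1,outside1) source dynamic inside1_192.168.100.100 interface
nat (inside1,outside2) source dynamic inside1_192.168.100.100 interface
!
! Only the published service is allowed in from either ISP (constructed ACL;
! post-8.3 ASA ACLs reference the real, untranslated server addresses)
access-list OUTSIDE_IN extended permit tcp any object inside1_192.168.100.100 eq 443
access-list OUTSIDE_IN extended permit tcp any object inside2_192.168.100.101 eq 443
access-group OUTSIDE_IN in interface outside1
access-group OUTSIDE_IN in interface outside2
!
! --- Verification ---
! show zone          -> outside1 and outside2 listed as members of ISP
! show route         -> two 0.0.0.0/0 entries with equal metric
! show track         -> Reachability is Up for track 1 and track 2
! show nat detail    -> translate_hits on the two static rules
! show conn address 192.168.100.100  -> ingress interface of each flow
```

With both default routes in the same zone the ASA keeps the connection entry tied to the interface the first packet arrived on, which is what makes the inbound return path symmetric; `show conn` is the quickest way to confirm a reply for a connection that came in on outside2 is not being sent out outside1.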


PM me if you need any help.

Please note: an alternative is to use policy-based routing on the ASA, so that if the source IP address is the secondary one, the next hop is set to the secondary ISP.