Wednesday, May 26, 2010

A complex VPN MESS LAB!


LAB Scenario
Summary:
1. GETVPN over DMVPN with OSPF (RSA authentication); selective traffic
engineering over GET and DMVPNs.
2. VRF-aware IPSec Dynamic VTI based RA VPN with XAuth
3. RA VPN using Dynamic VTI with XAuth
4. Crypto-map based VPN with Dynamic VTI on the other side
5. Static VTI based VPN with EIGRP
6. Zone based FW + NAT ..just to add a bit more spice
7. MPLS L3 VPN core


SITE1 is the Headquarters (HUB). SITE2, 3 and 4 are branch sites.

RTR-XYZ is the external connection.

Internet-host is any host on the Internet.

Restriction: Don't modify ISP router (PE1 and PE2) configs.
  

TASK1: DMVPN with OSPF

SITE1, 2 and 3 participate in DMVPN. Use PSK for authentication.
RTR-SITE1-HUB functions as the DMVPN hub. Use OSPF as the routing protocol for DMVPN reachability.
Protect the DMVPN cloud using IPSec. *Correction1: Create only mGRE tunnels; tunnel protection should be configured as per the next GETVPN task.
  
  

TASK2: GETVPN over DMVPN


SITE1, 2 and 3 run GETVPN over the previously configured DMVPN cloud. Use digital certificates for authentication (including IKE Phase 1 authentication).

RTR-SITE1-KS functions as KS server, CA server and NTP server.

GETVPN routers should enroll for their certificates with RTR-SITE1-KS.

Ensure that GETVPN traffic is encrypted first, then tunneled via DMVPN. Check the IPSec SAs to confirm this.
  

TASK3: VRF aware IPSEC Remote Access VPN using Dynamic VTI

SITE1 RTR-SITE1-HUB uses Dynamic VTI to host the EasyVPN Server.

We have overlapping IP addresses in SITE1. 10.1.1.0/24 is overlapped between CUSTOMERX, CUSTOMERY and SITE1's global routing table. CUSTOMERX and CUSTOMERY have dedicated VRFs in SITE1.

If InternetHost uses Groupname: CUSTOMERX password: CISCO, it can access CUSTOMERX's 10.1.1.0/24

If InternetHost uses Groupname: CUSTOMERY password: CISCO, it can access CUSTOMERY's 10.1.1.0/24

If InternetHost uses Groupname: USER_GRT password: CISCO, it can access SITE1's Global routing table's 10.1.1.0/24

Configure XAUTH for all groups using the same group credentials respectively. Use a local address pool - 10.100.101.1 to 10.100.101.7

Ensure that a Remote Access VPN connection using GroupID USER_GRT has access to all LAN segments in SITE1,2,3,4 and RTR-XYZ's LAN segment
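As an added illustration of TASK3 (not part of the original post), the RTR-SITE1-HUB side of a VRF-aware Easy VPN server on Dynamic VTI: each group ID matches its own ISAKMP profile, and that profile points at a Virtual-Template whose VRF decides which 10.1.1.0/24 the client lands in. Only CUSTOMERX and USER_GRT are shown; CUSTOMERY is the CUSTOMERX block repeated with its VRF and a Virtual-Template2. The list, profile, transform-set and pool names are assumptions.

```cisco
! RTR-SITE1-HUB: one ISAKMP profile + Virtual-Template per group, so the
! client's group ID selects the VRF its Virtual-Access interface lands in
aaa new-model
aaa authentication login XAUTH-LIST local
aaa authorization network GROUP-LIST local
! XAUTH users reuse the group credentials, per the task
username CUSTOMERX password 0 CISCO
username USER_GRT password 0 CISCO
ip local pool RA-POOL 10.100.101.1 10.100.101.7
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group CUSTOMERX
 key CISCO
 pool RA-POOL
crypto isakmp client configuration group USER_GRT
 key CISCO
 pool RA-POOL
!
crypto isakmp profile CUSTOMERX-PROF
 match identity group CUSTOMERX
 client authentication list XAUTH-LIST
 isakmp authorization list GROUP-LIST
 client configuration address respond
 virtual-template 1
crypto isakmp profile GRT-PROF
 match identity group USER_GRT
 client authentication list XAUTH-LIST
 isakmp authorization list GROUP-LIST
 client configuration address respond
 virtual-template 3
!
crypto ipsec transform-set RA-TS esp-aes esp-sha-hmac
crypto ipsec profile DVTI-PROF
 set transform-set RA-TS
!
! CUSTOMERX: the Virtual-Access inherits this VRF, so the client's /32 is
! installed in CUSTOMERX and 10.1.1.0/24 resolves there, not in the global table
interface Virtual-Template1 type tunnel
 ip vrf forwarding CUSTOMERX
 ip unnumbered FastEthernet1/0.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DVTI-PROF
! USER_GRT: no VRF, so the client lands in the global routing table
interface Virtual-Template3 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DVTI-PROF
```

Verify with "show crypto session detail" and "show ip route vrf CUSTOMERX": a connected client should appear as a Virtual-Access interface and its pool address as a /32 in the VRF of the matching template.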
  

TASK4: L2L Tunnel with Crypto MAP on SITE4 + Dynamic VTI


SITE4's ASA-SITE4 firewall connects using a crypto-map based L2L tunnel to SITE1's RTR-SITE1-HUB router. SITE1 uses Dynamic VTI. Don't use a crypto-map on RTR-SITE1-HUB.

Ensure that the inside LAN subnet in SITE4 has access to the other LAN segments in SITE1,2,3, RTR-XYZ's LAN segment and the Remote Access VPN pool.

  

TASK5: L2L Tunnel using Static VTI

Configure an L2L VPN tunnel between SITE1 and RTR-XYZ. Use EIGRP for routing. RTR-XYZ's LAN segment should be able to reach all LAN subnets in SITE1,2,3,4

RTR-XYZ's LAN segment should also be able to reach Internet-host once Internet-host connects to the RA VPN using the USER_GRT group ID.
  

TASK6: VPN Traffic engineering

Traffic between SITE1,2,3 LAN segments should pass via the GETVPN tunnel, then get encapsulated in DMVPN (and vice versa).

Don't include SITE1's 10.1.1.0/24 subnet in the GETVPN encrypted path. 10.1.1.0/24 should be reachable via the DMVPN path between the sites.

Traffic from the Remote Access VPN pool (10.100.101.0/29) to SITE2-Loopback0 and SITE3-Loopback0 should pass via the GETVPN tunnel, then get encapsulated in DMVPN (and vice versa).

Traffic from the Remote Access VPN pool (10.100.101.0/29) to SITE4_LAN and RTR-XYZ_LAN should ONLY pass via the DMVPN tunnel, not via GETVPN (and vice versa).

Traffic to 10.1.1.0/24 in SITE1 shouldn't be included in GETVPN encryption for any of these flows.

Ensure that all traffic via the ISP routers is IPSEC protected. GETVPN traffic is allowed to be encrypted twice, once by GETVPN, a second time by DMVPN.
*Correction2: NON-GETVPN traffic (e.g. between RTR-XYZ and RTR-SITE2 etc.) should only be GRE encapsulated within the DMVPN cloud across the service provider routers; no IPSec protection is needed.
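As an added illustration of TASK2 together with the 10.1.1.0/24 exclusion from TASK6 (not part of the original post): a GETVPN key server on RTR-SITE1-KS with an RSA-signed rekey, and the matching group member config for a spoke such as RTR-SITE2, where the GDOI crypto map sits on the mGRE tunnel so GETVPN encrypts before DMVPN encapsulates. Assumed: PKI enrollment against the CA on RTR-SITE1-KS is already done (so IKE keeps the default rsa-sig), the group name and number, the RSA key label, and that the DMVPN tunnel is Tunnel0; RTR-SITE1-HUB and RTR-SITE3 get the same group member block.

```cisco
! ---- RTR-SITE1-KS (key server) ----
! exec mode, once: crypto key generate rsa general-keys label GETVPN-REKEY modulus 1024
crypto isakmp policy 10
 encr aes
 group 2
! authentication rsa-sig is the default: IKE Phase 1 uses the certificates
crypto ipsec transform-set GET-TS esp-aes esp-sha-hmac
crypto ipsec profile GET-PROF
 set transform-set GET-TS
!
ip access-list extended GETVPN-POLICY
 remark TASK6: SITE1's 10.1.1.0/24 is never GETVPN-encrypted, DMVPN only
 deny   ip 10.1.1.0 0.0.0.255 any
 deny   ip any 10.1.1.0 0.0.0.255
 remark the other TASK6 DMVPN-only flows go here as further deny lines
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
crypto gdoi group GETVPN-GRP
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GET-PROF
   match address ipv4 GETVPN-POLICY
   replay counter window-size 64
  address ipv4 10.100.100.100
!
! ---- RTR-SITE2 (group member) ----
crypto isakmp policy 10
 encr aes
 group 2
!
crypto gdoi group GETVPN-GRP
 identity number 1234
 server address ipv4 10.100.100.100
!
crypto map GET-MAP 10 gdoi
 set group GETVPN-GRP
!
! the map goes on the mGRE tunnel, not the WAN interface: packets routed
! into the tunnel are GETVPN-encrypted first, then GRE-encapsulated
interface Tunnel0
 crypto map GET-MAP
```

On a group member, "show crypto gdoi" should list the downloaded policy and "show crypto ipsec sa" should show the GDOI SA on Tunnel0, which is the check TASK2 asks for.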
  

TASK7: Zone based Firewall with NAT

Configure Zone based firewall on RTR-SITE2 in SITE2 for Internet access filtering.

Allow only ICMP traffic to and from RTR-SITE2 (Self zone). Make sure DMVPN, GETVPN etc. continue to work normally. VPN traffic flow should continue to work.

Allow INBOUND TELNET, SMTP to SITE2's LAN segments.

ALLOW ALL OUTBOUND TRAFFIC from SITE2's LAN segments (10.2.1.0/24 and 10.23.23.0/24).

NAT

SITE2 LAN Segment should be able to access Internet host 105.1.1.2 using 102.1.1.3 as source IP. Use PAT.

Configure NAT on RTR-SITE2 such that Internet Host can telnet into RTR-SITE3 using 102.1.1.4 as destination IP.

SITE2 and SITE3 are connected via a backdoor link with IP 10.23.23.0/24 for testing NAT related tasks.

Add static route on RTR-SITE3 to test the access to 105.1.1.2.

DYNAMIPS NET FILE/PEMU SCRIPT

Dynamips NET FILE

autostart = False
[192.168.100.75]
port = 7200
udp = 10000

[[7200]]
image = C:\Program Files\Dynamips\images\c7200-k91p-m.122-25.S15.bin
npe = npe-400
ram = 96
disk0 = 0
disk1 = 0
mmap = false

[[router RTR-SITE1-KS]]
autostart = False

image = C:\Program Files\Dynamips\images\c3660-jk9o3s-m.124-15.T11.bin
model = 3660
mmap = false
ram = 256
Fa0/0 = RTR-SITE1-HUB Fa0/1

cnfg = C:\Program Files\Dynamips\sample_labs\CCIE-SEC-HELL-LAB\configs\RTR-SITE1-KS.cfg

[[router RTR-SITE1-HUB]]
autostart = False
image = C:\Program Files\Dynamips\images\c3660-jk9o3s-m.124-15.T11.bin
model = 3660
mmap = false
ram = 256

# ASA-FW-SITE1 INSIDE #
Fa0/0 = NIO_udp:1011:1.1.1.1:1001
Fa1/0 = LAN 120
cnfg = C:\Program Files\Dynamips\sample_labs\CCIE-SEC-HELL-LAB\configs\RTR-SITE1-HUB.cfg

[[router RTR-SITE2]]
autostart = False
image = C:\Program Files\Dynamips\images\c3660-jk9o3s-m.124-15.T11.bin
model = 3660
mmap = false
ram = 256
Fa0/0 = PE2 Fa1/0
Fa0/1 = LAN 102
Fa1/0 = RTR-SITE3 Fa1/0
cnfg = C:\Program Files\Dynamips\sample_labs\CCIE-SEC-HELL-LAB\configs\RTR-SITE2.cfg

[[Router PE1]]
model = 7200
autostart = false
slot0 = PA-C7200-IO-FE

# ASA-FW-SITE1 OUTSIDE #
Fa0/0 = NIO_udp:1010:1.1.1.1:1000

#TO VM for RA VPN #
Fa2/0 = NIO_gen_eth:\Device\NPF_{597007F5-5BF6-45E2-B348-388172170CF3}

# ASA-FW-SITE4 OUTSIDE #
Fa2/1 = NIO_udp:2010:1.1.1.1:2000

Fa1/0 = PE2 Fa0/0

F1/1 = RTR-XYZ Fa0/0
cnfg = C:\Program Files\Dynamips\sample_labs\CCIE-SEC-HELL-LAB\configs\PE1.cfg

[[Router PE2]]
model = 7200
autostart = false
slot0 = PA-C7200-IO-FE
cnfg = C:\Program Files\Dynamips\sample_labs\CCIE-SEC-HELL-LAB\configs\PE2.cfg


##############
##############
# MultiPC

[192.168.100.35:7200]
udp = 11000
workingdir = Z:\Program Files\Dynamips\sample_labs\CCIE-SEC-HELL-LAB
[[router RTR-SITE3]]
autostart = False

image = C:\Program Files\Dynamips\images\c3660-jk9o3s-m.124-15.T11.bin

model = 3660
mmap = false
ram = 256
Fa0/0 = PE2 Fa1/1
Fa0/1 = LAN 103
cnfg = Z:\Program Files\Dynamips\sample_labs\CCIE-SEC-HELL-LAB\configs\RTR-SITE3.cfg

[[router RTR-XYZ]]
autostart = False
image = C:\Program Files\Dynamips\images\c3660-jk9o3s-m.124-15.T11.bin
model = 3660
mmap = False
ram = 256
F0/0 = PE1 Fa1/1
Fa0/1 = LAN 60
cnfg = Z:\Program Files\Dynamips\sample_labs\CCIE-SEC-HELL-LAB\configs\RTR-XYZ.cfg


###########################################################
PEMU ASA-SITE1

start /belownormal pemu -net nic,vlan=10,macaddr=00:00:00:00:10:01 -net udp,vlan=10,sport=1000,dport=1010,daddr=1.1.1.1 -net nic,vlan=11,macaddr=00:00:00:00:10:02 -net udp,vlan=11,sport=1001,dport=1011,daddr=1.1.1.1 -net nic,vlan=12,macaddr=00:00:00:00:10:03 -net udp,vlan=12,sport=1002,dport=1012,daddr=1.1.1.1 -net nic,vlan=13,macaddr=00:00:00:00:10:04 -net udp,vlan=13,sport=1004,dport=1014,daddr=1.1.1.1 -serial telnet::2050,server,nowait -m 128 FLASH8X-SITE1

###########################################################
PEMU ASA-SITE4

start /belownormal pemu -net nic,vlan=20,macaddr=00:00:00:00:20:01 -net udp,vlan=20,sport=2000,dport=2010,daddr=1.1.1.1 -net nic,vlan=21,macaddr=00:00:00:00:20:02 -net udp,vlan=21,sport=2001,dport=2011,daddr=1.1.1.1 -net nic,vlan=22,macaddr=00:00:00:00:20:03 -net udp,vlan=22,sport=2002,dport=2012,daddr=1.1.1.1 -net nic,vlan=23,macaddr=00:00:00:00:20:04 -net udp,vlan=23,sport=2004,dport=2014,daddr=1.1.1.1 -serial telnet::2051,server,nowait -m 128 FLASH8X-SITE4
############################################################


INIT CONFIGS

########################################################
hostname ASA-SITE1

!
interface Ethernet0
nameif outside
security-level 0
ip address 101.1.1.2 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.10.1.2 255.255.255.252
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1


###########################################################


hostname ASA-SITE4
!
interface Ethernet0
nameif outside
security-level 0
ip address 104.1.1.2 255.255.255.252
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.4.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
route outside 0.0.0.0 0.0.0.0 104.1.1.1 1

###########################################################


version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname PE1
!
boot-start-marker
boot-end-marker
!
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
ip vrf ABC
rd 123:123
route-target export 123:123
route-target import 123:123
route-target import 106:106
!
ip vrf XYZ
rd 106:106
route-target export 106:106
route-target import 106:106
route-target import 123:123
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
no clns route-cache
!
interface FastEthernet0/0
ip vrf forwarding ABC
ip address 101.1.1.1 255.255.255.248
duplex half
no clns route-cache
!
interface FastEthernet1/0
ip address 12.1.1.1 255.255.255.252
ip router isis
duplex auto
speed auto
mpls ip
!
interface FastEthernet1/1
ip vrf forwarding XYZ
ip address 106.1.1.1 255.255.255.252
duplex auto
speed auto
no clns route-cache
!
interface FastEthernet2/0
ip vrf forwarding ABC
ip address 105.1.1.1 255.255.255.252
duplex auto
speed auto
no clns route-cache
!
interface FastEthernet2/1
ip vrf forwarding ABC
ip address 104.1.1.1 255.255.255.252
duplex auto
speed auto
no clns route-cache
!
router isis
net 49.0000.0000.0001.00
passive-interface Loopback0
!
router bgp 1
no synchronization
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 1
neighbor 2.2.2.2 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
exit-address-family
!
address-family ipv4 vrf XYZ
redistribute connected
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf ABC
redistribute connected
no auto-summary
no synchronization
exit-address-family
!
ip classless
!
!
!
end

###########################################################


version 12.2

hostname PE2
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
ip vrf ABC
rd 123:123
route-target export 123:123
route-target import 123:123
route-target import 106:106
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
no clns route-cache
!
interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.252
ip router isis
duplex full
mpls ip
!
interface FastEthernet1/0
ip vrf forwarding ABC
ip address 102.1.1.1 255.255.255.248
duplex full
speed auto
no clns route-cache
!
interface FastEthernet1/1
ip vrf forwarding ABC
ip address 103.1.1.1 255.255.255.248
duplex full
speed auto
no clns route-cache
!
router isis
net 49.0000.0000.0002.00
passive-interface Loopback0
!
router bgp 1
no synchronization
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
exit-address-family
!
address-family ipv4 vrf ABC
redistribute connected
no auto-summary
no synchronization
exit-address-family
!
ip classless

end

###########################################################
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR-SITE1-HUB
!
boot-start-marker
boot-end-marker
!
!
!
aaa session-id common
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name CCIE19804.COM
!
!
ip vrf CUSTOMERX
rd 1:1
!
ip vrf CUSTOMERY
rd 2:2
!
!
interface Loopback0
ip address 10.100.100.101 255.255.255.255
!
!
interface FastEthernet0/0
ip address 10.10.1.1 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
!
interface FastEthernet1/0.10
encapsulation dot1Q 10
ip vrf forwarding CUSTOMERX
ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet1/0.20
encapsulation dot1Q 20
ip vrf forwarding CUSTOMERY
ip address 10.1.1.1 255.255.255.0
!
end

###########################################################


version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR-SITE1-KS
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name CCIE19804.COM
!
!
!

!
interface Loopback0
ip address 10.100.100.100 255.255.255.255
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
duplex auto
speed auto
!
ip http server
no ip http secure-server
ip forward-protocol nd
!
!
!
!
end

###########################################################


version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR-SITE2
!
boot-start-marker
boot-end-marker
!
!
ip cef
no ip domain lookup
ip domain name CCIE19804.COM
!
!
interface Loopback0
ip address 10.100.100.102 255.255.255.255
!
!
interface FastEthernet0/0
ip address 102.1.1.2 255.255.255.248
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.2.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 10.23.23.2 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 102.1.1.1
!
!
end

###########################################################


version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR-SITE3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name CCIE19804.COM
!
!
interface Loopback0
ip address 10.100.100.103 255.255.255.255
!
interface FastEthernet0/0
ip address 103.1.1.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.3.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 10.23.23.3 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 103.1.1.1
ip route 105.1.1.0 255.255.255.0 10.23.23.2
!
!
end
###########################################################

version 12.4
!
hostname RTR-XYZ
!
ip cef
!
interface FastEthernet0/0
ip address 106.1.1.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.6.1.1 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 106.1.1.1
!
end
############################################################

4 comments:

  1. This is a great mixed topology
    This weekend I'll have fun

    http://prakashkalsaria.wordpress.com
  2. Swap, this is a good exercise to work on many topics at once. I will lab this up tonight.
  3. I need to hide my IP since I work as a chat support agent for a website. I need to hide my IP address. How do I go about doing that? Thank you! This is really helpful.
  4. Wonderful Article

    Regards
    Inder
    My Blogs: http://www.networksbaseline.in/
