Tag Archives: Cisco

Double NAT to allow IPSEC VPN on firewall behind router or firewall

On your Site 1 internet router/firewall, NAT the following ports to your VPN firewall’s External IP address:

[Screenshot: port-forwarding rules on the Site 1 router, pointing at 192.168.254.100]

Note: To set up a proper IPSEC VPN on a firewall that sits behind an internet-facing router/firewall, the IPSEC VPN firewall must be assigned an internal IP address. The above example shows the IPSEC VPN firewall as 192.168.254.100.

That address is on the IP subnet hosted by the internet router/firewall, and it is assigned to the External interface of the IPSEC VPN firewall. The firewall’s internal subnet must be a different subnet; this example uses 172.29.0.0/24.

The IPSEC VPN tunnel configuration is exactly the same as it would be if the VPN firewall were the internet-facing device.

In the VPN tunnel configuration, set the local gateway to the External IP address assigned to the internet-facing device.

On the remote end of the IPSEC VPN tunnel, set the remote gateway to that same address, i.e. the local gateway configured above.

Example:

Site 1 (Home)                Site 2 (Business)

Local GW:  1.1.1.1           Local GW:  2.2.2.2
Remote GW: 2.2.2.2           Remote GW: 1.1.1.1
Internal:  172.29.0.0/24     Internal:  192.168.1.0/24
Remote:    192.168.1.0/24    Remote:    172.29.0.0/24

Switch VLAN Tags on Switchports

Connect to the Cisco switch and log in.

Ensure no other users are logged in.

If more than one user is logged in, ensure the other user(s) log out prior to making any changes.

Show the running config.

Scroll down to the switchport that needs to be changed. When --More-- appears, press the spacebar to view more of the configuration.

Once the switchport is in view, press the Esc key to stop scrolling through the config.

Enter configuration terminal mode.

Using the cursor, highlight the switchport that needs to be changed by left-clicking in front of the line and dragging right until the switchport number is highlighted.

Right-click, and the highlighted text is pasted onto your config line.

Press Enter; this opens that particular switchport interface for editing.

Using the cursor, highlight the switchport access vlan line that needs to be changed by left-clicking in front of the line and dragging right until the VLAN number is highlighted.

Right-click, and the highlighted text is pasted onto your config line.

Press the Delete key to remove the current VLAN number, then enter the new VLAN you wish to assign to the switchport.

To change additional switchports, press the up arrow key to recall the interface line from the command history, change the switchport number to the desired port and press Enter. Then recall the switchport access vlan line the same way and change the VLAN tag.

Leave interface configuration mode and then global configuration mode by typing exit and pressing Enter, twice.

Save the running config to the startup config.
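The same change typed directly at the IOS CLI, added here as an example rather than taken from the original post’s screenshots; the hostname switch1, interfaces GigabitEthernet0/10-12 and VLANs 10 and 20 are assumed, and the show output is abbreviated.

```cisco
! Added example (assumed hostname, interfaces and VLAN numbers).
switch1> enable
switch1# show users
! Only your own line (marked with *) should be listed before you continue.
!
! Look at just the interface of interest instead of paging through show run
switch1# show running-config interface GigabitEthernet0/10
interface GigabitEthernet0/10
 switchport access vlan 10
 switchport mode access
!
switch1# configure terminal
switch1(config)# interface GigabitEthernet0/10
switch1(config-if)# switchport access vlan 20
switch1(config-if)# exit
switch1(config)# exit
!
! Several ports at once, instead of re-editing the history line per port
switch1# configure terminal
switch1(config)# interface range GigabitEthernet0/11 - 12
switch1(config-if-range)# switchport access vlan 20
switch1(config-if-range)# end
!
! Confirm the ports landed in the intended VLAN before saving
switch1# show vlan brief | include ^20
switch1# show interfaces GigabitEthernet0/10 switchport | include Access Mode VLAN
switch1# copy running-config startup-config
```

Moving a port into a VLAN changes which hosts can reach it at layer 2, so verify with show vlan brief before writing to startup-config rather than after.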

Port Forwarding to Host on ASA

To forward a port to a device behind the firewall on your inside subnet, follow the steps below:

Using the ASDM, add a Network Object under Configuration/Firewall/Objects/Network Objects/Groups.

Provide a Name, select Host and enter its IP Address.
Check the Add Automatic Address Translation Rules box.
Ensure the Type is Static.
Set the Translated Addr to outside.
Click on the Advanced… button.
Set the Source Interface to inside and the Destination Interface to outside.
Select the correct Protocol Service, then enter the correct Real Port and Mapped Port.
Click OK.

Add Access Rule under Configuration/Firewall/Access Rules.
Set the Interface to inside.
Set Action to Permit.
Set Source to any.
Set Destination to the device you are forwarding the port to.
Set the Service to the Protocol/Port you are forwarding.
Click OK.
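The CLI equivalent of those ASDM steps (ASA 8.3 or later object NAT), added here as an example and not taken from the original post; the object name SRV-WEB, inside host 192.168.1.10, TCP port 443 and the addresses in the packet-tracer line are assumed.

```cisco
! Added example, ASA 8.3+ syntax. Object name, host, port and test addresses are assumed.
object network SRV-WEB
 host 192.168.1.10
 ! Static PAT: <outside interface IP>:443 -> 192.168.1.10:443
 ! ("Translated Addr = outside" in ASDM is the interface keyword here)
 nat (inside,outside) static interface service tcp 443 443
!
! Inbound connections arrive on the outside interface, so the permit rule is
! bound there. Since 8.3 the ACL matches the real (untranslated) address,
! which is why ASDM asks for the device itself as the destination.
! "any" as the source is what the post uses; narrow it to known peers if you can.
access-list OUTSIDE_IN extended permit tcp any object SRV-WEB eq 443
access-group OUTSIDE_IN in interface outside
!
! Verify the translation exists and the rule is hit
show nat detail
show access-list OUTSIDE_IN
! Simulate one inbound SYN (assumed client 203.0.113.5, assumed outside IP 198.51.100.2)
packet-tracer input outside tcp 203.0.113.5 40000 198.51.100.2 443
```

packet-tracer walks the packet through NAT and the ACL and reports the first phase that drops it, which is faster than testing from the internet side.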

Configure ASA for S2S IPSEC VPN

In the ASDM toolbar, select Wizards/VPN Wizards/Site-to-site VPN Wizard…

Step 1: Click Next on the Introduction screen.
Step 2: Enter the Peer IP Address for the remote site, ensure the VPN Access Interface is set to outside, then click Next.

Step 3: Browse the Local Network by clicking the … button to the right of the Local Network field.
Select inside-network, click the Local Network button, then click OK.
Enter the remote subnet in the Remote Network field (for example 10.10.1.1/24), then click Next.

Step 4: Select Simple Configuration, enter the Pre-shared Key and click Next.

Step 5: Exempt the inside interface from address translation by ticking the checkbox, then click Next.

Step 6: Review the configuration and click Finish if everything is correct; click Back to make any changes needed.

Uncheck the IKEv2 Enabled checkbox, then click Edit on the Connection Profile you just created.

Verify that the appropriate IKE policy is listed under IPsec Settings/IKE v1 Settings/Encryption Algorithms; if it is not, click Manage and add it.

Click Apply, then Save.
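What the wizard produces, written out as ASA CLI for the Site 1 (Home) firewall from the double-NAT example earlier on this page (outside interface 192.168.254.100 behind router 1.1.1.1, peer 2.2.2.2, LANs 172.29.0.0/24 and 192.168.1.0/24). This is an added example, not the original post’s configuration; the policy, transform-set, object and crypto-map names and the pre-shared-key placeholder are assumed.

```cisco
! Added example: Site 1 ASA, IKEv1 only (IKEv2 Enabled unchecked as in the post).
! Names and the PSK placeholder are assumed; addresses come from the page.
!
! Phase 1
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
! The peer sees 1.1.1.1 (the router), not 192.168.254.100. IKE detects the
! NAT and moves to UDP 4500, and ESP then travels inside UDP (NAT-T).
crypto isakmp nat-traversal 20
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key <REPLACE-WITH-LONG-RANDOM-PSK>
!
! Phase 2
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
object network SITE1-LAN
 subnet 172.29.0.0 255.255.255.0
object network SITE2-LAN
 subnet 192.168.1.0 255.255.255.0
! Interesting traffic: Site 1 LAN <-> Site 2 LAN
access-list VPN-SITE2 extended permit ip 172.29.0.0 255.255.255.0 192.168.1.0 255.255.255.0
! NAT exemption (wizard step 5): LAN-to-LAN traffic keeps its real addresses
nat (inside,outside) source static SITE1-LAN SITE1-LAN destination static SITE2-LAN SITE2-LAN no-proxy-arp route-lookup
!
crypto map OUTSIDE_MAP 10 match address VPN-SITE2
crypto map OUTSIDE_MAP 10 set peer 2.2.2.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
! Double-NAT prerequisites outside this box: the Site 1 router must forward
! UDP 500 and UDP 4500 to 192.168.254.100, and Site 2 configures 1.1.1.1,
! not 192.168.254.100, as its peer (its tunnel-group name).
! Verify: show crypto ikev1 sa / show crypto ipsec sa
```

Site 2 mirrors this with the peer set to 1.1.1.1 and the two LAN objects swapped; the NAT exemption line is the step most often missed, and without it Site 1 traffic reaches the tunnel with a PAT’d source and never matches the crypto ACL.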

Subnet Cheat Sheet

I’ve created this easy to remember cheat sheet for use while taking your Cisco exams. Once you have copied it onto paper a few times, you will realize just how easy it is and how valuable it is when testing for your Cisco exams. After reviewing several different methods for computing the number of hosts and subnets, I’ve consolidated the information so it will save you considerable amounts of time in computations during your exams.