Configuring Dynamic Multipoint VPN and Zone Based Firewall

Published by Joe Conklin on

What is a Dynamic Multipoint VPN and why to use it?

DMVPN provides the capability for creating a dynamic-mesh VPN network without having to pre-configure (static) all possible tunnel end-point peers, including IPsec (Internet Protocol Security) and ISAKMP (Internet Security Association and Key Management Protocol) peers. DMVPN is initially configured to build out a hub-and-spoke network by statically configuring the hubs (VPN headends) on the spokes, no change in the configuration on the hub is required to accept new spokes. Using this initial hub-and-spoke network, tunnels between spokes can be dynamically built on demand (dynamic-mesh) without additional configuration on the hubs or spokes. This dynamic-mesh capability alleviates the need for any load on the hub to route data between the spoke networks..

In the example below we will build two hub routers in the hub site for redundancy and two spoke sites. Users sitting behind these routers must be able to reach other site and any new networks provisioned in either site should be advertised to the router is the opposite site automatically. Spoke site should learn routes and advertise the local routes to the hub sites but other spoke sites should not learn routes for other spoke sites. Users in either location must only be allowed to access the site using approved protocols such as FTP, HTTP, DNS, etc. Lastly, each router must be configured for a firewall to protect the device and users from Internet attack without impeding the ability to establish a site-to-site VPN.

Steps to configure DMVPN on hub routers

Step 1: Perform a basic router configuration on R1 and R2 to establish connectivity. Notice the NAT access-list 101 include a deny clause to prevent the remote VPN traffic from using NAT.

R1(config)#interface FastEthernet0/0
R1(config-if)#ip address 1.1.1.1 255.255.255.248
R1(config-if)#ip nat outside
!
R1(config)#interface FastEthernet0/1
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#ip nat inside
!
R1(config)#interface FastEthernet1/0
R1(config-if)#ip address 192.168.254.1 255.255.255.0
R1(config-if)#ip nat inside
!
R1(config)#ip nat inside source list 101 interface FastEthernet0/0 overload
!
R1(config)#access-list 101 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
R1(config)#access-list 101 permit ip 192.168.0.0 0.0.255.255 any
R2(config)#interface FastEthernet0/0
R2(config-if)#ip address 1.1.1.2 255.255.255.248
R2(config-if)#ip nat outside
!
R2(config)#interface FastEthernet0/1
R2(config-if)#ip address 192.168.2.1 255.255.255.0
R2(config-if)#ip nat inside
!
R2(config)#interface FastEthernet1/0
R2(config-if)#ip address 192.168.254.2 255.255.255.0
R2(config-if)#ip nat inside
!
R2(config)#ip nat inside source list 101 interface FastEthernet0/0 overload
!
R2(config)#access-list 101 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
R2(config)#access-list 101 permit ip 192.168.0.0 0.0.255.255 any

Step 2: Configure a crypto isakmp policy and set the crypto isakmp pre-share key on R1 and R2.

R1(config-if)#crypto isakmp policy 1
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
!
R1(config)#crypto isakmp key vpnpasswordhere address 0.0.0.0
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 2
!
R2(config)#crypto isakmp key vpnpasswordhere address 0.0.0.0

Step 3: Configure a crypto ipsec transform-set, crypto ipsec profile, and tunnel interface on R1 and R2.

R1(config)#crypto ipsec transform-set TS-DMVPN-VPN esp-aes esp-sha-hmac
!
R1(config)#crypto ipsec profile DMVPN-VPN
R1(ipsec-profile)#set security-association lifetime seconds 86400
R1(ipsec-profile)#set transform-set TS-DMVPN-VPN
!
R1(config)#interface Tunnel1
R1(config-if)#ip address 172.16.1.1 255.255.255.0
R1(config-if)#ip nhrp authentication dmsvpnpassword1
R1(config-if)#no ip redirects
R1(config-if)#ip nhrp authentication firewall
R1(config-if)#ip nhrp map multicast dynamic
R1(config-if)#ip nhrp network-id 1
R1(config-if)#tunnel source 1.1.1.1
R1(config-if)#tunnel mode gre multipoint
R1(config-if)#tunnel key 1
R1(config-if)#tunnel protection ipsec profile DMVPN-VPN
R2(config)#crypto ipsec transform-set TS-DMVPN-VPN esp-aes esp-sha-hmac
!
R2(config)#crypto ipsec profile DMVPN-VPN
R2(ipsec-profile)#set security-association lifetime seconds 86400
R2(ipsec-profile)#set transform-set TS-DMVPN-VPN
!
R2(config)#interface Tunnel2
R2(config-if)#ip address 172.16.2.2 255.255.255.0
R2(config-if)#ip nhrp authentication dmsvpnpassword2
R2(config-if)#no ip redirects
R2(config-if)#ip nhrp authentication firewall
R2(config-if)#ip nhrp map multicast dynamic
R2(config-if)#ip nhrp network-id 2
R2(config-if)#tunnel source 1.1.1.2
R2(config-if)#tunnel mode gre multipoint
R2(config-if)#tunnel key 2
R2(config-if)#tunnel protection ipsec profile DMVPN-VPN

Step 4: Configure a EIGRP routing process on each router advertising local networks and tunnel networks.

R1(config)#router eigrp 101
R1(config-router)#network 192.168.1.0 0.0.0.255
R1(config-router)#network 192.168.254.0 0.0.0.3
R1(config-router)#network 172.16.1.0 0.0.0.255
R2(config)#router eigrp 101
R2(config-router)#network 192.168.2.0 0.0.0.255
R2(config-router)#network 192.168.254.0 0.0.0.3
R2(config-router)#network 172.16.2.0 0.0.0.255

Steps to configure DMVPN on spoke routers

Step 5: Perform a basic router configuration on R3 and R4 to establish connectivity. Notice the NAT access-list 101 include a deny clause to prevent the remote VPN traffic from using NAT.

R3(config)#interface FastEthernet0/0
R3(config-if)#ip address 1.1.1.3 255.255.255.248
R3(config-if)#ip nat outside
!
R3(config)#interface FastEthernet0/1
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#ip nat inside
!
R3(config)#ip nat inside source list 101 interface FastEthernet0/0 overload
!
R3(config)#access-list 101 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
R3(config)#access-list 101 permit ip 192.168.0.0 0.0.255.255 any
R4(config)#interface FastEthernet0/0
R4(config-if)#ip address 1.1.1.4 255.255.255.248
R4(config-if)#ip nat outside
!
R4(config)#interface FastEthernet0/1
R4(config-if)#ip address 192.168.4.1 255.255.255.0
R4(config-if)#ip nat inside

R4(config)#ip nat inside source list 101 interface FastEthernet0/0 overload
!
R4(config)#access-list 101 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
R4(config)#access-list 101 permit ip 192.168.0.0 0.0.255.255 any

Step 6: Configure a crypto isakmp policy and set the crypto isakmp pre-share key on R3 and R4.

R3(config)#crypto isakmp policy 1
R3(config-isakmp)#encryption 3des
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
!
R3(config)#crypto isakmp key vpnpasswordhere address 0.0.0.0 0.0.0.0
R4(config)#crypto isakmp policy 1
R4(config-isakmp)#encryption 3des
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#group 2
!
R4(config)#crypto isakmp key vpnpasswordhere address 0.0.0.0 0.0.0.0

Step 7: Configure a crypto ipsec transform-set, crypto ipsec profile, and tunnel interfaces on R3 and R4.

R3(config)#crypto ipsec transform-set TS-DMVPN-VPN esp-aes esp-sha-hmac
!
R3(config)#crypto ipsec profile DMVPN-VPN
R3(ipsec-profile)#set security-association lifetime seconds 86400
R3(ipsec-profile)#set transform-set TS-DMVPN-VPN
!
R3(config)#interface Tunnel1
R3(config-if)#ip address 172.16.1.3 255.255.255.0
R3(config-if)#ip nhrp authentication dmsvpnpassword1
R3(config-if)#no ip redirects
R3(config-if)#ip nhrp authentication firewall
R3(config-if)#ip nhrp map multicast dynamic
R3(config-if)#ip nhrp map 172.16.0.1 1.1.1.1
R3(config-if)#ip nhrp map multicast 1.1.1.1
R3(config-if)#ip nhrp network-id 1
R3(config-if)#ip nhrp nhs 172.16.0.1
R3(config-if)#tunnel source FastEthernet0/0
R3(config-if)#tunnel mode gre multipoint
R3(config-if)#tunnel key 1
R3(config-if)#tunnel protection ipsec profile DMVPN-VPN shared
!
R3(config)#interface Tunnel2
R3(config-if)#ip address 172.16.2.3 255.255.255.0
R3(config-if)#ip nhrp authentication dmsvpnpassword2
R3(config-if)#no ip redirects
R3(config-if)#ip nhrp authentication firewall
R3(config-if)#ip nhrp map multicast dynamic
R3(config-if)#ip nhrp map 172.16.0.2 1.1.1.2
R3(config-if)#ip nhrp map multicast 1.1.1.2
R3(config-if)#ip nhrp network-id 2
R3(config-if)#ip nhrp nhs 172.16.0.2
R3(config-if)#tunnel source FastEthernet0/0
R3(config-if)#tunnel mode gre multipoint
R3(config-if)#tunnel key 2
R3(config-if)#tunnel protection ipsec profile DMVPN-VPN shared
R4(config)#crypto ipsec transform-set TS-DMVPN-VPN esp-aes esp-sha-hmac
!
R4(config)#crypto ipsec profile DMVPN-VPN
R4(ipsec-profile)#set security-association lifetime seconds 86400
R4(ipsec-profile)#set transform-set TS-DMVPN-VPN
!
R4(config)#interface Tunnel1
R4(config-if)#ip address 172.16.1.4 255.255.255.0
R4(config-if)#ip nhrp authentication dmsvpnpassword1
R4(config-if)#no ip redirects
R4(config-if)#ip nhrp authentication firewall
R4(config-if)#ip nhrp map multicast dynamic
R4(config-if)#ip nhrp map 172.16.0.1 1.1.1.1
R4(config-if)#ip nhrp map multicast 1.1.1.1
R4(config-if)#ip nhrp network-id 1
R4(config-if)#ip nhrp nhs 172.16.0.1
R4(config-if)#tunnel source FastEthernet0/0
R4(config-if)#tunnel mode gre multipoint
R4(config-if)#tunnel key 1
R4(config-if)#tunnel protection ipsec profile DMVPN-VPN shared
!
R4(config)#interface Tunnel2
R4(config-if)#ip address 172.16.2.4 255.255.255.0
R4(config-if)#ip nhrp authentication dmsvpnpassword1
R4(config-if)#no ip redirects
R4(config-if)#ip nhrp authentication firewall
R4(config-if)#ip nhrp map multicast dynamic
R4(config-if)#ip nhrp map 172.16.0.2 1.1.1.2
R4(config-if)#ip nhrp map multicast 1.1.1.2
R4(config-if)#ip nhrp network-id 2
R4(config-if)#ip nhrp nhs 172.16.0.2
R4(config-if)#tunnel source FastEthernet0/0
R4(config-if)#tunnel mode gre multipoint
R4(config-if)#tunnel key 2
R4(config-if)#tunnel protection ipsec profile DMVPN-VPN shared

Step 8: Configure a EIGRP routing process on each router advertising local networks and tunnel networks.

R3(config)#router eigrp 101
R3(config-router)#eigrp stub
R3(config-router)#network 192.168.3.0 0.0.0.255
R3(config-router)#network 172.16.1.0 0.0.0.255
R3(config-router)#network 172.16.2.0 0.0.0.255
R4(config-if)#router eigrp 101
R4(config-router)#eigrp stub
R4(config-router)#network 192.168.4.0 0.0.0.255
R4(config-router)#network 172.16.1.0 0.0.0.255
R4(config-router)#network 172.16.2.0 0.0.0.255

Configure a Zone-Based Firewall on DMVPN routers

Step 9: Configure the applicable security zones and assign them to Interfaces including tunnel interfaces.

R1(config)#zone security INTERNET
!
R1(config-sec-zone)#zone security LAN
!
R1(config)#zone security S2SVPN
!
R1(config-sec-zone)#interface Tunnel1
R1(config-if)# zone-member security S2SVPN
!
R1(config)#interface FastEthernet0/0
R1(config-if)# zone-member security INTERNET
!
R1(config)#interface FastEthernet0/1
R1(config-if)# zone-member security LAN
R2(config)#zone security INTERNET
!
R2(config-sec-zone)#zone security LAN
!
R1(config)#zone security S2SVPN
!
R2(config-sec-zone)#interface Tunnel2
R2(config-if)# zone-member security S2SVPN
!
R2(config)#interface FastEthernet0/0
R2(config-if)# zone-member security INTERNET
!
R2(config)#interface FastEthernet0/1
R2(config-if)# zone-member security LAN

Step 10: Create a class-map, policy-map, and zone-pair to allow traffic from the local LAN to the Internet.

R1(config)#class-map type inspect match-any LAN-ALLOWED-PROTOCOLS
R1(config-cmap)#match protocol icmp
R1(config-cmap)#match protocol dns
R1(config-cmap)#match protocol ftp
R1(config-cmap)#match protocol https
R1(config-cmap)#match protocol http
R1(config-cmap)#match protocol tcp
R1(config-cmap)#match protocol udp
!
R1(config)#policy-map type inspect LAN-TO-INTERNET-POLICY
R1(config-pmap)#class type inspect LAN-ALLOWED-PROTOCOLS
R1(config-pmap-c)#inspect
R1(config-pmap)#class class-default
R1(config-pmap-c)#drop
!
R1(config)#zone-pair security ZP-LAN-TO-INTERNET source LAN destination INTERNET
R1(config-sec-zone-pair)# service-policy type inspect LAN-TO-INTERNET-POLICY
R1(config)#class-map type inspect match-any LAN-ALLOWED-PROTOCOLS
R2(config-cmap)#match protocol icmp
R2(config-cmap)#match protocol dns
R2(config-cmap)#match protocol ftp
R2(config-cmap)#match protocol https
R2(config-cmap)#match protocol http
R2(config-cmap)#match protocol tcp
R2(config-cmap)#match protocol udp
!
R2(config)#policy-map type inspect LAN-TO-INTERNET-POLICY
R2(config-pmap)#class type inspect LAN-ALLOWED-PROTOCOLS
R2(config-pmap-c)#inspect
R2(config-pmap)#class class-default
R2(config-pmap-c)#drop
!
R2(config)#zone-pair security ZP-LAN-TO-INTERNET source LAN destination INTERNET
R2(config-sec-zone-pair)# service-policy type inspect LAN-TO-INTERNET-POLICY

Step 11: Create two access-list, a class-map, policy-map, and zone-pair to allow traffic from the remote VPN router over the Internet into the self zone to establish the site-to-site VPN.

R1(config)#ip access-list extended ICMP
R1(config-ext-nacl)#permit icmp any any echo
R1(config-ext-nacl)#permit icmp any any echo-reply
R1(config-ext-nacl)#permit icmp any any traceroute
!
R1(config)#ip access-list extended ISAKMP_IPSEC
R1(config-ext-nacl)#permit udp any any eq isakmp
R1(config-ext-nacl)#permit ahp any any
R1(config-ext-nacl)#permit esp any any
R1(config-ext-nacl)#permit udp any any eq non500-isakmp
!
R1(config)#class-map type inspect match-all ICMP-POLICY
R1(config-cmap)#match access-group name ICMP
!
R1(config)#class-map type inspect match-all IPSEC-POLICY
R1(config-cmap)#match access-group name ISAKMP_IPSEC
!
R1(config)#policy-map type inspect INTERNET-TO-SELF-POLICY
R1(config-pmap)#class type inspect ICMP-POLICY
R1(config-pmap-c)#inspect
R1(config-pmap)#class type inspect IPSEC-POLICY
R1(config-pmap-c)#pass
R1(config-pmap)#class class-default
R1(config-pmap-c)#drop
!
R1(config)#zone-pair security ZP-INTERNET-TO-SELF source INTERNET destination self
R1(config-sec-zone-pair)#service-policy type inspect INTERNET-TO-SELF-POLICY
R2(config)#ip access-list extended ICMP
R2(config-ext-nacl)#permit icmp any any echo
R2(config-ext-nacl)#permit icmp any any echo-reply
R2(config-ext-nacl)#permit icmp any any traceroute
!
R2(config)#ip access-list extended ISAKMP_IPSEC
R2(config-ext-nacl)#permit udp any any eq isakmp
R2(config-ext-nacl)#permit ahp any any
R2(config-ext-nacl)#permit esp any any
R2(config-ext-nacl)#permit udp any any eq non500-isakmp
!
R2(config)#class-map type inspect match-all ICMP-POLICY
R2(config-cmap)#match access-group name ICMP
!
R2(config)#class-map type inspect match-all IPSEC-POLICY
R2(config-cmap)#match access-group name ISAKMP_IPSEC
!
R2(config)#policy-map type inspect INTERNET-TO-SELF-POLICY
R2(config-pmap)#class type inspect ICMP-POLICY
R2(config-pmap-c)#inspect
R2(config-pmap)#class type inspect IPSEC-POLICY
R2(config-pmap-c)#pass
R2(config-pmap)#class class-default
R2(config-pmap-c)#drop
!
R2(config)#zone-pair security ZP-INTERNET-TO-SELF source INTERNET destination self
R2(config-sec-zone-pair)#service-policy type inspect INTERNET-TO-SELF-POLICY

Step 12: Configure a policy-map and zone-pair to allow traffic from the local LAN to the site-to-site VPN. We will make use of the preexisting class-map called LAN-ALLOWED-PROTOCOLS.

R1(config)#policy-map type inspect S2SVPN-POLICY
R1(config-pmap)#class type inspect LAN-ALLOWED-PROTOCOLS
R1(config-pmap-c)#inspect
R1(config-pmap)#class class-default
R1(config-pmap-c)#drop
!
R1(config)#zone-pair security ZP-LAN-TO-S2SVPN source LAN destination S2SVPN
R1(config-sec-zone-pair)#service-policy type inspect S2SVPN-POLICY
R2(config)#policy-map type inspect S2SVPN-POLICY
R2(config-pmap)#class type inspect LAN-ALLOWED-PROTOCOLS
R2(config-pmap-c)#inspect
R2(config-pmap)#class class-default
R2(config-pmap-c)#drop
!
R2(config)#zone-pair security ZP-LAN-TO-S2SVPN source LAN destination S2SVPN
R2(config-sec-zone-pair)#service-policy type inspect S2SVPN-POLICY

Step 13: Configure a zone-pair to allow traffic from the site-to-site VPN to local LAN. We will make sure of the preexisting policy-map S2SVPN-POLICY and class-map LAN-ALLOWED-PROTOCOLS.

R1(config)#zone-pair security ZP-S2SVPN-TO-LAN source S2SVPN destination LAN
R1(config-sec-zone-pair)#service-policy type inspect S2SVPN-POLICY
R2(config)#zone-pair security ZP-S2SVPN-TO-LAN source S2SVPN destination LAN
R2(config-sec-zone-pair)#service-policy type inspect S2SVPN-POLICY

Step 14: Repeat the exact same configurations for the spoke routers R3 and R4 with the only change being you will need to assign two tunnels to the S2SVPN zone.

R3(config-sec-zone)#interface Tunnel1
R3(config-if)# zone-member security S2SVPN
!
R3(config-sec-zone)#interface Tunnel2
R3(config-if)# zone-member security S2SVPN
R4(config-sec-zone)#interface Tunnel1
R4(config-if)# zone-member security S2SVPN
!
R4(config-sec-zone)#interface Tunnel2
R4(config-if)# zone-member security S2SVPN

Verify the configuration

Now that the configuration is finished lets verify the configuration. Using the show dmvpnshow crypto engine connection activeshow crypto sessionshow crypto isakmp sa, and show crypto ipsec sa commands you can verify the VPN deployment. You can also use the show ip route and show ip eigrp neighbors command to verify dynamic routing is properly working. Lastly, use the ping command to verify connectivity.

Categories: Cisco FirewallCisco NetworkingCisco RoutingCisco VPNInternet Routing

Related Posts

Cisco Networking

BGP Load Sharing

Load balancing with BGP is not possible in a multihomed environment with two ISPs. BGP selects only the single best path to a destination among the BGP paths that are learned from different ASs, which Read more…

Cisco Networking

Configuring Layer 2 MPLS VPN

Layer 2 VPNs are a type of Virtual Private Network (VPN) that uses MPLS labels to transport data. The communication occurs between routers that are known as Provider Edge routers (PEs), as they sit on Read more…

Cisco Firewall

Configuring Site-to-Site IPsec VPN and Zone Based Firewall

A virtual private network (VPN) extends a private network across a public network, and enables users to send and receive data as if their computers were directly connected to the private network.  A site-to-site VPN Read more…