Allow traffic from remote offices (ISP provided site-to-site VPN)

xtech — Tue, 16 Apr 2019 20:53:31 GMT

We have a customer moving to a new internet service. The ISP will be managing the site-to-site vpn tunnels between the different locations. At the main office, we are installing an ASA 5506-X to act as the gateway/router. I have posted the configuration I have so far below. The network objects correspond to the IP schemes at the remote offices. We need the device to allow traffic from each remote office without being NATed. (i.e. traffic from SLC, 192.168.208.x -> LocalSubnet 192.168.203.x) and I am unclear how to do this.

ip local pool vpnpool 192.168.168.1-192.168.168.50 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address <Public IP>
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.203.1 255.255.255.0
!
interface GigabitEthernet1/3
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/4
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/5
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/6
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/7
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/8
no nameif
security-level 100
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa992-32-lfbff-k8.SPA
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network LocalSubnet
subnet 192.168.203.0 255.255.255.0
object network SLC
subnet 192.168.201.0 255.255.255.0
object network COS
subnet 192.168.205.0 255.255.255.0
object network GRJ
subnet 192.168.202.0 255.255.255.0
object network FRD
subnet 192.168.208.0 255.255.255.0
object network PKR
subnet 192.168.207.0 255.255.255.0
object network FTC
subnet 192.168.206.0 255.255.255.0
object network Linux_Server
host 192.168.203.2
object network VPN
subnet 192.168.168.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 <Public Gateway> 1
access-list vpn-split standard permit 192.168.203.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static LocalSubnet LocalSubnet destination static VPN VPN no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http 192.168.203.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.203.0 255.255.255.0 inside
ssh timeout 20
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.203.100-192.168.203.250 inside
dhcpd dns 192.168.203.1 8.8.8.8 interface inside
dhcpd lease 845600 interface inside
dhcpd domain <domainname> interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.6.03049-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.6.03049-webdeploy-k9.pkg 2
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy RemoteVPN internal
group-policy RemoteVPN attributes
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-split
dynamic-access-policy-record DfltAccessPolicy
username ***** password ***** privilege 15
tunnel-group RemoteVPN type remote-access
tunnel-group RemoteVPN general-attributes
address-pool vpnpool
default-group-policy RemoteVPN
tunnel-group RemoteVPN webvpn-attributes
group-alias RemoteVPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

Re: Allow traffic from remote offices (ISP provided site-to-site VPN)

Rob Ingram — Tue, 16 Apr 2019 20:59:13 GMT

Hi,
The example below will not nat traffic from your local network 192.168.203.x to the remote network FRD 192.168.208.x. This is similar to the nat configuration you already have in place for the destination network VPN.

nat (inside,outside) source static LocalSubnet LocalSubnet destination static FRD FRD no-proxy-arp route-lookup

HTH

topic Re: Allow traffic from remote offices (ISP provided site-to-site VPN) in Network Security

Allow traffic from remote offices (ISP provided site-to-site VPN)

Re: Allow traffic from remote offices (ISP provided site-to-site VPN)