topic Help Please!! in Network Security

Help Please!!

omer_babiker — Tue, 12 Mar 2019 00:21:57 GMT

Hi All,

Please consider the attached diagram.

- There is no direct connection to side 2 from PC-1.

- There is an MPLS link between side1 & side 2, and both local networks can access each other.

My question:

Can I acess 10.0.1.0/24 network (side 2) through side 1, as I can access FW1 using VPN client?

If that possible, what configuration should I do?

Your help is appreciated

Thanks

Help Please!!

omer_babiker — Mon, 12 Nov 2012 06:47:52 GMT

Help Please!!

Jennifer Halim — Tue, 13 Nov 2012 02:07:36 GMT

Yes you can.

If you have split tunnel configured, then just add the side 2 LAN in the split tunnel ACL.

Also, add the NAT exemption from side 2 LAN towards the VPN Client pool.

Let me know if it doesn't work, and pls share your FW configuration.

Help Please!!

omer_babiker — Wed, 14 Nov 2012 05:24:14 GMT

Thanks Jennifer for your helpful response as usual.

So, the config will be:

access-list NEW-Split-List standard permit 10.0.1.0 255.255.255.0

ip local pool NEW_POOL 192.168.18.1-192.168.18.15 mask 255.255.255.240

group-policy NEW internal
group-policy NEW attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NEW-Split-List
address-pools value NEW_POOL

tunnel-group NEW-TUNNEL type remote-access
tunnel-group NEW-TUNNEL general-attributes
default-group-policy NEW
tunnel-group NEW-TUNNEL ipsec-attributes
pre-shared-key *

Now; do I need to allow those IPs ( in th pool ) in the FW2-side2 or it is allowed by default?

Thanks,

Help Please!!

Jennifer Halim — Wed, 14 Nov 2012 05:37:18 GMT

You will also need to configure NAT exemption on FW1.

Now, on FW2, depending on the security levels, you would also need to configure NAT exemption as well as access-list on the interface to allow the traffic through. Plus assuming that FW2 has default route towards the MPLS link?

Help Please!!

omer_babiker — Wed, 14 Nov 2012 05:52:09 GMT

Yea that makes sense to me.

On FW1; we have default route to the internet, but I'll configure static route for side2 network twards mpls link. Am I right?

On FW2: either it will be the same case as FW1 or all the trafic will be routed twards mpls link.

I'm working on the mpls link with the serive provider and it may come up by tomorrow. I'll definitely get back to you with the results.

I really appreciate your help Jennifer.

Help Please!!

Jennifer Halim — Wed, 14 Nov 2012 05:58:51 GMT

Correct, on FW1 you would need to configure static route for side 2 network towards mpls link.

On FW2, if all traffic is routed towards the mpls link, then you don't need to worry about routing. You just have to configure NAT exemption for traffic destined towards the vpn pool, and ACL accordingly.

If internet traffic is routed via local ISP, and only traffic destined towards FW1 is routed via the MPLS link then you would also need to add route for the vpn pool to route via the MPLS link towards FW1.