06-08-2020 03:01 PM - edited 06-09-2020 07:44 PM
Hello, good afternoon everyone, and first of all congratulations on this excellent community!
I have the following problem: I am configuring an IPsec L2L VPN. The tunnel is established successfully and I have traffic through it (ICMP, RDP, HTTPS). The problem is that I am passing two networks through the tunnel: one segment corresponds to the LAN networks (LAN(local) - LAN(remote)) and the second segment is the DMZs (DMZ(local) - DMZ(remote)). Traffic between networks of the same type, LAN to LAN and DMZ to DMZ, works without problems, but traffic going from the local LAN networks to the remote DMZs "is not going through the tunnel". I created both the ACLs and the NAT from the INSIDE and DMZ interfaces, but I still cannot get this traffic through the IPsec tunnel. I am sending my configuration in case someone can review it and give me a hand with it; I would be very grateful:
Local LAN network      Remote LAN network
20.10.2.0/24 ---> 30.10.2.0/24 = data traffic works without problems
Local DMZ network      Remote DMZ network
20.10.1.0/24 ---> 30.10.1.0/24 = data traffic works without problems
Local LAN network      Remote DMZ network
20.10.2.0/24 ---> 30.10.1.0/24 = NO DATA TRAFFIC (NO PING)
LOCAL ASA:
object-group network VPN-DMZ-LOCAL
network-object host 20.10.1.1
network-object host 20.10.1.2
network-object host 20.10.1.3
object-group network VPN-DMZ-REMOTA
network-object host 30.10.1.1
network-object host 30.10.1.2
network-object host 30.10.1.3
object-group network NAT-VPN-REDES-REMOTA
group-object VPN-LAN-REMOTA
group-object VPN-DMZ-REMOTA
object network RED-LAN
subnet 20.10.2.0 255.255.255.0
object network RED-DMZ
subnet 20.10.1.0 255.255.255.0
object network SERVER-I
range 20.10.1.1 20.10.1.3
access-list DMZ-ACCESS-IN remark ACCESO ICMP
access-list DMZ-ACCESS-IN extended permit icmp object SERVER-I any
access-list DMZ-ACCESS-IN extended permit icmp object SERVER-I any echo
access-list DMZ-ACCESS-IN extended permit icmp object SERVER-I any echo-reply
access-list INSIDE-ACCESS-IN remark ACCESO ICMP
access-list INSIDE-ACCESS-IN extended permit icmp object RED-LAN any
access-list INSIDE-ACCESS-IN extended permit icmp object RED-LAN any echo
access-list INSIDE-ACCESS-IN extended permit icmp object RED-LAN any echo-reply
access-list INSIDE-ACCESS-IN extended permit ip object RED-LAN any
access-list VPN-IPSEC-1 remark /-/--- VPN SITE REMOTO ---/-/
access-list VPN-IPSEC-1 remark PERMIT ICMP RED-LAN-LOCAL - RED-LAN-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group VPN-LAN-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group VPN-LAN-REMOTA echo
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group VPN-LAN-REMOTA echo-reply
access-list VPN-IPSEC-1 remark PERMIT ICMP RED-LAN-LOCAL - RED-DMZ-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group VPN-DMZ-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group VPN-DMZ-REMOTA echo
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group VPN-DMZ-REMOTA echo-reply
access-list VPN-IPSEC-1 remark PERMIT ICMP RED-DMZ-LOCAL - RED-DMZ-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-DMZ-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-DMZ-REMOTA echo
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-DMZ-REMOTA echo-reply
access-list VPN-IPSEC-1 remark RESPUESTA ICMP RED-DMZ-LOCAL - RED-LAN-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-LAN-REMOTA echo
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-LAN-REMOTA echo-reply
nat (INSIDE,OUTSIDE) source static VPN-LAN-LOCAL VPN-LAN-LOCAL destination static NAT-VPN-REDES-REMOTA NAT-VPN-REDES-REMOTA no-proxy-arp route-lookup
nat (DMZ,OUTSIDE) source static VPN-DMZ-LOCAL VPN-DMZ-LOCAL destination static NAT-VPN-REDES-REMOTA NAT-VPN-REDES-REMOTA no-proxy-arp route-lookup
REMOTE ASA:
object-group network VPN-DMZ-LOCAL
network-object host 30.10.1.1
network-object host 30.10.1.2
network-object host 30.10.1.3
object-group network VPN-DMZ-REMOTA
network-object host 20.10.1.1
network-object host 20.10.1.2
network-object host 20.10.1.3
object-group network NAT-VPN-REDES-REMOTA
group-object VPN-LAN-REMOTA
group-object VPN-DMZ-REMOTA
object network RED-LAN
subnet 30.10.2.0 255.255.255.0
object network RED-DMZ
subnet 30.10.1.0 255.255.255.0
access-list DMZ-ACCESS-IN remark ACCESO ICMP INTERNO
access-list DMZ-ACCESS-IN extended permit icmp object RED-DMZ object RED-LAN
access-list DMZ-ACCESS-IN extended permit icmp object RED-DMZ object RED-LAN echo
access-list DMZ-ACCESS-IN remark ACCESO ICMP DMZ EXTERNA
access-list DMZ-ACCESS-IN extended permit icmp object RED-DMZ object-group VPN-DMZ-REMOTA
access-list DMZ-ACCESS-IN extended permit icmp object RED-DMZ object-group VPN-DMZ-REMOTA echo
access-list DMZ-ACCESS-IN extended permit icmp object RED-DMZ object-group VPN-DMZ-REMOTA echo-reply
access-list DMZ-ACCESS-IN remark RESPUESTA ICMP LAN EXTERNA
access-list DMZ-ACCESS-IN extended permit icmp object RED-DMZ object-group VPN-LAN-REMOTA echo
access-list DMZ-ACCESS-IN extended permit icmp object RED-DMZ object-group VPN-LAN-REMOTA echo-reply
access-list INSIDE-ACCESS-IN remark ACCESO ICMP
access-list INSIDE-ACCESS-IN extended permit icmp object RED-LAN any
access-list INSIDE-ACCESS-IN extended permit icmp object RED-LAN any echo
access-list INSIDE-ACCESS-IN extended permit icmp object RED-LAN any echo-reply
access-list VPN-IPSEC-1 remark /-/--- VPN SITE REMOTO ---/-/
access-list VPN-IPSEC-1 remark PERMIT ICMP RED-LAN-LOCAL - RED-LAN-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group VPN-LAN-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group VPN-LAN-REMOTA echo
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group VPN-LAN-REMOTA echo-reply
access-list VPN-IPSEC-1 remark PERMIT ICMP RED-LAN-LOCAL - RED-DMZ-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group VPN-DMZ-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group VPN-DMZ-REMOTA echo
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group VPN-DMZ-REMOTA echo-reply
access-list VPN-IPSEC-1 remark PERMIT ICMP RED-DMZ-LOCAL - RED-DMZ-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-DMZ-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-DMZ-REMOTA echo
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-DMZ-REMOTA echo-reply
access-list VPN-IPSEC-1 remark RESPUESTA ICMP RED-DMZ-LOCAL - RED-LAN-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-LAN-REMOTA echo
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-LAN-REMOTA echo-reply
nat (INSIDE,OUTSIDE) source static VPN-LAN-LOCAL VPN-LAN-LOCAL destination static NAT-VPN-REDES-REMOTA NAT-VPN-REDES-REMOTA no-proxy-arp route-lookup
nat (DMZ,OUTSIDE) source static VPN-DMZ-LOCAL VPN-DMZ-LOCAL destination static NAT-VPN-REDES-REMOTA NAT-VPN-REDES-REMOTA no-proxy-arp route-lookup
Regards!!
on 06-08-2020 08:06 PM
Hello
If LAN to LAN and DMZ to DMZ work, and LAN to DMZ does not work, you need to create a static NAT with source LAN LAN destination DMZ DMZ.
Try doing it 1 to 1, not using the following group:
object-group network NAT-VPN-REDES-REMOTA
group-object VPN-LAN-REMOTA
group-object VPN-DMZ-REMOTA
Likewise, check the ACL on both sides.
Regards.
on 06-08-2020 09:36 PM
Hi Julio, I will test it and let you know, thank you very much!!!
on 06-09-2020 06:36 AM
My pleasure Daniel, I will stay tuned.
Regards
on 06-09-2020 03:55 PM
Hi Julio, I made the changes but I still cannot get communication (ICMP) between the local LAN segment and the remote DMZ; LAN-LAN and DMZ-DMZ connectivity is maintained:
This is how the config ended up:
LOCAL ASA
access-list VPN-IPSEC-1 remark /-/--- VPN SITE REMOTO ---/-/
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group NAT-VPN-REDES-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group NAT-VPN-REDES-REMOTA echo
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group NAT-VPN-REDES-REMOTA echo-reply
access-list VPN-IPSEC-1 remark PERMIT ICMP RED-DMZ-LOCAL - RED-DMZ-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-DMZ-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-DMZ-REMOTA echo
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-DMZ-REMOTA echo-reply
access-list split_tunnel-VPN_USER-INTERNO remark ACCESO DESDE TUNEL VPN ANYCONNECT INTERNO
access-list INSIDE-ACCESS-IN remark ACCESO ICMP
access-list INSIDE-ACCESS-IN extended permit icmp object RED-LAN any
access-list INSIDE-ACCESS-IN extended permit icmp object RED-LAN any echo
access-list INSIDE-ACCESS-IN extended permit icmp object RED-LAN any echo-reply
access-list DMZ-ACCESS-IN remark ACCESO ICMP
access-list DMZ-ACCESS-IN extended permit icmp object SERVER-I any
access-list DMZ-ACCESS-IN extended permit icmp object SERVER-I any echo
access-list DMZ-ACCESS-IN extended permit icmp object SERVER-I any echo-reply
nat (INSIDE,OUTSIDE) source static VPN-LAN-LOCAL VPN-LAN-LOCAL destination static VPN-LAN-REMOTA VPN-LAN-REMOTA no-proxy-arp route-lookup
nat (INSIDE,OUTSIDE) source static VPN-LAN-LOCAL VPN-LAN-LOCAL destination static VPN-DMZ-REMOTA VPN-DMZ-REMOTA no-proxy-arp route-lookup
nat (DMZ,OUTSIDE) source static VPN-DMZ-LOCAL VPN-DMZ-LOCAL destination static VPN-DMZ-REMOTA VPN-DMZ-REMOTA no-proxy-arp route-lookup
REMOTE ASA
access-list VPN-IPSEC-1 remark /-/--- VPN SITE REMOTO ---/-/
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group NAT-VPN-REDES-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group NAT-VPN-REDES-REMOTA echo
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group NAT-VPN-REDES-REMOTA echo-reply
access-list VPN-IPSEC-1 remark PERMIT ICMP RED-DMZ-LOCAL - RED-DMZ-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-DMZ-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-DMZ-REMOTA echo
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-DMZ-REMOTA echo-reply
access-list DMZ-ACCESS-IN remark ACCESO ICMP INTERNO
access-list DMZ-ACCESS-IN extended permit icmp object RED-DMZ any
access-list DMZ-ACCESS-IN extended permit icmp object RED-DMZ any echo
access-list DMZ-ACCESS-IN extended permit icmp object RED-DMZ any echo-reply
access-list INSIDE-ACCESS-IN remark ACCESO ICMP
access-list INSIDE-ACCESS-IN extended permit icmp object RED-LAN any
access-list INSIDE-ACCESS-IN extended permit icmp object RED-LAN any echo
access-list INSIDE-ACCESS-IN extended permit icmp object RED-LAN any echo-reply
nat (INSIDE,OUTSIDE) source static VPN-LAN-LOCAL VPN-LAN-LOCAL destination static VPN-LAN-REMOTA VPN-LAN-REMOTA no-proxy-arp route-lookup
nat (INSIDE,OUTSIDE) source static VPN-LAN-LOCAL VPN-LAN-LOCAL destination static VPN-DMZ-REMOTA VPN-DMZ-REMOTA no-proxy-arp route-lookup
nat (DMZ,OUTSIDE) source static VPN-DMZ-LOCAL VPN-DMZ-LOCAL destination static VPN-DMZ-REMOTA VPN-DMZ-REMOTA no-proxy-arp route-lookup
Regards!
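A mirror-image check of the two crypto ACLs, added here as an example (not code from the thread, from Cisco, or from either poster): it expands each side's VPN-IPSEC-1 entries from the post-change configuration above into address pairs and lists the pairs one side selects for the tunnel that the other side has no reversed entry for, which is what IKE needs to agree on proxy IDs. VPN-LAN-LOCAL and VPN-LAN-REMOTA are not defined anywhere in the thread and are assumed here to be the two /24 LAN subnets from the opening post.

```python
from ipaddress import ip_network

# Object-group contents copied from the post-change configuration in the thread.
# VPN-LAN-LOCAL / VPN-LAN-REMOTA are not shown there; ASSUMED to be the two /24
# LAN subnets named in the opening post.
LOCAL_GROUPS = {
    "VPN-LAN-LOCAL": ["20.10.2.0/24"],
    "VPN-LAN-REMOTA": ["30.10.2.0/24"],
    "VPN-DMZ-LOCAL": ["20.10.1.1", "20.10.1.2", "20.10.1.3"],
    "VPN-DMZ-REMOTA": ["30.10.1.1", "30.10.1.2", "30.10.1.3"],
}
REMOTE_GROUPS = {
    "VPN-LAN-LOCAL": ["30.10.2.0/24"],
    "VPN-LAN-REMOTA": ["20.10.2.0/24"],
    "VPN-DMZ-LOCAL": ["30.10.1.1", "30.10.1.2", "30.10.1.3"],
    "VPN-DMZ-REMOTA": ["20.10.1.1", "20.10.1.2", "20.10.1.3"],
}
for g in (LOCAL_GROUPS, REMOTE_GROUPS):
    g["NAT-VPN-REDES-REMOTA"] = g["VPN-LAN-REMOTA"] + g["VPN-DMZ-REMOTA"]

# Crypto ACL VPN-IPSEC-1 as (source-group, destination-group) pairs. The
# echo / echo-reply qualifiers are dropped: only the address pairs (proxy IDs)
# matter for whether the two sides' ACLs mirror each other.
LOCAL_ACL = [("VPN-LAN-LOCAL", "NAT-VPN-REDES-REMOTA"),
             ("VPN-DMZ-LOCAL", "VPN-DMZ-REMOTA")]
REMOTE_ACL = [("VPN-LAN-LOCAL", "NAT-VPN-REDES-REMOTA"),
              ("VPN-DMZ-LOCAL", "VPN-DMZ-REMOTA")]


def expand(acl, groups):
    """Expand group-based ACEs into a set of (src_net, dst_net) pairs."""
    return {(ip_network(s), ip_network(d))
            for src, dst in acl for s in groups[src] for d in groups[dst]}


def missing_mirrors(acl_a, groups_a, acl_b, groups_b):
    """Pairs side A selects whose reversed pair side B does not select.

    Each such pair is traffic side A will try to send through the tunnel
    while side B has no matching proxy ID, so no IPsec SA is built for it."""
    mirrored = {(d, s) for s, d in expand(acl_b, groups_b)}
    return sorted(expand(acl_a, groups_a) - mirrored, key=str)


if __name__ == "__main__":
    sides = (("local", LOCAL_ACL, LOCAL_GROUPS, REMOTE_ACL, REMOTE_GROUPS),
             ("remote", REMOTE_ACL, REMOTE_GROUPS, LOCAL_ACL, LOCAL_GROUPS))
    for name, acl, grp, other_acl, other_grp in sides:
        for s, d in missing_mirrors(acl, grp, other_acl, other_grp):
            print(f"{name}: {s} -> {d} has no mirror ACE on the other side")
```

With the groups as assumed, the check reports that 20.10.2.0/24 -> 30.10.1.x on the local side has no 30.10.1.x -> 20.10.2.0/24 counterpart on the remote side, and the same gap for the remote LAN towards the local DMZ hosts. Adding a VPN-DMZ-LOCAL -> VPN-LAN-REMOTA entry (and the matching NAT exemption) on both sides makes both crypto ACLs exact mirrors.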
on 06-09-2020 06:44 PM
Hello,
I am going to review your configuration.
Regards