03-28-2014 07:09 AM - edited 03-11-2019 09:00 PM
Is there anybody on the web who can give me a little help?
I am replacing a Linux firewall with an ASA 5505. Additionally, there is an OpenVPN server. The ASA 5505 is the default gateway.
The ASA 5505 works, but there is a little problem. The users use the VPN connection for remote access to their desktops. The OpenVPN server is connected to the DMZ and the LAN. The VPN connection works; I can ping the LAN IP address of the OpenVPN server. But when I attempt to connect to a desktop I get no connection. In the report on the ASA 5505 I can see that the response reaches the firewall but is not forwarded to the OpenVPN server.
We use the following addresses:
VPN address range 10.8.0.0/24
LAN address range 192.168.100.0/24
IP inside address of the ASA 192.168.100.252
LAN IP address of the OpenVPN server 192.168.100.251
On the Linux firewall I set a route to the OpenVPN gateway and the OpenVPN connection works.
I've made the same configuration on the ASA 5505, but the result isn't the same:
route inside 10.8.0.0 255.255.255.0 192.168.100.251 1
The ASA 5505 is a routing firewall just like the Linux firewall, or is there any difference?
It is the first time I've set up an ASA with this special configuration and I'm a little stumped.
Thanks for any help.
For a better understanding I've made a drawing which shows the components and the path of a VPN connection (arrows). The dashed arrow is the connection with the problem.
03-28-2014 07:59 AM
That's not a setup the ASA likes as there is no real hairpinning (routing on a stick) on the ASA.
What you can do:
03-31-2014 07:52 AM
Hi Karsten Iwen,
thanks for the replies. Points 1 to 3 are not an option for us. What do you mean by point 4? Should I change the static route from the LAN IP of the OpenVPN server to its DMZ IP? Should that work? I will check it.
I have searched for a solution using hairpinning on the ASA and found several that explain how to reroute traffic when you have a second router in your LAN. That makes sense. But my problem is telling traffic for the VPN IP pool where to go.
The instructions for hairpinning on the inside interface are:
same-security-traffic permit intra-interface
global (inside) 1 interface
What am I to do now? Should I use NAT, or not? What about the TCP state bypass feature?
I tested some configurations, but the VPN connection doesn't work. I think I've made an error in reasoning, but I don't know where. Any ideas?
Regards
Joachim Schacht
04-02-2014 03:07 AM
I think what Karsten mentioned points to the asymmetric routing issue, because your OpenVPN server has bridged your LAN and DMZ. Karsten has provided many solutions. I think 1 and (4+5) are the most common fixes in the real world.
04-02-2014 04:02 AM
TCP state bypass by itself will not solve your issue, as traffic would need to pass through the OpenVPN server to be encrypted. You would also need to add a static route on the ASA to point all VPN traffic to the OpenVPN server. I do not recommend doing this as it can get quite messy and troublesome if you need to troubleshoot an issue.
So, as Karsten has mentioned (I will try to put it in different words), you will need to either remove the link from the VPN server to the local LAN and have this traffic routed back through the firewall instead. This would also mean you need to add a route on the firewall for the VPN traffic so it points to the DMZ and the OpenVPN server.
The other option is to add static routes on the client PCs so that VPN traffic is sent directly to the OpenVPN server. This is not very scalable if you have a lot of host machines that the static route needs to be configured on, but it might be doable using scripts... if you are good at that type of thing.
--
Please remember to rate and select a correct answer
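As an added example that is not part of the original thread, here is what the first option described above (unplugging the OpenVPN server's LAN leg and routing the VPN pool through the DMZ) looks like in ASA configuration. The LAN range 192.168.100.0/24 and the VPN pool 10.8.0.0/24 are taken from the thread; the interface name `dmz`, the DMZ subnet 192.168.200.0/24, the OpenVPN server's DMZ address 192.168.200.251, the RDP port and the post-8.3 NAT syntax are assumptions for illustration.

```text
! Added example, not from the thread. Assumes ASA 8.3+/9.x syntax, an
! interface named "dmz" on 192.168.200.0/24 and the OpenVPN server's
! DMZ leg at 192.168.200.251 (all assumptions).
!
! 1. Reach the VPN pool via the OpenVPN server's DMZ address, so
!    client<->desktop traffic crosses the ASA in both directions
!    (inside->dmz and dmz->inside) instead of one leg bypassing it.
!    The old route to the LAN address must go; with the LAN leg
!    unplugged it would black-hole the pool.
no route inside 10.8.0.0 255.255.255.0 192.168.100.251 1
route dmz 10.8.0.0 255.255.255.0 192.168.200.251 1
!
! 2. Identity NAT (NAT exemption) between LAN and VPN pool, so the
!    desktops see real 10.8.0.x client addresses and the OpenVPN
!    server sees real 192.168.100.x addresses.
object network LAN-NET
 subnet 192.168.100.0 255.255.255.0
object network VPN-POOL
 subnet 10.8.0.0 255.255.255.0
nat (inside,dmz) source static LAN-NET LAN-NET destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
!
! 3. dmz has a lower security level than inside, so sessions the VPN
!    clients open towards the desktops need an explicit permit.
!    Permit only the remote-desktop ports you really use rather than
!    "permit ip" (RDP/3389 is just the assumed example here).
access-list DMZ_IN extended permit tcp 10.8.0.0 255.255.255.0 192.168.100.0 255.255.255.0 eq 3389
access-list DMZ_IN extended permit icmp 10.8.0.0 255.255.255.0 192.168.100.0 255.255.255.0 echo
access-group DMZ_IN in interface dmz
!
! 4. Verify without a client: simulate a VPN client opening RDP to a
!    desktop, and a session in the opposite direction. Both traces
!    should end with "Action: allow" and show the dmz route/NAT above.
packet-tracer input dmz tcp 10.8.0.10 40000 192.168.100.20 3389
packet-tracer input inside tcp 192.168.100.20 50000 10.8.0.10 22
!
! "same-security-traffic permit intra-interface" from the thread is
! not needed in this design: nothing enters and leaves the ASA on the
! same interface any more.
```

Two caveats a practitioner would check before committing this: on a pre-8.3 image the exemption is written as `nat (inside) 0 access-list <acl>` instead of the object-based `nat (inside,dmz)` line, and an ASA 5505 with a Base license allows only a restricted third VLAN, whose `no forward interface` setting blocks sessions initiated from that VLAN towards one of the other two, which would silently defeat step 3 if the DMZ is that VLAN. The per-host alternative from the last reply is simply a persistent route on each client, for example `route -p add 10.8.0.0 mask 255.255.255.0 192.168.100.251` on Windows, with the ASA then needing no route for the pool at all.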