ASA 5505 inside routing

Joachim Schacht
Level 1

Is there anybody out in the www who can give me a little help?

I replaced a Linux firewall with an ASA 5505. Additionally there is an OpenVPN server. The ASA 5505 is the default gateway.

The ASA 5505 works, but there is a little problem. The users use the VPN connection for remote access to their desktops. The OpenVPN server is connected to the DMZ and the LAN. The VPN connection works; I can ping the LAN IP address of the OpenVPN server. But when I attempt to connect to a desktop I get no connection. In the report on the ASA 5505 I can see the response reach the firewall, but it is not forwarded to the OpenVPN server.

We use the following addresses:

  VPN address range:                    10.8.0.0/24
  LAN address range:                    192.168.100.0/24
  Inside IP address of the ASA:         192.168.100.252
  LAN IP address of the OpenVPN server: 192.168.100.251

On the Linux firewall I set a route to the OpenVPN gateway and the OpenVPN connection works.

I've made the same configuration on the ASA 5505, but the result isn't the same:

route inside 10.8.0.0 255.255.255.0 192.168.100.251 1

The ASA 5505 is a routing firewall just like the Linux firewall. Or is there any difference?

It is the first time I have set up an ASA with this special configuration and I'm a little stumped.

Thanks for any help.

For a better understanding I've made a drawing which shows the components and the path of a VPN connection (arrows). The dashed arrow is the connection with the problem.

4 Replies

That's not a setup the ASA likes as there is no real hairpinning (routing on a stick) on the ASA.

What you can do:

  1. If you want to keep that setup you can configure all internal systems with a static route for your VPN-network that points to the openVPN-Server.
  2. You can make the Linux-Box the default-gateway and reroute the internet-traffic to the ASA. That probably needs some Routing-voodoo on the linux-side.
  3. Migrate from openVPN to AnyConnect on the ASA and eliminate the openVPN-server.
  4. Remove the internal link of the openVPN-server. With that, the IP-Pool of the openVPN has to be routed from the ASA to the server on the DMZ-Link and the openVPN works as a "gateway on a stick" which is a quite common scenario.
  5. Based on 4) you can place the inside interface of the openVPN-server on a new firewall interface on the ASA. Then you have one ASA-interface that only carries VPN-traffic and one interface that only carries the decrypted traffic.

Hi Karsten Iwen,

thanks for the replies. Points 1 – 3 are ineligible. What do you mean with point 4? Should I change the static route from the LAN IP of the OpenVPN server to its DMZ IP? Should that work? I will check it.

I have searched for a solution using hairpinning with the ASA and found several solutions explaining how to reroute traffic when you have a second router in your LAN. That stands to reason. But my problem is how to tell the VPN IP pool where to go.

The instructions for hairpinning on the inside interface are:

same-security-traffic permit intra-interface

global (inside) 1 interface

What should I do now? Should I use NAT or not? What about the TCP state bypass feature?

I tested some configurations, but the VPN connection doesn't work. I think I've made an error in reasoning, but I don't know where. Any ideas?

Regards

Joachim Schacht

I think what Karsten mentioned points to the asymmetric routing issue, because your OpenVPN server has bridged your LAN and DMZ. Karsten has provided many solutions. I think 1 and (4+5) are the most common ways to fix it in the real world.

TCP bypass by itself will not solve your issue, as traffic would need to pass through the openVPN server to be encrypted. You would need to also add a static route on the ASA to point all VPN traffic to the openVPN server. I do not recommend doing this as it can get quite messy and troublesome if you need to troubleshoot an issue.

So as Karsten has mentioned (I will try to put it in different words), you will need to either remove the link from the VPN server to the local LAN and have this traffic routed back through the firewall instead. This would also mean you need to add a route in the firewall for the VPN traffic so it points to the DMZ and the openVPN server.

The other option is to add static routes on the client PCs so that VPN traffic is sent directly to the openVPN server. This is not very scalable if you have a lot of host machines that the static route needs to be configured on, but it might be doable using scripts, if you are good at that type of thing.

--

Please remember to rate and select a correct answer
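Option 4 from Karsten's list, restated in the last reply (OpenVPN server reachable only over the DMZ, VPN pool routed there by the ASA), as an added example configuration that is not from any of the posts above. It assumes the DMZ interface is named dmz, the OpenVPN server's DMZ address is 192.168.200.251 (a constructed placeholder), pre-8.3 NAT syntax to match the global (inside) 1 interface line quoted earlier, and that the OpenVPN server's LAN leg has been removed.

```text
! Added example, pre-8.3 ASA syntax. Assumptions: DMZ nameif "dmz",
! OpenVPN server DMZ address 192.168.200.251 (constructed placeholder),
! OpenVPN server's LAN leg removed so every VPN packet enters via dmz.

! 1. Point the VPN pool at the OpenVPN server on the DMZ, not at a LAN address.
no route inside 10.8.0.0 255.255.255.0 192.168.100.251 1
route dmz 10.8.0.0 255.255.255.0 192.168.200.251 1

! 2. Exempt LAN <-> VPN-pool traffic from the interface PAT so both sides
!    see real addresses (nat 0 with an ACL is applied in both directions).
access-list NONAT extended permit ip 192.168.100.0 255.255.255.0 10.8.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 3. Admit only the VPN pool from the DMZ, and only toward the LAN.
!    Any other DMZ traffic the server already needs (e.g. its own updates)
!    must be added here too, since the access-group denies everything else.
access-list DMZ_IN extended permit ip 10.8.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-group DMZ_IN in interface dmz

! 4. Verify both directions on the ASA before touching any desktop.
show route
packet-tracer input dmz tcp 10.8.0.5 40000 192.168.100.10 3389
packet-tracer input inside tcp 192.168.100.10 3389 10.8.0.5 40000
```

With the VPN pool entering on its own interface, the hairpinning commands quoted above (same-security-traffic permit intra-interface) are no longer needed, and the desktops' replies to 10.8.0.0/24 now travel inside -> ASA -> dmz, so the ASA sees both halves of every connection instead of only the return packet.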
