cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11769
Views
0
Helpful
33
Replies

Allow only one host access to VPN site to site tunnel

ubergeek1
Level 1
Level 1

Hello,

I have a ASA 5510 that has multiple site to site VPNs. I need to create an additiona site to site VPN but only allow 1 host to access and traverse the tunnel. The network is on a 192.168.5.x but the host that will need to access this tunnel needs to be on a 172.16.33.x network. I dont want any other traffic allowed to access or traverse the VPN tunnel for this host.  How can I set this up? Any code examples would be great. Thanks

3 Accepted Solutions

Accepted Solutions

No worries, have fun!!

View solution in original post

Ohhhh, and just realise, where do you actually try to send the traffic ffrom?

I don't see any route inside for the ip address in your static NAT acl: 192.168.5.40.

I think it would be best if you advise me your requirement again, ie: which subnet are you trying to send the traffic from, and what are you trying to NAT to, and what is the destination subnet.

View solution in original post

Yup, you would need the route inside command, otherwise, it won't know how to route the traffic back.

route inside 192.168.5.40 255.255.255.255 172.16.85.253

View solution in original post

33 Replies 33

Jennifer Halim
Cisco Employee
Cisco Employee

Pls share your existing configuration to understand your topology. Where is this 172.16.33.x network connected to?

Hi Jennifer,

Thank you for your reply. Here is what I have, please excuse my rudimentray drawing:

[HOST 172.16.33.x]---------VLAN------------[3750G]------------------------[ASA 5510]

The entire network is a 192.168.5.x network space. The vlan is the only subnet in the 172.16.33.x range with one host connected.

Thanks

From this diagram it looks like your 3750 is terminating the vlan and doing the routing between the two vlans?

Yes that is correct. I currently do not have a vlan on the ASA.

On the ASA, you would need to have the following configured:

1) Route for 172.16.33.x towards the 3750G 192.168.5.x ip address.

2) VPN crypto ACL should include the 172.16.33.x host/network

3) NAT exemption also need to include the 172.16.33.x host/network

On the remote end, you would need to have a mirror image crypto acl that include the 172.16.33.x as well. NAT exemption on the remote end should also include that.

If you can share your config from both ends, I can assist to incorporate that into your existing configuration.

Hi Jennifer,

Here is the ASA config:

ASA Version 8.2(1)

!

hostname fw

domain-name xxxxx

enable password k4HlcGX2lC1ypFOm encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address xxx.xxx.xxx.xxx 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 172.16.75.254 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

nameif DMZ

security-level 50

ip address 192.168.75.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name xxxxxxxxxxxxxxxxxxxxxxxx

access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq www

access-list DMZtoInside extended permit tcp host 192.168.75.5 host 192.168.5.xx eq 1433

access-list DMZtoInside extended deny ip any 192.168.0.0 255.255.255.0

access-list DMZtoInside extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

global (DMZ) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (DMZ) 1 0.0.0.0 0.0.0.0

nat (management) 1 0.0.0.0 0.0.0.0

static (DMZ,outside) tcp xxx.xxx.xxx.xxx www 192.168.75.5 www netmask 255.255.255.255

static (DMZ,outside) tcp xxx.xxx.xxx.xxx https 192.168.75.5 https netmask 255.255.255.255

static (inside,DMZ) 192.168.5.xx 192.168.5.xx netmask 255.255.255.255

access-group outside_access_in in interface outside

access-group DMZtoInside in interface DMZ

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

route inside 192.168.5.xx 255.255.255.255 172.16.75.253 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-reco

rd DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstartcrypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:e6f986d4427

504d675bb1

ca51a81534

5

: end

Thanks

I don't see any VPN configuration on this ASA. Are you terminating the VPN somewhere else?

Hi Jennifer,

My apologies, I should have clarified. Currently there are no VPN configurations on this ASA. After I am done with this tunnel, I plan to migrate several other tunnels that now terminate on a old PIX 515 to this ASA. I don't have access to the other side but this is what they require:

IKE =>  3DES/SHA/DH2
IPSEC => 3DES/SHA - no PFS

Local network: 198.xx.xxx.xx   (their svr address)
Remote network: 172.xx.xx.xx  (will need to translate into this
address.) 

Thanks

The configuration on the ASA version 8.2.1 is the same as your PIX. The only difference is the pre-shared key is now configured under the tunnel-group configuration. Other than that, all the config is pretty much the same.

Do you actually have 172.16.33.x configured on your host/network? or you actually need to translate your internal subnet to 172.16.33.x when accessing the remote LAN?

I dont have a 172.16.33.x on my internal network, I would need to translate the host on my internal network to the 172.16.33.x when accessing the remote LAN. I also want only the one host to access the remote LAN.

I looked at the PIX config for the site2site VPNs that I will have to migrate eventually and here is what I have:

crypto map ch-vpn 20 ipsec-isakmp
crypto map ch-vpn 20 match address encrypt-location
crypto map ch-vpn 20 set peer xx.xx.xx.xx
crypto map ch-vpn 20 set transform-set ch-strong

isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

All I need is an access-list and a route inside and outside to add to the above to migrate each one over. I have 6 site2site VPNs to migrate, so the crypto map starts at 10 and ends at 60, however the isakmp policy starts at 10 and ends at 20. Shouldn't I have a isakmp policy for each crypto map entry? Thanks

No, you don't need 1 isakmp policy for each crypto map entry. The isakmp policy needs to be listed so it can be negotiated with the remote end as long as there is a match policy. It will go down the list of isakmp policies configured until a match is found.

If you want to NAT your internal network to 172.16.33.x when going to the remote end, here is the NAT statement:

access-list nat-to-remote permit ip

nat (inside) 5 access-list nat-to-remote

global (outside) 5 172.16.33.x

The crypto ACL will say:

access-list crypto-acl permit ip host 172.16.33.x

Hi Jennifer,

What do you think of this:

access-list nat-to-remote permit ip

nat (inside) 5 access-list nat-to-remote

global (outside) 5 172.16.33.x

route outside [Public IP of Remote Network] 255.255.255.255 {Public IP of my ASA] 1

route outside 172.XX.XX.XX 255.255.255.0 [ASA Default Gateway] 1

crypto map ch-vpn 60 ipsec-isakmp

crypto map ch-vpn 60 match address encrypt-tran

crypto map ch-vpn 60 set peer xx.xx.xx.xx

crypto map ch-vpn 60 set transform-set ch-strongcrypto map ch-vpn 60 ipsec-isakmp
crypto map ch-vpn 60 match address encrypt-tran
crypto map ch-vpn 60 set peer xx.xx.xx.xx
crypto map ch-vpn 60 set transform-set ch-strong

isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255

or

Would it be easier to place this host in its own subnet (172.16.33.xx) in a vlan off the switch and point it to the ASA as the default gateway for the remote network?

Thanks for all your help on this Jennifer!

You don't need to configure the following 2 routes as it would just route via your ASA default gateway:

route outside [Public IP of Remote Network] 255.255.255.255 {Public IP of my ASA] 1

route outside 172.XX.XX.XX 255.255.255.0 [ASA Default Gateway] 1

It's probably easier to configure those NAT statement on the ASA because even if you place it on its own VLAN, you still need to configure:

1) route on the ASA to point the 172.x.x.x network back off your ASA inside interface

2) NAT exemption on your ASA

While with the NAT statement advised earlier, those are all you need, no need to configure static route on the ASA.

So all I need then is:

access-list nat-to-remote permit ip

nat (inside) 5 access-list nat-to-remote

global (outside) 5 172.16.33.x

access-list crypto-acl permit ip host 172.16.33.x

crypto map ch-vpn 60 ipsec-isakmp

crypto map ch-vpn 60 match address encrypt-tran

crypto map ch-vpn 60 set peer xx.xx.xx.xx

crypto map ch-vpn 60 set transform-set ch-strongcrypto map ch-vpn 60 ipsec-isakmp
crypto map ch-vpn 60 match address encrypt-tran
crypto map ch-vpn 60 set peer xx.xx.xx.xx
crypto map ch-vpn 60 set transform-set ch-strong

isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255

Does that look right?

Review Cisco Networking for a $25 gift card