09-22-2009 04:18 AM - edited 03-11-2019 09:18 AM
Hi, have to ask, as I've struggled long with this now. We have two sites, ASA in both ends. Can configure dmz to access inside, and static address translations for the outside, and vpn-tunnel in between the two inside networks.
But we have trouble getting the two dmz's to talk to one another, plus from the inside of site A to the dmz on site B.
Surely this example must exist, and I'm just too stupid to find it?
Layout, in general
outside/Site A - dmzA(10.0.1.0) - insideA(192.168.1.0)
                      |                   |
                vpn_tunnel_2        vpn_tunnel_1
                      |                   |
outside/site B - dmzB(10.0.2.0) - insideB(192.168.2.0)
I've tried routing f.ex. rdp from insideB to dmzA over the vpn_tunnel_1, but somehow I fail doing this.
Any pointers would be most appreciated, as services in dmzA have to be able to reach f.ex. smtp servers in dmzB.
Next step for me to try is a vpn-tunnel (vpn_tunnel_2) between the two dmz's, so that services can be utilized between the two - or is this a noob idea?
cheers / Peter
09-22-2009 04:44 AM
Add the traffic for the dmz's to your crypto acl.
Site A
access-list
access-list
access-list
Site B
access-list
access-list
access-list
Then add the traffic to a nat 0 acl for the dmz's.
Site A
access-list nonat extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list nonat extended permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (dmz) 0 access-list nonat
Site B
access-list nonat extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat extended permit ip 10.0.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (dmz) 0 access-list nonat
09-22-2009 06:29 AM
thanks, I had forgotten to add the dmz's to the crypto acl.
Now it works between dmzA and dmzB, but not from dmzB to localA, i.e. 10.0.2.20 -> 192.168.1.8: the packet inspector says "(vpn) flow denied". I must have missed something, haven't I?
cheers / Peter
09-22-2009 09:01 AM
Post your config if you're still having issues.
Please rate helpful posts.
09-22-2009 03:09 PM
I managed to solve the vpn-pair problems, and the access from dmz to inside, so traffic now flows properly between hosts not in any static translations. What remains to solve is traffic involving hosts in static translations, as that traffic does not get routed via the tunnel, but instead to the outside world. We have this to be able to have dns servers in both locations, that do report the correct external IP when you query any server either from inside or from outside our sites.
Here's a more complete listing with your fix for the traffic between the nets included, which I'm truly grateful for.
But how do we solve traffic between hosts in static translation over the tunnel?
cheers / Peter
object-group service DMZ_to_Inside
service-object icmp
service-object tcp-udp eq domain
service-object tcp eq 3389
service-object tcp-udp eq 389
service-object tcp range 2221 2222
service-object tcp-udp eq 636
service-object tcp eq 135
service-object tcp range 3268 3269
service-object udp eq 4500
service-object udp eq isakmp
service-object tcp eq 445
service-object tcp eq netbios-ssn
service-object udp eq netbios-dgm
service-object udp eq netbios-ns
service-object tcp-udp range 1024 1026
service-object tcp-udp eq 88
service-object udp eq ntp
service-object tcp-udp range 1433 1434
Site A
access-list
access-list
access-list
access-list
access-list nonat extended permit ip any 10.0.0.0 255.0.0.0
access-list nonat extended permit ip any 192.168.0.0 255.255.0.0
nat (dmz) 0 access-list nonat
access-list dmz_access_in extended permit object-group DMZ_to_Inside any 192.168.1.0 255.255.255.0
access-list dmz_access_in remark permit all traffic to less secure networks
access-list dmz_access_in extended permit ip any any
access-group dmz_access_in in interface dmz
static (outside,inside) 192.168.2.3 83.209.68.195 netmask 255.255.255.255 dns
Site B
access-list
access-list
access-list
access-list
access-list nonat extended permit ip any 10.0.0.0 255.0.0.0
access-list nonat extended permit ip any 192.168.0.0 255.255.0.0
nat (dmz) 0 access-list nonat
access-list dmz_access_in extended permit object-group DMZ_to_Inside any 192.168.2.0 255.255.255.0
access-list dmz_access_in remark permit all traffic to less secure networks
access-list dmz_access_in extended permit ip any any
access-group dmz_access_in in interface dmz
static (inside,outside) 83.209.68.195 192.168.2.3 netmask 255.255.255.255 dns
09-23-2009 04:43 AM
I think you're referring to something like this...
Site B
nat (inside) 0 access-list nonat_inside
access-list nonat_inside extended permit ip host 192.168.2.3 10.0.1.0 255.255.255.0
access-list nonat_inside extended permit ip host 192.168.2.3 192.168.1.0 255.255.255.0
Please rate helpful posts.
09-23-2009 05:29 AM
No, that's already in place with the following ruleset:
access-list inside_nat0_outbound extended permit ip any 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
The entire problem lies with the static (outside,inside) of Site B, as the UN-IP process already at the flow level stops to analyze the flow when it realises the translate of the other side is an external address, and it doesn't pair the static outside // actually local // address with the configured vpn-tunnel.
See the below packet trace, as communicating from 2.150 to 1.14 goes via the outside, but 2.150 to 1.8 takes the desired path over the vpn-tunnel. I think I can resolve this by skipping the dns translate rules, which is the only reason to keep the outside static on SiteB - but it makes it necessary to have a local domain, and another domain that is the public one. So - not the preferred way, but at least an option. If you have a better suggestion I'm happy to try it.
The packet trace is within the attachment, as it just barely exceeds 4000 characters.
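Editor's added example, not code from any poster in this thread: a small Python model of the three checks the replies above turn on (the nat 0 exemption, the static translation, and the crypto ACL compared against the post-translation addresses). It reuses the nonat and static lines posted for Site A and Site B; the crypto ACL name `outside_cryptomap` and its entries are constructed, since the thread shows those lines only as `access-list`. The order of operations it assumes (NAT exemption wins over a static for the source; statics rewrite a non-exempt source or a destination that matches a mapped address; the crypto ACL is then evaluated on the translated addresses) is a simplification of ASA 8.2 behaviour, not a reproduction of the ASA's code.

```python
"""Toy model (added example, not from the thread) of how an ASA 8.2-style
box decides whether a site-to-site flow goes into the VPN. Assumed order:
nat 0 exemption first (wins over a static for the source), then host
statics (real->mapped on the source, mapped->real on the destination),
then the crypto ACL compared against the post-NAT addresses."""
import ipaddress
import re

ACL_RE = re.compile(r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
                    r"(any|host\s+\S+|\S+\s+\S+)\s+(any|host\s+\S+|\S+\s+\S+)$")
NAT0_RE = re.compile(r"nat\s+\((\w+)\)\s+0\s+access-list\s+(\S+)")
STATIC_RE = re.compile(r"static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+255\.255\.255\.255")


def _net(spec):
    """'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' -> ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host"):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_site(config, crypto_acl):
    """Collect 'permit ip' ACL entries, nat 0 bindings and host statics; other lines are ignored."""
    site = {"crypto": crypto_acl, "acls": {}, "nat0": {}, "statics": []}
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line.strip()):
            name, src, dst = m.groups()
            site["acls"].setdefault(name, []).append((_net(src), _net(dst)))
        elif m := NAT0_RE.match(line.strip()):
            site["nat0"][m.group(1)] = m.group(2)        # ingress ifc -> nonat ACL name
        elif m := STATIC_RE.match(line.strip()):
            real_ifc, mapped_ifc, mapped, real = m.groups()
            site["statics"].append((real_ifc, mapped_ifc, ipaddress.ip_address(mapped),
                                    ipaddress.ip_address(real)))
    return site


def acl_permits(site, name, src, dst):
    return any(src in s and dst in d for s, d in site["acls"].get(name, []))


def classify(site, in_ifc, src_ip, dst_ip):
    """Return ('tunnel' | 'outside', trace) for a flow entering on in_ifc."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    nonat = site["nat0"].get(in_ifc)
    exempt = nonat is not None and acl_permits(site, nonat, src, dst)
    trace = [f"nat ({in_ifc}) 0: {'exempt' if exempt else 'not exempt'}"]
    for real_ifc, mapped_ifc, mapped, real in site["statics"]:
        if not exempt and real_ifc == in_ifc and src == real:   # source translated
            trace.append(f"static ({real_ifc},{mapped_ifc}): src {src} -> {mapped}")
            src = mapped
        if mapped_ifc == in_ifc and dst == mapped:               # destination translated
            trace.append(f"static ({real_ifc},{mapped_ifc}): dst {dst} -> {real}")
            dst = real
    if acl_permits(site, site["crypto"], src, dst):
        trace.append(f"crypto ACL matches {src} -> {dst}: encrypted into the tunnel")
        return "tunnel", trace
    trace.append(f"no crypto ACL match for {src} -> {dst}: clear text out the outside interface")
    return "outside", trace


# Crypto ACL name and entries are constructed (the thread shows them only as 'access-list');
# the nonat and static lines are the ones posted for Site A and Site B.
SITE_A = parse_site("""
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
static (outside,inside) 192.168.2.3 83.209.68.195 netmask 255.255.255.255 dns
""", "outside_cryptomap")
SITE_B_BASE = """
access-list outside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 10.0.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (dmz) 0 access-list nonat
static (inside,outside) 83.209.68.195 192.168.2.3 netmask 255.255.255.255 dns
"""
SITE_B_FIX = """
access-list outside_cryptomap extended permit ip 10.0.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
"""


def demo():
    """Verdicts for the flows discussed in the thread, before and after the fixes."""
    before = parse_site(SITE_B_BASE, "outside_cryptomap")
    after = parse_site(SITE_B_BASE + SITE_B_FIX, "outside_cryptomap")
    return {
        "dmzB->insideA, crypto ACL missing dmz->inside": classify(before, "dmz", "10.0.2.20", "192.168.1.8")[0],
        "dmzB->insideA, crypto ACL fixed": classify(after, "dmz", "10.0.2.20", "192.168.1.8")[0],
        "insideB 192.168.2.3 -> insideA, no nat (inside) 0": classify(before, "inside", "192.168.2.3", "192.168.1.8")[0],
        "insideB 192.168.2.3 -> insideA, nat (inside) 0 added": classify(after, "inside", "192.168.2.3", "192.168.1.8")[0],
        "insideA -> insideB 192.168.2.20": classify(SITE_A, "inside", "192.168.1.8", "192.168.2.20")[0],
        "insideA -> 192.168.2.3 behind static (outside,inside)": classify(SITE_A, "inside", "192.168.1.8", "192.168.2.3")[0],
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{verdict:8} {label}")
    for step in classify(SITE_A, "inside", "192.168.1.8", "192.168.2.3")[1]:
        print("   ", step)
```

Running it reproduces the thread's progression: the dmzB to insideA flow is classified "outside" until the dmz-to-inside entry is in Site B's crypto ACL; the 192.168.2.3 source leaves untranslated, and so matches the crypto ACL, only once a nat (inside) 0 entry covers it; and on Site A the `static (outside,inside)` rewrites destination 192.168.2.3 to the public address before the crypto check, so that flow is sent out the outside interface even though both nonat and crypto ACL cover 192.168.2.0/24. The printed trace for that last flow shows exactly which step diverted it, which is the same question a packet-tracer run answers on the real box.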
09-24-2009 01:47 PM
My sweet solution isn't at all sweet. By having two domains, one for the outside and the other for the inside, all services that rely on the host header (i.e. web sites, certs etc.) also have to be duplicated.
So to recap the problem: internal network, at two sites - interconnected via vpn, and dns-servers at both sites. How do we get the dns-rewrite feature to work inbound and outbound from both sites, so that all traffic regarding any internal site is still routed over the vpn-tunnel? - or is this an oversight in the design of the ASA/IOS route logic, and the only solution is to go BGP4 all the way?