CISCO ASA 5510 / DUAS INTERFACE OUTSIDE

aporcaro01
Level 1

Folks,

     I am configuring a Cisco ASA with two outgoing (outside) interfaces:

     1 - One interface named outside for the corporate users' web browsing traffic

     2 - Another interface named int_vpn for establishing VPNs with partners and customers.

     My problem is that the ASA's default route to the internet goes out via outside, while the route used to reply over the VPN is via int_vpn. The outside interface is connected directly to the company's A10 Networks load-balancing appliance, and the int_vpn interface is connected directly to the internet link.

     When the source is known, everything works: I can bring up the VPN, whether site-to-site or client-to-site (for example with a Cisco client on a notebook). But when the source is unknown, as with some client-to-site connections, the ASA replies via the outside interface and not via int_vpn.

     Is there any way to tell the ASA to reply through the same interface on which it received the VPN connection????

   Thanks

Adriano Porcaro

Accepted Solution

Julio Carvajal
VIP Alumni

Hello Adriano,

You might need to go here:

https://supportforums.cisco.com/community/portuguese

Do you understand English, so I can post the answer to this query? I was able to understand the question.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


10 Replies


Yes, I do...

   I need to know if it's possible to work around this issue. Can you give me a tip?

    Thanks

Adriano Porcaro

Hello,

Let me see if I understood the question.

You have 2 outside interfaces:

One that goes to the Internet

One that goes only to another company site (for a L2L)

You should be able to route properly as long as you send the traffic via the right interface (a more specific route for the other VPN site and a default route for the Internet).

Let me know if you can explain the issue in a little more detail, and in English.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I used Google Translate to understand your first post ;). If I understand it right, you already know to route the remote VPN networks to the "int_vpn" interface, but that only works with your site-to-site VPNs (where you know the other VPN networks).

But with your client VPN connections, since you don't know the other party's public IP addresses, you can't have a route in place, so the traffic goes out the default route through the outside interface.

The solution is to point a route for the IP pool you assign to your client VPN users out your "int_vpn" interface. This will take traffic directed to a client VPN user out that interface, which should be the interface your crypto map for the client VPN users is applied to.

Hope this helps.

-Eddie
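The reasoning in the two replies above (a default route wins for any peer that has no more specific entry, so the reply leaves on outside even though the IKE/ESP packet came in on INT_VPN) can be checked with a small longest-prefix-match simulator. This is an added example, not code from the thread or from Cisco. It transcribes the route table from the "show run route" and "show ip address" output posted later in the thread (with the "name" entries resolved to their addresses), feeds it the peer address from the "Routing failed to locate next hop" syslog line also quoted later, and shows what a /32 for a known site-to-site peer changes. The function names, the metric-0 treatment of connected networks, and the tie-break rule are assumptions of this example; it models only the static lookup, not the ASA's per-flow or crypto-map processing, and for a remote-access client whose public IP is unknown in advance there is no prefix to add, which is exactly the gap the original post describes.

```python
import ipaddress
import re

# Route table transcribed from the thread's "show run route" and "show ip address"
# output. Connected networks carry metric 0 and no next hop (an assumption of this
# example); the ASA "name" entries are resolved to the addresses shown in "show names".
ASA_ROUTES = [
    # (interface, prefix, next_hop, metric)
    ("outside",   "172.22.1.0/28",     None,             0),
    ("INT_VPN",   "200.232.28.128/25", None,             0),
    ("inside",    "10.132.0.0/22",     None,             0),
    ("DMZ",       "192.168.17.0/24",   None,             0),
    ("dmz_teste", "192.100.0.0/24",    None,             0),
    ("outside",   "0.0.0.0/0",         "172.22.1.6",     1),  # IP_GATEWAY_A10
    ("inside",    "10.7.0.0/16",       "10.132.0.1",     1),
    ("INT_VPN",   "10.151.64.0/24",    "200.232.28.129", 1),  # IP_GATEWAY_LINK_VIVO_01
]


def lookup(dst, routes=ASA_ROUTES):
    """Longest-prefix match; on equal prefix length the lower metric wins.
    Returns (interface, next_hop) or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for ifc, prefix, next_hop, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        key = (net.prefixlen, -metric)
        if best is None or key > best[0]:
            best = (key, ifc, next_hop)
    return None if best is None else (best[1], best[2])


def reply_leaves_on_ingress(ingress_ifc, peer_ip, routes=ASA_ROUTES):
    """True when the route lookup for the peer picks the interface the peer's
    packet arrived on, i.e. the reply path is symmetric."""
    match = lookup(peer_ip, routes)
    return match is not None and match[0] == ingress_ifc


def with_host_route(routes, ifc, peer_ip, next_hop):
    """Return a copy of the table with a /32 for a known peer: the 'more specific
    route' the thread recommends for site-to-site peers whose address is known."""
    return routes + [(ifc, f"{peer_ip}/32", next_hop, 1)]


def peer_from_syslog(line):
    """Pull (interface, ip) out of the 'to IFC:IP/port' field of the ASA
    'Routing failed to locate next hop' message quoted in the thread."""
    m = re.search(r"\bto ([^\s:]+):(\d+(?:\.\d+){3})/\d+", line)
    return (m.group(1), m.group(2)) if m else None


# The syslog line posted later in the thread (copied from the page, not constructed).
LOG_LINE = ("Routing failed to locate next hop for udp from "
            "NP Identity Ifc:200.232.28.134/62465 to INT_VPN:177.69.140.200/62465")

if __name__ == "__main__":
    ifc, peer = peer_from_syslog(LOG_LINE)
    print("peer from syslog:", peer, "seen on", ifc)
    print("plain lookup:", lookup(peer))                           # ('outside', '172.22.1.6')
    print("symmetric?", reply_leaves_on_ingress(ifc, peer))        # False
    fixed = with_host_route(ASA_ROUTES, "INT_VPN", peer, "200.232.28.129")
    print("with /32:", lookup(peer, fixed))                        # ('INT_VPN', '200.232.28.129')
    print("symmetric?", reply_leaves_on_ingress(ifc, peer, fixed)) # True
```

With the table as posted, 177.69.140.200 only matches the default route, so the reply is chosen for outside while the packet arrived on INT_VPN; the 10.151.64.0/24 entry shows why a known site-to-site network already behaves correctly. Adding a /32 for that peer flips the lookup to INT_VPN, which is the static-route fix the replies describe for peers with a known address; it does nothing for a remote-access client whose public address is not known in advance.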

Eddie,

I tried to point a route to the IP pool of the client, but the ASA still tries to return via the outside interface... the default route of the ASA.

Thanks

Adriano

Hi,

   Yes, I have two outside interfaces, but both go to the INTERNET. One of the interfaces is connected to a box that does balancing across 3 ISP providers, called AX from A10 Networks, and this box is connected to the internet.

The other interface is connected directly to the Internet. I have to do this because the AX box can't work with IPsec VPN... just with PPTP :-( ...

  The question here is that when I receive a packet on int_vpn, the ASA must answer on this interface... and not via the default route that points to the balancer.

   As Eddie wrote, when the other peer is a site-to-site VPN I know the public IP address and I just point a route to int_vpn, but when the client is using the Cisco VPN Client we don't know the public IP address... the packet arrives on the int_vpn interface but the ASA tries to answer via the outside interface, which is the default route of the ASA.

Now I'm at home... tomorrow early I'll try to point a route to the IP pool of the client. After that I'll let you know if it works well.

By the way, does anybody here know the AX balancer from A10 Networks??? The seller told my boss that the VPN would work fine... but it doesn't.... something goes wrong when it tries Phase 2 of the VPN... I think that is because between the AX and the ASA I'm using an internal VLAN....

Thanks for all...

Regards,

Adriano

Could you post the output of the following commands?

show run crypto

show run interface

show run route

show ip address


Following the information.

====================================================
FWHSL01# show names
name 172.22.1.0 REDE_ASA_A10
name 172.22.1.6 IP_GATEWAY_A10
name 200.232.28.129 IP_GATEWAY_LINK_VIVO_01
======================================================
FWHSL01# show run crypto
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TESTEAX esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map INT_VPN01_map 1 match address INT_VPN01_1_cryptomap
crypto map INT_VPN01_map 1 set pfs
crypto map INT_VPN01_map 1 set connection-type answer-only
crypto map INT_VPN01_map 1 set peer 177.69.140.200
crypto map INT_VPN01_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set connection-type answer-only
crypto map outside_map 1 set peer 177.69.140.200
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map0 1 match address outside_1_cryptomap_1
crypto map outside_map0 1 set pfs
crypto map outside_map0 1 set connection-type answer-only
crypto map outside_map0 1 set peer 177.69.140.200
crypto map outside_map0 1 set transform-set ESP-AES-256-SHA
crypto map outside_map0 1 set reverse-route
crypto map INT_VPN_map 1 match address INT_VPN_1_cryptomap
crypto map INT_VPN_map 1 set pfs
crypto map INT_VPN_map 1 set connection-type answer-only
crypto map INT_VPN_map 1 set peer 177.69.140.200
crypto map INT_VPN_map 1 set transform-set ESP-AES-256-SHA
crypto map INT_VPN_map 1 set reverse-route
crypto map INT_VPN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map INT_VPN_map interface INT_VPN
crypto isakmp enable outside
crypto isakmp enable INT_VPN
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
FWHSL01#
=====================================================
FWHSL01# show run interface
!
interface Ethernet0/0
 description Trunk Interface for Outside Networks
 no nameif
 security-level 0
 no ip address
!
interface Ethernet0/0.1
 vlan 172
 nameif outside
 security-level 0
 ip address 172.22.1.1 255.255.255.240
!
interface Ethernet0/0.2
 vlan 900
 nameif INT_VPN
 security-level 10
 ip address 200.232.28.134 255.255.255.128
!
interface Ethernet0/1
 description Trunk Interface for Inside Networks
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.1
 description INSIDE INTERFACE
 vlan 100
 nameif inside
 security-level 100
 ip address 10.132.0.3 255.255.252.0
!
interface Ethernet0/1.2
 description DMZ INTERFACE
 vlan 804
 nameif DMZ
 security-level 90
 ip address 192.168.17.1 255.255.255.0
!
interface Ethernet0/1.3
 vlan 811
 nameif dmz_teste
 security-level 30
 ip address 192.100.0.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
FWHSL01#
======================================================
FWHSL01(config)# show run route
route outside 0.0.0.0 0.0.0.0 IP_GATEWAY_A10 1
route inside 10.7.0.0 255.255.0.0 10.132.0.1 1
route INT_VPN 10.151.64.0 255.255.255.0 IP_GATEWAY_LINK_VIVO_01 1
====================================================
FWHSL01# sh ip address
System IP Addresses:
Interface                Name                   IP address      Subnet mask      Method
Ethernet0/0.1            outside                172.22.1.1      255.255.255.240  CONFIG
Ethernet0/0.2            INT_VPN                200.232.28.134  255.255.255.128  manual
Ethernet0/1.1            inside                 10.132.0.3      255.255.252.0    CONFIG
Ethernet0/1.2            DMZ                    192.168.17.1    255.255.255.0    CONFIG
Ethernet0/1.3            dmz_teste              192.100.0.1     255.255.255.0    manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask      Method
Ethernet0/0.1            outside                172.22.1.1      255.255.255.240  CONFIG
Ethernet0/0.2            INT_VPN                200.232.28.134  255.255.255.128  manual
Ethernet0/1.1            inside                 10.132.0.3      255.255.252.0    CONFIG
Ethernet0/1.2            DMZ                    192.168.17.1    255.255.255.0    CONFIG
Ethernet0/1.3            dmz_teste              192.100.0.1     255.255.255.0    manual
================================================================

The error is: 6 Jul 17 2013 16:31:35 200.232.28.134 62465 177.69.140.200 62465 Routing failed to locate next hop for udp from NP Identity Ifc:200.232.28.134/62465 to INT_VPN:177.69.140.200/62465

Is there any way for you to post the output while keeping the line breaks intact? It's rather difficult to sift through currently.
