11-27-2007 02:18 AM - edited 03-11-2019 04:35 AM
Hi
I established a site-to-site tunnel (ASA 5540 here) with a remote datacenter (Netscreen), in which I have a server with IP 192.168.1.x. I added 192.168.1.x to the exempt NAT rule, so I can establish a connection to this IP (RDP, telnet, etc.) from a server in my network 10.10.10.x over the tunnel. No problem until here.
Here is the issue. The datacenter allowed connections from my server there (192.168.1.x) to a global IP of theirs (xxx.75.yyy.89) on port 1111. 192.168.1.x can connect to xxx.75.yyy.89 via port 1111 fine.
What I want to achieve is: I want to reach xxx.75.yyy.89 on port 1111 from 10.10.10.x, which is at this side of the L2L tunnel.
I assume I have to set up RRAS on the remote server, but how should the configuration be on the ASA and tunnel?
Regards
Solved! Go to Solution.
11-28-2007 11:23 AM
That route should be entered on the Netscreen firewall side, as the traffic to xxx.75.yyy.89 is reachable through the Netscreen firewall. In other words, if the Netscreen does not have a route to get to yyy.89, your host behind the ASA will not hit yyy.89, and the Netscreen firewall should have the yyy.89 host in their crypto policy access list.
Who administers the Netscreen firewall side?
Rgds
Jorge
11-27-2007 06:50 AM
Hi Huseyin, let me try to understand your question so that we can help out. You have a tunnel established with a Netscreen peer, your source host behind the asa5540 is 192.168.1.x and you are not NATing this 192.168.1.x address over this tunnel. The destination host on the Netscreen side is global NAT xxx.75.yyy.89 on destination port 111. Up to here you are fine.
Now you want source IP 10.10.10.x host behind the asa5540 to be able to connect to xxx.75.yyy.89 on the same port 111. From here, you already have a tunnel with the Netscreen, and what you need to do is add another ACL entry to your tunnel access list to allow source 10.10.10.x to connect to destination host xxx.75.yyy.89 on port 111, and the other side of the tunnel on the NetScreen has to allow the 10.10.10.x source host in their tunnel access-list.
Is this what you are trying to accomplish?
Please rate any helpful post if it helps!
HTH
Jorge
11-27-2007 12:13 PM
Hi Jorge
Thanks a lot for your concern and time
I attached the network diagram. I want 10.10.10.1 to be able to connect to xxx.75.yyy.89:1111. The ASA's inside interface is 10.10.10.1's gateway. So I need 2 things:
1) The ASA must route the traffic which has xxx.75.yyy.89 as destination to 192.168.1.1 through the tunnel.
2) The 192.168.1.1 Windows server must act like a gateway (Routing and Remote Access Service).
Regards
11-27-2007 02:36 PM
Thanks for providing the diagram, a picture's worth 1000 words!! But I am still unclear on your statement, I'm definitely missing something, and please anyone may jump in to comment:
"I want 10.10.10.1 to be able to connect xxx.75.yyy.89:1111".
The ASA's current tunnel endpoint is your outside interface and the other endpoint is the Netscreen's outside interface, and you allow hosts behind the outside interface to pass traffic through the IPsec tunnel.
So you have for ASA Source 10.10.10.x
Netscreen Data Center:
Destination: 192.168.1.1 (Ports RDP, telnet)
Destination: xxx.75.yyy.89 (Port 111)
On the current tunnel the ASA will route anything you tell it through that tunnel, and that is also reachable by the Netscreen side for the destination by adding the destination address xxx.75.yyy.89 and port in the access-list of the tunnel policy. In the ASA you would add to the current crypto map policy an access-list entry with that information.
Say you currently have an ACL for RDPing to 192.168.1.1 from host 10.10.10.x:
access-list outside_cryptomap_10 permit tcp host 10.10.10.x host 192.168.1.1 eq 3389
Create a new one:
access-list outside_cryptomap_10 permit tcp host 10.10.10.x host xxx.75.yyy.89 eq 111
11-27-2007 11:56 PM
Following is the config:
crypto map outside_map 50 match address outside_50_cryptomap
crypto map outside_map 50 set peer netscreenip
crypto map outside_map 50 set transform-set ESP-3DES-MD5
access-list outside_50_cryptomap extended permit ip 10.10.10.0 255.255.255.0 host 192.168.1.1
access-list inside_nat0_outbound permit ip 10.10.10.0 255.255.255.0 host 192.168.1.1
10.10.10.1 can reach 192.168.1.1 by any port (RDP telnet was just example)
I wish the xxx.75.yyy.89 server was at the end of the tunnel and it would be as easy as just adding the crypto ACL as you mentioned, but only 192.168.1.1 can reach it, so 192.168.1.1 must be a gateway. And the ASA must route traffic to 192.168.1.1 so that if 10.10.10.1 tries to reach xxx.75.yyy.89, traffic will flow through the tunnel.
Something like below, for example:
route outside xxx.75.yyy.89 255.255.255.255 192.168.1.1
Can the ASA route the traffic above to 192.168.1.1, which is an IP at the remote site of the tunnel? Or any other suggestions?
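As an added illustration that is not part of the thread, here is a small Python checker that parses the ASA ACEs quoted above the way the ASA evaluates them (first match, implicit deny) and answers the question the thread circles: does a given flow match both the crypto ACL and the nat0 list, which it must to ride the L2L tunnel at all. 203.0.113.89 (documentation range) is a constructed stand-in for the redacted xxx.75.yyy.89, and PROPOSED_ACE is an assumed entry of the kind Jorge suggested, using the question's port 1111.

```python
import ipaddress

# Constructed sample config, modelled on the ACLs quoted in the thread.
# 203.0.113.89 (documentation range) stands in for the redacted xxx.75.yyy.89.
REMOTE_GLOBAL = "203.0.113.89"
CRYPTO_ACL = ["access-list outside_50_cryptomap extended permit ip "
              "10.10.10.0 255.255.255.0 host 192.168.1.1"]
NAT0_ACL = ["access-list inside_nat0_outbound permit ip "
            "10.10.10.0 255.255.255.0 host 192.168.1.1"]
# Assumed crypto ACE of the kind Jorge suggested, using the question's port 1111.
PROPOSED_ACE = ("access-list outside_50_cryptomap extended permit tcp "
                f"10.10.10.0 255.255.255.0 host {REMOTE_GLOBAL} eq 1111")

def _addr(tokens):
    """Consume 'host A', 'any' or 'A MASK' from tokens; return an ip_network."""
    tok = tokens.pop(0)
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0))
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}")

def parse_ace(line):
    """Parse one ASA ACE into (action, proto, src_net, dst_net, dst_port or None)."""
    tokens = line.split()[2:]            # drop 'access-list <name>'
    if tokens[0] == "extended":
        tokens.pop(0)
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _addr(tokens), _addr(tokens)
    port = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return action, proto, src, dst, port

def acl_permits(acl, src_ip, dst_ip, proto="tcp", dst_port=None):
    """First-match evaluation as the ASA does it; no match is an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl:
        action, p, snet, dnet, port = parse_ace(line)
        if p not in ("ip", proto):       # 'ip' ACEs match every protocol
            continue
        if src in snet and dst in dnet and (port is None or port == dst_port):
            return action == "permit"
    return False

def tunnel_covers(src_ip, dst_ip, dst_port, crypto_acl=CRYPTO_ACL, nat0_acl=NAT0_ACL):
    """A flow rides the L2L tunnel only if the crypto ACL and the nat0 list both match."""
    return (acl_permits(crypto_acl, src_ip, dst_ip, "tcp", dst_port)
            and acl_permits(nat0_acl, src_ip, dst_ip, "tcp", dst_port))
```

With PROPOSED_ACE appended, the crypto ACL matches 10.10.10.1 to port 1111 on the stand-in address but the nat0 list still does not, so the flow would be NATed and miss the tunnel; and neither check says anything about the Netscreen side having a route to that host, which is where the thread ends up.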
12-08-2007 08:46 AM
Thanks for your time and concern Jorge
11-30-2007 05:13 AM
Jorge, the Netscreen admin mentioned that this is not working correctly with Cisco devices.