Using Cisco ASA outside interface for IPSEC tunnel and Remote VPN

mahesh18
Level 6

Hi Everyone,

We have a Cisco ASA 5520 configured for remote VPN, where users running Windows laptops use the VPN client software to connect to the company network.

Now for a new project I need to configure a site-to-site IPsec tunnel for a vendor to connect to our network.

For this I need to use the ASA outside interface.

I need to know: if I configure the ASA outside interface for site-to-site IPsec, will it cause any issues with the ASA config for Remote VPN users?

Will it cause any issues for Remote VPN connections?

Regards

Mahesh


8 Replies

Hi.
There should be no issues running a Site-to-Site VPN and Remote Access VPN on the same outside interface.

HTH

This will work fine.  I do this all the time.  What you do is NAT your interesting traffic to your interface IP with destination of the remote side of the VPN, then configure your site to site VPN with the public IP of your ASA.

NAT example:

object network LOCAL-LAN
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 11.1.1.0 255.255.255.0
nat (inside,outside) source dynamic LOCAL-LAN interface destination static REMOTE-LAN REMOTE-LAN

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

Happy to see a reply from you.

We are running old code:

Cisco Adaptive Security Appliance Software Version 8.2(5)59
Device Manager Version 6.4(9)

What we want is that the inside traffic subnet 10.96.96.0/24 going to the vendor network can access the 10.70.160.0/29 network.

This is a private network connection that goes via our ISP and it is using 172.24.x.x and 10.x.x.x networks.

Outside Interface IP is 10.61.10.20.

We do not want any NAT.

So this NAT config is good:

static (inside,outside) 10.96.96.0 10.96.96.0 netmask 255.255.255.0

crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac

access-list LAN_Traffic extended permit ip 10.96.96.0 255.255.255.0 10.71.160.0 255.255.255.248

tunnel-group 172.24.32.115 type ipsec-l2l
tunnel-group 172.24.32.115 ipsec-attributes
 pre-shared-key XXXXXXXXXX

crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set peer 172.24.32.115
crypto map L2L 1 set transform-set L2L
crypto map L2L interface outside

Is this config good?

Please check.

And the security policy will allow any traffic from 10.96.96.x to 10.70.160.x, right?

Also, I need a security policy to allow traffic from the vendor to our network if the vendor pings from subnet 10.70.160.0 to 10.96.96.2, right?

Yes, the configuration looks good. However, you are running old software which is EOL, so consider doing an upgrade. The document here describes how to set up a site-to-site VPN on version 8.0.

Your configuration for NAT will be like this:

nat (inside) 0 access-list inside_nat0_outbound
!
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 remote 255.255.255.0

 

And security policy will allow any traffic from 10.96.96.x to 10.70.160.x right?

correct.

Also I need security policy to allow traffic from vendor to our network if vendor ping from subnet 10.70.160.0 to 10.96.96.2 right?

correct

please do not forget to rate.

Need to confirm that the NAT config below is correct.

Also, this NAT will only apply to the below NAT config, right?

nat (inside) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended permit ip 10.96.96.0 255.255.255.0 10.70.10.0 255.255.255.248

 

Yes, correct. Here is the sample configuration.

crypto isakmp enable outside
!
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 8.8.8.8 type ipsec-l2l
tunnel-group 8.8.8.8 ipsec-attributes
 pre-shared-key superman
!
access-list 100 extended permit ip 10.96.96.0 255.255.255.0 10.70.10.0 255.255.255.248
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map outside_map 10 set peer 8.8.8.8
crypto map outside_map 10 match address 100
crypto map outside_map 10 set transform-set myset
crypto map outside_map 10 set pfs
crypto map outside_map interface outside
!
group-policy SITE_A internal
!
group-policy SITE_A attributes
 vpn-tunnel-protocol ipsec
 vpn-idle-timeout none
!
tunnel-group 8.8.8.8 general-attributes
 default-group-policy SITE_A
!
NAT Exemption: the access list that defines the traffic to be exempted from the NAT checks. In this version, it looks similar to the access list that you defined for the traffic of interest:
!
access-list nonat line 1 extended permit ip 10.96.96.0 255.255.255.0 10.70.10.0 255.255.255.248
!
The access list is used with the NAT, as shown here:
!
nat (inside) 0 access-list nonat
!
Note: The inside here refers to the name of the inside interface on which the ASA receives the traffic that matches the access list.

Please do not forget to rate.

Hi Sheraz,

Many thanks for answering all the questions.

Regards

Mahesh

Seems one thing needs to be confirmed, as we want to allow traffic which is initiated from outside to inside, like below:

access-list outside_acl extended permit tcp host 10.70.160.2 10.96.96.0 255.255.255.0 eq 554 log
access-list outside_acl extended permit tcp host 10.70.160.3 10.96.96.0 255.255.255.0 eq 554 log

Also, for the inside interface I have the below ACL already configured, say:

access-list inside_acl extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.2 eq 80 log
access-list inside_acl extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.3 eq 80 log

So in the crypto map, how will I refer to these; which name do I need to refer to?

Do I need to create a new ACL, name it say nonat, and configure the above ACL entries there?
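Before a thread like this goes to production, the pieces worth checking mechanically are the ones the posts kept tripping over: whether every dotted netmask in the ACLs is well-formed (the /29 was typed as 255.255.248 several times above), whether the nat 0 exemption ACL mirrors the crypto ACL exactly, which ACL the crypto map's match address actually references, and which interface ACL entry a given flow hits. The script below is an added example written for this thread; it is not code from the Cisco Community posts or from Cisco. It parses only the ASA 8.2 extended-ACL forms used in the thread (ip/tcp, any, host A, A MASK, eq PORT, log), and the sample lines are constructed from the configs above with the /29 mask written out in full.

```python
"""Consistency checks for ASA 8.2-style crypto, NAT-exemption and interface ACLs.

Added example for this thread (not Cisco's or the posters' code). Handles the
extended ACL syntax the posts use: permit|deny, ip|tcp, any, host A, A MASK, eq PORT, log.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

ACE_RE = re.compile(
    r"^access-list\s+(\S+)(?:\s+line\s+\d+)?\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$"
)
MATCH_ADDR_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)\s*$")


@dataclass(frozen=True)
class Ace:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]  # destination port from 'eq', None when absent


def _take_net(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any' | 'host A' | 'A MASK'. Raises ValueError on a bad mask."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    # ipaddress validates the dotted mask: a three-octet or non-contiguous mask raises ValueError
    return ipaddress.IPv4Network((tok, mask), strict=False)


def parse_ace(line: str) -> Ace:
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    acl, action, proto, rest = m.groups()
    tokens = rest.split()
    src = _take_net(tokens)
    dst = _take_net(tokens)
    port = None
    if tokens[:1] == ["eq"]:
        port = int(tokens[1])
        del tokens[:2]
    # whatever is left (e.g. 'log') does not affect matching
    return Ace(acl, action, proto, src, dst, port)


def parse_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(line) for line in lines]


def is_valid_ace(line: str) -> bool:
    """True when the line parses, including a well-formed dotted netmask."""
    try:
        parse_ace(line)
        return True
    except ValueError:
        return False


def nat0_mirrors_crypto(crypto: List[Ace], nonat: List[Ace]) -> bool:
    """The exemption ACL must permit exactly the src/dst pairs the crypto ACL permits;
    otherwise tunnel traffic is NATed before the crypto map sees it, or traffic with no
    tunnel to carry it is exempted from NAT."""
    def pairs(aces):
        return {(a.src, a.dst) for a in aces if a.action == "permit"}
    return pairs(crypto) == pairs(nonat)


def crypto_acl_name(config_lines: List[str]) -> Optional[str]:
    """Return the ACL name referenced by 'crypto map <name> <seq> match address <acl>'."""
    for line in config_lines:
        m = MATCH_ADDR_RE.match(line.strip())
        if m:
            return m.group(1)
    return None


def first_match(aces: List[Ace], proto: str, src_ip: str, dst_ip: str,
                dst_port: Optional[int] = None) -> Optional[Ace]:
    """First ACE (in order) that a flow hits; None means the ACL's implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for a in aces:
        if a.proto not in ("ip", proto):
            continue
        if s not in a.src or d not in a.dst:
            continue
        if a.port is not None and a.port != dst_port:
            continue
        return a
    return None


# Sample lines constructed from the thread, with the /29 mask written out in full.
CRYPTO_ACL = ["access-list 100 extended permit ip 10.96.96.0 255.255.255.0 10.70.10.0 255.255.255.248"]
NONAT_ACL = ["access-list nonat line 1 extended permit ip 10.96.96.0 255.255.255.0 10.70.10.0 255.255.255.248"]
OUTSIDE_ACL = [
    "access-list outside_acl extended permit tcp host 10.70.160.2 10.96.96.0 255.255.255.0 eq 554 log",
    "access-list outside_acl extended permit tcp host 10.70.160.3 10.96.96.0 255.255.255.0 eq 554 log",
]
INSIDE_ACL = [
    "access-list inside_acl extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.2 eq 80 log",
    "access-list inside_acl extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.3 eq 80 log",
]
CRYPTO_MAP = ["crypto map outside_map 10 set peer 8.8.8.8", "crypto map outside_map 10 match address 100"]
# Exactly as typed in the thread: a three-octet mask the ASA would not accept
BAD_MASK_LINE = "access-list 100 extended permit ip 10.96.96.0 255.255.255.0 10.70.10.0 255.255.248"

if __name__ == "__main__":
    print("bad mask line parses:", is_valid_ace(BAD_MASK_LINE))
    print("crypto map references ACL:", crypto_acl_name(CRYPTO_MAP))
    print("nat 0 mirrors crypto ACL:", nat0_mirrors_crypto(parse_acl(CRYPTO_ACL), parse_acl(NONAT_ACL)))
    hit = first_match(parse_acl(OUTSIDE_ACL), "tcp", "10.70.160.2", "10.96.96.2", 554)
    print("vendor -> 10.96.96.2:554 hits:", hit.acl if hit else "implicit deny")
```

Feed it the real ACL lines from `show running-config access-list` and the crypto map lines; the separation of concerns it encodes is the one the thread is circling: the crypto map's `match address` names the traffic-of-interest ACL, the `nat 0` ACL mirrors that same ACL, and the interface ACLs (inside_acl, outside_acl) are evaluated separately for each direction of initiated traffic.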
