05-14-2013 02:47 AM - edited 03-04-2019 07:53 PM
Hi,
Can anyone help me to configure CISCO ASA 5510 for multiple IPsec tunnels?
On other side is CISCO 2801.
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
05-15-2013 01:05 PM
From the router side only host 192.168.1.3 should have access to 10.11.11.0 and 10.11.14.0
From ASA side hosts with address 10.11.11.0 /28 and address 10.11.11.14.0 /28 should have access to 192.168.1.0 /24
Is this possible?
05-15-2013 01:17 PM
What you ask for is certainly not the way that site to site VPN is intended to work. The general principle is that if you permit 10.11.11.0 and 10.11.14.0 to access all of 192.168.1.0 then the router needs to permit all of 192.168.1.0 so that it can send responses. And to get the VPN tunnel to come up I believe that you would need to configure the access lists to permit the full range.
You might be able to achieve the selective option by a creative use of the vpn-filter command as part of the tunnel configuration. You might be able to achieve that only host 192.168.1.3 could initiate traffic and that all of 192.168.1.0 could send responses to traffic initiated from 10.11.11.0 or 10.11.14.0. But this would be pretty complex to do.
HTH
Rick
05-15-2013 01:32 PM
Ok, so I must allow on the router all traffic from 192.168.1.0 to 10.11.11.11 and 10.11.14.0. On the ASA side, all traffic from 10.11.11.0 and 10.11.14.0 to 192.168.1.0.
ip access-list extended NET011
permit ip 192.168.1.0 0.0.0.255 10.11.11.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 10.11.14.0 0.0.0.255
access-list outside_2_cryptomap extended permit ip 10.11.14.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.11.11.0 255.255.255.0 192.168.1.0 255.255.255.0
And the VPN should start up.
When I have an active tunnel, the rest will be much easier to solve.
05-15-2013 02:26 PM
Yes these versions of the access lists look much better. I believe that they should work and that the VPN tunnel should come up.
HTH
Rick
05-16-2013 07:04 AM
It works. I have created five connections to other sites.
But I still have a problem: how to restrict traffic.
Now all hosts from 192.168.1.0 can access 10.11.11.0, and I want just a few of them to have access.
Can you help me with this?
05-16-2013 07:49 AM
I am glad that the VPN is now working. There are probably two approaches that might accomplish the restrictions on access. Does 10.11.11.0 need access to all addresses in 192.168.1.0? If they do not then you may be able to re-write the access list and instead of permitting the entire 192.168.1 you could permit the specific hosts. But if 10.11.11.0 does need access to all of 192.168.1.0 then the alternative to try would be vpn-filter. This is likely to get quite complex. The vpn-filter can be applied to the vpn tunnel and will permit only the traffic that you want. You will probably have to get down to the level of permitting specific tcp and udp ports. So that, for example, you might want to permit tcp port 23 as a destination port coming in but not as a source port going out. That would allow the remote users to telnet in but would not allow local users to telnet out.
HTH
Rick
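The two approaches Rick describes, written out as an added ASA configuration example (not config from the thread or from the poster's ASA). The ACL and group-policy names and the peer address 203.0.113.10 are placeholders, and the /24 masks follow the working crypto ACL posted above.

```cisco
! Added example, not from the thread. Names and the peer address are placeholders.
!
! Approach 1: narrow the crypto ACL so only host 192.168.1.3 is "interesting" traffic.
! The router's crypto ACL must mirror this exactly (host 192.168.1.3 <-> 10.11.11.0/24),
! otherwise the phase 2 proxy IDs do not match and the tunnel will not come up.
access-list outside_2_cryptomap extended permit ip 10.11.11.0 255.255.255.0 host 192.168.1.3
access-list outside_2_cryptomap extended permit ip 10.11.14.0 255.255.255.0 host 192.168.1.3
!
! Approach 2: keep the wide /24 <-> /24 crypto ACL from the thread and restrict the
! decrypted traffic with a vpn-filter on the tunnel's group-policy.
! vpn-filter entries are written with the REMOTE network as source and the LOCAL
! network as destination; the ASA evaluates the same entries with source and
! destination swapped for traffic leaving through the tunnel.
!
! Inbound: only 192.168.1.3 may open telnet (tcp/23) to the two local networks.
access-list VPN_FILTER_SITE1 extended permit tcp host 192.168.1.3 10.11.11.0 255.255.255.0 eq 23
access-list VPN_FILTER_SITE1 extended permit tcp host 192.168.1.3 10.11.14.0 255.255.255.0 eq 23
! Outbound: local hosts may reach any remote HTTPS server. Because the entry is
! evaluated swapped for outbound flows, the remote port goes in the SOURCE position.
! The two entries above do not let local users telnet out: that flow, swapped,
! would need remote source port 23, which nothing permits (Rick's port-23 example).
access-list VPN_FILTER_SITE1 extended permit tcp 192.168.1.0 255.255.255.0 eq 443 10.11.11.0 255.255.255.0
access-list VPN_FILTER_SITE1 extended permit tcp 192.168.1.0 255.255.255.0 eq 443 10.11.14.0 255.255.255.0
! Caveat: the filter ACL is stateless, so the 443 entries also admit a remote host
! that sends FROM port 443; this is why port-level filters need care.
! Everything else through this tunnel is dropped by the implicit deny.
!
group-policy GP_SITE1 internal
group-policy GP_SITE1 attributes
 vpn-filter value VPN_FILTER_SITE1
!
! Attach the policy to the tunnel-group of the remote peer (placeholder address).
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP_SITE1
!
! Verify: the filter name appears on the active L2L session, and hit counts
! on the ACL confirm which entries are matching.
show vpn-sessiondb detail l2l
show access-list VPN_FILTER_SITE1
```

One filter ACL and group-policy per tunnel-group keeps the per-site rules separate when several tunnels terminate on the same ASA.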