BIND SINGLE IP ADDRESS TO TUNNEL ON ASA

veltech (Level 1)

Hi All,

BACKGROUND

We have a site to site VPN set up between two ASAs using IPSEC.

PROBLEM

We will refer to this configuration as site A and site B. On site A we have a requirement to ensure that all traffic from a single host traverses the VPN tunnel whereas all other hosts at site A have local access to the internet and do not traverse the L2L tunnel. We are looking at the best solution for this including the possibilities of VLANs, static NATs and ACLs. Also on the client device we will need to bind a MAC address to ensure the same local IP address is handed out each time through DHCP, although if the client device sits in its own VLAN for example then MAC address binding would not be required. It is not possible to configure a static IP address on the particular host device.

Does anyone have any recommendations as to the best way to configure this requirement?

Thanks,


5 Replies

As for the VPN side of this, you can control what traffic is allowed over the VPN by configuring the crypto ACL, which identifies what traffic should be encrypted, to only allow that one client device over the VPN.  You can also set the destination as any which will cause all traffic from the client to be sent over the VPN tunnel.

access-list cryptoACL extended permit ip host any

crypto map MAP 5 match address cryptoACL

Also don't forget to exempt this traffic from being NATed. I have left out the NAT configuration as I do not know which version of ASA you are running, and the configuration differs greatly between pre and post 8.3.

--

Please rate all helpful posts

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

Yes, this is the sort of configuration we had considered, but the client device does not have a static IP address, so if it's on the same LAN network scope we would need to bind the MAC address on the DHCP pool. In your opinion, do you consider it better practice to set up a MAC binding for a local IP address, or to put this client device in its own VLAN and then use an ACL to bind it to the crypto map?

regards,

UPDATE

Just remembered that this network does not have a Windows server for DHCP, it is in fact configured on the ASA which rules out a MAC address binding as it is my understanding that this is not possible on an ASA only on IOS devices.

Thanks,

You are correct that the ASA, as of yet, does not support DHCP reservations. So your only option to get what you want to work is to place the client in a separate VLAN where you can assign it a separate scope (as you have already mentioned).

--

Please rate all helpful posts

--
Please remember to select a correct answer and rate helpful posts
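Putting the two answers above together (a dedicated VLAN with its own ASA DHCP scope, a crypto ACL that matches only that VLAN with destination any, and a NAT exemption), here is an added example of what the site A ASA configuration could look like. It is not configuration from the thread; the sub-interface, VLAN number, addresses, object name and transform-set are constructed, the crypto map name and sequence number follow the reply above, and the NAT statement assumes ASA 8.3 or later syntax.

```cisco
! Dedicated VLAN sub-interface for the single VPN-only host (constructed values)
interface GigabitEthernet0/1.20
 vlan 20
 nameif vpnonly
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
! ASA-hosted DHCP scope bound to that VLAN only. The ASA cannot reserve an
! address by MAC, but any host on this VLAN lands in a subnet that is
! entirely "interesting traffic", so the exact lease does not matter.
dhcpd address 192.168.20.10-192.168.20.20 vpnonly
dhcpd dns 10.0.0.53 interface vpnonly
dhcpd enable vpnonly
!
! Crypto ACL: source is the VPN-only subnet, destination any, so all of the
! host's traffic (including internet-bound traffic) is sent through the L2L
! tunnel. The other LAN subnets are not listed and keep local internet access.
access-list cryptoACL extended permit ip 192.168.20.0 255.255.255.0 any
crypto map MAP 5 match address cryptoACL
!
! Post-8.3 twice NAT exemption so traffic from the VPN-only subnet is never
! translated before it is matched against the crypto ACL (assumption: 8.3+;
! pre-8.3 uses a different nat 0 / exemption syntax, as the reply notes).
object network VPNONLY_NET
 subnet 192.168.20.0 255.255.255.0
nat (vpnonly,outside) source static VPNONLY_NET VPNONLY_NET destination static any any no-proxy-arp route-lookup
```

The site B ASA needs a mirror-image crypto ACL (any to 192.168.20.0/24) and a route for that host's internet-bound traffic, otherwise the host loses all connectivity rather than just being confined to the tunnel.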

Thanks Marius for your help.

We have now configured this using a combination of your inputs and our thoughts on the matter. We have selected the correct answer.

Thanks,