11-23-2013 12:45 PM
Hi All,
BACKGROUND
We have a site to site VPN set up between two ASAs using IPSEC.
PROBLEM
We will refer to this configuration as site A and site B. On site A we have a requirement to ensure that all traffic from a single host traverses the VPN tunnel whereas all other hosts at site A have local access to the internet and do not traverse the L2L tunnel. We are looking at the best solution for this including the possibilities of VLANs, static NATs and ACLs. Also on the client device we will need to bind a MAC address to ensure the same local IP address is handed out each time through DHCP, although if the client device sits in its own VLAN for example then MAC address binding would not be required. It is not possible to configure a static IP address on the particular host device.
Does anyone have any recommendations as to the best way to configure this requirement?
Thanks,
11-23-2013 12:52 PM
As for the VPN side of this, you can control what traffic is allowed over the VPN by configuring the crypto ACL, which identifies what traffic should be encrypted, to only allow that one client device over the VPN. You can also set the destination as any which will cause all traffic from the client to be sent over the VPN tunnel.
access-list cryptoACL extended permit ip host <client-ip> any
crypto map MAP 5 match address cryptoACL
Also don't forget to exempt this traffic from being NATed. I have left out the NAT configuration as I do not know which version of ASA you are running, and the configuration differs greatly between pre and post 8.3.
--
Please rate all helpful posts
11-23-2013 01:22 PM
Hi Marius,
Yes, this is the sort of configuration we had considered, but the client device does not have a static IP address, so if it's on the same LAN network scope we would need to bind the MAC address on the DHCP pool. In your opinion, do you consider it better practice to set up a MAC binding for a local IP address, or to put this client device in its own VLAN and then use an ACL to bind it to the crypto map?
regards,
11-23-2013 02:09 PM
UPDATE
Just remembered that this network does not have a Windows server for DHCP, it is in fact configured on the ASA which rules out a MAC address binding as it is my understanding that this is not possible on an ASA only on IOS devices.
Thanks,
11-24-2013 02:18 AM
You are correct that the ASA, as of yet, does not support DHCP reservations. So your only option to get what you want to work is to place the client in a separate VLAN where you can assign it a separate scope (as you have already mentioned).
--
Please rate all helpful posts
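Added example, not Marius's configuration or anything posted in this thread: one way to combine the two pieces of advice above on the site A ASA, the dedicated VLAN with its own DHCP scope from this post and the crypto ACL plus NAT exemption from Marius's first reply. ASA 8.4+/9.x syntax is assumed; all addresses, interface names and object names (Vlan99, tunnelhost, TUNNEL_VLAN, SITE_B_LAN, the 192.168.x.0 and 10.10.10.0 ranges, peer 203.0.113.2) are made up for the example, and the IKE policy and tunnel-group are taken to exist already since the thread says the L2L tunnel is up.

```cisco
! Added example (not from the thread). ASA 8.4+ syntax. Assumed addressing:
!   existing inside LAN   192.168.1.0/24  on Vlan1 (nameif inside)
!   dedicated host VLAN   192.168.99.0/24 on Vlan99 (nameif tunnelhost)
!   remote site B LAN     10.10.10.0/24, site B peer 203.0.113.2
!
! 1. Dedicated VLAN for the single host. Matching the whole VLAN subnet
!    (not one host) in the crypto ACL and NAT exemption means whatever
!    lease the host gets is irrelevant, so no MAC reservation is needed.
interface Ethernet0/7
 switchport access vlan 99           ! assumed 5505-style switchport
interface Vlan99
 nameif tunnelhost
 security-level 100
 ip address 192.168.99.1 255.255.255.0
!
! 2. DHCP scope served by the ASA for that VLAN only (the ASA DHCP
!    server has no per-MAC reservations, so the scope is the control).
dhcpd address 192.168.99.10-192.168.99.20 tunnelhost
dhcpd dns 10.10.10.53 interface tunnelhost   ! assumed resolver at site B
dhcpd enable tunnelhost
!
! 3. Objects
object network TUNNEL_VLAN
 subnet 192.168.99.0 255.255.255.0
object network INSIDE_LAN
 subnet 192.168.1.0 255.255.255.0
object network SITE_B_LAN
 subnet 10.10.10.0 255.255.255.0
!
! 4. Crypto ACL: source is the dedicated VLAN, destination "any", so every
!    packet the host sends toward the outside interface is encrypted to
!    site B, internet traffic included. Nothing matches the rest of site A.
access-list cryptoACL extended permit ip 192.168.99.0 255.255.255.0 any
!
! 5. NAT exemption for exactly the traffic the crypto ACL selects.
!    (Pre-8.3 equivalent would be:
!       access-list NONAT extended permit ip 192.168.99.0 255.255.255.0 any
!       nat (tunnelhost) 0 access-list NONAT )
nat (tunnelhost,outside) source static TUNNEL_VLAN TUNNEL_VLAN destination static any any no-proxy-arp route-lookup
!
! 6. Everything else at site A keeps ordinary PAT to the local internet.
object network INSIDE_LAN
 nat (inside,outside) dynamic interface
!
! 7. Bind the crypto ACL to the existing crypto map entry for site B.
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map MAP 5 match address cryptoACL
crypto map MAP 5 set peer 203.0.113.2
crypto map MAP 5 set ikev1 transform-set ESP-AES256-SHA
crypto map MAP interface outside
```

Two things to check after applying this. The site B ASA must mirror the selector (a crypto ACL of `permit ip any 192.168.99.0 255.255.255.0`, plus a matching NAT exemption), and because the host's internet traffic arrives on site B's outside interface and must leave by the same interface, site B needs `same-security-traffic permit intra-interface` and a NAT rule that translates 192.168.99.0/24 to its outside address; without those, the host will reach site B's LAN but nothing beyond it. Also verify with `show crypto ipsec sa` on site A that the SA's local identity is 192.168.99.0/24 to 0.0.0.0/0 and that only that SA carries traffic when another inside host browses the web.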
11-26-2013 04:36 AM
Thanks Marius for your help.
We have now configured this using a combination of your inputs and our thoughts on the matter. We have selected the correct answer.
Thanks,