Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
636
Views
0
Helpful
6
Replies

Complex network design HELP!

Go to solution
howithink
Level 1
Level 1

‎12-30-2014 09:18 AM

Hi,

I am tasked with setting up ipsec vpn access to a network with multiple servers and it is setup as follows:

 

GW: 172.20.x.1

 

device1: 192.168.1.10

 

device2: 192.168.1.20

 

mobile device pool: 10.10.10.0/24

 

There is a layer 3 switch to which all servers are connected to and to which i do not have access.

 

On it, there are multiple vlans and some ports trunked to allow above vlan traffic to come through. I am given one port to that switch which i connect to my ASA. I presume its a trunk port, may not be.

 

Remote techs need access to this network, primarily devices1, and device2. Also need access to 10.x pool for testing.

 

My question is, how do i setup my ASA5505 to allow access to these remote techs to these devices? This is a brand new ASA5505 out of the box.

 

What network do i setup in the inside network of the ASA.

 

I am confused, please help!

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP
In response to howithink

‎01-05-2015 09:26 AM

All you need to do is add those IPs and subnet to the crypto ACL and also make sure those IPs are part of the No NAT / NAT 0 statement.

So the remote company have given you 3 IPs that want access to the two devices and the mobile IP pool?  If that is the case then your crypto ACL will look something like the following:

access-list VPN-ACL extended permit ip host 192.168.1.10 host <remote IP>

access-list VPN-ACL extended permit ip host 192.168.1.20 host <remote IP>

access-list VPN-ACL extended permit ip 10.10.10.0 255.255.255.0 host <remote IP>

crypto map VPNMAP 5 match address VPN-ACL

 

access-list NO-NAT extended permit ip host 192.168.1.10 host <remote IP>

access-list NO-NAT extended permit ip host 192.168.1.20 host <remote IP>

access-list NO-NAT extended permit ip 10.10.10.0 255.255.255.0 host <remote IP>

nat (inside) 0 access-list NO-NAT

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful
6 Replies 6

Go to solution
johnd2310
Level 8
Level 8

‎01-01-2015 04:49 PM

Hi,

 

What is the version of code  running on the ASA? Is the remote access required from the Internet or is it from a private network?

 

Thanks

John

**Please rate posts you find helpful**
0 Helpful

Go to solution
howithink
Level 1
Level 1
In response to johnd2310

‎01-05-2015 08:33 AM

ASA is using 8.2.x code and the access to my set will be via a site to site vpn tunnel from another private network. 

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP

‎01-04-2015 02:45 AM

I am assuming we are talking about remote access VPN?  in any case, this is not a very complex thing to do and is quite common when using 3rd party IT support.  Keep in mind that the configuration will be slightly different depending on what ASA version you are running (pre 8.3 or post 8.3).  Are we talking Anyconnect VPN or remote access IPsec VPN?

--

Please remember to select a correct answer and rate helpful posts

 

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
howithink
Level 1
Level 1
In response to Marius Gunnerud

‎01-05-2015 08:32 AM

ASA is using 8.2.5 i believe. It's pre 8.3. No one is using Anyconnect. This is only for a site to site vpn tunnel. The remote company has sent me 3 IP addresses that they want me to exempt.

My confusion is how do i  enable my ASA to grant access to the  following servers: GW: 172.20.x.1,   device1: 192.168.1.10,  device2: 192.168.1.20, and mobile device IP pool: 10.10.10.0/24.

thanks for your help.

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to howithink

‎01-05-2015 09:26 AM

All you need to do is add those IPs and subnet to the crypto ACL and also make sure those IPs are part of the No NAT / NAT 0 statement.

So the remote company have given you 3 IPs that want access to the two devices and the mobile IP pool?  If that is the case then your crypto ACL will look something like the following:

access-list VPN-ACL extended permit ip host 192.168.1.10 host <remote IP>

access-list VPN-ACL extended permit ip host 192.168.1.20 host <remote IP>

access-list VPN-ACL extended permit ip 10.10.10.0 255.255.255.0 host <remote IP>

crypto map VPNMAP 5 match address VPN-ACL

 

access-list NO-NAT extended permit ip host 192.168.1.10 host <remote IP>

access-list NO-NAT extended permit ip host 192.168.1.20 host <remote IP>

access-list NO-NAT extended permit ip 10.10.10.0 255.255.255.0 host <remote IP>

nat (inside) 0 access-list NO-NAT

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
howithink
Level 1
Level 1
In response to Marius Gunnerud

‎01-05-2015 12:22 PM

i will give this a try and if need be, post the config here. Stay tuned...thanks.

0 Helpful
Customers Also Viewed These Support Documents