Edge Router lite VPN device behind the cisco ASA firewall

sfarazaz123
Level 1

Hi all respected members,

I am having a problem setting up the VPN through the EdgeRouter, which is behind the ASA firewall, to a remote EdgeRouter.

Details:

We have a customer who buys a managed office network from us. We have a firewall for them which can support VPN for them, but the customer has a VPN solution purchased from a different VPN solution provider.

The VPN solution provider wants to put the VPN concentrator behind the firewall, so we did that for him and connected it to the inside interface.

What we did :

The VPN concentrator is connected to the inside network through the switch and has IP address 192.168.0.2/24, i.e. 192.168.0.1/24 is the gateway on the Cisco ASA.

We made the NAT rule for it, translating the inside IP to the outside address.

The access list allows the VPN protocols from inside to any.

Result:

No success for the VPN solution provider. He can connect to the VPN device remotely; I made that happen through the firewall.

But the VPN is not working for him.

Help needed:

Give me examples or a way forward on how I can make this happen. Guide me :)

Thanks

Best Regards

fa


9 Replies

  1. What kind of VPN will be used?
  2. What have you configured exactly? Please show the config (NAT and ACL).

I have trimmed the running config as follows.

1) The type of VPN is site-to-site.

2) The NAT and ACLs are as follows:


interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address x.x.x.10 255.255.255.248
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 no ip address
!
interface GigabitEthernet1/2.10
 description office-vlan
 vlan 10
 nameif kontor1
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet1/2.50
 description guest-vlan
 vlan 50
 nameif kontor2
 security-level 100
 ip address 192.168.50.1 255.255.255.0
!

ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network 192.168.0.2
 host 192.168.0.2
object network x.x.x.x
 host x.x.x.x
object service vpn-esp
 service esp
object-group service DM_INLINE_SERVICE_1
 service-object esp
 service-object ah
 service-object udp destination eq 4500
 service-object udp destination eq isakmp
 service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_2
 service-object esp
 service-object ah
 service-object tcp destination eq https
 service-object udp destination eq 4500
 service-object udp destination eq isakmp
access-list kontor1_access_in extended permit object-group DM_INLINE_SERVICE_1 object 192.168.0.2 any
access-list kontor1_access_in extended permit ip any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object 192.168.0.2
access-list kontor2_access_in extended permit ip any any
pager lines 24

nat (kontor1,outside) source static 192.168.0.2 192.168.0.2 no-proxy-arp
!
object network obj_any
 nat (any,outside) dynamic interface
object network 192.168.0.2
 nat (kontor1,outside) static interface service tcp https 8443
access-group outside_access_in in interface outside
access-group office1_access_in in interface office1
access-group office2_access_in in interface office2

Accepted Solution

The NAT for your VPN-Box is wrong. Ideally you would use a dedicated IP for that box. Then the config will be the following:

no nat (kontor1,outside) source static 192.168.0.2 192.168.0.2 no-proxy-arp
object network 192.168.0.2
 nat (kontor1,outside) static x.x.x.11

If you can't reserve an IP for the box, then you can use the interface IP, but then you can't terminate IPsec VPNs on the ASA itself:

no nat (kontor1,outside) source static 192.168.0.2 192.168.0.2 no-proxy-arp
object network 192.168.0.2-UDP500
 host 192.168.0.2
 nat (kontor1,outside) static interface service udp 500 500
object network 192.168.0.2-UDP4500
 host 192.168.0.2
 nat (kontor1,outside) static interface service udp 4500 4500

You don't need to allow ESP and AH; all will be encapsulated in UDP:

object-group service DM_INLINE_SERVICE_2
 no service-object esp
 no service-object ah

Thanks Karsten,

The tunnel seems to be working now. Thanks a lot. The other part I am thinking about is the two subnets, local and remote.

How will they communicate with each other? Do we need static routes for that?

The provider told me to add static routes for their remote subnets pointing to 192.168.0.2 (the VPN concentrator device IP).

I will remove the extra stuff as well.

Best Regards

Faraz

Yes, I would suspect that your ASA needs a route for the remote subnet pointing to the VPN-Box.

I have made the static routes now for the remote subnets, but they are telling me that their clients from the local subnets are not reaching the remote subnet's DNS server.

1) I already checked that DNS inspection is on.

2) The ACL from the local subnet to the remote subnet is there and allows IP right now.

I can see this error:

Deny inbound UDP from x.x.x.x/highport to x.x.x.x/53 due to DNS Query

But thanks again for your time :)

The traffic that comes from the VPN-concentrator wants to flow through the ASA and als has to be allowed if desired.

Hi Karsten,

I think you mean I need to put an ACL from inside to any or outside and allow the DNS or other traffic,

but there is a general rule that allows IP from inside to outside for their internet.

Can you explain what exactly you mean by "als"?

Thanks in advance

Your config looks as if there are ACLs applied. But you obfuscated the config and the error message, so only you know ...
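The pieces of the thread pulled together as one added example (this is not the original poster's config and not Karsten's reply): the corrected NAT from the accepted solution, the outside ACL trimmed to IKE/NAT-T, the static route toward the concentrator, and the intra-interface setting that the hairpinned inside-to-remote traffic needs, plus the ASA commands to verify it. It assumes the VPN box is 192.168.0.2 on kontor1, that x.x.x.11 is a spare address in the outside /29, that the provider's remote subnet is 192.168.1.0/24 (the object already present in the posted config; substitute the real one), that the peer supports NAT-T, and that 203.0.113.5 stands in for the remote peer's public address.

```cisco
! Added example, not the original poster's config. Assumptions: VPN box is
! 192.168.0.2 on kontor1, x.x.x.11 is a spare public IP in the outside /29,
! 192.168.1.0/24 is the provider's remote subnet, peer supports NAT-T.

! 1. Remove the identity twice-NAT rule. It is evaluated before object NAT,
!    so the VPN box was never translated to a public address.
no nat (kontor1,outside) source static 192.168.0.2 192.168.0.2 no-proxy-arp

! 2a. Preferred: one-to-one static NAT to a dedicated public IP. IKE (UDP/500),
!     NAT-T (UDP/4500) and, if ever needed, ESP all reach the box unchanged.
object network 192.168.0.2
 host 192.168.0.2
 nat (kontor1,outside) static x.x.x.11

! 2b. Alternative without a spare IP: port-forward IKE and NAT-T on the
!     interface address. The ASA itself can then no longer terminate IPsec.
!     (Uncomment instead of 2a; keep one object per forwarded port.)
! object network 192.168.0.2-UDP500
!  host 192.168.0.2
!  nat (kontor1,outside) static interface service udp 500 500
! object network 192.168.0.2-UDP4500
!  host 192.168.0.2
!  nat (kontor1,outside) static interface service udp 4500 4500

! 3. Inbound ACL on outside. ACLs reference the real (inside) address.
!    With NAT-T only UDP/500 and UDP/4500 are needed; add
!    "service-object esp" back only for variant 2a with a peer that lacks NAT-T.
object-group service VPN-IKE
 service-object udp destination eq isakmp
 service-object udp destination eq 4500
access-list outside_access_in extended permit object-group VPN-IKE any object 192.168.0.2

! 4. Route the remote subnet to the concentrator so the ASA (the clients'
!    default gateway) forwards inside-to-remote packets to it.
route kontor1 192.168.1.0 255.255.255.0 192.168.0.2 1

! 5. That packet enters and leaves on kontor1; the ASA drops such hairpin
!    traffic unless intra-interface forwarding is permitted.
same-security-traffic permit intra-interface

! 6. Traffic the concentrator delivers into the office toward the internet or
!    kontor2 arrives on kontor1 sourced from 192.168.1.0/24. The existing
!    "permit ip any any" on kontor1_access_in already allows it and the
!    dynamic PAT to the outside interface already covers it.

! Caveat: replies from the remote subnet are delivered by the VPN box straight
! to the client on the same VLAN, so the ASA sees only one direction of each
! hairpinned flow. UDP (e.g. DNS) tolerates that; TCP flows will be dropped as
! out-of-state. Cleaner: push the 192.168.1.0/24 route to the clients (e.g. via
! DHCP) so the ASA is out of that path entirely.

! Verification: simulate the remote peer's first IKE packet, then check xlates
! and active NAT-T connections.
packet-tracer input outside udp 203.0.113.5 500 x.x.x.11 500
show nat detail
show xlate
show conn protocol udp port 4500
```

The packet-tracer output should end with an ALLOW and show the UN-NAT phase mapping x.x.x.11 to 192.168.0.2; if it stops at the ACCESS-LIST phase, the ACL is still matching the old DM_INLINE_SERVICE_2 group or the mapped instead of the real address.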