01-04-2017 05:22 AM
Hi all respected members,
I am having a problem setting up the VPN through the edge router, which sits behind the ASA firewall, to the remote edge router.
Details:
We have a customer who buys a managed office network from us. We have a firewall for them which can support VPN, but the customer has a VPN solution purchased from a different VPN solution provider.
The VPN solution provider wants to put the VPN concentrator behind the firewall, so we did that for him and connected it to the inside interface.
What we did :
The VPN concentrator is connected to the inside network through the switch, with IP address 192.168.0.2/24, i.e. 192.168.0.1/24 is the gateway on the Cisco ASA.
We made the NAT rule for it, translating the inside IP to the outside address.
The access list allows the VPN from inside to any with the VPN protocols.
Result:
No success for the VPN solution provider. He can connect to the VPN device remotely; I made that happen through the firewall.
But the VPN is not working for him.
Help needed:
Give me examples or a way forward on how I can make this happen. Guide me :)
Thanks
Best Regards
fa
01-04-2017 08:12 AM
I have trimmed the running config as follows.
1) The type of VPN is site-to-site.
2) The NAT and ACLs are as follows:
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address x.x.x.10 255.255.255.248
!
interface GigabitEthernet1/2
nameif inside
security-level 100
no ip address
!
interface GigabitEthernet1/2.10
description office-vlan
vlan 10
nameif kontor1
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet1/2.50
description guest-vlan
vlan 50
nameif kontor2
security-level 100
ip address 192.168.50.1 255.255.255.0
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network 192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network 192.168.0.2
host 192.168.0.2
object network x.x.x.x
host x.x.x.x
object service vpn-esp
service esp
object-group service DM_INLINE_SERVICE_1
service-object esp
service-object ah
service-object udp destination eq 4500
service-object udp destination eq isakmp
service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_2
service-object esp
service-object ah
service-object tcp destination eq https
service-object udp destination eq 4500
service-object udp destination eq isakmp
access-list kontor1_access_in extended permit object-group DM_INLINE_SERVICE_1 object 192.168.0.2 any
access-list kontor1_access_in extended permit ip any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object 192.168.0.2
access-list kontor2_access_in extended permit ip any any
pager lines 24
nat (kontor1,outside) source static 192.168.0.2 192.168.0.2 no-proxy-arp
!
object network obj_any
nat (any,outside) dynamic interface
object network 192.168.0.2
nat (kontor1,outside) static interface service tcp https 8443
access-group outside_access_in in interface outside
access-group office1_access_in in interface office1
access-group office2_access_in in interface office2
01-04-2017 08:36 AM
The NAT for your VPN-Box is wrong. Ideally you would use a dedicated IP for that box. Then the config will be the following:
no nat (kontor1,outside) source static 192.168.0.2 192.168.0.2 no-proxy-arp
object network 192.168.0.2
nat (kontor1,outside) static x.x.x.11
If you can't reserve an IP for the box, then you can use the interface IP, but you can't terminate IPSec VPNs on the ASA itself:
no nat (kontor1,outside) source static 192.168.0.2 192.168.0.2 no-proxy-arp
object network 192.168.0.2-UDP500
host 192.168.0.2
nat (kontor1,outside) static interface service udp 500 500
object network 192.168.0.2-UDP4500
host 192.168.0.2
nat (kontor1,outside) static interface service udp 4500 4500
You don't need to allow ESP and AH, all will be encapsulated in UDP:
object-group service DM_INLINE_SERVICE_2
no service-object esp
no service-object ah
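As an added illustration (my own code, not Karsten's and not anything from Cisco), the script below encodes the three points of the reply as an audit over ASA config text: an identity twice-NAT rule in section 1 shadows the object NAT in section 2, the VPN box needs either a dedicated public IP or UDP 500/4500 forwarded from the interface IP, and ESP/AH entries are unnecessary once NAT-T carries the payload in UDP 4500. The parser only understands the directives that appear in this thread's config (`object network`, `object-group service`, `host`, `nat`, `service-object`), the config excerpts are constructed from the posted and the corrected versions, and the severity labels are mine.

```python
import re

# Port names used in the posted config, mapped to numbers (assumed sufficient here).
PORT_NAMES = {"isakmp": 500, "https": 443}
IKE_PORTS = {500, 4500}          # IKE and NAT-T (UDP-encapsulated ESP)
CHILD_PREFIXES = ("host ", "subnet ", "nat (", "service-object ", "service ")

# Constructed excerpt of the config posted in the thread (the broken state).
BEFORE_CFG = """\
object network 192.168.0.2
host 192.168.0.2
object-group service DM_INLINE_SERVICE_2
service-object esp
service-object ah
service-object tcp destination eq https
service-object udp destination eq 4500
service-object udp destination eq isakmp
pager lines 24
nat (kontor1,outside) source static 192.168.0.2 192.168.0.2 no-proxy-arp
!
object network 192.168.0.2
nat (kontor1,outside) static interface service tcp https 8443
"""

# Constructed excerpt after applying the interface-IP variant of the fix.
AFTER_CFG = """\
object network 192.168.0.2
host 192.168.0.2
nat (kontor1,outside) static interface service tcp https 8443
object network 192.168.0.2-UDP500
host 192.168.0.2
nat (kontor1,outside) static interface service udp 500 500
object network 192.168.0.2-UDP4500
host 192.168.0.2
nat (kontor1,outside) static interface service udp 4500 4500
object-group service DM_INLINE_SERVICE_2
service-object tcp destination eq https
service-object udp destination eq 4500
service-object udp destination eq isakmp
"""

# Constructed excerpt for the dedicated-public-IP variant (x.x.x.11 is the thread's placeholder).
DEDICATED_CFG = "object network 192.168.0.2\nhost 192.168.0.2\nnat (kontor1,outside) static x.x.x.11\n"


def port_num(token):
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse(cfg):
    """Collect object/object-group blocks and global (twice) NAT rules.
    The posted config has no indentation, so a child line is recognised by its
    keyword, and any other keyword (or '!') closes the current block."""
    objects, global_nat, current = {}, [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^(object network|object-group service|object service)\s+(\S+)$", line)
        if m:
            current = objects.setdefault(m.group(2), {"host": None, "nat": [], "services": []})
            continue
        if current is not None and line.startswith(CHILD_PREFIXES):
            if line.startswith("host "):
                current["host"] = line.split()[1]
            elif line.startswith("nat ("):
                current["nat"].append(line)            # object NAT, section 2
            elif line.startswith("service-object "):
                current["services"].append(line.split(None, 1)[1])
            continue
        if line.startswith("nat ("):
            global_nat.append(line)                    # manual/twice NAT, section 1
        current = None
    return objects, global_nat


def audit(cfg, vpn_host):
    """Return (severity, message) findings for the VPN box at vpn_host."""
    objects, global_nat = parse(cfg)
    findings = []
    host_objs = {n for n, o in objects.items() if o["host"] == vpn_host}

    # 1. Identity twice-NAT (section 1) is matched before object NAT (section 2),
    #    so the box would leave the ASA with its private address untranslated.
    for rule in global_nat:
        m = re.match(r"nat \(\S+\) source static (\S+) (\S+)", rule)
        if m and m.group(1) == m.group(2) and m.group(1) in host_objs | {vpn_host}:
            findings.append(("error", f"identity twice-NAT shadows the object NAT for {vpn_host}; remove: {rule}"))

    # 2. Either a 1:1 static NAT to a dedicated public IP, or udp/500 and udp/4500
    #    forwarded from the interface IP.
    dedicated, forwarded_udp = False, set()
    for name in host_objs:
        for rule in objects[name]["nat"]:
            m = re.match(r"nat \(\S+\) static (\S+)(?: service (tcp|udp) (\S+) (\S+))?$", rule)
            if not m:
                continue
            mapped, proto, real_port, mapped_port = m.groups()
            if proto is None and mapped != "interface":
                dedicated = True
            elif proto == "udp":
                forwarded_udp.add((port_num(real_port), port_num(mapped_port)))
    if dedicated:
        findings.append(("ok", f"{vpn_host} has a 1:1 static NAT to a dedicated public IP"))
    else:
        missing = sorted(p for p in IKE_PORTS if (p, p) not in forwarded_udp)
        if missing:
            findings.append(("error", f"no dedicated IP and no UDP forward for {missing}; IKE/NAT-T cannot reach {vpn_host}"))
        else:
            findings.append(("ok", f"udp/500 and udp/4500 are forwarded from the interface IP to {vpn_host}"))

    # 3. With NAT-T the ESP payload rides inside udp/4500, so ESP/AH entries do nothing useful.
    for name, o in objects.items():
        if {s.split()[0] for s in o["services"]} & {"esp", "ah"}:
            findings.append(("info", f"{name} permits ESP/AH; with NAT-T these are encapsulated in udp/4500"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", BEFORE_CFG), ("fixed", AFTER_CFG), ("dedicated IP", DEDICATED_CFG)):
        print(f"== {label} ==")
        for sev, msg in audit(cfg, "192.168.0.2"):
            print(f"[{sev}] {msg}")
```

Run on the posted excerpt it reports the shadowing identity rule, the missing UDP forwards and the superfluous ESP/AH entries; on either corrected variant it reports only an `ok` line. It is a text-level check, so the real confirmation is still `show nat` and `packet-tracer` on the ASA.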
01-05-2017 03:05 AM
Thanks Karsten,
The tunnel seems to be working now. Thanks a lot. The other part I am thinking about is the two subnets, local and remote.
How will they communicate with each other? Do we need static routes for that?
The provider told me to add static routes for their remote subnets pointing to 192.168.0.2 (the VPN concentrator device IP).
I will remove the extra stuff as well.
Best Regards
Faraz
01-05-2017 08:17 AM
Yes, I would suspect that your ASA needs a route for the remote subnet pointing to the VPN-Box.
01-05-2017 09:58 AM
I have made the static routes now for the remote subnets, but they are telling me that their clients from the local subnets are not reaching the DNS server on the remote subnet.
1) I already checked that DNS inspection is on.
2) The ACL is there from the local subnet to the remote subnet, and IP is allowed right now.
I can see this error:
But thanks again for your time :)
01-05-2017 02:52 PM
The traffic that comes from the VPN concentrator wants to flow through the ASA and also has to be allowed if desired.
01-08-2017 03:50 AM
Hi Karsten,
I think you mean I need to put an ACL from inside to any or outside and allow the DNS or other traffic,
but there is a general rule that allows IP from inside to outside for their internet.
Can you explain what exactly you mean by that?
Thanks in advance
01-08-2017 03:59 AM
Your config looks as if there are ACLs applied. But you obfuscated the config and error message, so only you know ...