Need assistance with VPN Config on ASA5505

HARPREET SINGH
Level 1

Our client has a vendor who needs to establish a VPN tunnel to their own router which sits behind our Firewall.

VPN Concentrator (Vendor) <------> ASA5505 Client (7.2) <-------> 3750 Switch <-------> VPN router(Vendor)

Here is the set up info:

ASA outside Interface - 208.64.1x.x4 DG - 208.64.1x.x3

ASA Inside Interface - 172.20.58.13/30

3750 Switch Interface Connected to ASA - 172.20.58.14/30 and DG - 172.20.58.13

3750 Switch Interface connected to VPN router - 172.20.58.21

VPN Router Interface connected to the 3750 - 172.20.58.22/30 DG - 172.20.58.21

I have also attached a Visio for this and the running configuration from the ASA and 3750. We don't have access to the TNS VPN router.

Our responsibility is just to make sure the tunnel comes up.

Could you kindly help me with this?

Here is what I am planning to do :

1) Create a static NAT on the ASA for Public to Private IP of the VPN router

Public - 208.64.1x.x5 / 28

Private - 172.20.58.21 / 30

Will the ASA automatically ARP for this address or do I have to configure another interface on the ASA with this public IP?

2) What would the access list look like on the ASA?

3) The client gave us some config to copy onto the ASA so that they can create the tunnel, but I couldn't put those commands in the ASA. How would this be applied and on what interface?

Firewall Access: The following information pertains to access between the VPN router and the VPN concentrator. If a firewall/router is present in front of the VPN the following services need to be allowed:

permit esp host 208.224.x.x any
permit gre host 208.224.x.x any
permit udp host 208.224.x.x any eq isakmp
permit udp host 208.224.x.x any eq non500-isakmp
permit esp host 204.8.x.x any
permit gre host 204.8.x.x any
permit udp host 204.8.x.x any eq isakmp
permit udp host 204.8.x.x any eq non500-isakmp
permit tcp 206.x.x.0 0.0.0.255 any eq 22
permit tcp 206.x.x.0 0.0.0.255 any eq telnet
permit udp host 208.224.x.x any
permit udp host 208.224.x.x any

Can someone assist me with the commands that I need to run on the ASA? The 5505 is running 7.2(4) code.

Thanks in advance.

HS


Accepted Solution

Jennifer Halim
Cisco Employee

Your steps are correct, you would need to configure static NAT as well as the access-list to allow access.

Static NAT would be as follows:

static (Inside,outside) 208.64.1x.x5 172.20.58.21 netmask 255.255.255.255

You would also need a route pointing towards the inside interface to reach 172.20.58.21:

route Inside 172.20.58.21 255.255.255.255 172.20.58.14

Do you already have an access-list on the outside interface? If you have, then just add into the existing access-list; if you haven't, then add the following:

access-list outside-acl permit udp any host 208.64.1x.x5 eq 500

access-list outside-acl permit udp any host 208.64.1x.x5 eq 4500

access-list outside-acl permit esp any host 208.64.1x.x5

access-group outside-acl in interface outside

If you also have an access-list on the inside interface, you would also need to allow the traffic through as follows:

! <inside-acl-name> is a placeholder for the name of the existing inside access-list
access-list <inside-acl-name> permit udp host 172.20.58.21 any eq 500

access-list <inside-acl-name> permit udp host 172.20.58.21 any eq 4500

access-list <inside-acl-name> permit esp host 172.20.58.21 any

If you haven't had any access-list on the inside interface, then you don't have to configure it.

Hope that helps.
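An added example, not code from the thread or from Cisco: a small Python model of how the ASA 7.2 answer above treats packets arriving on the outside interface. On this pre-8.3 code the outside ACL is matched against the mapped (public) address, the static entry then un-translates it to the real host, and the static route hands it to the 3750; the masked public addresses in the thread are replaced with constructed RFC 5737 values.

```python
# Added example (not from the thread): a minimal model of the accepted answer's
# NAT + ACL + route handling for inbound traffic on the ASA 7.2 outside interface.
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the public addresses masked in the thread.
VENDOR_CONC = "198.51.100.10"   # vendor VPN concentrator (208.224.x.x on the page)
MAPPED_PUB = "203.0.113.5"      # static NAT public address (208.64.1x.x5 on the page)
REAL_VPN_RTR = "172.20.58.21"   # vendor VPN router behind the 3750 (from the page)

# static (Inside,outside) <mapped> <real> netmask 255.255.255.255
STATIC_NAT = {MAPPED_PUB: REAL_VPN_RTR}
# route Inside 172.20.58.21 255.255.255.255 172.20.58.14
ROUTES = [(ip_network("172.20.58.21/32"), "Inside", "172.20.58.14")]
# outside-acl as given in the answer: (protocol, destination, port or None for "any")
OUTSIDE_ACL = [("udp", MAPPED_PUB, 500), ("udp", MAPPED_PUB, 4500),
               ("esp", MAPPED_PUB, None)]

def acl_permits(acl, proto, dst, dport):
    """First-match lookup with the ASA's implicit deny at the end."""
    for a_proto, a_dst, a_port in acl:
        if a_proto == proto and a_dst == dst and a_port in (None, dport):
            return True
    return False

def lookup_route(dst):
    """Return (egress interface, next hop) for dst, or None if unroutable."""
    for net, iface, nexthop in ROUTES:
        if ip_address(dst) in net:
            return iface, nexthop
    return None

def inbound_on_outside(proto, src, dst, dport=None):
    """Pre-8.3 order: ACL on mapped address -> untranslate -> route.
    Returns ('permit', real_dst, egress_iface, next_hop) or ('deny', reason).
    src is unused because every rule in the answer has source 'any'."""
    if not acl_permits(OUTSIDE_ACL, proto, dst, dport):
        return ("deny", "outside-acl")
    real = STATIC_NAT.get(dst)
    if real is None:
        return ("deny", "no static translation")
    route = lookup_route(real)
    if route is None:
        return ("deny", "no route to real host")
    return ("permit", real, route[0], route[1])

if __name__ == "__main__":
    for pkt in [("udp", VENDOR_CONC, MAPPED_PUB, 500), ("udp", VENDOR_CONC, MAPPED_PUB, 4500),
                ("esp", VENDOR_CONC, MAPPED_PUB, None), ("gre", VENDOR_CONC, MAPPED_PUB, None),
                ("tcp", VENDOR_CONC, MAPPED_PUB, 22)]:
        print(pkt, "->", inbound_on_outside(*pkt))
```

Running it shows ISAKMP, NAT-T and ESP reaching 172.20.58.21 via 172.20.58.14, while the GRE and TCP/22 flows on the vendor's list hit the implicit deny of the three-line ACL, which is the check to make before declaring the tunnel path open.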


2 Replies

Hello Jennifer,

Thank you so much. This is exactly what I was looking for. I really appreciate it.

Regards.

HS
