ACL subnets for host IP and duplicate networks

seanwaite
Level 1

I have two inter-related questions. My first issue deals with VPNs using the same network address range. For example, I have an ASA that is going to connect to two separate remote sites, except both sites are using a 10.10.1.0/24 network. On one site I need to access servers located between ~.5 and ~.30; on the other network I need to access servers that are ~.180 to ~.250.


So I was thinking, could I just set the ACL for site one to a /25 subnet (giving me 10.10.1.1 - 10.10.1.126) and for the second site the other /25 subnet (giving me 10.10.1.128 - 10.10.1.254)? So my config would look like this:

access-list NO_NAT extended permit ip 192.168.101.0 255.255.255.0 10.10.1.0 255.255.255.128
access-list NO_NAT extended permit ip 192.168.101.0 255.255.255.0 10.10.1.128 255.255.255.128

access-list SITE_1 extended permit ip 192.168.101.0 255.255.255.0 10.10.1.0 255.255.255.128
access-list SITE_2 extended permit ip 192.168.101.0 255.255.255.0 10.10.1.128 255.255.255.128

crypto map OUTSIDE_MAP 1 match address SITE_1
crypto map OUTSIDE_MAP 1 match address SITE_2

Would the remote site then need a matching ACL? My understanding is that changing the subnet in the ACL would only affect tunnel traffic and would have no impact on the internal network, since this is only for the tunnel's access. If the remote site uses a /24 subnet for the internal inside interface, could I still use a /25 just for the VPN ACL?


My second question involves access through a tunnel to a single device, rather than a whole network.
So for this example I have 3 remote sites, each with a single server I want access to, but not the whole network. So instead I change the ACL from "ip" to "host"?:


access-list NO_NAT extended permit ip 192.168.101.0 255.255.255.0 host 10.10.1.200
access-list NO_NAT extended permit ip 192.168.101.0 255.255.255.0 host 10.10.1.201

access-list SITE_1 extended permit ip 192.168.101.0 255.255.255.0 host 10.10.1.200
access-list SITE_2 extended permit ip 192.168.101.0 255.255.255.0 host 10.10.1.201

crypto map OUTSIDE_MAP 1 match address SITE_1
crypto map OUTSIDE_MAP 1 match address SITE_2


What I want to do in this scenario is give access from the 192.168.101.0 network ONLY to a specific server, whereas I want the remote network sites to access the full 192.168.101.0/24 network. Can I do this through ACLs like above, or would I need to first do the ACL from ip to ip (i.e. network to network), then filter and deny all IPs except for the one server?

4 Replies

seanwaite
Level 1

I added a Visio jpg that may better explain the two questions that I have.

For your first question:

Yes, you are correct. You can configure 2 different vpn tunnels to 2 different remote sites, and configure crypto ACL that says /25 as per your example.

Minor error on the crypto map:

You have:

crypto map OUTSIDE_MAP 1 match address SITE_1

crypto map OUTSIDE_MAP 1 match address SITE_2

It should be:

crypto map OUTSIDE_MAP 10 match address SITE_1

crypto map OUTSIDE_MAP 20 match address SITE_2

The NO_NAT ACL can be combined into 1 line as follows:

access-list NO_NAT extended permit ip 192.168.101.0 255.255.255.0 10.10.1.0 255.255.255.0


BTW, your topology diagram has 10.150.1.0/24, however, your post says 10.10.1.0/24. You might want to change it accordingly.

For your second question:

No, you can't use the crypto map ACL to deny or allow access in one direction and not the other. You will need to use an access-list on the interface for that.

So basically on the inside interface ACL on the main site ASA, just configure access as follows:

access-list INSIDE_IN remark INSIDE_IN is a placeholder name; apply with: access-group INSIDE_IN in interface inside
access-list INSIDE_IN extended permit ip 192.168.100.0 255.255.255.0 host 10.150.1.10

All traffic initiated from the remote end will be allowed through the tunnel towards the main site LAN. From the main site LAN, you can only access host 10.150.1.10, by configuring the ACL to allow only that access.

If you have permit ip any any on your inside interface ACL, then you would need to configure the following:

access-list INSIDE_IN remark INSIDE_IN is a placeholder name; apply with: access-group INSIDE_IN in interface inside
access-list INSIDE_IN extended permit ip 192.168.100.0 255.255.255.0 host 10.150.1.10
access-list INSIDE_IN extended deny ip 192.168.100.0 255.255.255.0 10.150.1.0 255.255.255.0
access-list INSIDE_IN extended permit ip any any

Hope that helps.
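The checks behind the advice in this reply, written out as an added example that is not part of the original thread and not Cisco's code: a small Python checker that parses ASA access-list and crypto map lines of the kind quoted above and verifies that two peers' crypto ACLs never claim the same flow, that every crypto ACE is covered by the NAT-exemption ACL, that crypto map sequence numbers are unique, and that a remote peer's crypto ACL is the mirror image of the hub's. The function and variable names (parse_acl, crypto_overlaps, not_nat_exempt, duplicate_crypto_map_seq, is_mirror, HUB_SPLIT, HUB_CLASH, HUB_HOST, REMOTE_HOST) are the example's own; the sample configurations are constructed from the addresses used in the thread, and only "permit|deny ip" ACEs are handled.

```python
"""Added example (not from the thread): consistency checks for ASA crypto-map ACLs.
Only 'permit|deny ip SRC DST' ACEs are parsed; sample lines are constructed."""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    name: str
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _addr(t, i):
    """Parse one ASA address at t[i]: 'host A', 'any', or 'A NETMASK'."""
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME [extended] permit|deny ip SRC DST'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    i = 3 if t[2] == "extended" else 2
    if t[i] not in ("permit", "deny") or t[i + 1] != "ip":
        raise ValueError(f"only 'permit|deny ip' ACEs are handled: {line}")
    src, j = _addr(t, i + 2)
    dst, _ = _addr(t, j)
    return Ace(t[1], t[i], src, dst)


def parse_acl(lines, name):
    """All ACEs of one named ACL, in configured order."""
    return [parse_ace(l) for l in lines if l.startswith(f"access-list {name} ")]


def crypto_overlaps(acl_a, acl_b):
    """Permit ACEs of two peers' crypto ACLs that match the same flow. The crypto
    map entry with the lower sequence number wins; the other peer never sees it."""
    return [(a, b) for a in acl_a for b in acl_b
            if a.action == b.action == "permit"
            and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)]


def not_nat_exempt(crypto_acl, nonat_acl):
    """Crypto permit ACEs not fully inside a NAT-exemption permit ACE: such flows
    are translated before the crypto ACL is evaluated and never match it."""
    return [c for c in crypto_acl if c.action == "permit" and not any(
        n.action == "permit" and c.src.subnet_of(n.src) and c.dst.subnet_of(n.dst)
        for n in nonat_acl)]


def duplicate_crypto_map_seq(lines):
    """(map, seq) pairs with more than one 'match address' line: the later line
    replaces the earlier one instead of adding a second peer."""
    seen = Counter()
    for l in lines:
        t = l.split()
        if len(t) >= 7 and t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            seen[(t[2], t[3])] += 1
    return [k for k, v in seen.items() if v > 1]


def is_mirror(local, remote):
    """Proxy IDs must match: the peer's permit ACEs are ours with src/dst swapped."""
    return ({(a.src, a.dst) for a in local if a.action == "permit"}
            == {(a.dst, a.src) for a in remote if a.action == "permit"})


# Constructed sample: the hub layout this reply recommends (one /24 split into
# two /25 crypto ACLs, one combined NO_NAT line, distinct sequence numbers).
HUB_SPLIT = """
access-list NO_NAT extended permit ip 192.168.101.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list SITE_1 extended permit ip 192.168.101.0 255.255.255.0 10.10.1.0 255.255.255.128
access-list SITE_2 extended permit ip 192.168.101.0 255.255.255.0 10.10.1.128 255.255.255.128
crypto map OUTSIDE_MAP 10 match address SITE_1
crypto map OUTSIDE_MAP 20 match address SITE_2
""".strip().splitlines()

# Constructed sample of what the thread is trying to avoid: both peers claim the
# whole /24, there is no NAT exemption, and both entries sit on sequence 1.
HUB_CLASH = """
access-list SITE_1 extended permit ip 192.168.101.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list SITE_2 extended permit ip 192.168.101.0 255.255.255.0 10.10.1.0 255.255.255.0
crypto map OUTSIDE_MAP 1 match address SITE_1
crypto map OUTSIDE_MAP 1 match address SITE_2
""".strip().splitlines()

# Constructed sample for the single-server case: hub side and its remote mirror.
HUB_HOST = ["access-list SITE_1 extended permit ip 192.168.101.0 255.255.255.0 host 10.10.1.200"]
REMOTE_HOST = ["access-list SITE_1 extended permit ip host 10.10.1.200 192.168.101.0 255.255.255.0"]

if __name__ == "__main__":
    for label, cfg in (("split", HUB_SPLIT), ("clash", HUB_CLASH)):
        s1, s2 = parse_acl(cfg, "SITE_1"), parse_acl(cfg, "SITE_2")
        print(label, crypto_overlaps(s1, s2), not_nat_exempt(s1 + s2, parse_acl(cfg, "NO_NAT")),
              duplicate_crypto_map_seq(cfg))
    print("mirror", is_mirror(parse_acl(HUB_HOST, "SITE_1"), parse_acl(REMOTE_HOST, "SITE_1")))
```

The mirror check is the answer to the first post's "would the remote site need a matching ACL" question, and it also shows why the one-directional restriction asked about in the second question cannot live in the crypto ACL: a hub ACL of network-to-host paired with a remote ACL of network-to-network is not a mirror pair, so the direction limit has to go on the interface ACL as described above.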

Thanks for replying Jennifer. So if I understand you correctly I would have the following for Main Office, and the two Remote Sites:

Main Office - 192.168.101.0/24

access-list NO_NAT extended permit ip 192.168.101.0 255.255.255.0 10.150.1.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.101.0 255.255.255.0 10.150.2.0 255.255.255.0
access-list SITE_1 extended permit ip 192.168.101.0 255.255.255.0 host 10.150.1.200
access-list SITE_1 extended deny ip 192.168.101.0 255.255.255.0 10.150.1.0 255.255.255.0
access-list SITE_2 extended permit ip 192.168.101.0 255.255.255.0 host 10.150.2.200
access-list SITE_2 extended deny ip 192.168.101.0 255.255.255.0 10.150.2.0 255.255.255.0
nat (Inside) 0 access-list NO_NAT
nat (Inside) 1 192.168.101.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address SITE_1
crypto map OUTSIDE_MAP 20 match address SITE_2

Remote Site #1 - 10.150.1.0/24

access-list NO_NAT extended permit ip 10.150.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list SITE_1 extended permit ip host 10.150.1.200 192.168.101.0 255.255.255.0
access-list SITE_1 extended deny ip 10.150.1.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (Inside) 0 access-list NO_NAT
nat (Inside) 1 10.150.1.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address SITE_1

Remote Site #2 - 10.150.2.0/24

access-list NO_NAT extended permit ip 10.150.2.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list SITE_2 extended permit ip host 10.150.2.200 192.168.101.0 255.255.255.0
access-list SITE_2 extended deny ip 10.150.2.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (Inside) 0 access-list NO_NAT
nat (Inside) 1 10.150.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address SITE_2

I am confused however how I do specify that no NAT is to be applied to this VPN. If I put :

access-list NO_NAT extended permit ip 10.150.2.0 255.255.255.0 192.168.101.0 255.255.255.0

Then ALL traffic, no matter what, between these two networks would not use network translation. That in principle I understand; however, the implementation in the ASA has got me a little confused here. Would the above example for Remote Site #2 work? It states first and foremost that I do not use NAT for this traffic between the two networks, and it is the ACL for "SITE_2" that defines what is and is not allowed specifically.


However, the permitted traffic in "SITE_2" ACL is for host to ip, whereas I have the NO_NAT ACL for ip to ip. I guess what I am asking is whether I would need to simply match the "NO_NAT" ACL to that of "SITE_2" to do host to ip.

What I am mainly concerned with really is just getting traffic from one whole network to the one single remote server, and that one remote server being able to contact the whole network on the other side. I think I understand better now at least that permitting the specific host, and then denying the network, is what needs to be done.



Sorry, now I am confused as you have changed the subnet again for the remote sites.

Initially you mention that there are duplicate networks, and the first remote site will be the first /25 of the /24 network, and the second remote site will be the second /25 of the same /24 network. Now it looks like you are having 2 different subnets for your remote sites, i.e. 10.150.1.0/24 and 10.150.2.0/24.

Can you please confirm.

Also, you don't need any "deny" statement at all. The following example:

access-list SITE_2 extended permit ip host 10.150.2.200 192.168.101.0 255.255.255.0
access-list SITE_2 extended deny ip 10.150.2.0 255.255.255.0 192.168.101.0 255.255.255.0

You don't need the second line at all as there is an implicit deny at the end of any access-list, so you only need to configure the first line.