09-07-2011 09:35 AM - edited 02-21-2020 05:34 PM
Folks,
New to the board, so I'll say in advance I appreciate any constructive feedback someone might offer. My networking experience isn't that of a certified network professional. However, I've done an adequate job thus far at figuring things out on my own, and would be grateful for any advice or direction in solving this problem.
Problem:
Developers need to access resources that are in a data center using our office HQ whitelisted IP. They also at the same time need to be able to access QA test boxes that are in our internal network.
Question:
Is this even possible to have both internal access to machines, and SSH, Telnet, HTTP/HTTPS access to outside resources, while inheriting our HQ's whitelisted IP?
All of that within the same VPN Group?
09-15-2011 12:27 PM
Hi Todd,
I think I understand your requirements but I'm not too sure.
If you could break down your requirements we could provide some input.
Could you:
1- Provide a simple network topology where things are located example: HQ Whitelisted IP, QA test internal Network, developers etc..
2- Who are the developers? Are they located outside your network?
3- What type of VPN are you referring to, Remote Access VPN or L2L VPN?
Regards
09-16-2011 11:13 AM
Network is rather simple, due to the fact that all our source code is stored in the cloud. We host no servers, only some build boxes/test machines, all of which are located on VLAN 1, which is the same VLAN as the office network. They're static IPs that people can SSH, or simply RDP, into.
To expand on what was originally posted.
The reason behind the ricochet off the Outside interface was so that when the organization scales, people aren't hammering my ASA for 8 hrs a day while they're doing work, or maybe watching Netflix at the same time. We've got a lot of remote workers, and internationals. So the transparency isn't there, and I don't have the time to play traffic cop with bandwidth usage. So I decided to limit what traffic goes through the VPN with the Tunnel.
I'd like to be able to add our office network to the tunnel VPN group. However, when I add our office range to the ACL Manager and Standard ACL group that corresponds with that VPN policy, it breaks the VPN.
My NAT rules are attached.
Please let me know if there's anything else I should provide.
And lastly, thank you very much for your interest in helping me. I appreciate any assistance you might offer.
09-16-2011 12:13 PM
Todd, thanks for clarifying a bit more.
I'd like to be able to add our office network to the tunnel VPN group. However, when I add our office range to the ACL Manager and Standard ACL group that corresponds with that VPN policy, it breaks the VPN.
Would you be able to post a sanitized config relevant to both tunnels, or better, all config ("show run"), excluding any public IPs?
What you are saying is that once you add the office network to the VPN group tunnel it breaks. Remember that you need to not only add the NAT exempt rule but also add it to the crypto access list pertaining to that tunnel.
Again, could you post the config please?
Regards
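As an added illustration, not anyone's posted config from this thread, here is how the pieces the reply names fit together on an ASA for a remote-access group: the standard split-tunnel ACL carries both the office LAN and the data-center hosts, the NAT exemption covers pool-to-office traffic, and the hairpin rules let pool traffic re-exit the outside interface so it carries the HQ public address (the "ricochet" described above). All object names, ACL names, group-policy names and addresses are placeholders, and 8.3-or-later NAT syntax is assumed.

```cisco
! Added example, not the poster's configuration. Names/addresses are placeholders.
! Assumes ASA 8.3+ NAT syntax; on 8.2 the exemption is "nat (inside) 0 access-list".

! Address pool handed to remote-access VPN clients
ip local pool VPN_POOL 192.168.100.1-192.168.100.50 mask 255.255.255.0

object network VPN_POOL_NET
 subnet 192.168.100.0 255.255.255.0
object network OFFICE_LAN
 subnet 10.10.0.0 255.255.0.0

! Split-tunnel list (a standard ACL): only these destinations enter the tunnel.
! Office LAN (QA/build boxes) plus the data-center hosts that must be reached
! from the HQ public address; everything else (e.g. streaming) goes direct.
access-list SPLIT_TUNNEL standard permit 10.10.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit host 203.0.113.10
access-list SPLIT_TUNNEL standard permit host 203.0.113.11

group-policy DEV_VPN internal
group-policy DEV_VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! 1) NAT exemption (identity twice NAT) so office <-> VPN pool traffic is not
!    caught by the interface PAT. Adding a range to the split-tunnel list
!    without a matching exemption is the usual cause of "it breaks the VPN".
nat (inside,outside) source static OFFICE_LAN OFFICE_LAN destination static VPN_POOL_NET VPN_POOL_NET no-proxy-arp route-lookup

! 2) Hairpin: allow VPN traffic to leave through the same outside interface it
!    arrived on, and PAT it to the ASA's whitelisted public address.
same-security-traffic permit intra-interface
object network VPN_POOL_NET
 nat (outside,outside) dynamic interface
```

The exemption in step 1 sits in NAT section 1 and is evaluated before the object NAT in step 2, so pool-to-office traffic stays untranslated while pool-to-data-center traffic is PATed to the outside address.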
09-16-2011 01:34 PM