11-14-2022 12:36 PM
I am trying to set up a quite unusual VPN configuration. For me anyway.
I thought it would be easy, and maybe it is, but I am not able to get things running the way I want.
This is my goal:
I have two ASA 5515-X firewalls, #1 and #2. I want to set up SSL client VPN on #1 and I want the VPN users to be able to reach servers behind #2. The servers are located on two VLANs behind #2, 801 & 802.
This is the result so far:
VPN clients are able to ping the hosts on vlans 801 & 802 behind ASA #2, but they cannot connect to them using SSH or RDP.
Relevant conf for ASA #1:
```cisco
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/2.801
 vlan 801
 nameif vlan801
 security-level 50
 ip address 192.168.15.5 255.255.255.0
!
interface GigabitEthernet0/2.802
 vlan 802
 nameif vlan802
 security-level 50
 ip address 192.168.16.5 255.255.255.0
!
object network net_vpnclients
 subnet 10.10.10.0 255.255.255.0
object network net_vlan801
 subnet 192.168.15.0 255.255.255.0
object network net_vlan802
 subnet 192.168.16.0 255.255.255.0
!
ip local pool vpn_pool 10.10.10.32-10.10.10.63 mask 255.255.255.0
!
! Split tunnel: only the two server VLANs are sent into the tunnel
access-list splitTunnelAcl standard permit 192.168.15.0 255.255.255.0
access-list splitTunnelAcl standard permit 192.168.16.0 255.255.255.0
!
! NAT exemption (identity twice NAT) between the server VLANs and the VPN pool
nat (vlan801,outside) source static net_vlan801 net_vlan801 destination static net_vpnclients net_vpnclients
nat (vlan802,outside) source static net_vlan802 net_vlan802 destination static net_vpnclients net_vpnclients
!
group-policy GroupPolicy_vpn internal
group-policy GroupPolicy_vpn attributes
 wins-server none
 vpn-idle-timeout 1200
 vpn-session-timeout none
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTunnelAcl
 address-pools value vpn_pool
!
tunnel-group vpn_profile type remote-access
tunnel-group vpn_profile general-attributes
 address-pool vpn_pool
 default-group-policy GroupPolicy_vpn
tunnel-group vpn_profile webvpn-attributes
 group-alias Profile10 enable
```
Relevant conf for ASA #2:
```cisco
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/2.801
 vlan 801
 nameif vlan801
 security-level 50
 ip address 192.168.15.1 255.255.255.0
!
interface GigabitEthernet0/2.802
 vlan 802
 nameif vlan802
 security-level 50
 ip address 192.168.16.1 255.255.255.0
!
object network host1
 host 192.168.15.150
object network host2
 host 192.168.16.150
object network net_vpnclients
 subnet 10.10.10.0 255.255.255.0
object network net_vlan801
 subnet 192.168.15.0 255.255.255.0
object network net_vlan802
 subnet 192.168.16.0 255.255.255.0
object-group network all_internal_networks
 network-object object net_vlan801
 network-object object net_vlan802
!
! Return path for the VPN pool: back out the server VLAN toward ASA #1
route vlan801 10.10.10.0 255.255.255.0 192.168.15.5 1
!
! Inbound ACLs on the server VLANs: allow traffic to the VPN pool, block
! VLAN-to-VLAN traffic, allow everything else (Internet)
access-list acl_vlan801 extended permit ip any object net_vpnclients log disable
access-list acl_vlan801 extended deny ip any object-group all_internal_networks
access-list acl_vlan801 extended permit ip any any
access-list acl_vlan802 extended permit ip any object net_vpnclients log disable
access-list acl_vlan802 extended deny ip any object-group all_internal_networks
access-list acl_vlan802 extended permit ip any any
!
access-group acl_vlan801 in interface vlan801
access-group acl_vlan802 in interface vlan802
```
Without the route in ASA #2 I cannot ping the hosts.
And I don't know if the ACL for VPN clients actually helps...
What am I missing?
11-14-2022 12:55 PM - edited 11-14-2022 01:11 PM
@manoman How are these firewalls connected, one in front of the other or in parallel?
Provide a diagram
What's the point of the first firewall?
What device is the default gateway of the servers?
11-14-2022 01:13 PM
They are not in front of each other. They are side by side and handling different external IP addresses and different internal VLANs (two different customers with their own quite normal setup with NATed hosts etc.). VLANs 801 & 802 are only added to ASA #1 to be able to communicate on these VLANs, which until now only existed behind ASA #2.
ASA #2 is the gateway for the servers.
Hope this helps...
11-14-2022 01:17 PM
@manoman So the clients would route traffic destined for ASA #1 via ASA #2; that's not a good idea.
Create a different routed link/VLAN between the ASAs and the switch, let the switch do the routing to ASA #1 with a static route for the VPN IP pool, and other traffic would be routed via ASA #2.
11-14-2022 01:19 PM
Between ASA1 and ASA2 you need to configure a different VLAN.
In ASA1, configure a static route for the server VLANs toward the outside of ASA2.
In ASA2, configure a static route for the AnyConnect pool toward the inside of ASA1.
In ASA2 you must allow the AnyConnect pool via ACL inbound to ASA2 (configure the ACL direction IN on the outside of ASA2).
11-15-2022 02:04 AM
Ok, I understand the difference. What would these routes and ACLs look like? Like below?
On ASA #1:
```cisco
route outside 192.168.15.0 255.255.255.0 OUTSIDE_IP_ASA_2 1
route outside 192.168.16.0 255.255.255.0 OUTSIDE_IP_ASA_2 1
```
On ASA #2:
```cisco
route vlan801 10.10.10.0 255.255.255.0 192.168.15.5 1
access-list outside_access_in extended permit tcp object net_vpnclients object host1 eq ssh
access-list outside_access_in extended permit tcp object net_vpnclients object host2 eq ssh
```
Or maybe I can get the desired behaviour by using an IPsec tunnel with hairpinning between my two ASAs? Maybe overkill when the ASAs stand next to each other.
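The following is an added, worked configuration for the dedicated-link design the two replies describe; it is not from the thread and not something either ASA is running. It assumes a transit VLAN 900 on the same trunk, 192.168.99.0/30 on it (.1 on ASA #1, .2 on ASA #2), an interface name of "transit", and RDP on TCP/3389; object names, the VPN pool and VLANs 801/802 are taken from the posted configs. The point of the design is symmetry: in the original setup the client's SYN reaches a server directly from ASA #1 on the server VLAN, but the server's reply goes to its default gateway ASA #2, which then sees the server-to-client half of a TCP session it never saw opened and drops it (ICMP carries no such state, which is consistent with ping working while SSH and RDP fail). With a transit link and ASA #1 no longer attached to VLANs 801/802, every packet of a session crosses ASA #2 in both directions, and the inbound ACL on ASA #2's transit interface becomes the single place where what VPN users may reach is decided. The example therefore replaces the existing "route vlan801 10.10.10.0 ... 192.168.15.5" entry on ASA #2 instead of keeping it.

```cisco
! Added example (not from the thread). Assumed: VLAN 900 / 192.168.99.0/30 as
! the ASA-to-ASA transit link, interface name "transit", RDP = TCP/3389.
!
! ===== ASA #1 (VPN headend) =====
! Remove the direct legs into the server VLANs first (the NAT rules reference
! the interfaces, so they go before the subinterfaces).
no nat (vlan801,outside) source static net_vlan801 net_vlan801 destination static net_vpnclients net_vpnclients
no nat (vlan802,outside) source static net_vlan802 net_vlan802 destination static net_vpnclients net_vpnclients
no interface GigabitEthernet0/2.801
no interface GigabitEthernet0/2.802
!
interface GigabitEthernet0/2.900
 vlan 900
 nameif transit
 security-level 50
 ip address 192.168.99.1 255.255.255.252
!
object network net_vpnclients
 subnet 10.10.10.0 255.255.255.0
object-group network server_vlans
 network-object 192.168.15.0 255.255.255.0
 network-object 192.168.16.0 255.255.255.0
!
! Server VLANs are now reached only through ASA #2 over the transit link.
route transit 192.168.15.0 255.255.255.0 192.168.99.2 1
route transit 192.168.16.0 255.255.255.0 192.168.99.2 1
!
! Identity twice NAT so VPN client addresses survive the transit hop and
! ASA #2 can filter on them; route-lookup keeps egress decided by the routing table.
nat (outside,transit) source static net_vpnclients net_vpnclients destination static server_vlans server_vlans no-proxy-arp route-lookup
!
! ===== ASA #2 (default gateway of the servers) =====
interface GigabitEthernet0/2.900
 vlan 900
 nameif transit
 security-level 0
 ip address 192.168.99.2 255.255.255.252
!
object network net_vpnclients
 subnet 10.10.10.0 255.255.255.0
object network host1
 host 192.168.15.150
object network host2
 host 192.168.16.150
!
! Return path for the pool now points at the transit link, not at a leg of
! ASA #1 sitting on the server VLAN.
no route vlan801 10.10.10.0 255.255.255.0 192.168.15.5 1
route transit 10.10.10.0 255.255.255.0 192.168.99.1 1
!
! Enforcement point: only SSH and RDP from the VPN pool to the two hosts;
! everything else arriving on the link is dropped and logged.
access-list transit_access_in extended permit tcp object net_vpnclients object host1 eq ssh
access-list transit_access_in extended permit tcp object net_vpnclients object host1 eq 3389
access-list transit_access_in extended permit tcp object net_vpnclients object host2 eq ssh
access-list transit_access_in extended permit tcp object net_vpnclients object host2 eq 3389
access-list transit_access_in extended deny ip any any log
access-group transit_access_in in interface transit
!
! Only needed if ASA #2 has dynamic NAT rules broad enough to catch this
! traffic (e.g. a nat (any,any) rule); identity NAT keeps server<->VPN-client
! traffic untranslated. The existing acl_vlan801/acl_vlan802 entries that
! permit traffic to net_vpnclients already cover the reply direction.
nat (vlan801,transit) source static net_vlan801 net_vlan801 destination static net_vpnclients net_vpnclients
nat (vlan802,transit) source static net_vlan802 net_vlan802 destination static net_vpnclients net_vpnclients
```

To check the path before testing from a client, run on ASA #2 `packet-tracer input transit tcp 10.10.10.33 40000 192.168.15.150 22` (expected result ALLOW, with the route lookup choosing vlan801) and the same with a port that is not permitted (expected DROP at the ACL phase). Once a client connects, `show conn address 10.10.10.33` on ASA #2 should list the TCP connection between transit and vlan801, which confirms both halves of the session are passing through the same firewall. The split-tunnel list on ASA #1 only controls what the client sends into the tunnel and is not an access control; the transit ACL on ASA #2 is.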
11-16-2022 04:14 AM
I solved this for now by setting up an IPsec tunnel and hairpinning. Works the way I wanted. Will have to test the other solution again when I have the time. Thanks everyone.