
Complex network design HELP!

howithink (Level 1)

Hi,

I am tasked with setting up IPsec VPN access to a network with multiple servers, and it is set up as follows:

GW: 172.20.x.1
device1: 192.168.1.10
device2: 192.168.1.20
mobile device pool: 10.10.10.0/24

There is a layer 3 switch to which all servers are connected and to which I do not have access.

On it, there are multiple VLANs and some ports trunked to allow the above VLAN traffic to come through. I am given one port on that switch, which I connect to my ASA. I presume it's a trunk port, but it may not be.

Remote techs need access to this network, primarily device1 and device2. They also need access to the 10.x pool for testing.

My question is, how do I set up my ASA5505 to allow these remote techs access to these devices? This is a brand new ASA5505 out of the box.

What network do I set up on the inside interface of the ASA?

I am confused, please help!

 

Accepted Solution

All you need to do is add those IPs and subnet to the crypto ACL and also make sure those IPs are part of the No NAT / NAT 0 statement.

So the remote company has given you 3 IPs that want access to the two devices and the mobile IP pool? If that is the case then your crypto ACL will look something like the following:

access-list VPN-ACL extended permit ip host 192.168.1.10 host <remote IP>
access-list VPN-ACL extended permit ip host 192.168.1.20 host <remote IP>
access-list VPN-ACL extended permit ip 10.10.10.0 255.255.255.0 host <remote IP>
crypto map VPNMAP 5 match address VPN-ACL

access-list NO-NAT extended permit ip host 192.168.1.10 host <remote IP>
access-list NO-NAT extended permit ip host 192.168.1.20 host <remote IP>
access-list NO-NAT extended permit ip 10.10.10.0 255.255.255.0 host <remote IP>
nat (inside) 0 access-list NO-NAT

--
Please remember to select a correct answer and rate helpful posts
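An added consistency check, not part of the thread or any Cisco tool: it parses ASA 8.2-style access-list lines like the ones above and reports crypto ACL (interesting traffic) entries that have no NAT-exempt entry covering them, which is the mismatch the answer warns about (such traffic would still be translated and fail to match the peer's crypto ACL). The sample config and the 203.0.113.10 remote address are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample in the ASA 8.2 style of the accepted answer; 203.0.113.10
# is a documentation-range placeholder for the remote IP, not a real peer.
SAMPLE_CONFIG = """
access-list VPN-ACL extended permit ip host 192.168.1.10 host 203.0.113.10
access-list VPN-ACL extended permit ip host 192.168.1.20 host 203.0.113.10
access-list VPN-ACL extended permit ip 10.10.10.0 255.255.255.0 host 203.0.113.10
access-list NO-NAT extended permit ip host 192.168.1.10 host 203.0.113.10
access-list NO-NAT extended permit ip 10.10.10.0 255.255.255.0 host 203.0.113.10
nat (inside) 0 access-list NO-NAT
crypto map VPNMAP 5 match address VPN-ACL
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")

def parse_endpoint(tokens):
    """Consume one endpoint ('host A.B.C.D' or 'NET MASK'); return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acls(config):
    """Map ACL name -> list of (src_net, dst_net) for 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        src, rest = parse_endpoint(m.group(2).split())
        dst, _ = parse_endpoint(rest)
        acls.setdefault(m.group(1), []).append((src, dst))
    return acls

def uncovered_by_nat_exempt(config, crypto_acl="VPN-ACL", nonat_acl="NO-NAT"):
    """Crypto ACL entries not fully covered by any NAT-exempt (nat 0) entry."""
    acls = parse_acls(config)
    exempt = acls.get(nonat_acl, [])
    missing = []
    for src, dst in acls.get(crypto_acl, []):
        if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
            missing.append(f"{src} -> {dst}")
    return missing

if __name__ == "__main__":
    for entry in uncovered_by_nat_exempt(SAMPLE_CONFIG):
        print("interesting traffic that would still be NATed:", entry)
```

In the sample the 192.168.1.20 entry is deliberately left out of NO-NAT, so the check flags exactly that flow.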


johnd2310 (Level 8)

Hi,

What is the version of code running on the ASA? Is the remote access required from the Internet or is it from a private network?

Thanks

John

**Please rate posts you find helpful**

ASA is using 8.2.x code and the access to my set will be via a site to site vpn tunnel from another private network. 

I am assuming we are talking about remote access VPN? In any case, this is not a very complex thing to do and is quite common when using 3rd party IT support. Keep in mind that the configuration will be slightly different depending on what ASA version you are running (pre 8.3 or post 8.3). Are we talking AnyConnect VPN or remote access IPsec VPN?

--
Please remember to select a correct answer and rate helpful posts

ASA is using 8.2.5, I believe. It's pre 8.3. No one is using AnyConnect. This is only for a site to site VPN tunnel. The remote company has sent me 3 IP addresses that they want me to exempt.

My confusion is how do I enable my ASA to grant access to the following servers: GW: 172.20.x.1, device1: 192.168.1.10, device2: 192.168.1.20, and mobile device IP pool: 10.10.10.0/24.

Thanks for your help.


I will give this a try and if need be, post the config here. Stay tuned... thanks.