10-04-2013 05:04 AM
Hello,
I have a Cisco 881 router and an ASA 5520 running SW 8.4.
I have configured EZVPN using NEM mode between the ASA and the 881 router. The 881 can access network resources on the inside interface of the ASA where it is terminating; however, the site using the 881 cannot access the internet. I know I could configure split tunnelling and the site would then only use the tunnel for our internal network (10.0.0.0). However, I would like this site to use our ASA to access the internet so that the restrictions will apply to this site too. I apologise in advance if I have not provided enough information.
Config for the 881 router is below. The ASA config is too big to post, but if you tell me precisely what you would like me to post, I will:
no ip domain lookup
ip domain name yourdomain.com
ip cef
no ipv6 cef
!
license udi pid CISCO881-K9 sn FCZ17219082
!
username netadmin privilege 15 secret 4 N2rcMRAZjsOjF7Kp/KUkH4cfBtBYp.1Cc.V8E0utmSI
!
crypto ipsec client ezvpn EZVPN
connect auto
group TG_EZVPN key ourkey
mode network-extension
peer FIREWALL IP
username user password password
xauth userid mode local
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description *** Outside Interface ***
ip address dhcp
duplex auto
speed auto
crypto ipsec client ezvpn EZVPN
!
interface Vlan1
description *** EZVPN Inside ***
ip address 172.16.217.1 255.255.255.0
ip helper-address 10.1.4.60
ip helper-address 10.1.4.61
ip tcp adjust-mss 1452
crypto ipsec client ezvpn EZVPN inside
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 dhcp
Solved! Go to Solution.
10-04-2013 06:10 AM
Hi,
Provided that traffic destined to any network other than the remote site's own network flows through the VPN connection, the most typical things that the central ASA might be missing are the following:
same-security-traffic permit intra-interface
Whether this configuration is already in use can be checked with:
show run same-security-traffic
The setting mentioned above enables the ASA to pass a packet incoming on an interface back out through the same interface it initially came in on. Without this setting it's not possible.
Then you will naturally need to have a NAT configuration for the users' connections from the remote LAN.
If we were to use Auto NAT / Network Object NAT (since I don't know how you have built the basic Dynamic PAT for your central site ASA), the configuration could look something like this:
object network REMOTE-SITE-PAT
subnet 172.16.217.0 255.255.255.0
nat (outside,outside) dynamic interface
The above should provide the Dynamic PAT to the "outside" interface of the central ASA when the hosts are connecting to the Internet.
Since the NEM Mode VPN is probably connected at this moment, you can test what would happen to an Internet-bound packet coming through the VPN connection (before even changing any of the above settings):
packet-tracer input outside tcp 172.16.217.100 12345 8.8.8.8 80
This should tell you what would happen to the packet. If you are missing the first command, I suspect the "packet-tracer" output will be very short and you should see a phase with DROP pretty soon.
- Jouni
10-16-2013 05:38 AM
Hi,
The only thing I am unclear about is the NAT-DESTINATION group.
Is this supposed to be some object that defines the actual NAT address the remote users use? I am just wondering, as we first used the "outside" interface IP address as the PAT address. Has this changed?
If I were to configure the above and had a requirement to add multiple source networks beforehand to the Dynamic PAT configuration, to avoid adding every single new site, then I would configure it with Manual NAT instead of my originally suggested Auto NAT:
object-group network REMOTE-SOURCE-NETWORKS
network-object
network-object
network-object
network-object
nat (outside,outside) after-auto source dynamic REMOTE-SOURCE-NETWORKS interface
I assume that you have preallocated parts of some networks as subnets for the remote sites, and because of this you could already add all those subnets/networks to the "object-group" and have a PAT configuration ready for everyone.
Let me know if this was what you were looking for.
Hope this helps.
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
10-16-2013 03:45 AM
Hello
Thanks so much for your help.
The above NAT rule allows my users to NAT to anywhere on the internet. Ideally I would like to create a NAT rule that would allow any source on the (outside,outside) NAT rule to be able to NAT to a group named NAT-DESTINATION.
This would stop me from having to add each site in manually every time I add a new EZVPN site, whilst maintaining a restricted NAT-DESTINATION group.
Would you recommend using an access list, maybe?
Thanks
tom
10-16-2013 06:39 AM
Hello Jouni,
Thanks for the reply.
That sounds good for allowing the remote networks to NAT. However, using your command above they would be able to NAT to anywhere on the internet. I would like these networks to only be able to access specific networks on the internet, e.g. Office 365 IP addresses etc.
10-16-2013 06:45 AM
Hi,
I suppose you could do it by configuring:
object-group network REMOTE-SOURCE-NETWORKS
network-object
network-object
network-object
network-object
object-group network ALLOWED-FOR-REMOTE
network-object host
network-object
nat (outside,outside) after-auto source dynamic REMOTE-SOURCE-NETWORKS interface destination static ALLOWED-FOR-REMOTE ALLOWED-FOR-REMOTE
I guess for the above configuration to apply you would have to remove the current Auto NAT / Network Object NAT configuration (as it's higher priority than this). Optionally, you could remove the "after-auto" parameter from the "nat" command, which would make it higher priority than the Auto NAT / Network Object NAT.
Though I would personally prefer controlling this with ACLs at some point of the network. You could even do it at the remote device's LAN interface ACL, so that the traffic/connection attempt would never even go through the VPN.
Cisco doesn't really suggest using NAT as a means to do access control.
- Jouni
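To make the two points in Jouni's replies concrete (the intra-interface check from the first solution, and the NAT section ordering and destination restriction from the last one), here is a small Python model added to this thread. It is not Cisco code and not how the ASA is implemented: it treats NAT as three ordered sections (manual, object/auto, manual after-auto) with first-match within a section, ignores the ASA's internal sorting of object NAT rules, and models the hairpin permission as a single flag. The remote LAN is the 881's Vlan1 subnet from the thread; the ALLOWED-FOR-REMOTE prefixes are constructed documentation ranges standing in for whatever that object-group would really contain.

```python
"""Toy model of ASA NAT rule selection for hairpinned (outside,outside) EZVPN traffic.

Added illustration, not Cisco code. Section order: 1 = manual NAT, 2 = object
(auto) NAT, 3 = manual NAT with "after-auto". First match wins.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data: the remote LAN is the 881's Vlan1 subnet from the
# thread; the allowed destinations are placeholder documentation prefixes.
REMOTE_SOURCE_NETWORKS = [ipaddress.ip_network("172.16.217.0/24")]
ALLOWED_FOR_REMOTE = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.10/32"),
]


@dataclass
class NatRule:
    name: str
    section: int                       # 1, 2 or 3 as described above
    ingress: str
    egress: str
    sources: List[ipaddress.IPv4Network]
    destinations: Optional[List[ipaddress.IPv4Network]] = None  # None = any dst

    def matches(self, ingress, egress, src, dst) -> bool:
        if (ingress, egress) != (self.ingress, self.egress):
            return False
        if not any(src in net for net in self.sources):
            return False
        if self.destinations is not None and not any(dst in net for net in self.destinations):
            return False
        return True


def lookup_nat(rules, ingress, egress, src, dst) -> Optional[NatRule]:
    """Return the first matching rule walking sections 1, 2, 3 in turn."""
    for section in (1, 2, 3):
        for rule in rules:
            if rule.section == section and rule.matches(ingress, egress, src, dst):
                return rule
    return None


def trace(rules, intra_interface_permitted, src, dst, ingress="outside", egress="outside"):
    """Toy packet-tracer: hairpin check first, then NAT lookup."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Internet-bound traffic from the VPN enters and leaves on "outside";
    # without "same-security-traffic permit intra-interface" it is dropped.
    if ingress == egress and not intra_interface_permitted:
        return "DROP (intra-interface)"
    rule = lookup_nat(rules, ingress, egress, src, dst)
    return "NO-NAT" if rule is None else f"PAT via {rule.name}"


# object network REMOTE-SITE-PAT / nat (outside,outside) dynamic interface
AUTO_PAT = NatRule("REMOTE-SITE-PAT", 2, "outside", "outside", REMOTE_SOURCE_NETWORKS)


def restricted_rule(after_auto: bool) -> NatRule:
    """nat (outside,outside) [after-auto] source dynamic REMOTE-SOURCE-NETWORKS
    interface destination static ALLOWED-FOR-REMOTE ALLOWED-FOR-REMOTE"""
    return NatRule("RESTRICTED-PAT", 3 if after_auto else 1, "outside", "outside",
                   REMOTE_SOURCE_NETWORKS, ALLOWED_FOR_REMOTE)


def scenarios():
    """The cases discussed in the thread, keyed by a short label."""
    host, allowed, other = "172.16.217.100", "203.0.113.5", "8.8.8.8"
    return {
        "no hairpin permitted": trace([AUTO_PAT], False, host, other),
        "after-auto rule never beats object NAT": trace([AUTO_PAT, restricted_rule(True)], True, host, allowed),
        "manual rule (no after-auto) wins for allowed dst": trace([AUTO_PAT, restricted_rule(False)], True, host, allowed),
        "manual rule misses, object NAT still catches": trace([AUTO_PAT, restricted_rule(False)], True, host, other),
        "object NAT removed, other dst untranslated": trace([restricted_rule(False)], True, host, other),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:50} -> {result}")
```

Running it prints the five cases. Two things the model makes visible: the "after-auto" rule is never consulted while the object NAT exists, which is why the object NAT has to go (or "after-auto" has to be dropped) for the destination restriction to apply; and "NO-NAT" means "not translated", not "blocked", which is the reason Jouni points to an ACL rather than NAT for the actual access control.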
10-16-2013 06:51 AM
Spot on.
Thanks for your help Jouni
01-17-2016 09:52 PM
Hi tomasroberton,
I am also trying the same scenario, but I am getting an error. Can you post your server config as well?
I have configured it using the Cisco client and it is working; my internet traffic is going out via the tunnel. But with the hardware client I am getting the following error:
5 | Jan 16 2016 | 09:38:30 | 713050 | Group = EasyVPN, Username = hardware1, IP = y.y.y.y, Connection terminated for peer hardware1. Reason: Peer Terminate Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0 |