11-13-2013 03:58 PM
Hello,
I'm new to this version of ASDM / CLI
ASA 9.1(3) ASDM 7.1(4)
I'm currently running TWO 5512x. They are connected through VPN.
NETWORK_OBJ_192.168.42.0_24: 192.168.42.1 / 24
Filmtrack-Dev: 192.168.43.1 / 24
AWSV: 10.1.0.0 /16
RSORD: 192.168.200.0 / 24
Traffic is passing fine for both main and dev. However I cannot pass traffic to dev for the AWSV and RSORD subnets. ASWSV and RSORD are connected to MAIN through VPN. Main can connect to AWSV and RSORD
I've seen a couple of discussions which address the same thing. I've attempted to make those changes, but it's still not working. Maybe a fresh pair of eyes can see what I've missing or misconfigured. Thanks for any insight and input.
Most of these entries were created when the wizard was used to create the tunnels.
Message was edited by: Chuck Ostlie - Updated attachments
11-14-2013 08:36 AM
Hi,
I think we have to open up the actual layout of this whole network.
All the "object" and "object-group" are making my eyes bleed
What I gather from the partial configurations is that there are following sites
MAIN: 192.168.42.0/24
DEV: 192.168.43.0/24
But then theres the question where are the following networks located which assume are the problem now
VIRGINIA: 10.1.0.0/16
LON(DON?): 192.168.200.0/24
I assume that these are both located behind separate L2L VPN connections through the MAIN site?
So I assume that you want to have the traffic first flow from the DEV site to the MAIN site and then to VIRGINIA and LONDON. All of the sites are connected by L2L VPN which central point is the MAIN site.
Let me know how the actual setup is.
- Jouni
11-14-2013 10:41 AM
Hello Jouni,
Thanks for the fast response. You've hit the nail on the head! All the Wizard created objects were causing my eyes and brain to bleed!
As you have stated, we want the traffic to flow from DEV to MAIN, then to LONDON or VIRGINIA or CHICAGO for now. London, VA and CHI are hosting providers. We have VM's hosted at these locations. So we want to be able to manage them.
London, Virginia and Chicago are all connected to MAIN through L2L.
I've updated the attachments. They should contain the full configs now.
11-14-2013 10:59 AM
Hi,
I will be able to take a look at this a bit later (maybe in a few hours).
I'll get back to you then.
A couple of additional questions in the mean while
- Jouni
11-14-2013 11:09 AM
Hello Jouni,
Thanks again. The answer to your question is. I only manage the DEV and MAIN. I do not have direct access to the other firewalls. I have to submit a request to Verizon or Amazon, if I need to make changes to their FW.
Cheers,
Chuck
UPDATE: I've made a change to the MAIN FW. It looks like traffic is getting all the way from DEV to MAIN, but not beyond. When I look at the ASDM Monitoring. I see the DEV FW transmit 60bytes of ping traffic to 192.168.100.0/24 and the 60bytes being received on the MAIN FW.
This is what I am doing. From the DEV network (192.168.43.0/24), I ping 192.168.100.45/24. I receive the Request Timed Out.
Should I be adding routes?
11-14-2013 03:24 PM
Hi,
Ok, so lets see what we need to do.
There a basically 2 options on how you can enable traffic from the DEV site through the MAIN site to all 3 HOSTING sites.
Naturally of the above options the second one enables you to do the changes without waiting around for all the HOSTING sites to make the required changes. If the current traffic from MAIN site works to all the HOSTING sites then you should have no problems getting the traffic from DEV to HOSTING work.
I will go through the second options needed configuration compared to the full configurations you attached earlier. Judging by your UPDATE they might have changed in some parts so take that into account. I will try to use different "access-list" , "object" and "object-group" configurations and naturally introduce net "nat" configurations. If something was to get broken for reason or another then you should be able to revert back to using the old "nat" and "access-list" configurations.
Lets start with the DEV site configurations
DEV SITE
My doubt regarding the DEV SITE is how do you manage the ASA? I can only see management enabled from behind the local networks? Do you perhaps use the VPN Client connection to jump to some internal device and use it to manage the ASA and DEV SITE? I was originally about to remove the NAT configuration for the VPN Client but I imagine that you are using the VPN to manage the ASA in the above mentioned way so we could not do that change without you loosing that connectivity so we would have to leave the current NAT in place UNLESS you enable SSH connectivity through public Internet first so you can have CLI access to the ASA at all times even though you wasnt able to use any VPN connection to DEV SITE. Let me know how you have handle making changes to DEV SITE before making any changes.
The below configurations contain the following steps
object-group network REMOTE-SITES
description MAIN and HOSTING sites
network-object 192.168.42.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0
network-object 192.168.200.0 255.255.255.0
network-object 10.1.0.0 255.255.0.0
object network DEV-SITE
subnet 192.168.43.0 255.255.255.0
access-list MAIN-SITE-L2LVPN remark Encryption Domain for MAIN site L2LVPN
access-list MAIN-SITE-L2LVPN permit ip object DEV-SITE object-group REMOTE-SITES
no nat (Inside,Outside) source static NETWORK_OBJ_192.168.43.0_24 NETWORK_OBJ_192.168.43.0_24 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup
no crypto map Outside_map 1 match address Outside_cryptomap
nat (Inside,Outside) source static DEV-SITE DEV-SITE destination static REMOTE-SITES REMOTE-SITES
crypto map Outside_map 1 match address MAIN-SITE-L2LVPN
MAIN SITE
The MAIN SITE is a bit more configuration work simply because it holds 4 L2L VPN connections. With regards to the below changes I presume you are also on site to manage the ASA
The below configurations contain the following steps
object-group network HOSTING-SITES
description HOSTING sites
network-object 192.168.100.0 255.255.255.0
network-object 192.168.200.0 255.255.255.0
network-object 10.1.0.0 255.255.0.0
object network MAIN-SITE
subnet 192.168.42.0 255.255.255.0
object network DEV-SITE
subnet 192.168.43.0 255.255.255.0
object network HOSTING-VIRGINIA
subnet 10.1.0.0 255.255.0.0
object network HOSTING-CHICAGO
subnet 192.168.100.0 255.255.255.0
object network HOSTING-LONDON
subnet 192.168.200.0 255.255.255.0
object network DEV-PAT-ADDRESS
host 192.168.42.254
access-list DEV-SITE-L2LVPN remark Encryption Domain for DEV site L2LVPN
access-list DEV-SITE-L2LVPN permit ip object HOSTING-SITES object DEV-SITE
access-list DEV-SITE-L2LVPN permit ip object MAIN-SITE object DEV-SITE
access-list HOSTING-VIRGINIA-L2LVPN remark Encryption Domain for HOSTING VIRGINIA site L2LVPN
access-list HOSTING-VIRGINIA-L2LVPN permit ip object MAIN-SITE object HOSTING-VIRGINIA
access-list HOSTING-CHICAGO-L2LVPN remark Encryption Domain for HOSTING CHICAGO site L2LVPN
access-list HOSTING-CHICAGO-L2LVPN permit ip object MAIN-SITE object HOSTING-CHICAGO
access-list HOSTING-LONDON-L2LVPN remark Encryption Domain for HOSTING LONDON site L2LVPN
access-list HOSTING-LONDON-L2LVPN permit ip object MAIN-SITE object HOSTING-LONDON
no nat (Inside,Outside) source static NETWORK_OBJ_192.168.42.0_24 NETWORK_OBJ_192.168.42.0_24 destination static Filmtrack-Dev Filmtrack-Dev no-proxy-arp route-lookup
no nat (Inside,Outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static Rackspace-ORD Rackspace-ORD no-proxy-arp route-lookup
no nat (Inside,Outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static Filmtrack-Dev Filmtrack-Dev no-proxy-arp route-lookup
no nat (Inside,Outside) source static NETWORK_OBJ_192.168.42.0_24 NETWORK_OBJ_192.168.42.0_24 destination static Amazon-Virginia Amazon-Virginia no-proxy-arp route-lookup
no nat (Inside,Outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static Amazon-Virginia Amazon-Virginia no-proxy-arp route-lookup
no nat (Inside,Outside) source static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 destination static Rackspace-LON Rackspace-LON no-proxy-arp route-lookup
no nat (Outside,Outside) source static Filmtrack-Dev Filmtrack-Dev destination static Rackspace-ORD Rackspace-ORD no-proxy-arp
no nat (Outside,Outside) source static Rackspace-ORD Rackspace-ORD destination static Filmtrack-Dev Filmtrack-Dev no-proxy-arp route-lookup
no crypto map Outside_map 1 match address Outside_cryptomap
no crypto map Outside_map 2 match address Outside_cryptomap_1
no crypto map Outside_map 3 match address Outside_cryptomap_2
no crypto map Outside_map 4 match address Outside_cryptomap_3
crypto map Outside_map 1 match address DEV-SITE-L2LVPN
crypto map Outside_map 2 match address HOSTING-CHICAGO-L2LVPN
crypto map Outside_map 3 match address HOSTING-VIRGINIA-L2LVPN
crypto map Outside_map 4 match address HOSTING-LONDON-L2LVPN
nat (Inside,Outside) 1 source static MAIN-SITE MAIN-SITE destination static DEV-SITE DEV-SITE
nat (Outside,Outside) 2 source dynamic DEV-SITE DEV-SITE-PAT destination static HOSTING-CHICAGO HOSTING-CHICAGO
nat (Outside,Outside) 3 source dynamic DEV-SITE DEV-SITE-PAT destination static HOSTING-VIRGINIA HOSTING-VIRGINIA
nat (Outside,Outside) 4 source dynamic DEV-SITE DEV-SITE-PAT destination static HOSTING-LONDON HOSTING-LONDON
The main diffence in the above configurations for MAIN SITE are how we do NAT and how we configure the new L2L VPN ACLs.
The above contains quite a bit of configurations and text. I hope you are able to make out what I aiming with my example configurations. My main worry (as mentioned before) is the fact that you should make sure that you have CLI access to both MAIN SITE and DEV SITE ASA so you are in no way reliant on any VPN connection to manage each ASA during these changes. So if you are at MAIN SITE LAN when doing changes then make sure that you can log onto the DEV SITE ASA using the external public IP of the DEV SITE ASA. You should allow the SSH connections from the MAIN SITE public IP address of the ASA. This way remote management of DEV SITE ASA should stay unchanged.
Since it seems you have not yet used SSH on the DEV SITE you would need these configurations possibly
ssh version 2
ssh timeout 30
ssh
ssh
crypto key generate rsa modulus 1024
With
You could also consider doing the same with the "http" commands you already have so you can atleast temporarily use ASDM from the external network also.
Hope I made any sense
Let me know what the situation is and if you can try the changes out
- Jouni
11-14-2013 04:30 PM
Hello Jouni,
WOW! Thanks for taking the time to compile this email. I really appreciate it. I'll go through it. From what I've read so far, it looks pretty and pretty straight forward. I'll see about getting it implemented.
Answering some of the question you asked...
I console directly into the DEV ASA. As for the MAIN ASA, I go through the current L2L VPN. I believe I can also connect through a different VPN at the main site and connect to the MAIN ASA that way. I don't have to connect through any other machine to connect to the MAIN ASA.
-Chuck
11-15-2013 04:14 AM
Hi,
If you are at the DEV SITE I would suggest configuring the MAIN SITE ASA so that you can use the Internet connection of the DEV SITE (and its public IP address) to connecto the MAIN SITE ASA with SSH. Since we are doing changes to the L2L VPN and NAT on both MAIN and DEV site there is a risk that your remote connection might be affected and that could cause problems.
If you have the ability to connect to the MAIN SITE ASA directly through the Internet then no VPN or NAT related changes at either of your sites will effect that SSH connection and you should not have risk of loosing the management connection.
Do let me know how it goes if you are going to attempt the changes.
Hope it all goes well.
Remember to save the current configurations if there is a need to roll back to the original setup.
- Jouni
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide