02-04-2011 04:52 PM
We have an ASA5520 firewall, IOS 8.0(4), running in routed mode with an operational Cisco 2821 router to ASA-5520 L2L IPsec VPN.
All Internet searches explain how to enable a L2L IPsec VPN from the LOWER security-level interface to a HIGHER security-level interface, and this is how our setup is configured; it is operational and working fine.
We now have a need to set up another L2L IPsec VPN tunnel on the same firewall, BUT this time traffic will be arriving on the HIGHER security-level interface and the destination is on a LOWER security-level interface.
Is it possible to enable a L2L IPsec VPN tunnel from a HIGHER security-level interface to a LOWER security-level interface?
Could you assist with any special configs?
I can paste my current operational config if needed.
Thanks
Frank
02-04-2011 05:16 PM
Hi fsebera,
Can you explain your question in simple terms? Are you saying that you need to set up a tunnel between two sites, let's say A and B, where all traffic including general internet from site B will come into the tunnel and then head out to the internet?
Manish
02-04-2011 05:23 PM
No Internet at ANY point.
No Inside or Outside nameif interfaces.
nameif DMZ-1 with a security-level 50
nameif DMZ-2 with a security-level 60
Cisco 2821 router <---------------[DMZ-1]----ASA5520----[DMZ-2]---network
This is operational and working well.
Now we need to enable a new L2L IPsec VPN arriving on DMZ-1 (security-level 50) to reach devices in DMZ-3 (security-level 20).
Also, the remote Cisco 2821 router will ALWAYS initiate the VPN connection, as this remote Cisco router is mobile.
Hope this is clear.
Tks
Frank
02-04-2011 05:46 PM
I have never tested something like this, but I think you will not need any special configuration for that. VPN terminating on DMZ 1 means the traffic will get unencrypted on that interface and then will head to your DMZ 3, where it will be scanned against the access list just like normal traffic.
VPN in your case is just to encrypt packets between site A and site B; after it reaches site B, it is up to that firewall B to route it to its destination according to the route table and access lists, since the VPN is not terminating on that interface.
Manish
02-07-2011 08:35 AM
FYI,
Long story short - it does not matter and has no effect.
I cleared the config from the ASA 5520,
reloaded, added in the required static routes,
ASDM parameters for management,
and configured the interfaces as:
nameif DMZ-1 with a security-level 50
nameif DMZ-2 with a security-level 60
nameif DMZ-3 with a security-level 30
I loaded ASDM, configured the L2L VPN via the IPsec VPN Wizard with the same parameters as before, and saved the config.
From the remote site I made a successful connection to the lower security-level devices - no problem.
Security-level seems not to play a role in this setup, as most Cisco documentation implies (or perhaps something is wrong :})
Cisco 2821 router <---------------[DMZ-1]----ASA5520----[DMZ-3]---network
Cisco 2821 router <---------------[DMZ-1]----ASA5520----[DMZ-2]---network
This is operational and working well.
Regards
Frank
02-07-2011 12:20 PM
By default, the ASA allows decrypted traffic into the ASA. If you wanted to control traffic passing from a higher to a lower interface, you would need to disable "sysopt connection permit-vpn" and set up an access-list/access-group to deny the traffic. We generally don't recommend disabling this, though, because it will affect all VPN tunnels (so you'll need to configure the necessary permits/denies for all of your VPNs rather than just this one).
Here's more information about that command from the command reference:
"By default, the security appliance allows VPN traffic to terminate on a security appliance interface; you do not need to allow IKE or ESP (or other types of VPN packets) in an interface access list. By default, you also do not need an interface access list for local IP addresses of decrypted VPN packets. Because the VPN tunnel was terminated successfully using VPN security mechanisms, this feature simplifies configuration and maximizes the security appliance performance without any security risks. (Group policy and per-user authorization access lists still apply to the traffic.)
You can require an interface access list to apply to the local IP addresses by entering the no sysopt connection permit-vpn command. See the access-list and access-group commands to create an access list and apply it to an interface. The access list applies to the local IP address, and not to the original client IP address used before the VPN packet was decrypted."
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1412217
It sounds like you've got this figured out (if so, please mark the post as resolved and remember to rate any posts that helped you).
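As an added illustration of the point in the answer above (not configuration from the thread or from Cisco), the fragment below shows the default setting beside the two ways of restricting what the decrypted tunnel traffic arriving on DMZ-1 may reach in DMZ-3. The addresses, ACL names and group-policy name are constructed; it assumes the wizard-built crypto map is already bound to DMZ-1 and that the mobile 2821 lands in DefaultL2LGroup because its peer address changes.

```cisco
! Constructed example: remote LAN behind the 2821 = 192.0.2.0/24 (arrives on DMZ-1,
! security-level 50); servers it may reach in DMZ-3 = 198.51.100.0/24 (security-level 30).
!
! --- Default: decrypted tunnel traffic bypasses the DMZ-1 interface ACL. ---
! This is why the tunnel worked with no regard to security levels.
sysopt connection permit-vpn
!
! --- Option A (global): subject decrypted traffic to the inbound ACL on DMZ-1. ---
! Caveat from the thread: this affects EVERY tunnel on the ASA, so the existing
! DMZ-1 -> DMZ-2 tunnel's traffic needs its own permit entries in this ACL too.
no sysopt connection permit-vpn
access-list DMZ-1_IN extended permit tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq 443
access-list DMZ-1_IN extended permit icmp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 echo
! <add permit lines for the DMZ-2 tunnel's traffic here>
! Explicit logged deny so unexpected flows from the mobile router show up in syslog.
access-list DMZ-1_IN extended deny ip any any log
access-group DMZ-1_IN in interface DMZ-1
!
! --- Option B (per tunnel): leave sysopt at its default and use a vpn-filter, the ---
! --- "group policy access list" the quoted reference says still applies.        ---
! vpn-filter ACEs are written from the remote side: source = remote LAN, dest = local.
access-list L2L_DMZ3_FILTER extended permit tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq 443
access-list L2L_DMZ3_FILTER extended permit icmp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 echo
group-policy L2L_DMZ3_GP internal
group-policy L2L_DMZ3_GP attributes
 vpn-filter value L2L_DMZ3_FILTER
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy L2L_DMZ3_GP
!
! Verification: hit counts reveal which entries the decrypted traffic actually matches.
show access-list DMZ-1_IN
show access-list L2L_DMZ3_FILTER
show crypto ipsec sa
```

Option B limits only the tunnel that uses that group policy, so the working DMZ-2 tunnel is untouched; it is the narrower change when the goal is to fence in the new DMZ-3 peer rather than re-permit every VPN.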