08-23-2012 11:08 AM
Our client has a vendor who needs to establish a VPN tunnel to their own router which sits behind our Firewall.
VPN Concentrator (Vendor) <------> ASA5505 Client (7.2) <-------> 3750 Switch <-------> VPN router(Vendor)
Here is the set up info:
ASA outside Interface - 208.64.1x.x4 DG - 208.64.1x.x3
ASA Inside Interface - 172.20.58.13/30
3750 Switch Interface Connected to ASA - 172.20.58.14/30 and DG - 172.20.58.13
3750 Switch Interface connected to VPN router - 172.20.58.21
VPN Router Interface connected to the 3750 - 172.20.58.22/30 DG - 172.20.58.21
I have also attached a Visio for this and the running configuration from the ASA and 3750. We don't have access to the TNS VPN router.
Our responsibility is just to make sure the tunnel comes up.
Could you kindly help me with this?
Here is what I am planning to do:
1) Create a static NAT on the ASA for Public to Private IP of the VPN router
Public - 208.64.1x.x5 / 28
Private - 172.20.58.21 / 30
Will the ASA automatically ARP for this address or do I have to configure another interface on the ASA with this public IP?
2) What would the access list look like on the ASA?
3) The client gave us some config to copy the stuff on the ASA so that they can create the tunnel but I couldn't put those commands in the ASA. How would this be applied and on what interface?
Firewall Access: The following information pertains to access between the VPN router and the
VPN concentrator. If a firewall/router is present in front of the VPN the following services need to be
allowed:
permit esp host 208.224.x.x any
permit gre host 208.224.x.x any
permit udp host 208.224.x.x any eq isakmp
permit udp host 208.224.x.x any eq non500-isakmp
permit esp host 204.8.x.x any
permit gre host 204.8.x.x any
permit udp host 204.8.x.x any eq isakmp
permit udp host 204.8.x.x any eq non500-isakmp
permit tcp 206.x.x.0 0.0.0.255 any eq 22
permit tcp 206.x.x.0 0.0.0.255 any eq telnet
permit udp host 208.224.x.x any
permit udp host 208.224.x.x any
Can someone assist me with the commands that I need to run this on the ASA? The 5505 is running 7.2(4) code.
Thanks in advance.
HS
08-24-2012 07:05 AM
Your steps are correct, you would need to configure static NAT as well as the access-list to allow access.
Static NAT would be as follows:
static (Inside,outside) 208.64.1x.x5 172.20.58.21 netmask 255.255.255.255
You would also need a route pointing towards the inside interface to reach 172.20.58.21:
route Inside 172.20.58.21 255.255.255.255 172.20.58.14
Do you already have an access-list on the outside interface? If you have, then just add into the existing access-list; if you haven't, then add the following:
access-list outside-acl permit udp any host 208.64.1x.x5 eq 500
access-list outside-acl permit udp any host 208.64.1x.x5 eq 4500
access-list outside-acl permit esp any host 208.64.1x.x5
access-group outside-acl in interface outside
If you also have an access-list on the inside interface, you would also need to allow the traffic through as follows:
access-list
access-list
access-list
If you haven't had any access-list on the inside interface, then you don't have to configure it.
Hope that helps.
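As an added check, not part of the thread or of any Cisco tool, here is a short Python script that parses the vendor's required-services list and the ASA outside ACL from the answer above (both in the ACE notation used on this page) and reports which vendor lines the ACL does not permit toward the static NAT's mapped address, since an ASA 7.2 outside ACL references the mapped (public) IP. The addresses are constructed RFC 5737 documentation values standing in for the masked ones, and the parser assumes only the 'permit <proto> <src> <dst> [eq <port>]' shape seen here.

```python
import ipaddress
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "ssh": 22, "telnet": 23}  # IOS/ASA port names
ANY = ipaddress.ip_network("0.0.0.0/0")

def _addr(tokens):
    """Consume one address spec: 'any', 'host A' (A/32) or 'A WILDCARD' (wildcard-masked net)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok + "/" + tokens.pop(0))  # stdlib parses wildcard (host) masks

def parse_rule(line):
    """Parse 'permit <proto> <src> <dst> [eq <port>]' (IOS form, or ASA 'access-list NAME ...')
    into (proto, src_net, dst_net, port); port None means all ports. Deny lines give None."""
    tokens = line.split()
    if tokens[0] == "access-list":        # ASA form: drop 'access-list NAME [extended]'
        tokens = tokens[3:] if tokens[2] == "extended" else tokens[2:]
    if tokens[0] != "permit":
        return None
    proto, rest = tokens[1], tokens[2:]
    src, dst = _addr(rest), _addr(rest)
    port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return proto, src, dst, port

def uncovered(required, acl, mapped_ip):
    """Vendor requirement lines the outside ACL does not permit toward the NAT's mapped IP."""
    mapped = ipaddress.ip_network(mapped_ip + "/32")
    rules = [r for r in map(parse_rule, acl) if r]
    def permitted(proto, src, _dst, port):
        # 'ip' matches every protocol; a rule with no port (None) matches every port.
        return any(r[0] in (proto, "ip") and r[1].supernet_of(src) and
                   r[2].supernet_of(mapped) and r[3] in (None, port) for r in rules)
    return [line for line in required if not permitted(*parse_rule(line))]

# Constructed sample values (RFC 5737 documentation ranges, not the thread's masked IPs).
MAPPED_IP = "203.0.113.5"   # public address the static NAT maps to the vendor's VPN router
VENDOR_REQUIRED = [         # the vendor's list, written from the concentrator's side
    "permit esp host 198.51.100.10 any",
    "permit gre host 198.51.100.10 any",
    "permit udp host 198.51.100.10 any eq isakmp",
    "permit udp host 198.51.100.10 any eq non500-isakmp",
    "permit tcp 192.0.2.0 0.0.0.255 any eq 22",
]
OUTSIDE_ACL = [             # the three lines the answer above adds on the ASA
    "access-list outside-acl permit udp any host 203.0.113.5 eq 500",
    "access-list outside-acl permit udp any host 203.0.113.5 eq 4500",
    "access-list outside-acl permit esp any host 203.0.113.5",
]
```

Run against the sample data, uncovered() returns the GRE and TCP/22 vendor lines: the three ACL entries cover IKE, NAT-T and ESP, so anything else the vendor listed has to be reconciled with them explicitly.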
08-24-2012 07:15 AM
Hello Jennifer,
Thank you so much. This is exactly what I was looking for. I really appreciate it.
Regards.
HS