Remote VPN over 2 inline firewalls

DanielMoz (Level 1)

Hi everyone, I'm a bit new to Cisco and networking so please bear with me. I'm aware this is a bit of a strange way of doing things, but it's what I've got to work with. I've changed the IP addresses from my real ones below as an example.

I'm having trouble with getting my VPN working as I need it.

Firstly, my network is set up as follows; I've got an external Cisco firewall connected to the internet on its outside interface (with a public IP - let's say 98.10.555.544), and my DMZ on its inside interface (IP 100.30.20.1). The DMZ contains various servers and an internal firewall connected via a switch. 

My internal firewall is connected to the DMZ on its outside interface (100.30.20.2) and my internal LAN on its inside interface (100.50.40.1), in a two-firewall DMZ layout. I'm aware there are lots of debates and opinions on whether this is the recommended way of setting this up, however this is not why I'm here.

To begin with, I configured my VPN on the internal firewall only to check that it all worked. This was successful and I managed to get a remote IPsec IKEv2 VPN working when the public IP (98.10.555.544) was set on the outside interface of the internal firewall. I did this by creating a VPN pool on the internal firewall with IPs in the internal LAN range. This allowed me to connect remotely to all of my internal LAN servers perfectly, and all worked as it should.

I now wish to get the VPN to continue working when the external firewall is connected, with its outside interface using the public IP (98.10.555.544). I'm aware that I probably need to create a NAT rule to transfer the incoming VPN connection on the public IP of the external firewall to the internal firewall, but am unsure of how to do this. Would it be something to do with taking any incoming connections on ports 500 and 4500 and translating them to the internal firewall's external interface IP range, so that the VPN connects to the internal firewall and runs normally as it was configured before? Or is there a totally different way of doing this?

As stated, I'm aware the setup is strange, but I'm keen to make this work the way I've been asked to. If the above was a bit confusing: I've got the VPN set up on the internal firewall already, however this was when the internal FW's outside interface was set to my public IP (98.10.555.544). I now want to put this public IP on the external FW's outside interface. This means that the VPN will hit the external firewall's outside interface first, and will need to be forwarded on to the internal firewall to be able to access the internal LAN.

I hope this makes sense and someone is able to help. Feel free to ask any questions to clear anything up, as I'm concerned I haven't explained it very well! Thanks in advance.

7 Replies

You will need to enable NAT-T on the Internet-facing firewall. Perhaps this old support forum link will help:

https://supportforums.cisco.com/document/64281/how-does-nat-t-work-ipsec

Hi, sorry if I'm totally confused, but does NAT-T allow you to forward the connection to the second firewall? Or will it just allow for the ports to be changed?

Edit: Just to get this to work before fully configuring, I'm trying to NAT all incoming VPN connections to the internal firewall, where the configuration on this internal firewall should be able to deal with the incoming VPN requests (as it did previously when it was the external firewall). To do this I've set up a static NAT rule to NAT all TCP 443 traffic to the internal firewall as follows:

object network internal-443
 host (internal firewall outside ip)
 nat (inside,outside) static interface service tcp 443 443

And some access control rules:

access-list vpn-in extended permit ip any4 object internal-443
access-group vpn-in in interface outside

My thinking around this is that since the initial packets sent to the firewall from the remote machine are TCP on port 443, the external firewall will NAT these to the internal firewall, where they will be dealt with. Am I misunderstanding? I've tried this and my VPN doesn't connect, but times out.

Do you have more than one public address from the ISP?

See if this link helps:

http://www.experts-exchange.com/questions/27971710/Cisco-ASA-5505-VPN-Passthrough.html

No, just the one public IP.

According to all the documentation I have seen, that is going to be a problem.

OK, thanks Richard. I've managed to obtain a second public IP address. What would your suggestion be for how to forward the VPN traffic to the internal firewall?

I got it working, as posted in my other thread, here is my solution:

I know how annoying it is when people have the same question as one already asked and still can't find an answer. I managed to get this working today, so I'm going to share what I did to configure a dual firewall DMZ setup to work with VPN. In summary, my network was set up like this:

Internet -> External FW -> DMZ -> Internal FW -> Internal network.

The VPN needed to access the internal network. I initially configured the VPN without the external firewall and DMZ connected, so it was essentially just Internet -> Internal FW -> Internal network. I set the VPN up as you normally would, using IPsec IKEv2 with the Cisco AnyConnect client to allow remote access to the internal network. This worked perfectly, but I was having trouble getting it to continue to work after adding the external firewall and DMZ in.

To fix this, I did not touch any of the configuration on the internal firewall. This did not need to be changed as it all worked perfectly before. The only thing changed was the IP address of its outside interface, which was changed to match the DMZ subnet, rather than continuing to use a public IP address from my ISP.

I obtained a second public IP address from my ISP, and made the outside interface of the external firewall use this IP (note this is a different IP to the one used for VPN traffic, but in the same subnet). So the final outcome for IP addresses was (obviously changed to be published online):

-Internet-
(outside interface: 192.168.10.2)
-External firewall-
(inside interface: 12.50.1.1)
(outside interface: 12.50.1.2, previously 192.168.10.1 to set up VPN)
-Internal firewall-
(inside interface: 12.50.2.1)

Since the VPN was set up to work on the first public IP address that was previously used on the internal firewall's outside interface (192.168.10.1), I had to NAT the traffic coming in on the external firewall addressed to 192.168.10.1 to its new private IP address of 12.50.1.2.

This was done by first adding a couple of network objects:

object network internal_machine
 host 12.50.1.2
object network VPN_traffic
 host 192.168.10.1

Then adding a NAT rule within the internal_machine network object:

 nat (inside,outside) static VPN_traffic

Then adding access-groups and access-list rules (not sure if they're all needed, but it works!):

access-group outside_access_in in interface outside
access-group inside_access_out out interface inside
access-list outside_access_in extended permit ip any object internal_machine
access-list inside_access_out extended permit ip any any

And everything works! Without having to change any VPN configuration, or any configuration on the internal firewall. Basically the external firewall NATs any incoming traffic addressed to the old outside interface IP (192.168.10.1, that was set up on the internal firewall to receive VPN connections on), to the new private IP (12.50.1.2), and vice-versa, allowing the VPN to work through two firewalls with minimal fuss.
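As an added example (not the poster's own configuration), here is the same external-firewall setup with the inbound access list narrowed to what an IKEv2/AnyConnect remote-access VPN actually needs, instead of "permit ip any". The object names and addresses are the ones from the post above; the port list assumes a standard AnyConnect IKEv2 deployment with client services on TCP 443.

```cisco
! External firewall (ASA). Same objects and one-to-one static NAT as in the post:
! traffic to the old VPN public IP 192.168.10.1 is translated to the internal
! firewall's outside interface 12.50.1.2, and back on the way out.
object network VPN_traffic
 host 192.168.10.1
object network internal_machine
 host 12.50.1.2
 nat (inside,outside) static VPN_traffic
!
! Inbound ACL restricted to the VPN protocols only:
!   UDP 500  - IKEv2 (isakmp)
!   UDP 4500 - IKEv2/ESP in UDP (NAT-T), used whenever NAT is detected on the path
!   ESP      - native IPsec, only seen when the client is not behind NAT
!   TCP 443  - AnyConnect client services (profile/client download)
access-list outside_access_in extended permit udp any object internal_machine eq isakmp
access-list outside_access_in extended permit udp any object internal_machine eq 4500
access-list outside_access_in extended permit esp any object internal_machine
access-list outside_access_in extended permit tcp any object internal_machine eq https
access-group outside_access_in in interface outside
!
! Anything else sent to 192.168.10.1 is dropped by the implicit deny at the end
! of the ACL. The "inside_access_out permit ip any any" rule from the post only
! restates the ASA default for an interface with no outbound ACL, so it is omitted.
!
! Useful checks after applying:
!   show nat detail
!   show access-list outside_access_in
!   show conn protocol udp
```

The ACL hit counts in "show access-list" tell you which of the four rules a connecting client actually exercised, which also explains the earlier TCP 443-only attempt timing out: IKE on UDP 500/4500 never reached the internal firewall.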
