11-24-2015 09:34 AM
Hi Everyone,
The vendor is setting up a server in our environment.
We are setting up a site-to-site VPN.
Interesting traffic is subnet 192.168.50.x
server IP 192.168.50.1------Switch1--ASA-------------------Site to site VPN ---------------Vendor ASA-------------
The server gateway is on Switch1. If that server needs access to the internet, I need to know what config I need on the ASA at my site.
I want the server to access the internet via the vendor network.
Regards
Mahesh
11-24-2015 10:11 AM
Hi
Your crypto ACL would be:
access-list VPN-TO-VENDOR extended permit ip 192.168.50.0 255.255.255.0 any
The vendor's crypto ACL would be:
access-list VPN-TO-COMPANY extended permit ip any 192.168.50.0 255.255.255.0
Any traffic coming from 192.168.50.0/24, going out the interface where the crypto map is applied and destined to any destination, would be sent through the VPN to the vendor.
Hope it helps.
11-24-2015 10:17 AM
If I need to allow SSH and SMTP over the VPN, then 'any' will cover that also?
11-24-2015 10:28 AM
Yes, IP includes tcp traffic like SSH and SMTP.
11-24-2015 10:37 AM
If I need to restrict traffic to certain ports and internet IP addresses, then does the crypto ACL need to match at both ends?
Regards
Mahesh
11-24-2015 10:58 AM
The crypto ACL does not need to match. So you can restrict the traffic by using a deny statement in front of the permit in the crypto ACL.
11-24-2015 02:03 PM
I think the tricky part is the NAT rules.
I used the topology below, but it won't make much of a difference if you use the VPN over the internet. I just had my lab set up this way at the moment.
So basically I have an IKEv2 VPN set up between two ASAs, and ASA2 is forwarding all its traffic to ASA1 and out to the internet, except for telnet traffic to 155.0.35.3.
To achieve this I first had to have a deny statement in the crypto ACL on ASA2 for traffic to R3, and then also do dynamic NAT for telnet traffic towards R3.
It's a bit of reverse logic from normal NAT statements when dealing with IPsec. In section 1 of NAT I do dynamic NAT, and then in section 3 I do dynamic NAT.
ASA1:
crypto map CRYPTOMAP-WAN 1 match address CRYPTO-ACL-ASA1
crypto map CRYPTOMAP-WAN 1 set peer 155.0.105.10
crypto map CRYPTOMAP-WAN 1 set ikev2 ipsec-proposal AES256_SHA512
crypto map CRYPTOMAP-WAN interface WAN
access-list CRYPTO-ACL-ASA1 extended deny ip 10.1.1.0 255.255.255.0 155.0.35.5 255.255.255.255
access-list CRYPTO-ACL-ASA1 extended permit ip 10.1.1.0 255.255.255.0 any4
object network obj-10.1.1.0-24
subnet 10.1.1.0 255.255.255.0
object network obj-10.2.2.0-24
subnet 10.2.2.0 255.255.255.0
object network obj-155.0.35.3
host 155.0.35.3
object service tcp-23
service tcp destination eq telnet
nat (INSIDE,WAN) source dynamic obj-10.1.1.0-24 interface destination static obj-155.0.35.3 obj-155.0.35.3 service tcp-23 tcp-23
nat (INSIDE,WAN) after-auto source static obj-10.1.1.0-24 obj-10.1.1.0-24

ASA2:
crypto map CRYPTOMAP_WAN 1 match address CRYPTO-ACL-ASA2
crypto map CRYPTOMAP_WAN 1 set peer 155.0.205.20
crypto map CRYPTOMAP_WAN 1 set ikev2 ipsec-proposal AES-256_SHA-512
crypto map CRYPTOMAP_WAN interface WAN
access-list CRYPTO-ACL-ASA2 extended permit ip any 10.1.1.0 255.255.255.0
object network obj-10.1.1.0-24
subnet 10.1.1.0 255.255.255.0
nat (WAN,OUTSIDE) dynamic interface
11-28-2015 09:50 PM
Hi Henrik,
It seems the network design has changed now.
We want the server to get access to the internet via our network.
I have attached the network diagram.
Now we want the server in our environment to go to the internet using our existing internet connection.
For that I need to create an ACL to allow internet traffic, right?
What NAT config should I do on our ASA1?
It needs a PAT rule.
Regards
Mahesh
11-29-2015 01:48 AM
Hi
Actually I realised you don't need to edit the crypto ACL. This is because the NAT process is done before you classify whether traffic should traverse the VPN. So if you do a dynamic NAT to the outside interface, it will not match the crypto ACL.
I would have done a standard object NAT statement for the server and then kept the after-auto NAT statement for the remaining traffic.
access-list CRYPTO-ACL-ASA1 extended permit ip 10.1.1.0 255.255.255.0 any4
object network obj-10.1.1.0-24
subnet 10.1.1.0 255.255.255.0
object network server1
host 10.1.1.25
nat (INSIDE,WAN) dynamic interface
nat (INSIDE,WAN) after-auto source static obj-10.1.1.0-24 obj-10.1.1.0-24
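Both of Henrik's configs in this thread (the lab post with the telnet exception and this accepted answer) rest on the same ASA order of operations: NAT runs first, and the translated packet is then matched against the crypto ACL. The block below is an added example, not code from the thread or from Cisco. It is a small Python model of that flow, with the NAT table reduced to the ASA's three sections (1 = manual NAT, 2 = object NAT, 3 = manual NAT with after-auto), first match wins. The WAN interface address 203.0.113.10, the destination 198.51.100.7 and the host 10.1.1.40 are made up for the example; the 10.1.1.x and 155.0.35.x addresses are the ones used in the thread. It also shows the case the thread does not spell out: the same identity NAT written without after-auto lands in section 1 and shadows the server's object NAT, so the server would go into the tunnel after all.

```python
"""Model of the ASA packet flow behind Henrik's replies: NAT first, then the
crypto ACL match on the translated packet.  Added example, not from the
thread.  Interface and destination addresses below are hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERFACE_IP = "203.0.113.10"  # hypothetical WAN interface address of ASA1


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    section: int                 # 1, 2 or 3, as listed by "show nat"
    orig_src: str                # real source network the rule matches
    mapped_src: str              # "interface" = PAT to INTERFACE_IP, else identity
    dst: str = "0.0.0.0/0"       # optional destination match (twice NAT)
    dport: Optional[int] = None  # optional service match (twice NAT)


AclEntry = Tuple[str, str, str]  # (action, src_net, dst_net)


def _in(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def apply_nat(pkt: Packet, rules: List[NatRule]) -> Tuple[Packet, Optional[NatRule]]:
    """Return the packet as it leaves NAT plus the rule that matched.
    Simplification: one rule per section, sections evaluated 1 -> 2 -> 3."""
    for rule in sorted(rules, key=lambda r: r.section):
        if (_in(pkt.src, rule.orig_src) and _in(pkt.dst, rule.dst)
                and (rule.dport is None or rule.dport == pkt.dport)):
            if rule.mapped_src == "interface":
                return Packet(INTERFACE_IP, pkt.dst, pkt.dport), rule
            return pkt, rule  # identity NAT keeps the real source
    return pkt, None          # no rule: packet leaves untranslated


def crypto_acl_permits(pkt: Packet, acl: List[AclEntry]) -> bool:
    """First matching entry decides, so a deny placed in front of the permit
    keeps that traffic out of the tunnel (the lab ACL above)."""
    for action, src_net, dst_net in acl:
        if _in(pkt.src, src_net) and _in(pkt.dst, dst_net):
            return action == "permit"
    return False


def egress_path(pkt: Packet, rules: List[NatRule], acl: List[AclEntry]) -> str:
    """'vpn' if the post-NAT packet is interesting traffic, else 'clear'."""
    translated, _ = apply_nat(pkt, rules)
    return "vpn" if crypto_acl_permits(translated, acl) else "clear"


# Accepted answer: object NAT for the server (section 2) is reached before
# the after-auto identity NAT for the whole subnet (section 3).
ACCEPTED_NAT = [
    NatRule(section=2, orig_src="10.1.1.25/32", mapped_src="interface"),
    NatRule(section=3, orig_src="10.1.1.0/24", mapped_src="10.1.1.0/24"),
]
ACCEPTED_ACL: List[AclEntry] = [("permit", "10.1.1.0/24", "0.0.0.0/0")]

# Same identity NAT without after-auto: section 1 shadows the object NAT.
SHADOWED_NAT = [
    NatRule(section=2, orig_src="10.1.1.25/32", mapped_src="interface"),
    NatRule(section=1, orig_src="10.1.1.0/24", mapped_src="10.1.1.0/24"),
]

# Henrik's lab: twice NAT for telnet to 155.0.35.3 in section 1, identity
# NAT in section 3, deny before permit in the crypto ACL.
LAB_NAT = [
    NatRule(section=1, orig_src="10.1.1.0/24", mapped_src="interface",
            dst="155.0.35.3/32", dport=23),
    NatRule(section=3, orig_src="10.1.1.0/24", mapped_src="10.1.1.0/24"),
]
LAB_ACL: List[AclEntry] = [
    ("deny", "10.1.1.0/24", "155.0.35.5/32"),
    ("permit", "10.1.1.0/24", "0.0.0.0/0"),
]

if __name__ == "__main__":
    server = Packet("10.1.1.25", "198.51.100.7", 443)
    other = Packet("10.1.1.40", "198.51.100.7", 443)
    for name, nat in (("accepted", ACCEPTED_NAT), ("shadowed", SHADOWED_NAT)):
        print(name, "server ->", egress_path(server, nat, ACCEPTED_ACL),
              "| other host ->", egress_path(other, nat, ACCEPTED_ACL))
    print("lab telnet ->", egress_path(Packet("10.1.1.40", "155.0.35.3", 23), LAB_NAT, LAB_ACL),
          "| lab http ->", egress_path(Packet("10.1.1.40", "155.0.35.3", 80), LAB_NAT, LAB_ACL))
```

The model deliberately ignores the finer ordering inside a section (a real ASA sorts section 2 by static before dynamic and by prefix length, and sections 1 and 3 by configuration order), which is enough here because each section holds one rule. On the box itself the same question is answered by packet-tracer, e.g. `packet-tracer input INSIDE tcp 10.1.1.25 12345 198.51.100.7 443`, whose output shows the NAT phase before the VPN encrypt phase and tells you whether the flow went to the tunnel or out in the clear.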
12-01-2015 02:14 PM
Many thanks, Henrik, for your help.
Regards
Mahesh