Site to Site VPN question

mahesh18
Level 6

Hi Everyone,

Vendor is setting up server in our environment.

We are setting up site to site VPN.

Interesting traffic is subnet 192.168.50.x

server IP 192.168.50.1------Switch1--ASA-------------------Site to site VPN ---------------Vendor ASA-------------

The server gateway is on Switch1. If that server needs access to the internet, I need to know what config I need on the ASA at my site.

I want server to access the internet via vendor network

Regards

Mahesh


9 Replies

Hi

Your crypto ACL would be:

access-list VPN-TO-VENDOR extended permit ip 192.168.50.0 255.255.255.0 any

The vendors crypto ACL would be:

access-list VPN-TO-COMPANY extended permit ip any 192.168.50.0 255.255.255.0

Any traffic coming from 192.168.50.0/24 going out the interface where the crypto map is applied destined to any destination would be sent through the VPN to the vendor.

Hope it helps.

If I need to allow SSH and SMTP over the VPN, will "any" cover that also?

Yes, IP includes TCP traffic like SSH and SMTP.

If I need to restrict traffic to certain ports and internet IP addresses, does the crypto ACL need to match at both ends?

Regards

Mahesh

The crypto ACL does not need to match. So you can restrict the traffic by using a deny statement in front of the permit in the crypto ACL.

I think the tricky part is the NAT rules.

I used the topology below, but it won't be much of a difference if you use the VPN over the internet. I just had my lab set up this way at the moment.

So basically I have an IKEv2 VPN set up between two ASAs, and ASA2 is forwarding all its traffic to ASA1 and out to the internet, except for telnet traffic to 155.0.35.3.

To achieve this I had to first have a deny statement in the crypto ACL on the ASA2 for traffic to R3 and then also do dynamic NAT for telnet traffic towards R3.

It's a bit of reverse logic from normal NAT statements when dealing with IPsec. In section 1 of NAT I do dynamic NAT, and then in section 3 I do dynamic NAT.

ASA2

crypto map CRYPTOMAP-WAN 1 match address CRYPTO-ACL-ASA1
crypto map CRYPTOMAP-WAN 1 set peer 155.0.105.10
crypto map CRYPTOMAP-WAN 1 set ikev2 ipsec-proposal AES256_SHA512
crypto map CRYPTOMAP-WAN interface WAN

access-list CRYPTO-ACL-ASA1 extended deny ip 10.1.1.0 255.255.255.0 155.0.35.3 255.255.255.255
access-list CRYPTO-ACL-ASA1 extended permit ip 10.1.1.0 255.255.255.0 any4

object network obj-10.1.1.0-24
subnet 10.1.1.0 255.255.255.0

object network obj-10.2.2.0-24
subnet 10.2.2.0 255.255.255.0

object network obj-155.0.35.3
host 155.0.35.3

object service tcp-23
service tcp destination eq telnet

nat (INSIDE,WAN) source dynamic obj-10.1.1.0-24 interface destination static obj-155.0.35.3 obj-155.0.35.3 service tcp-23 tcp-23

nat (INSIDE,WAN) after-auto source static obj-10.1.1.0-24 obj-10.1.1.0-24

ASA1

crypto map CRYPTOMAP_WAN 1 match address CRYPTO-ACL-ASA2
crypto map CRYPTOMAP_WAN 1 set peer 155.0.205.20
crypto map CRYPTOMAP_WAN 1 set ikev2 ipsec-proposal AES-256_SHA-512
crypto map CRYPTOMAP_WAN interface WAN

access-list CRYPTO-ACL-ASA2 extended permit ip any 10.1.1.0 255.255.255.0

object network obj-10.1.1.0-24
subnet 10.1.1.0 255.255.255.0
nat (WAN,OUTSIDE) dynamic interface

Hi Henrik,

It seems the network design has changed now.

We want the server to get access to the internet via our network.

I have attached the network diagram

Now we want the server in our environment to go to the internet using our existing internet connection.

For that I need to create an ACL to allow internet traffic, right?

What NAT config should i do on our ASA1?

It needs a PAT rule.

Regards

Mahesh

Hi

Actually I realised you don't need to edit the crypto ACL. This is because the NAT process is done before you classify whether traffic should traverse the VPN. So if you do a dynamic NAT to the outside interface it will not match the crypto ACL.

I would have done a standard object NAT statement for the server and then keep the after-auto NAT statement for the remaining traffic.

ASA2

access-list CRYPTO-ACL-ASA1 extended permit ip 10.1.1.0 255.255.255.0 any4 

object network obj-10.1.1.0-24
subnet 10.1.1.0 255.255.255.0

object network server1
host 10.1.1.25
nat (INSIDE,WAN) dynamic interface

nat (INSIDE,WAN) after-auto source static obj-10.1.1.0-24 obj-10.1.1.0-24
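As an added illustration (my own code, not from the thread or from Cisco), here is a small Python model of the order of operations Henrik describes: NAT is applied before the crypto-map lookup, so the crypto ACL is matched against the translated source address. It covers both the accepted-solution config above and the earlier lab config with the deny ACE. The NatRule/CryptoAce classes, the first-match evaluation and ASA2's WAN address 155.0.205.20 (taken from ASA1's "set peer" line) are my assumptions; the internet destination 203.0.113.10 is a constructed value.

```python
import ipaddress
from dataclasses import dataclass

ASA2_WAN = "155.0.205.20"  # assumed ASA2 WAN address (ASA1's configured peer in the thread)

@dataclass
class NatRule:
    section: int              # ASA NAT table: 1 = manual, 2 = object (auto), 3 = after-auto
    src_net: str
    dst_net: str = "0.0.0.0/0"
    dport: int = None         # None = any service
    mapped_src: str = None    # None = identity NAT (real address kept)

@dataclass
class CryptoAce:
    action: str               # "permit" or "deny"
    src_net: str
    dst_net: str = "0.0.0.0/0"

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def apply_nat(rules, src, dst, dport):
    # Sections are searched 1 -> 2 -> 3 and the first matching rule wins.
    for r in sorted(rules, key=lambda r: r.section):
        if in_net(src, r.src_net) and in_net(dst, r.dst_net) and r.dport in (None, dport):
            return r.mapped_src or src
    return src

def crypto_match(acl, src, dst):
    # First matching ACE decides; no match means the packet is not interesting traffic.
    for ace in acl:
        if in_net(src, ace.src_net) and in_net(dst, ace.dst_net):
            return ace.action == "permit"
    return False

def asa2_egress(nat, acl, src, dst, dport=None):
    # NAT runs before the crypto-map lookup, so the ACL sees the translated source.
    xlated = apply_nat(nat, src, dst, dport)
    return ("vpn" if crypto_match(acl, xlated, dst) else "clear", xlated)

# Accepted-solution config: server1 PATed to the interface (object NAT, section 2),
# the rest of 10.1.1.0/24 identity-NATed after-auto (section 3), crypto ACL unchanged.
NAT_ACCEPTED = [NatRule(2, "10.1.1.25/32", mapped_src=ASA2_WAN), NatRule(3, "10.1.1.0/24")]
ACL_ACCEPTED = [CryptoAce("permit", "10.1.1.0/24")]

# Earlier lab config: telnet to R3 (155.0.35.3) PATed by a manual rule (section 1)
# and also denied in the crypto ACL; everything else keeps its real address.
NAT_LAB = [NatRule(1, "10.1.1.0/24", "155.0.35.3/32", 23, ASA2_WAN), NatRule(3, "10.1.1.0/24")]
ACL_LAB = [CryptoAce("deny", "10.1.1.0/24", "155.0.35.3/32"), CryptoAce("permit", "10.1.1.0/24")]
```

Running asa2_egress for the server and for another host in the subnet shows why the server's internet traffic bypasses the tunnel while the rest of 10.1.1.0/24 is still encrypted, with no change to the crypto ACL.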

Many thanks Henrik for your help

Regards

Mahesh