VPN access to FWSM LAN through a 2801

flumburt31
Level 1

Hello, I've come to the experts since I've exhausted every possible idea in my head.

I have a FWSM in my 6509, this firewall is managing three VLANs, one of which holds a file server. As you all know, FWSM do not support VPN like the ASAs and PIXs do.

I have been trying to add remote access to this file server LAN all week. The only VPN device i have is a 2801 router.

first layout

  • VPN router behind FWSM
  • static translation from FWSM LAN (private) to VPN WAN (public)
  • default route was facing back at FWSM
  • ip address pool was to be NAT'd on the interface facing the FWSM

The idea was that my VPN address pool would be NAT'd back to the FWSM on its VLAN. Since the FWSM was managing this VLAN and recognized the source IP of the translated address pool, I would have access to my precious file server. No luck.

second layout

  • VPN router fa 0/1 on a /30 with 6509 (public)
  • VPN router fa 0/0 still on the same LAN as FWSM (private)
  • address pool for VPN once again NAT'd to fa 0/0
  • default route pointed to fa 0/1
  • static route of FWSM LAN pointed to fa 0/0

This idea was to have more of an 'inside' and 'outside' interface on the VPN router. This too did not work; having used every trick in the book, I could still not ping anything on the FWSM LAN while VPN'd into the network (aside from the LAN interface on my router).

Traceroute was showing that all routes were headed out fa 0/1 (default route) and all to my FWSM died. I really don't think my address pool is being NAT'd, though my route-map statement applied to the NAT policy is permitting my VPN address pool.

I am new to VPN technology, one of those things that happened to land on my lap. Can someone give a suggestion as to how this layout could work? There are no good VPN remote access walkthroughs for a situation like this (a 2801 allowing access to a FWSM-controlled LAN).

Thanks, and have a good weekend!

2 Replies

Marcin Latosiewicz
Cisco Employee

Frank,

To be honest it sounds like you were facing routing issues rather than anything VPN specific.

Typical solution is to advertise remote access prefixes into whatever RP you have. I.e. the FWSM needs to know where to route the RA IPsec users.

I also wouldn't try traceroute too much on FWSM ... by default at least ... FWSM doesn't decrease TTL by default (you'll find lots of links saying how this can be addressed).

As a note I'm not a fan of traffic having to traverse the FWSM too many times for a single flow, so I would not put the VPN router behind the FWSM.

On the other hand FWSM will provide "protection" to VPN services.

So you have a situation like this:

Internet
   |
   |
   |
 FWSM ------- VPN router
   |
   |
   |
Internal resources

You need static NAT on FWSM for VPN service (udp/4500 and udp/500).

VPN router (best use a DVTI solution) - redistributes static routes to the RP.

FWSM - add additional NAT statements as needed for traffic from the VPN going out to the internet or to internal resources.

Marcin
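The layout above worked into a minimal configuration. This is an added illustration, not configuration from the thread or from Cisco documentation; the FWSM interface names (outside/vpn/inside), the addresses (203.0.113.10 public, 10.10.10.0/24 for the VLAN holding the 2801, 10.200.0.0/24 pool, 10.1.0.0/16 inside), the group and list names, and the EIGRP process are all assumed placeholders:

```cisco
! --- FWSM (assumed: outside = public, vpn = VLAN with the 2801, inside = servers) ---
! Publish IKE (udp/500) and NAT-T (udp/4500) on one public address mapped to the 2801
static (vpn,outside) udp 203.0.113.10 500 10.10.10.2 500 netmask 255.255.255.255
static (vpn,outside) udp 203.0.113.10 4500 10.10.10.2 4500 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq 500
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq 4500
access-group OUTSIDE_IN in interface outside
! The FWSM must know the RA pool sits behind the 2801, or replies follow its default route
route vpn 10.200.0.0 255.255.255.0 10.10.10.2
! Do not translate pool -> inside, and permit it (vpn is a lower security level than inside)
access-list VPN_NONAT extended permit ip 10.200.0.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (vpn) 0 access-list VPN_NONAT
access-list VPN_IN extended permit ip 10.200.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-group VPN_IN in interface vpn

! --- 2801 (assumed: Fa0/0 = 10.10.10.2/24 on the FWSM vpn VLAN) ---
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip local pool RA_POOL 10.200.0.1 10.200.0.254
aaa new-model
aaa authentication login VPN_USERS local
aaa authorization network VPN_GROUPS local
username alice secret PLACEHOLDER_PASSWORD
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp client configuration group RA_GROUP
 key PLACEHOLDER_PSK
 pool RA_POOL
crypto isakmp profile RA_PROF
 match identity group RA_GROUP
 client authentication list VPN_USERS
 isakmp authorization list VPN_GROUPS
 client configuration address respond
 virtual-template 1
crypto ipsec transform-set RA_TS esp-aes 256 esp-sha-hmac
crypto ipsec profile RA_IPSEC
 set transform-set RA_TS
 set isakmp-profile RA_PROF
 set reverse-route
! One Virtual-Access interface is cloned per client; RRI installs a /32 static per client
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile RA_IPSEC
! Hand the RRI statics to the routing protocol (assumed EIGRP 100 shared with the 6509)
router eigrp 100
 network 10.10.10.0 0.0.0.255
 redistribute static
```

Only udp/500 and udp/4500 need to be opened on the FWSM: because the 2801 sits behind a translation, NAT-T detection on both sides moves IKE and ESP into udp/4500, so no rule for IP protocol 50 is required.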

Thanks for the reply, I'll go back and confirm my routes in the FWSM.