Vpn access

esakkimuthu
Level 1

Hi,

I am working as a Sr. Network Engineer and am maintaining all networks for my company. We have a site-to-site VPN between HO and the branch office.

We have a Cisco ASA 5520 firewall at HO and a Cisco ASA 5510 firewall at the branch end. We have three zones at the branch office (inside, management and outside).

The site-to-site VPN is working fine between the HO LAN and the branch management zone.

Now we have one proxy server in the inside network and want to access it via the existing site-to-site VPN. We don't share or show any inside IP address to the HO LAN.

Could you please help me with how to implement this setup?

You can reach me at muthu.kalyx@gmail.com or esakkimuthu1985@gmail.com

Mobile: +91 96557-77058

Thanks 'n regards,

Muthu.

India

11 Replies

Jennifer Halim
Cisco Employee

What do you mean by "you don't share or show any inside IP address into HO LAN"? Do you mean you do not want to use the inside IP address when connecting to the HO LAN? Or that it currently has not been configured, and you would like to know how the branch's inside network can access the HO proxy server?

Hi,

Please find below the IP addresses of the branch office.

Branch office:

Inside IP address: 172.16.10.0/24

Management IP address: 192.168.10.0/24

Outside IP address: X.Y.Z.2

Head office:

We have many LAN subnets, but the VPN is between the subnet below and the branch's management subnet.

Inside IP address: 10.43.11.0/0

Outside IP address: A.B.C.10

Now we have one proxy at the branch office (IP address 172.16.10.99). It should be accessible through the VPN tunnel using one management IP address.

Let us assume a free IP address, 192.168.10.99, which is in the management zone.

HO <====VPN Tunnel=====> BO -- Inside (proxy server here)
                         ||
                         ||
                     Management

Suppose a remote admin wants to apply policy on the BO's proxy: he will SSH or telnet to 192.168.10.99. This traffic should go to the proxy server through the existing VPN tunnel.

I hope you understand my requirement.

Sorry, I still don't understand the requirement. But thanks for the IP addresses, diagram and subnetting; it helps.

So my understanding is that you would like to SSH and telnet from source 192.168.10.99 towards destination proxy server 172.16.10.99? Is this what you are trying to achieve? But that traffic is just within the branch office.

What traffic do you require to traverse from head office to branch office and vice versa?

Hi,

Traffic should traverse from HO to the branch office and vice versa, if possible.

You would like the 172.16.10.0/24 subnet (inside of the branch office) to communicate with the 10.43.11.0/0 subnet (inside of the HQ office) and vice versa.

Is this what you are trying to achieve?

Hi,

Yes. Is it possible without disturbing the existing VPN tunnel?

No, you would need to add the crypto ACL on both sides, create the corresponding NAT exemption, and clear the existing SAs once the configuration has been added. It should only affect it for a very short period of time (a couple of seconds) when you clear the SAs.

Hi,

Thanks. Is there any other way to implement this setup?

No, there is no other way to implement the solution.

Here is a sample configuration for your reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806a5cea.shtml

Hope that helps.

Hi,

I have tried with static NAT but could not succeed. What is happening now: I have configured static NAT to the management zone as below.

static (inside,mgmt) tcp 192.168.10.99 ssh 172.16.10 ssh netmask 255.255.255.255
static (inside,mgmt) tcp 192.168.10.99 3128 172.16.10 3128 netmask 255.255.255.255
static (inside,mgmt) tcp 192.168.10.99 7777 172.16.10 7777 netmask 255.255.255.255
static (inside,mgmt) tcp 192.168.10.99 8080 172.16.10 8080 netmask 255.255.255.255

access-list mgmt extended permit tcp any host 192.168.10.99 eq ssh
access-list mgmt extended permit icmp any any
access-list mgmt extended permit icmp any any echo
access-list mgmt extended permit icmp any any echo-reply
access-list mgmt extended permit icmp any any time-exceeded
access-list mgmt extended permit tcp any host 192.168.10.99 eq 3128
access-list mgmt extended permit tcp any host 192.168.10.99 eq 7777
access-group mgmt in interface mgmt

Let us assume I am sitting in the management zone at the branch office. I am able to reach the proxy server (172.20.0.99) if I initiate traffic to IP 192.168.172.99.

For your clarification I have attached the ASA configuration also.

But I could not reach it from HO through the tunnel (i.e. from 10.43.11.0/24).

1) To access the proxy server from the management network, here is what needs to be configured if you do not want to translate the proxy server IP address:

static (inside,mgmt) 172.20.0.0 172.20.0.0 netmask 255.255.0.0
same-security-traffic permit inter-interface

And configure the "mgmt" access-list to allow traffic towards the real IP address of the proxy server (172.20.0.99).

Please also remove the static translations that you have configured if translation is not required for the proxy server.

2) To access the proxy server from the branch office, you would need to configure the following:

On the branch office:

access-list 100 extended permit ip 172.20.0.0 255.255.0.0 10.43.11.0 255.255.255.0
access-list nonat extended permit ip 172.20.0.0 255.255.0.0 10.43.11.0 255.255.255.0

On the HQ office:

Access-list for the crypto map to the branch office, you would need to add:

access-list extended permit ip 10.43.11.0 255.255.255.0 172.20.0.0 255.255.0.0

Access-list for NAT exemption, you would need to add:

access-list extended permit ip 10.43.11.0 255.255.255.0 172.20.0.0 255.255.0.0
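The procedure in the two replies above (add the crypto ACL entry on both sides, add the matching NAT exemption on each side, then clear the SAs) is easy to leave half done, and the symptom is exactly the one reported: the proxy answers locally but nothing arrives through the tunnel. The script below is an added example, not code from this thread or from Cisco. It parses ASA 8.2-style access-list lines from both peers' configurations and reports crypto-ACL entries that have no exact mirror on the peer (which fails phase 2 with a proxy-identity mismatch) and entries that the same side's nat 0 ACL does not cover (which get translated and routed to the Internet instead of entering the tunnel). The branch ACL names 100 and nonat come from the reply; the HQ names ho-to-bo and ho-nonat, and all configuration text, are constructed for the example.

```python
"""Audit a Cisco ASA site-to-site IPsec pair (8.2-style config): every
crypto-ACL entry must be mirrored on the peer, and every entry must be
covered by that side's NAT-exemption (nat 0) ACL.
Added example, not from the forum thread; all config text is constructed."""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[Net, Net]  # (source, destination) of one "permit ip" line


def _addr(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Consume one ASA address spec: 'any', 'host X', or 'X MASK'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA writes dotted netmasks; ip_network accepts "addr/netmask" directly.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config: str) -> Dict[str, List[Entry]]:
    """Collect 'access-list NAME extended permit ip SRC DST' lines by name.
    Port-specific permits, nat statements and other lines are ignored."""
    acls: Dict[str, List[Entry]] = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2:5] != ["extended", "permit", "ip"]:
            continue
        src, i = _addr(t, 5)
        dst, _ = _addr(t, i)
        acls.setdefault(t[1], []).append((src, dst))
    return acls


def _fmt(e: Entry) -> str:
    return f"{e[0]} -> {e[1]}"


def mirror_gaps(local: List[Entry], remote: List[Entry]) -> List[str]:
    """Local crypto entries with no exact (dst, src) mirror on the peer.
    Without the mirror, phase 2 for that pair fails on proxy-ID mismatch."""
    mirrored = {(d, s) for s, d in remote}
    return [_fmt(e) for e in local if e not in mirrored]


def nat_exempt_gaps(crypto: List[Entry], nonat: List[Entry]) -> List[str]:
    """Crypto entries not covered by any NAT-exemption entry on the same side.
    Uncovered traffic is PATed to the outside address, no longer matches the
    crypto ACL, and is routed to the Internet in the clear."""
    def covered(e: Entry) -> bool:
        return any(e[0].subnet_of(s) and e[1].subnet_of(d) for s, d in nonat)
    return [_fmt(e) for e in crypto if not covered(e)]


def audit(local_cfg: str, local_crypto: str, local_nonat: str,
          remote_cfg: str, remote_crypto: str, remote_nonat: str) -> Dict[str, List[str]]:
    """Run both checks in both directions; empty lists mean the pair is consistent."""
    l, r = parse_acls(local_cfg), parse_acls(remote_cfg)
    lc, rc = l.get(local_crypto, []), r.get(remote_crypto, [])
    return {
        "unmirrored_local": mirror_gaps(lc, rc),
        "unmirrored_remote": mirror_gaps(rc, lc),
        "not_exempt_local": nat_exempt_gaps(lc, l.get(local_nonat, [])),
        "not_exempt_remote": nat_exempt_gaps(rc, r.get(remote_nonat, [])),
    }


# Constructed branch-side lines after adding the 172.20.0.0/16 inside network;
# the 192.168.10.0/24 entries are the pre-existing management-zone tunnel.
BRANCH = """
access-list 100 extended permit ip 192.168.10.0 255.255.255.0 10.43.11.0 255.255.255.0
access-list 100 extended permit ip 172.20.0.0 255.255.0.0 10.43.11.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 10.43.11.0 255.255.255.0
access-list nonat extended permit ip 172.20.0.0 255.255.0.0 10.43.11.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (mgmt) 0 access-list nonat
"""

# Constructed HQ side (ACL names assumed) where the new crypto entry was never added.
HQ_NO_CRYPTO = """
access-list ho-to-bo extended permit ip 10.43.11.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list ho-nonat extended permit ip 10.43.11.0 255.255.255.0 192.168.10.0 255.255.255.0
"""

# HQ side with the crypto ACL updated but the NAT exemption still missing.
HQ_NO_EXEMPT = HQ_NO_CRYPTO + (
    "access-list ho-to-bo extended permit ip 10.43.11.0 255.255.255.0 172.20.0.0 255.255.0.0\n"
)

# HQ side fully updated: both ACLs carry the new pair.
HQ_FIXED = HQ_NO_EXEMPT + (
    "access-list ho-nonat extended permit ip 10.43.11.0 255.255.255.0 172.20.0.0 255.255.0.0\n"
)

if __name__ == "__main__":
    for name, cfg in (("no crypto", HQ_NO_CRYPTO), ("no exempt", HQ_NO_EXEMPT), ("fixed", HQ_FIXED)):
        print(name, audit(BRANCH, "100", "nonat", cfg, "ho-to-bo", "ho-nonat"))
```

The check is deliberately strict: it wants an exact mirror, which is what the reply recommends and what avoids depending on how a given peer treats narrower proxy identities. It only understands the pre-8.3 `nat (ifc) 0 access-list` model used in this thread; on ASA 8.3 and later the exemption is written as object NAT (`nat (inside,outside) source static ...`) and would need a different parser. After applying the entries on both ends, `clear crypto ipsec sa peer A.B.C.D` tears down the old SAs and `show crypto ipsec sa` should then list the new 172.20.0.0/16 to 10.43.11.0/24 proxy identity once traffic has triggered it. Note also that `same-security-traffic permit inter-interface` from the reply is only required when the inside and mgmt interfaces carry the same security level.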