
VPN Configuration Guidance

ServerCaseUK
Level 1

Hi, I am new to VPNs and need some help with implementing the right kind of VPN for us.

Our current setup is:

Site A - Datacentre
Cisco ASA
WAN IP (masked for security): 1.1.1.1
LAN IP (masked for security): 2.2.2.2/255.255.255.128
This ASA is set in routed mode. The LAN (inside) IPs are public IPs, routed by the ASA and by our datacentre who gave us the routed 1.1.1.1 address, a little beyond me, but it's set up on their side somehow. You can access various systems within 2.2.2.0 range online, all protected by rules etc.

Site B - Offices
DELL SonicWall NSA 2600
WAN IP (masked for security): 3.3.3.3 
LAN IP: 192.168.10.0/255.255.255.0


What I need to do is connect Site B to Site A, to create a secure link, so the PCs on Site B (our offices) have a secure, encrypted connection to the servers in the datacentre. At present we use IP rules to restrict access to certain ports/hosts from our offices, which works well for SSL encrypted traffic, but we need to now use non-encrypted channels, which is why we need an encrypted VPN.

My question is, on the ASA, do I set up a VPN for Site to Site or Remote Access? My understanding of Site to Site is that it is bidirectional, e.g. Site A can talk to hosts on Site B and vice versa. We only need Site B to access Site A.

At the moment, I can access systems at Site B without a VPN (as none exists), but through IP rules. This is because the Site B IPs are public/Internet facing. However, if I connect a VPN, would I just continue to access the Site B public IPs when the VPN is active and would it simply tunnel the traffic for those, encrypted?

Thank you.


Hi,

You will require a Site to Site VPN. From the ASA you can use the ASDM VPN Wizard to create the VPN; you'd specify the peer IP address (IP address of the SonicWall), define your local LAN subnet (2.2.2.2/255.255.255.128) and the remote subnet (192.168.10.0/255.255.255.0) and a pre-shared key. The wizard should guide you through the steps; select the defaults for the crypto ike/ipsec values.

Once established, if you want to restrict access over the VPN you can use a vpn-filter to permit/deny access as appropriate.

HTH

Thanks for the reply - That seems super simple and how I understood it, but nothing is that easy, surely?

There's a superb document on the SonicWall website for the setup that side.

So just to confirm, from Site B (office), when the SonicWall connects to the Cisco via the site-to-site VPN, I can still access the 2.2.2.0 network as normal? I guess it would become "unrestricted" as in effect I would be connecting as if I was on the same network?

Seems a bit too simple :)

Once the VPN is in place, all traffic from Site B to Site A would go over the VPN encrypted.

Yes unrestricted, unless you lock down the VPN using the vpn-filter configuration to permit/deny traffic. You could restrict traffic as well on the SonicWall end if needs be.
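
The vpn-filter lock-down mentioned in the replies, sketched as ASA CLI. This is an added example, not configuration posted by anyone in the thread: it reuses the thread's masked addresses, assumes the wizard has already created the tunnel group for peer 3.3.3.3, and the names SITEB-FILTER and GP-SITEB and the TCP/1433 service are hypothetical.

```cisco
! Added example (constructed). Addresses are the thread's masked
! placeholders; SITEB-FILTER, GP-SITEB and TCP/1433 are hypothetical.

! Filter ACL for the tunnel. In a vpn-filter ACL the REMOTE network
! (Site B, 192.168.10.0/24) always goes in the source position and the
! LOCAL network (Site A, 2.2.2.0/25) in the destination position,
! regardless of which side opens the connection.
access-list SITEB-FILTER extended permit tcp 192.168.10.0 255.255.255.0 2.2.2.0 255.255.255.128 eq 1433
! Explicit deny with logging so rejected flows are visible in syslog.
access-list SITEB-FILTER extended deny ip any any log

! Caveat: the filter is applied in both directions. The permit line
! above also matches a Site A host sending FROM source port 1433 to
! any port at Site B, so keep permits to specific hosts and services.

! Do not reuse this ACL on an interface with access-group; keep it
! dedicated to the vpn-filter.

! Attach the filter to a group policy used only by this tunnel.
group-policy GP-SITEB internal
group-policy GP-SITEB attributes
 vpn-filter value SITEB-FILTER

! Bind the group policy to the SonicWall peer's tunnel group.
tunnel-group 3.3.3.3 general-attributes
 default-group-policy GP-SITEB

! Verification after the tunnel is re-established:
!   show vpn-sessiondb detail l2l     (lists the filter in use)
!   show access-list SITEB-FILTER     (hit counts per line)
```

A changed vpn-filter only takes effect on sessions established afterwards, so the tunnel has to be torn down and renegotiated before the new rules apply.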