06-18-2013 08:26 PM
Sorry if this is a very newbie question.
I have done many to many single IP block VPNs, but I am now working on a much larger network interconnecting sites within a group of companies, and each site has got 9 IP blocks and VLANs.
So far I have done something simple and only enabled "server" networks between sites.
Each site has a class B on the 10.x.x.x network and I want to start putting multiple subnets through the VPN. In some cases I want VPNs where multiple subnets access one single subnet over the VPN. Do I set up the NAT to do the whole class B and then use access lists, or what is the correct way of doing this?
What would be the most elegant way of utilizing the Management network? Basically I want the Management networks of all the sites to talk to one another, but I don't want anyone else to be able to reach the Management networks.
Thanks.
06-18-2013 11:00 PM
To completely separate the subnets (say the management one from the others) it's possible to use VRF-aware IPsec when using ISRs. In the case of the ASA, I think it could be done by proper configuration of proxy-identities.
So, for example, you've got two sites with two subnets (management and LAN):
Site A has - 10.100.0.0/16 - management
10.1.0.0/16 - LAN
Site B has - 10.200.0.0/16 - management
10.2.0.0/16
If in this case you configure your proxy ACL like this (on site A gateway):
access-list PROXY_ID extended permit ip 10.100.0.0 255.255.0.0 10.200.0.0 255.255.0.0
access-list PROXY_ID extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
and vice versa on site B,
the traffic from the management subnet will be separated from the traffic from the LAN.
So, if some host from 10.100.0.0 tries to access something in 10.2.0.0 - it won't be possible, cause this traffic won't hit the proxy-ACL and this traffic won't go through the tunnel.
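As an added illustration of the proxy-identity behaviour described above (example code written for this thread, not a Cisco tool): it parses the two access-list lines from the post and evaluates candidate flows the way the ASA matches interesting traffic, first match wins, so a management host bound for the other site's LAN never enters the tunnel. The ACL name, host addresses and function names are assumptions chosen for the example.

```python
import ipaddress

# The two ACL entries from the post (site A gateway), embedded as constructed input.
PROXY_ACL = """
access-list PROXY_ID extended permit ip 10.100.0.0 255.255.0.0 10.200.0.0 255.255.0.0
access-list PROXY_ID extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
"""


def parse_proxy_acl(text):
    """Parse 'access-list NAME extended ACTION ip SRC MASK DST MASK' lines into
    (action, src_net, dst_net) tuples. ASA ACLs take real subnet masks, not
    IOS-style wildcard masks, so the mask is passed straight to ip_network."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 9 or parts[0] != "access-list" or parts[2] != "extended":
            raise ValueError(f"unsupported ACL line: {line}")
        action, proto = parts[3], parts[4]
        if proto != "ip":
            raise ValueError("only 'ip' entries are modelled here")
        src = ipaddress.ip_network(f"{parts[5]}/{parts[6]}", strict=False)
        dst = ipaddress.ip_network(f"{parts[7]}/{parts[8]}", strict=False)
        entries.append((action, src, dst))
    return entries


def is_interesting(entries, src_ip, dst_ip):
    """First-match evaluation: True if the flow is selected for the IPsec tunnel,
    False if it falls through the crypto ACL (and is never encrypted)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action == "permit"
    return False


if __name__ == "__main__":
    acl = parse_proxy_acl(PROXY_ACL)
    # Constructed sample flows: mgmt->mgmt, LAN->LAN, and the mgmt->LAN case from the post.
    for src, dst in [("10.100.5.5", "10.200.1.1"),
                     ("10.1.1.10", "10.2.3.4"),
                     ("10.100.5.5", "10.2.3.4")]:
        state = "tunnelled" if is_interesting(acl, src, dst) else "not tunnelled"
        print(f"{src} -> {dst}: {state}")
```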
07-12-2013 08:29 AM
I discovered the best way of doing this is to use object-groups and then doing the VPN as normal... not sure why no one came up with this simple answer. Then if you have to block anything, use an ACL.
The subnet masks etc. have to be correct; you can't just wildcard the whole network with a bigger subnet mask.
Eg.
say you have 10.1.1.0/24 you can't just do a 255.255.0.0 as the subnet mask....
07-13-2013 10:55 AM
I'm not sure what you're talking about, when talking about object-groups, etc. If you're talking about filtering traffic (by ACL) after it traversed the tunnel, then it's not an optimal solution, cause you should not send traffic through the tunnel if you're gonna filter it on the other end in the first place. It'll save some resources on the ASAs.
say you have 10.1.1.0/24 you can't just do a 255.255.0.0 as the subnet mask....
Sure you can't. Who proposed you to do such a thing? If you're talking about what I wrote, that was just an example.