VPN design guidelines.

Albert Wong
Level 1

Sorry if this is a very newbie question.

I have done many many-to-many single IP block VPNs, but I am now working on a much larger network interconnecting sites within a group of companies, and each site has got 9 IP blocks and VLANs.

So far I have done something simple and only enabled "server" networks between sites.

Each site has a class B on the 10.x.x.x network and I want to start putting multiple subnets through the VPN. In some cases I want VPNs where multiple subnets access one single subnet over the VPN. Do I set up the NAT to do the whole class B and then use access lists, or what is the correct way of doing this?

What would be the most elegant way of utilizing the Management network? Basically I want the Management networks of all the sites to talk to one another but don't want anyone else to be able to reach the Management networks.

Thanks.

3 Replies

Andrew Phirsov
Level 7

To completely separate the subnets (say the management one from the others) it's possible to use VRF-aware IPsec when using ISRs. In case of the ASA, I think it could be done by proper configuration of proxy identities.

So, for example, you've got two sites with two subnets (management and LAN):

Site A has:

    10.100.0.0/16 - management
    10.1.0.0/16 - LAN

Site B has:

    10.200.0.0/16 - management
    10.2.0.0/16 - LAN

If in this case you configure your proxy ACL like this (on site A gateway):

access-list PROXY_ID extended permit ip 10.100.0.0 255.255.0.0 10.200.0.0 255.255.0.0

access-list PROXY_ID extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

and vice versa on site B,

the traffic from the management subnet will be separated from the traffic from the LAN.

So, if some host from 10.100.0.0 tries to access something in 10.2.0.0, it won't be possible, because this traffic won't hit the proxy ACL and won't go through the tunnel.
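As an added example (not from the thread's participants), a small Python checker that parses the two ASA proxy ACL lines quoted above and evaluates which flows would select the tunnel; the sample flows and the function names are my own, and the parser also rejects an ACE whose mask does not fit its network address, the mistake discussed later in the thread.

```python
import ipaddress

# Constructed sample: the site A proxy (crypto) ACL from the reply above.
SITE_A_PROXY_ACL = """
access-list PROXY_ID extended permit ip 10.100.0.0 255.255.0.0 10.200.0.0 255.255.0.0
access-list PROXY_ID extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
"""


def parse_proxy_acl(text):
    """Parse 'access-list NAME extended permit|deny ip SRC MASK DST MASK' lines
    into (action, src_net, dst_net) tuples. Only this ASA subset is handled."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 9 or parts[0] != "access-list" or parts[2] != "extended":
            raise ValueError(f"unsupported ACE: {line}")
        action, proto = parts[3], parts[4]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        # strict=True rejects a network/mask pair with host bits set,
        # e.g. 10.1.1.0 255.255.0.0, so a sloppy mask fails at parse time
        src = ipaddress.IPv4Network((parts[5], parts[6]), strict=True)
        dst = ipaddress.IPv4Network((parts[7], parts[8]), strict=True)
        entries.append((action, src, dst))
    return entries


def is_tunneled(acl, src_ip, dst_ip):
    """First-match evaluation: does a src->dst flow select the IPsec tunnel?
    A flow no ACE matches is not 'interesting' and never enters the tunnel."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src, dst in acl:
        if s in src and d in dst:
            return action == "permit"
    return False


def classify(acl, flows):
    """Map each (src, dst) pair in flows to whether it would be tunneled."""
    return {(s, d): is_tunneled(acl, s, d) for s, d in flows}


if __name__ == "__main__":
    acl = parse_proxy_acl(SITE_A_PROXY_ACL)
    for flow, tunneled in classify(acl, [("10.100.5.5", "10.200.1.1"),
                                         ("10.100.5.5", "10.2.3.3")]).items():
        print(flow, "tunneled" if tunneled else "not interesting")
```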

I discovered the best way of doing this is to use object-groups and then doing the VPN as normal... not sure why no one came up with this simple answer. Then if you have to block anything, use an ACL.

The subnet masks etc. have to be correct; you can't just wildcard the whole network with a bigger subnet mask.

Eg.

say you have 10.1.1.0/24, you can't just do a 255.255.0.0 as the subnet mask....

I'm not sure what you're talking about when talking about object-groups, etc. If you're talking about filtering traffic (by ACL) after it has traversed the tunnel, then it's not an optimal solution, because you should not send traffic through the tunnel if you're going to filter it on the other end in the first place. It'll save some resources on the ASAs.

say you have 10.1.1.0/24, you can't just do a 255.255.0.0 as the subnet mask....

Sure you can't. Who proposed you do such a thing? If you're talking about what I wrote, that was just an example.