cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1400
Views
0
Helpful
16
Replies

VPN Route Issue

Here is my scenerio.

SP32-20111020-102140.gif

If I can get a VPN established on my ASA5505 Internal device to the Remote VPN device, how can I get my local devices on the 192.168.100.0 network to be able to access 192.168.192.3 server.

Our normal GW is 192.168.100.254 and this cannot change.

1 Accepted Solution

Accepted Solutions

Yes, if the remote subnet is 192.168.192.0/24.

Bear in mind that the other end must configure the same subnets so if you have agreed on 192.168.100.0/24 to any you will need to let them know you are going to be more specific and use 192.168.192.0/24 instead of any.

Jon

View solution in original post

16 Replies 16

Jon Marshall
Hall of Fame
Hall of Fame

Ronald

Edited this post.

Is your internal gateway really pointing out of the inside interface ?

If so how do you get access to the internet ?

Jon

Can I send you my config on the internal ASA to see what might need to change. I am not totally sure I got the VPN setup right.

Ronald

Yes, but do you really point your default-route via the inside interface ?

How do you get normal internet access ?

Normally ie. virtually every internet firewall points the default route to the ISP upstream device.

Edit - it looks from your diagram that you are actually bypassing your firewall althogether. Without a bit more detail your config isn't going to make a lot of sense.

Jon

Our internal clients GW is 192.168.100.254

But what about the default route on the ASA ?

Also your diagram seems to show a connection from the inside bypassing the firewall and connecting into a modem on the other side of your firewall.

Jon

Here is my ASA Internal config that I want the VPN established from.  The ASA Internal has a default route of 10.255.255.1.

interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.220 255.255.255.0
!
interface Vlan11
nameif DMZ
security-level 10
ip address 172.16.0.1 255.255.255.240
!
interface Vlan21
nameif Outside
security-level 0
ip address 10.255.255.2 255.255.255.0
!
interface Ethernet0/0
shutdown
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 21
!
interface Ethernet0/7
switchport access vlan 11
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name ASA
object-group service RDP tcp
port-object eq 1433
object-group service SQLClient tcp
port-object eq 1433
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp eq www
service-object tcp eq https
service-object esp
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object tcp eq www
service-object tcp eq https
service-object esp
object-group service VPNPorts udp
port-object eq 4500
port-object eq isakmp
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list DMZ_access_in extended permit tcp any 192.168.100.0 255.255.255.0 object-group SQLClient
access-list DMZ_access_in extended permit udp any any object-group VPNPorts
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit tcp any any object-group SQLClient
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any 172.16.0.0 255.255.255.240
access-list Outside_access_in extended permit udp any any object-group VPNPorts
access-list Outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 any
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu DMZ 1500
mtu Outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface Outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 10.255.255.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer 216.220.46.72
crypto map Outside_map 1 set transform-set ESP-AES256-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 216.X.X.72 type ipsec-l2l
tunnel-group 216.X.X.72 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context

So the clients on your internal network have a default-gateway of 192.168.100.254. This is not on the firewall.

So is this firewall not used to protect your network from the internet ?

Edit - i guess what i am asking is, what is the purpose of this firewall if your clients simply bypass it ?

Jon

Correct.

The ASA I working with is only for one other application and I want to use it to make a VPN connection to the remote company.

Do you have a L3 device internally ? If so what is it ?

If not there is no way to do what you want unless you add host specific routes on the clients that need to use the VPN ie. you would need to manually add routes to each client in your LAN for the remote VPN devices and the next-hop would have to be the inside interface of your ASA.

Otherwise there is no way of getting the traffic to go through the ASA.

Using host specific routes is a bad idea but in your case, unless you redesign your setup so all traffic goes through the ASA there is no other way to do it, assuming you don't have a L3 device internally.

Jon

I can add specific routes to the my hosts if needed. I only have a couple that need access to the remote site.

Okay, you will have to do that.

Then if the traffic goes through the ASA it should work fine.

Jon

Does the config look correct.  I have never setup one before. I used the AES-256-SHA group 2 as instructed by the remote company.

Ronald

access-list Outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 any

generally you specify the destination subnet as well whereas you have used any. It's better to use the specific destination subnet(s) in your crypto map access-list.

Other than that it looks okay but IPSEC tunnels can be quite picky so you won't really know until you test because the settings must match on either end.

Jon

Would it be like this:

access-list Outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.192.0 255.255.255.0