10-20-2011 07:24 AM
Here is my scenerio.
If I can get a VPN established on my ASA5505 Internal device to the Remote VPN device, how can I get my local devices on the 192.168.100.0 network to be able to access 192.168.192.3 server.
Our normal GW is 192.168.100.254 and this cannot change.
Solved! Go to Solution.
10-20-2011 10:24 AM
Yes, if the remote subnet is 192.168.192.0/24.
Bear in mind that the other end must configure the same subnets so if you have agreed on 192.168.100.0/24 to any you will need to let them know you are going to be more specific and use 192.168.192.0/24 instead of any.
Jon
10-20-2011 09:40 AM
Ronald
Edited this post.
Is your internal gateway really pointing out of the inside interface ?
If so how do you get access to the internet ?
Jon
10-20-2011 09:43 AM
Can I send you my config on the internal ASA to see what might need to change. I am not totally sure I got the VPN setup right.
10-20-2011 09:53 AM
Ronald
Yes, but do you really point your default-route via the inside interface ?
How do you get normal internet access ?
Normally ie. virtually every internet firewall points the default route to the ISP upstream device.
Edit - it looks from your diagram that you are actually bypassing your firewall althogether. Without a bit more detail your config isn't going to make a lot of sense.
Jon
10-20-2011 09:54 AM
Our internal clients GW is 192.168.100.254
10-20-2011 09:57 AM
But what about the default route on the ASA ?
Also your diagram seems to show a connection from the inside bypassing the firewall and connecting into a modem on the other side of your firewall.
Jon
10-20-2011 10:00 AM
Here is my ASA Internal config that I want the VPN established from. The ASA Internal has a default route of 10.255.255.1.
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.220 255.255.255.0
!
interface Vlan11
nameif DMZ
security-level 10
ip address 172.16.0.1 255.255.255.240
!
interface Vlan21
nameif Outside
security-level 0
ip address 10.255.255.2 255.255.255.0
!
interface Ethernet0/0
shutdown
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 21
!
interface Ethernet0/7
switchport access vlan 11
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name ASA
object-group service RDP tcp
port-object eq 1433
object-group service SQLClient tcp
port-object eq 1433
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp eq www
service-object tcp eq https
service-object esp
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object tcp eq www
service-object tcp eq https
service-object esp
object-group service VPNPorts udp
port-object eq 4500
port-object eq isakmp
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list DMZ_access_in extended permit tcp any 192.168.100.0 255.255.255.0 object-group SQLClient
access-list DMZ_access_in extended permit udp any any object-group VPNPorts
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit tcp any any object-group SQLClient
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any 172.16.0.0 255.255.255.240
access-list Outside_access_in extended permit udp any any object-group VPNPorts
access-list Outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 any
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu DMZ 1500
mtu Outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface Outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 10.255.255.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer 216.220.46.72
crypto map Outside_map 1 set transform-set ESP-AES256-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 216.X.X.72 type ipsec-l2l
tunnel-group 216.X.X.72 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
10-20-2011 10:03 AM
So the clients on your internal network have a default-gateway of 192.168.100.254. This is not on the firewall.
So is this firewall not used to protect your network from the internet ?
Edit - i guess what i am asking is, what is the purpose of this firewall if your clients simply bypass it ?
Jon
10-20-2011 10:04 AM
Correct.
The ASA I working with is only for one other application and I want to use it to make a VPN connection to the remote company.
10-20-2011 10:08 AM
Do you have a L3 device internally ? If so what is it ?
If not there is no way to do what you want unless you add host specific routes on the clients that need to use the VPN ie. you would need to manually add routes to each client in your LAN for the remote VPN devices and the next-hop would have to be the inside interface of your ASA.
Otherwise there is no way of getting the traffic to go through the ASA.
Using host specific routes is a bad idea but in your case, unless you redesign your setup so all traffic goes through the ASA there is no other way to do it, assuming you don't have a L3 device internally.
Jon
10-20-2011 10:10 AM
I can add specific routes to the my hosts if needed. I only have a couple that need access to the remote site.
10-20-2011 10:12 AM
Okay, you will have to do that.
Then if the traffic goes through the ASA it should work fine.
Jon
10-20-2011 10:15 AM
Does the config look correct. I have never setup one before. I used the AES-256-SHA group 2 as instructed by the remote company.
10-20-2011 10:19 AM
Ronald
access-list Outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 any
generally you specify the destination subnet as well whereas you have used any. It's better to use the specific destination subnet(s) in your crypto map access-list.
Other than that it looks okay but IPSEC tunnels can be quite picky so you won't really know until you test because the settings must match on either end.
Jon
10-20-2011 10:21 AM
Would it be like this:
access-list Outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.192.0 255.255.255.0
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide