
How do I configure an ASA to route two internal VLANs through a VPN?

I am trying to separate some servers on the inside of my network from the workstations. Currently the servers and workstations are on the same network. So far I have configured a second internal VLAN. The servers are plugged into a switch and then into port 0/2 on the ASA. Workstations are connected to a switch and then to port 0/1 on the ASA. The ISP router is on 0/0. I am able to get out to the internet from both VLANs; however, I cannot get to the VPN at the home office from both. My ASA 5510 only allows me to have one private network configured from the public IP of the remote site. I tried to rename the connection and I get a warning saying something about "names that aren't IP addresses won't work properly". I can get both VPN tunnels up separately, but not at the same time.

Problem 2: I need to be able to route between the two internal VLANs. Is this possible with a base model 5505 or do I need an upgrade license? I was forced to put a no forward command in. Is there a way around this? The configuration of the 5505 is below.

: Saved
:
ASA Version 8.0(4)
!
hostname PCATest
domain-name chavezpropteries.com
enable password *****************
passwd ********************** encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.34.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address ***.***.***.*** ***.***.***.***
!
interface Vlan33
 no forward interface Vlan1
 nameif creditcard
 security-level 100
 ip address 172.16.33.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 33
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
banner motd AUTHORIZED ACCESS ONLY
banner motd Authorized Access Only
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name chavezpropteries.com
same-security-traffic permit inter-interface
access-list 110 extended permit ip 192.168.34.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 110 extended permit ip 172.16.33.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 120 extended permit ip 172.16.33.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 250000
logging monitor debugging
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu creditcard 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0
nat (creditcard) 0 access-list 110
nat (creditcard) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 ***.***.***.***1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto map newmap 10 match address 110
crypto map newmap 10 set peer ***.***.***.***
crypto map newmap 10 set transform-set myset
crypto map newmap 10 set security-association lifetime seconds 86400
crypto map newmap 10 set security-association lifetime kilobytes 4608000
crypto map newmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 192.168.34.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 30
dhcpd dns 205.171.3.65 205.171.2.65
dhcpd auto_config outside
!
dhcpd address 192.168.34.150-192.168.34.180 inside
dhcpd dns 208.13.143.36 199.2.252.10 interface inside
dhcpd domain chavezpropteries.com interface inside
dhcpd option 3 ip 192.168.34.1 interface inside
dhcpd enable inside
!
dhcpd address 172.16.33.150-172.16.33.180 creditcard
dhcpd dns 4.2.2.2 interface creditcard
dhcpd domain chavezpropteries.com interface creditcard
dhcpd option 3 ip 172.16.33.1 interface creditcard
dhcpd enable creditcard
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 2
tunnel-group ***.***.***.*** type ipsec-l2l
tunnel-group ***.***.***.*** ipsec-attributes
 pre-shared-key ********
 isakmp keepalive threshold 60 retry 2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6f0e19fd32f57d555b5ed8723ab46fe7
: end
1 Solution
donaldchapell Commented:
If you're trying to reach anything on the inside you need to have routes set up to be able to reach them.

route inside  192.168.0.0 255.255.0.0 192.168.x.x 1 (Whatever your gw is on the inside)
route inside  172.16.0.0 255.255.0.0 172.16.x.x 1 (Whatever your gw on the inside is)

I see the PAT statements, but no routing. I think this may be your problem.


bbogle2007 (Author) Commented:
When I try to put these commands in, I get a message that says the routes already exist. Since the interfaces are on the same device, aren't the routes automatically configured?

wilsj Commented:
I don't quite understand what you are asking with the first question. Are you trying to configure a VPN tunnel to your home office to both interface VLAN1 and VLAN33?

The 2nd question might be solved with the below statement.

>>access-list 110 extended permit ip 192.168.34.0 255.255.255.0 192.168.0.0 255.255.255.0

I believe the above ACL should read:

access-list 110 extended permit ip 192.168.32.0 255.255.255.0 172.16.33.0 255.255.255.0

bbogle2007 (Author) Commented:
I think I have been a little confusing. Let me start over. I have two problems.

1. I am looking for a way to configure both of these VLANs to route back to my home office. The home office subnet is 192.168.0.0/24. I can get both of them to work individually, but not simultaneously. That leads me to believe that the ACL is correct, but I am missing something here. My ASA 5510 at my home office will not allow me to have two private addresses mapped from one public. I get a message that says that the entry exists. So then I tried to name them xxx.xxx.xx.xxx-1 and -2. I received a warning for both entries that said that I couldn't use a name other than the IP address unless the remote VPN was in aggressive mode. There has to be a way to configure two LANs from one device.

2. I was forced to put one of my VLANs in no forward mode. It restricts me from forwarding to both the other inside VLAN and the outside VLAN. I have to choose one or the other. I was looking for a workaround that didn't include purchasing the extra security license.


wilsj Commented:
You can have multiple private IPs mapped to a single public IP by using PAT. The below config will tell anything in access-list homeoffice_nat to be PATed to 2.2.2.2. Then on the home office network you just change your ACLs to accept traffic from 2.2.2.2. Of course, change 2.2.2.2 to match the public IP that you are using. Also, the public IP that you are using is different from the outside interface, correct?

access-list homeoffice permit ip host 2.2.2.2 192.168.0.0 255.255.0.0
access-list homeoffice_nat permit ip 172.16.33.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list homeoffice_nat permit ip 192.168.34.0 255.255.255.0 192.168.0.0 255.255.0.0

global (outside) 10 2.2.2.2
nat (inside) 10 access-list homeoffice_nat

crypto map newmap 10 match address homeoffice
crypto map newmap 10 set peer ***.***.***.***
crypto map newmap 10 set transform-set myset
crypto map newmap 10 set security-association lifetime seconds 86400
crypto map newmap 10 set security-association lifetime kilobytes 4608000

bbogle2007 (Author) Commented:
How do I get this to work on my ASA 5510 at the home office? If I use the IP address, I can only put one connection in (192.168.34.0). When I go in to set up the second connection (172.16.33.0), I get an error that says the entry already exists. So I uncheck the box that says use IP for Name and I get another error that says I need to use the IP address as the name of the connection.

Is 2.2.2.2 the public interface of the 5505 at the remote site? Or the public interface of my ASA 5510 at the home office, which is the peer in the crypto map statement?

wilsj Commented:
Ok, here is the deal. The above statements were to map networks 172.16.33.0/24 and 192.168.32.0/24 to 2.2.2.2 (this would change to a public IP if you have one). But if you want them to go over separately you have to do a NAT on the 192.168.32.0/24 network because you already have network 192.168.0.0 at your home office. Here is a version without NATting. You do not need a public IP to route through the VPN tunnel; all you need is an outside interface with a public IP and then you can start adding hosts.

This is the traffic going from your ASA 5505 to the 5510 at your home office.

access-list 110 permit ip 172.16.33.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list homeoffice permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.0.0   (natted network, change if needed)
access-list homeoffice permit ip 172.16.33.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list homeoffice_nat permit ip 192.168.34.0 255.255.255.0 192.168.0.0 255.255.0.0

static (inside,outside) 10.10.10.0 access-list homeoffice_nat

crypto map newmap 10 match address homeoffice
crypto map newmap 10 set peer ***.***.***.***
crypto map newmap 10 set transform-set myset
crypto map newmap 10 set security-association lifetime seconds 86400   (make sure these statements are mirrored on the other end)
crypto map newmap 10 set security-association lifetime kilobytes 4608000   (make sure these statements are mirrored on the other end)
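Added example (Python, not from the thread or either participant): a sanity check for the single-tunnel approach the answers describe. It reads ASA-style config lines, confirms that every (local, remote) pair in the crypto ACL the crypto map references is NAT-exempted on the interface that owns the local subnet, and prints the mirrored crypto ACL the 5510 at the home office must carry (a mismatch on either side leaves the tunnel working for one subnet only). The config lines and interface table are constructed from the 5505 config posted above; the ACL name `to_branch` is an assumption.

```python
import ipaddress
import re
# Constructed sample modelled on the posted 5505 config (not the asker's running
# config): interface subnets, the crypto-map ACL and the NAT-exemption (nat 0) lines.
INTERFACES = {
    "inside": ipaddress.ip_network("192.168.34.0/24"),
    "creditcard": ipaddress.ip_network("172.16.33.0/24"),
}
CONFIG = """
access-list 110 extended permit ip 192.168.34.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 110 extended permit ip 172.16.33.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list 110
nat (creditcard) 0 access-list 110
crypto map newmap 10 match address 110
"""
ACE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")

def parse(config):
    """Collect ACLs as (src, dst) network pairs, nat 0 ACL per interface, crypto-map ACL."""
    acls, nat0, match = {}, {}, None
    for line in config.splitlines():
        if m := ACE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            nat0[m.group(1)] = m.group(2)
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            match = m.group(1)
    return acls, nat0, match

def mirror_acl(entries, name):
    """Crypto ACL the peer must carry: same pairs, source and destination swapped."""
    return [f"access-list {name} extended permit ip {d.network_address} {d.netmask} "
            f"{s.network_address} {s.netmask}" for s, d in entries]

def check_nat_exemption(entries, nat0, acls, interfaces):
    """Crypto-ACL pairs whose source interface has no nat 0 entry covering them."""
    missing = []
    for s, d in entries:
        iface = next((n for n, net in interfaces.items() if s.subnet_of(net)), None)
        exempt = acls.get(nat0.get(iface, ""), [])
        if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt):
            missing.append((iface, str(s), str(d)))
    return missing

if __name__ == "__main__":
    acls, nat0, match = parse(CONFIG)
    print("\n".join(mirror_acl(acls[match], "to_branch")))  # paste on the 5510 side
    print("not NAT-exempt:", check_nat_exemption(acls[match], nat0, acls, INTERFACES))
```

Dropping the `nat (creditcard) 0` line from the sample reproduces the "one subnet works, the other does not" symptom: the check then reports the 172.16.33.0/24 pair as not exempt.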