  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 634

Site to site VPN with remote access to DMZ

Hi all,

I have two sites, lets call them A and B.
Both sites have an ASA firewall and there is an existing IPSEC site-to-site VPN between them.
This works well and hosts on each sites inside interface can access each other.
Also, hosts on inside site A can access certain services on the DMZ at site A.
What I require is that hosts on site B can access the DMZ at site A, how would I do this?

Here is the relevant configuration for each site:


Site A:
inside: 192.168.254.0/24
outside: 81.105.AAA.AAA/28
dmz: 10.30.30.1/24

global (outside) 1 interface
global (dmz) 1 10.30.30.100-10.30.30.200
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.254.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 81.105.AAA.AAA 1

access-list outside_20_cryptomap extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0

static (dmz,outside) 81.105.CCC.CCC 10.30.30.30 netmask 255.255.255.255
static (inside,dmz) 192.168.254.0 192.168.254.0 netmask 255.255.255.0

Site B:
inside: 192.168.1.0/24
outside: 82.45.BBB.BBB/28

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 82.45.BBB.BBB 1

access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0

crypto map outside_map 20 set peer 81.105.AAA.AA
crypto map outside_map interface outside

If anyone can help that would be awesome, if you need more information then just ask!

Thanks,

F.
0
fraserc
Asked:
1 Solution
 
MikeKaneCommented:
You would need to add the Site A DMZ subnet range to the Nonat and Crypto statements so that the DMZ traffic is also captured and sent across the VPN tunnel.  

Site A would need:
access-list outside_20_cryptomap extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0

Site B would need:
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0


IF everything else is working, then this should be all you need to add to the existing config.

0
 
frasercAuthor Commented:
Hi Mike,

Thanks for the feedback, I was pretty sure it was something like this but didn't want to break anything by playing with the current running config. I will try this out ASAP.

Thanks again.

Regards,

Fraser.
0
 
MikeKaneCommented:
As a tip, remember you can always make changes to the running config without touching the startup config until the 'WRITE MEM' is issued....   FYI.
0
 
frasercAuthor Commented:
Hi,

Ok I applied the two examples like so:

access-list outside_20_cryptomap extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map interface outside

access-list outside_20_cryptomap extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map interface outside

I then tried to ping a server in the Site A DMZ from a server at site B.
This produced the following error on the site A ASA.

A_server No translation group found for icmp src outside:B_server dst dmz:A_server (type 8, code 0)
Any thoughts? I presumed the translation group would be the same as the existing one!

Regards,

F.
0
 
MikeKaneCommented:
Were those 2 sets applied to the same server?   Each server has its specific set... see my post above.   If this is what you used, then it's incorrect.

Please verify and post back.
0
 
frasercAuthor Commented:
No I applied the configs to the correct devices...

Site A:
access-list outside_20_cryptomap extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0

Site B:
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0

Sorry for the confusion.

F
0
 
frasercAuthor Commented:
Hey Mike,

Ok I got it working, for some reason the line;

nat (dmz) 0 access-list dmz_nat0_outbound

Was missing from the Site A ASA.

I will award half marks for the help you gave, I hope you are ok with this?

Thanks again for all the help.

.
0
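As an added example that is not part of the original thread (my own code, not the posters' or Cisco's): a small Python checker that takes the relevant pre-8.3 ASA lines from both ends of the tunnel and flags the two things that bit this thread. First, a crypto-map ACL entry on one side with no mirror entry on the other (Phase 2 proxy IDs will not match). Second, a subnet that is carried in the crypto ACL but is not NAT-exempt on the interface it actually sits behind: `nat (inside) 0` only covers flows sourced from inside, so the DMZ subnet needs its own `nat (dmz) 0`, which is exactly the line that was missing on the Site A ASA. The config strings, the interface-to-subnet maps and the `dmz_nat0_outbound` name are constructed from the addresses posted above; the "before" Site A config reproduces the state that produced the "No translation group found" message.

```python
"""Consistency check for a pre-8.3 ASA site-to-site tunnel (constructed example)."""
import ipaddress
import re

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_asa(config):
    """Return (acls, nat0, crypto_acl_names) from the relevant ASA lines.

    acls:   acl name -> list of (src_network, dst_network) for 'permit ip' entries
    nat0:   interface -> acl name used for NAT exemption on that interface
    crypto: acl names referenced by 'crypto map ... match address'
    """
    acls, nat0, crypto = {}, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((_net(s, sm), _net(d, dm)))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0[m.group(1)] = m.group(2)
            continue
        m = MATCH_RE.match(line)
        if m:
            crypto.append(m.group(1))
    return acls, nat0, crypto


def protected_pairs(acls, crypto_names):
    """All (src, dst) pairs the crypto map will try to tunnel."""
    pairs = set()
    for name in crypto_names:
        pairs.update(acls.get(name, []))
    return pairs


def iface_for(subnet, iface_subnets):
    """Interface a subnet sits behind, given a {iface: network} map."""
    for iface, net in iface_subnets.items():
        if subnet.subnet_of(net):
            return iface
    return None


def check_site(label, config, iface_subnets):
    """Each tunnelled source subnet must be NAT-exempt on its own interface."""
    acls, nat0, crypto = parse_asa(config)
    findings = []
    for src, dst in sorted(protected_pairs(acls, crypto), key=str):
        iface = iface_for(src, iface_subnets)
        if iface is None:
            findings.append(f"{label}: {src} in crypto ACL is not behind any known interface")
            continue
        exempt = acls.get(nat0.get(iface, ""), [])
        if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in exempt):
            findings.append(f"{label}: {src} -> {dst} is tunnelled but has no nat ({iface}) 0 exemption")
    return findings


def check_tunnel(cfg_a, ifaces_a, cfg_b, ifaces_b):
    """Per-site NAT-exemption findings plus crypto ACL mirror-image check."""
    findings = check_site("A", cfg_a, ifaces_a) + check_site("B", cfg_b, ifaces_b)
    acls_a, _, crypto_a = parse_asa(cfg_a)
    acls_b, _, crypto_b = parse_asa(cfg_b)
    pairs_a = protected_pairs(acls_a, crypto_a)
    pairs_b = protected_pairs(acls_b, crypto_b)
    for s, d in sorted(pairs_a - {(d, s) for s, d in pairs_b}, key=str):
        findings.append(f"A: {s} -> {d} has no mirror entry in B's crypto ACL")
    for s, d in sorted(pairs_b - {(d, s) for s, d in pairs_a}, key=str):
        findings.append(f"B: {s} -> {d} has no mirror entry in A's crypto ACL")
    return findings


# Constructed from the thread: Site A after the DMZ lines were added but before nat (dmz) 0.
SITE_A_BEFORE = """
nat (inside) 0 access-list inside_nat0_outbound
access-list outside_20_cryptomap extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map 20 match address outside_20_cryptomap
"""
# The fix: exemption applied on the interface the DMZ subnet actually lives behind.
SITE_A_AFTER = SITE_A_BEFORE + """
access-list dmz_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
"""
SITE_B = """
nat (inside) 0 access-list inside_nat0_outbound
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0
crypto map outside_map 20 match address outside_20_cryptomap
"""
IFACES_A = {"inside": ipaddress.ip_network("192.168.254.0/24"),
            "dmz": ipaddress.ip_network("10.30.30.0/24")}
IFACES_B = {"inside": ipaddress.ip_network("192.168.1.0/24")}

if __name__ == "__main__":
    for f in check_tunnel(SITE_A_BEFORE, IFACES_A, SITE_B, IFACES_B) or ["no findings"]:
        print(f)
```

Run against the "before" config it reports only the DMZ subnet with no `nat (dmz) 0` exemption; after adding the two lines it reports nothing. Dropping the DMZ entry from Site B's crypto ACL instead produces a mirror-entry finding, which is the other common way a newly added subnet fails to come up over an existing tunnel.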
 
frasercAuthor Commented:
Thanks for the advice Mike. The information was correct.
0
 
frasercAuthor Commented:
...Couldn't see how to do that so I gave the full 500 (My boss is happy as am I) Hope you have a great day!
0
 
MikeKaneCommented:
Thanks - Glad I could help.

FYI,  The B rating is essentially half the points when assigned to the experts.    So you got the general idea across.  
0
