Solved

Site to site VPN with remote access to DMZ

Posted on 2009-05-20
632 Views
Last Modified: 2012-05-07
Hi all,

I have two sites, let's call them A and B.
Both sites have an ASA firewall and there is an existing IPSEC site-to-site VPN between them.
This works well and hosts on each site's inside interface can access each other.
Also, hosts on inside site A can access certain services on the DMZ at site A.
What I require is that hosts on site B can access the DMZ at site A, how would I do this?

Here is the relevant configuration for each site:


Site A:
inside: 192.168.254.0/24
outside: 81.105.AAA.AAA/28
dmz: 10.30.30.1/24

global (outside) 1 interface
global (dmz) 1 10.30.30.100-10.30.30.200
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.254.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 81.105.AAA.AAA 1

access-list outside_20_cryptomap extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0

static (dmz,outside) 81.105.CCC.CCC 10.30.30.30 netmask 255.255.255.255
static (inside,dmz) 192.168.254.0 192.168.254.0 netmask 255.255.255.0

Site B:
inside: 192.168.1.0/24
outside: 82.45.BBB.BBB/28

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 82.45.BBB.BBB 1

access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0

crypto map outside_map 20 set peer 81.105.AAA.AA
crypto map outside_map interface outside

If anyone can help that would be awesome, if you need more information then just ask!

Thanks,

F.
0
Question by:fraserc
10 Comments
 
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
ID: 24432318
You would need to add the Site A DMZ subnet range to the Nonat and Crypto statements so that the DMZ traffic is also captured and sent across the VPN tunnel.  

Site A would need:
access-list outside_20_cryptomap extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0

Site B would need:
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0


If everything else is working, then this should be all you need to add to the existing config.

0
 
LVL 3

Author Comment

by:fraserc
ID: 24432586
Hi Mike,

Thanks for the feedback, I was pretty sure it was something like this but didn't want to break anything by playing with the current running config. I will try this out ASAP.

Thanks again.

Regards,

Fraser.
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 24432672
As a tip, remember you can always make changes to the running config without touching the startup config until the 'WRITE MEM' is issued....   FYI.
0
 
LVL 3

Author Comment

by:fraserc
ID: 24432983
Hi,

Ok I applied the two examples like so:

access-list outside_20_cryptomap extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map interface outside

access-list outside_20_cryptomap extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map interface outside

I then tried to ping a server in the Site A DMZ from a server at site B.
This produced the following error on the site A ASA.

A_server No translation group found for icmp src outside:B_server dst dmz:A_server (type 8, code 0)
Any thoughts? I presumed the translation group would be the same as the existing one!

Regards,

F.
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 24434298
Were those 2 sets applied to the same server?   Each server has its specific set... see my post above.   If this is what you used, then it's incorrect.  

Please verify and post back.
0
 
LVL 3

Author Comment

by:fraserc
ID: 24439184
No I applied the configs to the correct devices...

Site A:
access-list outside_20_cryptomap extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0

Site B:
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0

Sorry for the confusion.

F
0
 
LVL 3

Author Comment

by:fraserc
ID: 24439895
Hey Mike,

Ok I got it working, for some reason the line:

nat (dmz) 0 access-list dmz_nat0_outbound

Was missing from the Site A ASA.

I will award half marks for the help you gave, I hope you are ok with this?

Thanks again for all the help.

0
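The accepted answer covers the crypto and NAT-exemption ACL entries, and the post above shows the missing piece was a `nat (dmz) 0` binding on the DMZ interface itself. The following added example (not from the thread, and not ASA code) is a small Python model of that per-interface exemption lookup; it assumes, as the thread's outcome suggests, that the ASA looks up NAT exemption on the interface the local host sits behind, so entries in `inside_nat0_outbound` never apply to DMZ hosts. Host addresses and the `BEFORE`/`AFTER` configs are constructed from the subnets in the thread.

```python
import ipaddress

# Constructed model (added example, not from the thread) of the pre-8.3 ASA
# "nat (<if>) 0 access-list <acl>" exemption lookup. Assumption modelled:
# the exemption is looked up on the interface the local host sits behind,
# so an ACL bound only with "nat (inside) 0" never covers dmz hosts, no
# matter which subnets its entries name.

def acl_permits(acl, src, dst):
    """True if some 'permit ip <src net> <dst net>' entry covers src -> dst."""
    return any(ipaddress.ip_address(src) in ipaddress.ip_network(s)
               and ipaddress.ip_address(dst) in ipaddress.ip_network(d)
               for s, d in acl)

def nat_exempt(cfg, local_if, local_host, remote_host):
    """Is local_host (behind local_if) exempt from NAT towards remote_host?"""
    acl_name = cfg["nat0"].get(local_if)       # 'nat (<local_if>) 0 access-list ...'
    return acl_name is not None and acl_permits(cfg["acls"][acl_name], local_host, remote_host)

def check_flow(cfg, in_if, src, out_if, dst):
    """Verdict for a packet from the VPN peer arriving on in_if for out_if:dst."""
    # Crypto ACL is written local -> remote, so match it with dst/src swapped.
    if not acl_permits(cfg["acls"]["outside_20_cryptomap"], dst, src):
        return "not interesting traffic, not sent over the tunnel"
    if not nat_exempt(cfg, out_if, dst, src):
        return f"No translation group found for icmp src {in_if}:{src} dst {out_if}:{dst}"
    return f"exempt from NAT, passes to {out_if}"

INSIDE_TO_B = ("192.168.254.0/24", "192.168.1.0/24")   # site A inside -> site B
DMZ_TO_B = ("10.30.30.0/24", "192.168.1.0/24")         # site A dmz -> site B

# First attempt in the thread: DMZ subnet added only to inside_nat0_outbound.
BEFORE = {
    "nat0": {"inside": "inside_nat0_outbound"},
    "acls": {"outside_20_cryptomap": [INSIDE_TO_B, DMZ_TO_B],
             "inside_nat0_outbound": [INSIDE_TO_B, DMZ_TO_B]},
}
# Working state: exemption ACL bound on the dmz interface itself.
AFTER = {
    "nat0": {"inside": "inside_nat0_outbound", "dmz": "dmz_nat0_outbound"},
    "acls": {"outside_20_cryptomap": [INSIDE_TO_B, DMZ_TO_B],
             "inside_nat0_outbound": [INSIDE_TO_B],
             "dmz_nat0_outbound": [DMZ_TO_B]},
}

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, "->", check_flow(cfg, "outside", "192.168.1.10", "dmz", "10.30.30.30"))
```

Running it reproduces the thread's failure for the DMZ host under `BEFORE` while the inside host still passes, and shows the DMZ flow exempted once `dmz_nat0_outbound` is bound under `AFTER`.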
 
LVL 3

Author Closing Comment

by:fraserc
ID: 31583411
Thanks for the advice Mike. The information was correct.
0
 
LVL 3

Author Comment

by:fraserc
ID: 24439953
...Couldn't see how to do that so I gave the full 500 (my boss is happy, as am I). Hope you have a great day!
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 24441438
Thanks - Glad I could help.

FYI, the B rating is essentially half the points when assigned to the experts.    So you got the general idea across.  
0
