Site to site VPN with remote access to DMZ

Posted on 2009-05-20
Last Modified: 2012-05-07
Hi all,

I have two sites, let's call them A and B.
Both sites have an ASA firewall and there is an existing IPSEC site-to-site VPN between them.
This works well and hosts on each site's inside interface can access each other.
Also, hosts on inside site A can access certain services on the DMZ at site A.
What I require is that hosts on site B can access the DMZ at site A, how would I do this?

Here is the relevant configuration for each site:


Site A:
inside: 192.168.254.0/24
outside: 81.105.AAA.AAA/28
dmz: 10.30.30.1/24

global (outside) 1 interface
global (dmz) 1 10.30.30.100-10.30.30.200
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.254.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 81.105.AAA.AAA 1

access-list outside_20_cryptomap extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0

static (dmz,outside) 81.105.CCC.CCC 10.30.30.30 netmask 255.255.255.255
static (inside,dmz) 192.168.254.0 192.168.254.0 netmask 255.255.255.0

Site B:
inside: 192.168.1.0/24
outside: 82.45.BBB.BBB/28

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 82.45.BBB.BBB 1

access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0

crypto map outside_map 20 set peer 81.105.AAA.AA
crypto map outside_map interface outside

If anyone can help that would be awesome, if you need more information then just ask!

Thanks,

F.
Question by:fraserc

Accepted Solution

by:
MikeKane earned 500 total points
ID: 24432318
You would need to add the Site A DMZ subnet range to the Nonat and Crypto statements so that the DMZ traffic is also captured and sent across the VPN tunnel.  

Site A would need:
access-list outside_20_cryptomap extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0

Site B would need:
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0


IF everything else is working, then this should be all you need to add to the existing config.


Author Comment

by:fraserc
ID: 24432586
Hi Mike,

Thanks for the feedback. I was pretty sure it was something like this but didn't want to break anything by playing with the current running config. I will try this out ASAP.

Thanks again.

Regards,

Fraser.

Expert Comment

by:MikeKane
ID: 24432672
As a tip, remember you can always make changes to the running config without touching the startup config until the 'WRITE MEM' is issued....   FYI.

Author Comment

by:fraserc
ID: 24432983
Hi,

Ok I applied the two examples like so:

access-list outside_20_cryptomap extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map interface outside

access-list outside_20_cryptomap extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map interface outside

I then tried to ping a server in the Site A DMZ from a server at site B.
This produced the following error on the site A ASA.

A_server No translation group found for icmp src outside:B_server dst dmz:A_server (type 8, code 0)
Any thoughts? I presumed the translation group would be the same as the existing one!

Regards,

F.

Expert Comment

by:MikeKane
ID: 24434298
Were those 2 sets applied to the same server? Each server has its specific set... see my post above. If this is what you used, then it's incorrect.

Please verify and post back.

Author Comment

by:fraserc
ID: 24439184
No I applied the configs to the correct devices...

Site A:
access-list outside_20_cryptomap extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0

Site B:
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0

Sorry for the confusion.

F

Author Comment

by:fraserc
ID: 24439895
Hey Mike,

Ok I got it working, for some reason the line;

nat (dmz) 0 access-list dmz_nat0_outbound

Was missing from the Site A ASA.

I will award half marks for the help you gave, I hope you are ok with this?

Thanks again for all the help.

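The two pieces of the fix in this thread (the DMZ entries in the crypto and nat 0 ACLs from the accepted answer, and the `nat (dmz) 0` line that turned out to be missing) can be checked offline with a small model of the ASA's pre-8.3 behaviour. The script below is an added example, not part of the original thread or any Cisco tool; the Site A config text is a constructed excerpt of what was posted, and the check is simplified (only `nat 0` exemptions and `crypto map ... match address` are modelled, not `static` translations).

```python
import ipaddress
import re

# Constructed excerpt of the Site A ASA config from the thread: crypto and nat 0
# ACLs with the DMZ entries added, first WITHOUT and then WITH the
# "nat (dmz) 0" binding that the author found to be missing.
SITE_A_BEFORE = """\
access-list outside_20_cryptomap extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 20 match address outside_20_cryptomap
"""
SITE_A_AFTER = SITE_A_BEFORE + """\
access-list dmz_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
NAT0_RE = re.compile(r"nat \((\S+)\) 0 access-list (\S+)")
CRYPTO_RE = re.compile(r"crypto map \S+ \d+ match address (\S+)")

def parse(cfg):
    """Return ({acl: [(src_net, dst_net)]}, {interface: nat0_acl}, {crypto_acl})."""
    acls, nat0, crypto = {}, {}, set()
    for line in cfg.splitlines():
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)   # nat 0 ACLs are bound per interface
        elif m := CRYPTO_RE.match(line):
            crypto.add(m.group(1))
    return acls, nat0, crypto

def matches(acls, name, src, dst):
    return any(src in s and dst in d for s, d in acls.get(name, []))

def check_inbound(cfg, remote_src, local_dst, local_if):
    """Simplified model (assumption, nat-control era ASA) of a packet from the VPN
    peer to a host behind local_if. in_tunnel: the crypto ACL covers the pair.
    translation_ok: the nat 0 ACL bound to local_if exempts the same pair; if not,
    the ASA logs "No translation group found" exactly as seen in the thread."""
    acls, nat0, crypto = parse(cfg)
    src, dst = ipaddress.ip_address(remote_src), ipaddress.ip_address(local_dst)
    in_tunnel = any(matches(acls, c, dst, src) for c in crypto)
    translation_ok = matches(acls, nat0.get(local_if, ""), dst, src)
    return in_tunnel, translation_ok
```

Note that the DMZ entry placed in `inside_nat0_outbound` does nothing for DMZ hosts, because that ACL is bound to the inside interface; the exemption has to be bound to the interface the host actually sits behind.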

Author Closing Comment

by:fraserc
ID: 31583411
Thanks for the advice Mike. The information was correct.

Author Comment

by:fraserc
ID: 24439953
...Couldn't see how to do that so I gave the full 500 (My boss is happy as am I) Hope you have a great day!

Expert Comment

by:MikeKane
ID: 24441438
Thanks - Glad I could help.

FYI, the B rating is essentially half the points when assigned to the experts. So you got the general idea across.