Solved

Site to site VPN with remote access to DMZ

Posted on 2009-05-20
630 Views
Last Modified: 2012-05-07
Hi all,

I have two sites, let's call them A and B.
Both sites have an ASA firewall and there is an existing IPSEC site-to-site VPN between them.
This works well, and hosts on each site's inside interface can access each other.
Also, hosts on the inside at site A can access certain services on the DMZ at site A.
What I require is that hosts at site B can access the DMZ at site A; how would I do this?

Here is the relevant configuration for each site:


Site A:
inside: 192.168.254.0/24
outside: 81.105.AAA.AAA/28
dmz: 10.30.30.1/24

global (outside) 1 interface
global (dmz) 1 10.30.30.100-10.30.30.200
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.254.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 81.105.AAA.AAA 1

access-list outside_20_cryptomap extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0

static (dmz,outside) 81.105.CCC.CCC 10.30.30.30 netmask 255.255.255.255
static (inside,dmz) 192.168.254.0 192.168.254.0 netmask 255.255.255.0

Site B:
inside: 192.168.1.0/24
outside: 82.45.BBB.BBB/28

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 82.45.BBB.BBB 1

access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0

crypto map outside_map 20 set peer 81.105.AAA.AA
crypto map outside_map interface outside

If anyone can help that would be awesome, if you need more information then just ask!

Thanks,

F.
Question by:fraserc
10 Comments
 
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
ID: 24432318
You would need to add the Site A DMZ subnet range to the Nonat and Crypto statements so that the DMZ traffic is also captured and sent across the VPN tunnel.  

Site A would need:
access-list outside_20_cryptomap extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0

Site B would need:
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0


IF everything else is working, then this should be all you need to add to the existing config.

 
LVL 3

Author Comment

by:fraserc
ID: 24432586
Hi Mike,

Thanks for the feedback. I was pretty sure it was something like this but didn't want to break anything by playing with the current running config. I will try this out ASAP.

Thanks again.

Regards,

Fraser.
 
LVL 33

Expert Comment

by:MikeKane
ID: 24432672
As a tip, remember you can always make changes to the running config without touching the startup config until the 'WRITE MEM' is issued....   FYI.
 
LVL 3

Author Comment

by:fraserc
ID: 24432983
Hi,

Ok I applied the two examples like so:

access-list outside_20_cryptomap extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map interface outside

access-list outside_20_cryptomap extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map interface outside

I then tried to ping a server in the Site A DMZ from a server at site B.
This produced the following error on the site A ASA.

A_server No translation group found for icmp src outside:B_server dst dmz:A_server (type 8, code 0)
Any thoughts? I presumed the translation group would be the same as the existing one!

Regards,

F.
 
LVL 33

Expert Comment

by:MikeKane
ID: 24434298
Were those 2 sets applied to the same server? Each server has its specific set... see my post above. If this is what you used, then it's incorrect.

Please verify and post back.
 
LVL 3

Author Comment

by:fraserc
ID: 24439184
No I applied the configs to the correct devices...

Site A:
access-list outside_20_cryptomap extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0

Site B:
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0

Sorry for the confusion.

F
 
LVL 3

Author Comment

by:fraserc
ID: 24439895
Hey Mike,

OK, I got it working. For some reason the line

nat (dmz) 0 access-list dmz_nat0_outbound

was missing from the Site A ASA.

I will award half marks for the help you gave, I hope you are ok with this?

Thanks again for all the help.

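The two findings in this thread fit together: the accepted answer adds the DMZ pair to the crypto ACL on both ASAs, but on Site A it adds the NAT exemption to inside_nat0_outbound, which is bound only to the inside interface by "nat (inside) 0 access-list inside_nat0_outbound". Traffic sourced from the DMZ subnet is matched against the nat rules of the dmz interface, and with none present the ASA logs "No translation group found". The missing "nat (dmz) 0 access-list dmz_nat0_outbound" binding is that rule. The checker below is an added example, not code from the thread or from Cisco: it parses the pre-8.3 syntax shown above and, for every subnet pair in a site's crypto ACL, confirms that the peer carries the mirrored pair and that the interface owning the source subnet has a nat 0 exemption ACL containing the pair. The interface-to-subnet mapping is taken from the prose of the question, and the body of dmz_nat0_outbound (never shown in the thread) is assumed to be the DMZ-to-Site-B pair.

```python
"""Added example (not from the original thread): consistency check for the
pre-8.3 ASA site-to-site VPN syntax used above. For each subnet pair in a
site's crypto ACL it verifies that (1) the peer's crypto ACL has the mirrored
pair and (2) the local interface that owns the source subnet has a NAT
exemption bound with 'nat (iface) 0 access-list' whose ACL carries the pair.
A pair failing (2) is the 'No translation group found' case in the thread.
"""
import re
from ipaddress import ip_network

# Pre-8.3 syntax only; NAT configuration changed completely in ASA 8.3.
ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"nat \((\S+)\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"crypto map \S+ \d+ match address (\S+)$")


def parse(config):
    """Collect ACL entries, nat-0 bindings and the crypto map's ACL names."""
    acls, nat0, crypto = {}, {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ip_network(f"{s}/{sm}"), ip_network(f"{d}/{dm}")))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)   # interface -> exemption ACL name
        elif m := CRYPTO_RE.match(line):
            crypto.add(m.group(1))          # ACLs that select tunnel traffic
    return {"acls": acls, "nat0": nat0, "crypto": crypto}


def owner(net, ifaces):
    """Name of the interface whose connected subnet contains net, or None."""
    return next((n for n, i in ifaces.items() if net.subnet_of(i)), None)


def check_site(local, local_ifaces, peer):
    """Problem strings for local's crypto pairs; an empty list means consistent."""
    problems = []
    peer_pairs = {p for n in peer["crypto"] for p in peer["acls"].get(n, [])}
    for name in local["crypto"]:
        for src, dst in local["acls"].get(name, []):
            if (dst, src) not in peer_pairs:
                problems.append(f"peer crypto ACL lacks mirror of {src} -> {dst}")
            iface = owner(src, local_ifaces)
            if iface is None:
                problems.append(f"no local interface owns {src}")
                continue
            acl = local["nat0"].get(iface)
            if acl is None:
                problems.append(f"no 'nat ({iface}) 0 access-list' binding for {src} -> {dst}")
            elif (src, dst) not in local["acls"].get(acl, []):
                problems.append(f"nat0 ACL {acl} on {iface} lacks {src} -> {dst}")
    return problems


# Site A as it stood after the accepted answer's lines were applied
# (addresses and ACL names from the thread).
SITE_A_BEFORE = """
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.254.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map 20 match address outside_20_cryptomap
"""

# The binding the asker found missing. The ACL body is not shown in the
# thread, so this entry is an assumption.
SITE_A_FIXED = SITE_A_BEFORE + """
access-list dmz_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
"""

SITE_B = """
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0
crypto map outside_map 20 match address outside_20_cryptomap
"""

# Interface subnets as stated in the question's prose.
SITE_A_IFACES = {"inside": ip_network("192.168.254.0/24"), "dmz": ip_network("10.30.30.0/24")}
SITE_B_IFACES = {"inside": ip_network("192.168.1.0/24")}

if __name__ == "__main__":
    for label, cfg in (("A before fix", SITE_A_BEFORE), ("A after fix", SITE_A_FIXED)):
        print(label, check_site(parse(cfg), SITE_A_IFACES, parse(SITE_B)) or "OK")
    print("B", check_site(parse(SITE_B), SITE_B_IFACES, parse(SITE_A_FIXED)) or "OK")
```

Run as-is, the "before" pass reports only the DMZ pair with no nat 0 binding on the dmz interface, which is the condition behind the syslog line quoted earlier; after the dmz binding is added both sites come back clean. Paste "show running-config" output from each ASA in place of the embedded strings to check a live pair; the regexes are deliberately anchored to the exact pre-8.3 forms seen on this page and will not understand object groups or 8.3+ NAT.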
 
LVL 3

Author Closing Comment

by:fraserc
ID: 31583411
Thanks for the advice Mike. The information was correct.
 
LVL 3

Author Comment

by:fraserc
ID: 24439953
...Couldn't see how to do that, so I gave the full 500 (my boss is happy, as am I). Hope you have a great day!
 
LVL 33

Expert Comment

by:MikeKane
ID: 24441438
Thanks - Glad I could help.

FYI, the B rating is essentially half the points when assigned to the experts. So you got the general idea across.