Solved

Site to site VPN with remote access to DMZ

Posted on 2009-05-20
Last Modified: 2012-05-07
Hi all,

I have two sites, let's call them A and B.
Both sites have an ASA firewall and there is an existing IPSEC site-to-site VPN between them.
This works well and hosts on each site's inside interface can access each other.
Also, hosts on inside site A can access certain services on the DMZ at site A.
What I require is that hosts on site B can access the DMZ at site A, how would I do this?

Here is the relevant configuration for each site:


Site A:
inside: 192.168.254.0/24
outside: 81.105.AAA.AAA/28
dmz: 10.30.30.1/24

global (outside) 1 interface
global (dmz) 1 10.30.30.100-10.30.30.200
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.254.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 81.105.AAA.AAA 1

access-list outside_20_cryptomap extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0

static (dmz,outside) 81.105.CCC.CCC 10.30.30.30 netmask 255.255.255.255
static (inside,dmz) 192.168.254.0 192.168.254.0 netmask 255.255.255.0

Site B:
inside: 192.168.1.0/24
outside: 82.45.BBB.BBB/28

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 82.45.BBB.BBB 1

access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0

crypto map outside_map 20 set peer 81.105.AAA.AA
crypto map outside_map interface outside

If anyone can help that would be awesome, if you need more information then just ask!

Thanks,

F.
Question by:fraserc
 
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
ID: 24432318
You would need to add the Site A DMZ subnet range to the Nonat and Crypto statements so that the DMZ traffic is also captured and sent across the VPN tunnel.  

Site A would need:
access-list outside_20_cryptomap extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0

Site B would need:
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0


IF everything else is working, then this should be all you need to add to the existing config.

 
LVL 3

Author Comment

by:fraserc
ID: 24432586
Hi Mike,

Thanks for the feedback, I was pretty sure it was something like this but didn't want to break anything by playing with the current running config. I will try this out ASAP.

Thanks again.

Regards,

Fraser.
 
LVL 33

Expert Comment

by:MikeKane
ID: 24432672
As a tip, remember you can always make changes to the running config without touching the startup config until the 'WRITE MEM' is issued....   FYI.
 
LVL 3

Author Comment

by:fraserc
ID: 24432983
Hi,

Ok I applied the two examples like so:

access-list outside_20_cryptomap extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map interface outside

access-list outside_20_cryptomap extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map interface outside

I then tried to ping a server in the Site A DMZ from a server at site B.
This produced the following error on the site A ASA.

A_server No translation group found for icmp src outside:B_server dst dmz:A_server (type 8, code 0)
Any thoughts? I presumed the translation group would be the same as the existing one!

Regards,

F.
 
LVL 33

Expert Comment

by:MikeKane
ID: 24434298
Were those 2 sets applied to the same server?   Each server has its specific set... see my post above.   If this is what you used, then it's incorrect.  

Please verify and post back.
 
LVL 3

Author Comment

by:fraserc
ID: 24439184
No I applied the configs to the correct devices...

Site A:
access-list outside_20_cryptomap extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0

Site B:
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0

Sorry for the confusion.

F
 
LVL 3

Author Comment

by:fraserc
ID: 24439895
Hey Mike,

Ok I got it working, for some reason the line;

nat (dmz) 0 access-list dmz_nat0_outbound

Was missing from the Site A ASA.

I will award half marks for the help you gave, I hope you are ok with this?

Thanks again for all the help.

.
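The thread turns on two things that must line up before DMZ traffic will cross the tunnel: the crypto ACLs on both ASAs must be mirror images (MikeKane's accepted answer), and every local subnet that the crypto map sends into the tunnel needs a `nat (<interface>) 0 access-list` exemption on the interface it lives on, which is exactly the `nat (dmz) 0` line that turned out to be missing at Site A. The checker below is an added example, not part of this thread and not Cisco tooling. It lints a pair of ASA 8.2-style configs for both mistakes. The sample configs are constructed: the outside addresses use documentation ranges because the thread's are redacted, the `iface: subnet` summary lines are not ASA syntax but mirror how the question lists interfaces, and the contents of `dmz_nat0_outbound` are assumed since the thread never shows them.

```python
"""Lint a pair of ASA 8.2-style site-to-site VPN configs for the two problems in this
thread: crypto ACLs that are not mirrors, and a tunnelled local subnet whose
interface has no nat 0 exemption. Sample configs below are constructed, not real."""
import ipaddress
import re
from collections import defaultdict

# The ASA lines the thread uses: extended ip ACL entries, nat 0 bindings, crypto map match.
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
# Not ASA syntax: "iface: subnet" summary lines in the style the question used (assumption).
IFACE_RE = re.compile(r"^(\w+): (\S+)$")


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(text):
    """Pull interface subnets, ACL entries, nat 0 bindings and crypto-map ACL names."""
    cfg = {"acls": defaultdict(list), "nat0": {}, "ifaces": {}, "crypto_acls": set()}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, sa, sm, da, dm = m.groups()
            cfg["acls"][name].append((net(sa, sm), net(da, dm)))
        elif m := NAT0_RE.match(line):
            cfg["nat0"][m.group(1)] = m.group(2)  # interface -> exemption ACL name
        elif m := CRYPTO_RE.match(line):
            cfg["crypto_acls"].add(m.group(1))
        elif m := IFACE_RE.match(line):
            cfg["ifaces"][m.group(1)] = ipaddress.ip_network(m.group(2), strict=False)
    return cfg


def crypto_flows(cfg):
    """Every (local, remote) subnet pair the crypto map will push into the tunnel."""
    return {flow for name in cfg["crypto_acls"] for flow in cfg["acls"][name]}


def covered(entries, src, dst):
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)


def lint_site(text):
    """Problems for one ASA: each tunnelled local subnet must sit on a known non-outside
    interface, and that interface needs a nat 0 ACL exempting the flow (nat 0 exemption
    is bidirectional, so this also covers the returning outside->dmz packets)."""
    cfg = parse(text)
    problems = []
    for src, dst in sorted(crypto_flows(cfg), key=str):
        iface = next((n for n, s in cfg["ifaces"].items()
                      if n != "outside" and src.subnet_of(s)), None)
        if iface is None:
            problems.append(f"{src} in crypto ACL is not on any inside/dmz interface")
            continue
        acl = cfg["nat0"].get(iface)
        if acl is None:
            problems.append(f"interface {iface} carries {src} into the tunnel "
                            f"but has no 'nat ({iface}) 0 access-list'")
        elif not covered(cfg["acls"][acl], src, dst):
            problems.append(f"nat 0 ACL {acl} on {iface} does not exempt {src} -> {dst}")
    return problems


def mirror_problems(cfg_a, cfg_b):
    """Crypto ACLs must be exact mirrors or phase 2 will not agree on proxy IDs."""
    a, b = crypto_flows(cfg_a), crypto_flows(cfg_b)
    out = [f"A sends {s} -> {d} but B has no {d} -> {s}" for s, d in sorted(a, key=str) if (d, s) not in b]
    out += [f"B sends {s} -> {d} but A has no {d} -> {s}" for s, d in sorted(b, key=str) if (d, s) not in a]
    return out


# Constructed sample configs (documentation addresses; dmz_nat0_outbound contents assumed).
SITE_A_BEFORE = """
inside: 192.168.254.0/24
outside: 203.0.113.0/28
dmz: 10.30.30.1/24
nat (inside) 0 access-list inside_nat0_outbound
access-list outside_20_cryptomap extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map 20 match address outside_20_cryptomap
"""
SITE_A_AFTER = SITE_A_BEFORE + "nat (dmz) 0 access-list dmz_nat0_outbound\n"
SITE_B = """
inside: 192.168.1.0/24
outside: 198.51.100.0/28
nat (inside) 0 access-list inside_nat0_outbound
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.30.30.0 255.255.255.0
crypto map outside_map 20 match address outside_20_cryptomap
"""

if __name__ == "__main__":
    print("Site A before:", lint_site(SITE_A_BEFORE))   # flags the missing nat (dmz) 0
    print("Site A after: ", lint_site(SITE_A_AFTER))    # []
    print("Mirror check: ", mirror_problems(parse(SITE_A_AFTER), parse(SITE_B)))  # []
```

Run against the "before" config the checker reports the DMZ interface with no `nat (dmz) 0 access-list`, which is the condition behind the `No translation group found ... dst dmz:` syslog quoted earlier in the thread; once the exemption line is present both the per-site and the mirror checks come back empty. The interface lookup deliberately skips `outside`, since a local subnet that matches only the outside interface is itself a configuration error.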
 
LVL 3

Author Closing Comment

by:fraserc
ID: 31583411
Thanks for the advice Mike. The information was correct.
 
LVL 3

Author Comment

by:fraserc
ID: 24439953
...Couldn't see how to do that so I gave the full 500 (My boss is happy as am I) Hope you have a great day!
 
LVL 33

Expert Comment

by:MikeKane
ID: 24441438
Thanks - Glad I could help.

FYI,  The B rating is essentially half the points when assigned to the experts.    So you got the general idea across.  