• Status: Solved

Route Interesting traffic Cisco VPN

We have a Cisco ASA firewall and we use the Cisco VPN client for remote workers.  We have an Oracle VPN connection from our office that we are using to connect to ERP services.  When at the office (not through the VPN) we can access a URL that connects to Oracle.  The traffic goes through the hard-wired VPN to Oracle correctly.  This URL is not accessible from the outside world. When we are remote and we connect our Cisco VPN client from, say, a hotel and try to access the URL, we are not able to resolve the IP.  I believe we have to set up our ASA to route the interesting traffic, but I don't know how to do that.  Example IPs below:

Client computer on our network: 10.1.1.50  connects to 141.50.50.50 successfully
Client computer not on our network, but connected by client VPN: VPN IP 10.5.1.1 Wifi IP: 192.168.1.50 cannot connect to 141.50.50.50

Any advice on this would be appreciated
Asked: purplecables
2 Solutions
 
danielswansonCommented:
When you are external and connect to your VPN, can you reach Oracle using the IP address instead of the URL name? If so, then you need to make sure that you set your VPN clients to use your internal DNS server when they are connected to the VPN. I believe you can set the ASA to hand the DNS to the client upon connection.
 
qbakiesCommented:
To be clear, the Oracle VPN that you have in your office is what you use to connect to this restricted URL?  You state that it is hard wired; who controls this VPN tunnel?  If it is highly restricted it may not be set to accept traffic from your VPN subnet.  What is the subnet for your LAN (10.1.1.0/?)?  Does it encompass the IPs that are assigned to VPN clients, or is the VPN its own subnet (10.5.1.0/?)?
 
purplecablesAuthor Commented:
Daniels, no the IP does not work either.

qbakies:
Yes, the Oracle VPN is what we use to connect to this URL.  Oracle controls the VPN tunnel, in other words, not me.  The subnet for our LAN is 10.1.1.0/24.  I don't know if it is set to encompass our IPs assigned to the VPN.  We have a Cisco VPN; I need to find the IP range assigned when using the Cisco VPN client.  Yesterday I tested with a Windows VPN client and my VPN IP address assigned was a 10.1.1.0/24 address and I still could not connect this way.
 
lrmooreCommented:
I like purple cables. I actually carry a bunch of purple CAT6 cables and try to drop at least one wherever I install any equipment....

Lots of moving parts in this scenario.

>connects to 141.50.50.50
You have to include this IP address in your split-tunnel acl
You have to make sure to allow same-security-traffic intra interface (u-turn)
You probably have to make sure that the VPN client gets an IP address on the local LAN or Oracle won't recognize it. Typically we use a different IP subnet for the VPN clients, but in this case you probably have to use a subset of the internal LAN subnet.
 
purplecablesAuthor Commented:
Thanks lrmoore.  Actually my boss gives me crap because he asked me what color cables we should put in our server room for DMZ connections.  I said purple, and we did.  Soon after that I opened this account and that name popped in my head.

Anyways, back to the issue:

Can you give me examples of what including this IP in my split-tunnel acl would look like and the u-turn thing you mention?
 
danielswansonCommented:
Make sure you have communication between the following networks without involving the IPsec tunnel.  10.5.1.1 and 141.50.50.50 need to be able to route to one another. Can you ping systems back and forth between these two networks?
 
qbakiesCommented:
Here is an example:

access-list SplitTunnelACL standard permit host 141.50.50.50 <- split tunnel ACL entry.  It would be tied to your VPN group policy.  Entries tell the VPN client what to treat as interesting traffic to route down the tunnel instead of out the local GW.

same-security-traffic permit intra-interface <- This is a global command that you enter; it allows traffic to enter and leave the same interface (the u-turn lrmoore mentioned).

I would think that your Oracle VPN is probably very, very security oriented.  I know the S2S VPN tunnels I have with our customers are extremely specific down to only allowing exact IP access.  You need to contact whoever controls that Oracle VPN and have them send you the list of IPs that are allowed to pass traffic down the tunnel (ping is probably disabled so will not be helpful in troubleshooting).  Your issue sounds very much like your VPN range simply isn't authorized to send traffic down the Oracle VPN.  Did you setup this S2S VPN with them?

This is going to be very tough to troubleshoot without engaging Oracle since you don't know what is and isn't allowed.
 
purplecablesAuthor Commented:
This is what we have now:
access-list WebVPN_splitTunnelAcl_1 standard permit 10.0.0.0 255.0.0.0
access-list WebVPN_splitTunnelAcl_1 standard permit 192.168.0.0 255.255.0.0

I added
access-list WebVPN_splitTunnelAcl_1 standard permit 141.50.0.0 255.255.0.0

I then connected with a Cisco VPN client and realized the IP I get is:
10.1.254.x

I still cannot hit the Oracle URL.  I emailed our Oracle support guy about allowing the 10.1.254.x IP and his response was this:
We are not routing any of our customers RFC 1918 addresses. You will have to translate the source of this traffic before handing it off to our VPN device.
 
purplecablesAuthor Commented:
Any thoughts on how to make this work?
 
qbakiesCommented:
Did he give you the IP range that they are allowing traffic from?  Is it an entire subnet or just a specific range?  Once you find this out we can figure out the way you want to proceed to get it working.
 
purplecablesAuthor Commented:
I'm not sure, but his response was this when I asked that question:
We are not routing any of our customers RFC 1918 addresses. You will have to translate the source of this traffic before handing it off to our VPN device.
 
qbakiesCommented:
Well, that's not terribly helpful... Are all of the machines in your LAN subnet able to send traffic successfully down the Oracle tunnel?
 
purplecablesAuthor Commented:
We aren't fully using Oracle yet, so it's hard to say.  I know the 10.1.1.0/24 subnet can.
 
qbakiesCommented:
OK, then you are going to have to assign some of your VPN users IPs on the LAN subnet.  This is not an ideal (or best-practice) scenario, but it may be necessary in this case.  We need to answer some questions here:

How many IPs do you actually use out of the 254?
Do all of your LAN users need to send traffic down the Oracle tunnel?
Do all of your VPN users need to send traffic down the Oracle tunnel?
 
purplecablesAuthor Commented:
We can't assign them local LAN IPs right now.  We are running short on those and have to do some VLANing before that is possible.

Not all LAN or VPN users send traffic down the Oracle tunnel.
 
qbakiesCommented:
You haven't posted your config so I'm sorry to keep asking questions.  Is the S2S VPN to Oracle terminating on your ASA's outside interface?
 
purplecablesAuthor Commented:
Yes, it is terminating on the outside interface.
 
qbakiesCommented:
Then we may be able to get away with just using one of your LAN IPs (i.e. 10.1.1.254/24) and NATting the VPN traffic.  You will have to do this:

Enable hairpinning:

ASA# conf t
ASA(config)# same-security-traffic permit intra-interface

Enable NAT:

ASA(config)# global (outside) 1 10.1.1.254 netmask 255.255.255.255
ASA(config)# nat (outside) 1 10.1.254.0 255.255.255.0
ASA# clear xlate

Since your VPN clients also connect to your outside interface, this will, theoretically, take any traffic from 10.1.254.0/24 bound for 141.50.50.50 and translate it to 10.1.1.254, which is allowed down the Oracle tunnel.  I've never tried this before, but it seems like it should be possible.  You can also read about hairpinning here: http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/vpnsysop.html#wp1042114
 
purplecablesAuthor Commented:
This is what it took:

access-list VPN_splitTunnelAcl_1 standard permit host 141.50.50.50
nat (outside) 1 10.1.254.0 255.255.255.0
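Putting the whole thread together as one pre-8.3 ASA configuration, as an added example that is not from the question or from any of the answers above: it combines lrmoore's three points (split-tunnel entry, u-turn, a LAN-subnet source address for Oracle), danielswanson's DNS suggestion, and the hairpin PAT that qbakies proposed and the author confirmed. The pool name VPN_POOL, the group-policy name RemoteUsers, the crypto-map name outside_map, the ACL names ORACLE_S2S and NO_NAT, the inside interface name and the DNS server address 10.1.1.10 are all assumptions, not values from the thread; the addresses 10.1.1.0/24, 10.1.254.0/24, 10.1.1.254 and 141.50.50.50 are the thread's own.

```cisco
! Added example (not from the thread). Pre-8.3 NAT syntax, matching what the
! thread uses; ASA 8.3 and later replace global/nat with object NAT.
! Names marked "assumed" are placeholders.

! 1. Let traffic that arrives on the outside interface (decrypted VPN client
!    traffic) leave through the same interface into the site-to-site tunnel.
same-security-traffic permit intra-interface

! 2. Address pool for remote-access clients (10.1.254.0/24 as in the thread).
!    Pool name assumed.
ip local pool VPN_POOL 10.1.254.1-10.1.254.254 mask 255.255.255.0

! 3. Split-tunnel list: the LAN plus the single Oracle host. Only these
!    destinations enter the client tunnel; everything else uses the hotel Wi-Fi.
access-list VPN_splitTunnelAcl_1 standard permit 10.1.1.0 255.255.255.0
access-list VPN_splitTunnelAcl_1 standard permit host 141.50.50.50

! Group policy for the remote-access tunnel-group (policy name and DNS server
! address assumed). Pushing the internal DNS server lets clients resolve the
! internal URL; it does not by itself make the route work.
group-policy RemoteUsers attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcl_1
 dns-server value 10.1.1.10
 address-pools value VPN_POOL

! 4. Oracle site-to-site crypto ACL. Oracle will not route customer RFC 1918
!    VPN pools, so only the LAN subnet is in it. Crypto-map name assumed.
access-list ORACLE_S2S extended permit ip 10.1.1.0 255.255.255.0 host 141.50.50.50
crypto map outside_map 10 match address ORACLE_S2S

! 5. PAT the VPN pool to one LAN address when it hairpins out the outside
!    interface. The ASA translates before it matches the crypto map, so the
!    translated source 10.1.1.254 falls inside ORACLE_S2S and is encrypted
!    toward Oracle.
global (outside) 1 10.1.1.254 netmask 255.255.255.255
nat (outside) 1 10.1.254.0 255.255.255.0

! 6. Keep LAN-to-Oracle traffic untranslated (NAT exemption on the inside
!    interface; interface and ACL name assumed).
access-list NO_NAT extended permit ip 10.1.1.0 255.255.255.0 host 141.50.50.50
nat (inside) 0 access-list NO_NAT
```

Two things to check before relying on this. Reserve 10.1.1.254 so no LAN host or DHCP scope hands it out, since the ASA now owns it for the translated sessions. And because every remote user leaves toward Oracle as 10.1.1.254, Oracle's side cannot tell one VPN user from another; if per-user accountability matters, keep the ASA's own VPN session and translation logs, or use a small pool of LAN addresses instead of a single PAT address.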
 
purplecablesAuthor Commented:
I meant to accept an answer here, not close with no points...sorry
 
purplecablesAuthor Commented:
So, I'm trying to accept an answer here, but I see no option to let me do that.  It says, "Is your question solved?"  I click Yes and assign points, but then it wants a reason I'm closing the question and says 0 points assigned.
 
purplecablesAuthor Commented:
Would you make sure qbakies gets the 500 points please?
