Solved

Route Interesting traffic Cisco VPN

Posted on 2010-08-27
1,003 Views
Last Modified: 2012-05-10
We have a Cisco ASA firewall and we use the Cisco VPN client for remote workers.  We have an Oracle VPN connection from our office that we are using to connect to ERP services.  When at the office (not through the VPN) we can access a URL that connects to Oracle.  The traffic goes through the hard-wired VPN to Oracle correctly.  This URL is not accessible from the outside world. When we are remote and we connect our Cisco VPN client from, say, a hotel and try to access the URL we are not able to resolve the IP.  I believe we have to set up our ASA to route the interesting traffic, but I don't know how to do that.  Example of IPs below:

Client computer on our network: 10.1.1.50  connects to 141.50.50.50 successfully
Client computer not on our network, but connected by client VPN: VPN IP 10.5.1.1 Wifi IP: 192.168.1.50 cannot connect to 141.50.50.50

Any advice on this would be appreciated
Question by:purplecables
24 Comments
 
LVL 3

Expert Comment

by:danielswanson
ID: 33545738
When you are external and connect to your VPN, can you reach Oracle using the IP address instead of the URL name? If so, then you need to make sure that you set your VPN clients to use your internal DNS server when they are connected to the VPN. I believe you can set the ASA to hand the DNS to the client upon connection.
LVL 10

Expert Comment

by:qbakies
ID: 33545741
To be clear, the Oracle VPN that you have in your office is what you use to connect to this restricted URL?  You state that it is hard wired; who controls this VPN tunnel?  If it is highly restricted it may not be set to accept traffic from your VPN subnet.  What is the subnet for your LAN (10.1.1.0/?)?  Does it encompass the IPs that are assigned to the VPN, or is the VPN its own subnet (10.5.1.0/?)?

Author Comment

by:purplecables
ID: 33546873
Daniels, no the IP does not work either.

qbakies:
Yes, the Oracle VPN is what we use to connect to this URL.  Oracle controls the VPN tunnel, in other words, not me.  The subnet for our LAN is 10.1.1.0/24.  I don't know if it is set to encompass our IPs assigned to the VPN.  We have a Cisco VPN; I need to find the IP range assigned when using the Cisco VPN client.  Yesterday I tested with a Windows VPN client and my VPN IP address assigned was a 10.1.1.0/24 address and I still could not connect this way.
LVL 79

Expert Comment

by:lrmoore
ID: 33547024
I like purple cables. I actually carry a bunch of purple CAT6 cables and try to drop at least one wherever I install any equipment....

Lots of moving parts in this scenario.

>connects to 141.50.50.50
You have to include this IP address in your split-tunnel acl
You have to make sure to allow same-security-traffic intra interface (u-turn)
You probably have to make sure that the VPN client gets an IP address on the local LAN or Oracle won't recognize it. Typically we use a different IP subnet for the VPN clients, but in this case you probably have to use a subset of the internal LAN subnet.

Author Comment

by:purplecables
ID: 33558808
Thanks lrmoore.  Actually my boss gives me crap because he asked me what color cables we should put in our server room for DMZ connections.  I said purple, and we did.  Soon after that I opened this account and that name popped in my head.

Anyways, back to the issue:

Can you give me examples of what including this IP in my split-tunnel acl would look like and the u-turn thing you mention?
LVL 3

Expert Comment

by:danielswanson
ID: 33558969
Make sure you have communication between the following networks without involving the IPsec tunnel.  10.5.1.1 and 141.50.50.50 need to be able to route to one another. Can you ping systems back and forth between these two networks?
LVL 10

Expert Comment

by:qbakies
ID: 33561010
Here is an example:

access-list SplitTunnelACL standard permit 141.50.50.50 255.255.255.255 <- split tunnel ACL entry.  It would be tied to your VPN group policy.  Entries tell the VPN what to see as interesting traffic to route down the tunnel instead of out the local GW.

same-security-traffic permit inter-interface <- This is a global command that you enter.

I would think that your Oracle VPN is probably very, very security oriented.  I know the S2S VPN tunnels I have with our customers are extremely specific, down to only allowing exact IP access.  You need to contact whoever controls that Oracle VPN and have them send you the list of IPs that are allowed to pass traffic down the tunnel (ping is probably disabled so it will not be helpful in troubleshooting).  Your issue sounds very much like your VPN range simply isn't authorized to send traffic down the Oracle VPN.  Did you set up this S2S VPN with them?

This is going to be very tough to troubleshoot without engaging Oracle since you don't know what is and isn't allowed.

Author Comment

by:purplecables
ID: 33568324
This is what we have now:
access-list WebVPN_splitTunnelAcl_1 standard permit 10.0.0.0 255.0.0.0
access-list WebVPN_splitTunnelAcl_1 standard permit 192.168.0.0 255.255.0.0

I added
access-list WebVPN_splitTunnelAcl_1 standard permit 141.50.0.0 255.255.0.0

I then connected with a Cisco VPN client and realized the IP I get is:
10.1.254.x

I still cannot hit the Oracle URL.  I emailed our Oracle support guy about allowing the 10.1.254.x IP and his response was this:
We are not routing any of our customers' RFC 1918 addresses. You will have to translate the source of this traffic before handing it off to our VPN device.

Author Comment

by:purplecables
ID: 33572341
Any thoughts on how to make this work?
LVL 10

Expert Comment

by:qbakies
ID: 33575859
Did he give you the IP range that they are allowing traffic from?  Is it an entire subnet or just a specific range?  Once you find this out we can figure out the way you want to proceed to get it working.

Author Comment

by:purplecables
ID: 33577129
I'm not sure, but his response was this when I asked that question:
We are not routing any of our customers' RFC 1918 addresses. You will have to translate the source of this traffic before handing it off to our VPN device.

LVL 10

Expert Comment

by:qbakies
ID: 33577142
Well, that's not terribly helpful... Are all of the machines in your LAN subnet able to send traffic successfully down the Oracle tunnel?

Author Comment

by:purplecables
ID: 33577155
We aren't fully using Oracle yet, so it's hard to say.  I know the 10.1.1.0/24 subnet can.
LVL 10

Expert Comment

by:qbakies
ID: 33577198
OK, then you are going to have to assign some of your VPN users IPs on the LAN subnet.  This is not an ideal (or best-practices) scenario, but it may be necessary in this case.  We need to answer some questions here:

How many IPs do you actually use out of the 254?
Do all of your LAN users need to send traffic down the Oracle tunnel?
Do all of your VPN users need to send traffic down the Oracle tunnel?

Author Comment

by:purplecables
ID: 33577213
We can't assign them local LAN IPs right now.  We are running short on those and have to do some VLAN'ing before that is possible.

Not all LAN or VPN users send traffic down the Oracle tunnel.
LVL 10

Expert Comment

by:qbakies
ID: 33577282
You haven't posted your config so I'm sorry to keep asking questions.  Is the S2S VPN to Oracle terminating on your ASA's outside interface?

Author Comment

by:purplecables
ID: 33577824
Yes, it is terminating on the outside interface.
LVL 10

Assisted Solution

by:qbakies
qbakies earned 500 total points
ID: 33577964
Then we may be able to get away with just using one of your LAN IPs (i.e. 10.1.1.254/24) and NATting the VPN traffic.  You will have to do this:

Enable hairpinning:

ASA# conf t
ASA (config)# same-security-traffic permit intra-interface

Enable NAT:

ASA (config)# global (outside) 1 10.1.1.254 255.255.255.255
ASA (config)# nat (outside) 1 10.1.254.0 255.255.255.0
ASA# clear xlate

Since your VPN clients also connect to your outside interface, this will, theoretically, take any traffic from 10.1.254.0/24 bound for 141.50.50.50 and translate it to 10.1.1.254/24, which is allowed down the Oracle tunnel.  I've never tried this before but it seems like it should be possible.  You can also read about hairpinning here: http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/vpnsysop.html#wp1042114

Accepted Solution

by:purplecables
purplecables earned 0 total points
ID: 33618126
This is what it took:

access-list VPN_splitTunnelAcl_1 standard permit host 141.50.50.50
nat (outside) 1 10.1.254.0 255.255.255.0
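A small Python model of the three policy pieces qbakies describes (the split-tunnel ACL deciding what is interesting traffic, the intra-interface permit for the u-turn, and the outside NAT to a single LAN address), run against the accepted configuration above. This is an added example, not anything posted in the thread or Cisco's code: the config text is constructed from the thread's own lines, the ASA's real forwarding is only approximated, and it assumes, as the author stated, that the Oracle side accepts sources from 10.1.1.0/24.

```python
import ipaddress

# Constructed from the thread's lines: split-tunnel ACL, hairpin permit and
# the outside NAT to one LAN address. Example only, not the ASA's real logic.
FINAL_CONFIG = """
access-list VPN_splitTunnelAcl_1 standard permit 10.0.0.0 255.0.0.0
access-list VPN_splitTunnelAcl_1 standard permit 192.168.0.0 255.255.0.0
access-list VPN_splitTunnelAcl_1 standard permit host 141.50.50.50
same-security-traffic permit intra-interface
global (outside) 1 10.1.1.254 255.255.255.255
nat (outside) 1 10.1.254.0 255.255.255.0
"""
# Assumption from the author's post: the Oracle tunnel accepts LAN sources.
TUNNEL_ACCEPTS = ipaddress.ip_network("10.1.1.0/24")


def parse_config(text):
    """Collect split-tunnel networks, the hairpin flag and nat/global pairs."""
    acl, nat, glob, hairpin = [], [], {}, False
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list" and t[2:4] == ["standard", "permit"]:
            net = f"{t[5]}/32" if t[4] == "host" else f"{t[4]}/{t[5]}"
            acl.append(ipaddress.ip_network(net))
        elif t[:3] == ["same-security-traffic", "permit", "intra-interface"]:
            hairpin = True
        elif t[0] == "global":  # global (ifc) <id> <address> <mask>
            glob[int(t[2])] = ipaddress.ip_address(t[3])
        elif t[0] == "nat":  # nat (ifc) <id> <network> <mask>
            nat.append((int(t[2]), ipaddress.ip_network(f"{t[3]}/{t[4]}")))
    return acl, hairpin, nat, glob


def vpn_client_packet(src, dst, config=FINAL_CONFIG):
    """Return (verdict, source the far end sees) for one VPN-client packet.

    Verdicts: local-gateway (destination not in the split-tunnel ACL),
    dropped-no-hairpin (must re-exit 'outside' but u-turn not permitted),
    tunnel-rejected (source not accepted by Oracle), tunnel-accepted.
    """
    acl, hairpin, nat, glob = parse_config(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not any(dst in n for n in acl):
        return "local-gateway", str(src)
    if not hairpin:
        return "dropped-no-hairpin", str(src)
    xlated = next((glob[i] for i, n in nat if src in n and i in glob), src)
    verdict = "tunnel-accepted" if xlated in TUNNEL_ACCEPTS else "tunnel-rejected"
    return verdict, str(xlated)
```

Feeding it the earlier attempt (the 141.50.0.0 255.255.0.0 ACL entry with no NAT) reproduces the rejection the author hit: the destination is interesting, but Oracle sees an untranslated 10.1.254.x source.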

Author Comment

by:purplecables
ID: 33618157
I meant to accept an answer here, not close with no points...sorry

Author Comment

by:purplecables
ID: 33618197
So, I'm trying to accept an answer here, but I see no option to let me do that.  It says, "Is your question solved?"  I click Yes and assign points, but then it wants a reason I'm closing the question and says 0 points assigned.

Author Comment

by:purplecables
ID: 33618321
Would you make sure qbakies gets the 500 points please?