Solved

Cisco ASA Site to Site VPN Rules

Posted on 2012-03-29
Last Modified: 2012-03-29
I have two ASAs that have a site to site VPN tunnel between them. The tunnel is up and running, and the secondary ASA has the same sub-interfaces set up on it as the primary (for disaster recovery).

My question is: there is a service (tcp/5000) that needs to access a VLAN on the secondary ASA. I am unsure where I go about creating the ACL to permit this traffic.

Would this be considered on the outside interface IN?
Question by:fluk3d
12 Comments
LVL 35

Expert Comment

by:Ernie Beek
ID: 37781604
So you already have ACLs in place to control the VPN traffic?
Could you elaborate a bit more on the setup, it's not quite clear to me yet.
LVL 6

Author Comment

by:fluk3d
ID: 37781623
Two ASAs Site to Site VPN

ASA (HQ)
192.168.1.0/24 ---> management interface
VLAN Servers (192.168.10.0/24)


ASA (Remote)
192.168.2.0/24  ---> management interface
VLAN Servers (192.168.20.0/24)

VLAN 192.168.10.0 needs to be able to communicate with VLAN Servers at Remote. However, there are VLANs on the primary unit that exist identically on the secondary, so in case this site failed over we would not have to re-IP everything; we could bring our servers over, etc.

I am unsure where to create/place the ACL to allow the specified service to access the VLAN at the Remote Site.
LVL 35

Expert Comment

by:Ernie Beek
ID: 37781644
Ok. It depends on how things are set up at the moment. Could you post a (sanitized) config for us to have a look at? I think we should be able to point it out to you then.
LVL 6

Author Comment

by:fluk3d
ID: 37781669
Unfortunately, I can't due to security requirements for the organization. If you could point me in the proper direction, or to what area I should be looking at in the ASDM, that would be great.
LVL 35

Expert Comment

by:Ernie Beek
ID: 37782163
Clear, let's try it :)

Do you already have ACLs or ACEs that control what VPN traffic is allowed? Normally those should be on the outside interface.
Keep in mind that there also are ACLs to determine what is interesting traffic for the VPN (what matches goes in the tunnel) and what should be exempted from NAT. Normally a whole subnet should be in there and the specific traffic is defined in the ACL on the outside interface but it never hurts to check.
LVL 6

Author Comment

by:fluk3d
ID: 37782297
Thank you,

So in the ASDM, looking on the Outside Interface (HQ), I do not see any matching address objects for my remote subnet.

Looking at the Outside interface (Remote), there are no rules defined; however, there should be an implicit deny.

The strange thing is some workstations on VLAN Servers (HQ) can access VLAN Servers (Remote); however, the majority can't. This leads me to believe there is some ACL, which I'm trying to locate on either the remote/HQ ASA, that is filtering this traffic.

So my question is, is the Outbound interface on both ASAs where any type of ACL would be applied to accomplish said goal, or is there another location I should be looking?
LVL 2

Expert Comment

by:gbblaster
ID: 37782702
The outside access list doesn't normally filter what goes into the VPN tunnel because by the time the interface access-group checks the traffic it is already encrypted.

For outbound traffic every inbound access-group on the internal interfaces is checked first. So if you have very tight ACLs on your internal interfaces, and your problem is when traffic is going out, then the issue is that you have to allow that traffic to get into the firewall before it is encrypted.

If you need to permit traffic into the tunnel that is not part of the two original VLANs  you need to add it to the ACL applied to your tunnel:

According to what you explain above, you have a tunnel with traffic ACLs that should look like this:

access-list VPN-Site-HQ permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list VPN-Site-Remote permit ip 192.168.20.0 255.255.255.0  192.168.10.0 255.255.255.0

In order to add one more subnet, it doesn't matter on which interface it is, you need to add it to the traffic ACL:

access-list VPN-Site-HQ permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list VPN-Site-HQ permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list VPN-Site-Remote permit ip 192.168.20.0 255.255.255.0  192.168.10.0 255.255.255.0
access-list VPN-Site-Remote permit ip 192.168.20.0 255.255.255.0  192.168.30.0 255.255.255.0
LVL 6

Author Comment

by:fluk3d
ID: 37782751
I think I found the ACL.

If I look through the crypto map, here is the config:

crypto map HIDDEN-Map 2 match address OUTSIDE_cryptomap_1
crypto map HIDDEN-Map 2 set peer <HIDDEN IP>
crypto map HIDDEN-Map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map InternalSystems-Map 10 ipsec-isakmp dynamic InternalSystems-Dynmap
crypto map InternalSystems-Map interface OUTSIDE-IF
crypto map InternalSystems-Map interface WIRED-SERVERS
crypto map InternalSystems-Map interface WIRED-USERS

If I look at the ACL manager I can see that there is an ACL rule only allowing a certain VLAN over to the remote site.

Can you confirm?
LVL 2

Accepted Solution

by:
gbblaster earned 2000 total points
ID: 37782938
Correct, the match address command associates your VPN to traffic defined by the ACL OUTSIDE_cryptomap_1. On the command line you only need to do a show access-list OUTSIDE_cryptomap_1 and it'll show you what will be encrypted through the VPN. If you need to add another subnet, then you need to add a new ACE on each side with the new traffic, as I explained before.
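As an added worked example (not code from this thread), the check gbblaster describes, done offline: parse the crypto ACL from either running-config lines or `show access-list` output, confirm that the two peers' ACLs mirror each other (a new subnet added on one side only never enters the tunnel), and test whether a given flow would be treated as interesting traffic. The HQ ACL name is the one from the thread; the remote ACL name, the sample lines and the hit counts are constructed.

```python
import ipaddress
import re

# Matches one permit ACE of an ASA crypto ACL, in running-config form
#   access-list NAME permit ip SRC SMASK DST DMASK
# or in "show access-list" form
#   access-list NAME line N extended permit ip SRC SMASK DST DMASK (hitcnt=..)
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)(?:\s+line\s+\d+)?(?:\s+extended)?"
    r"\s+permit\s+ip\s+(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)"
)

def parse_crypto_acl(text, name):
    """Return the set of (src_net, dst_net) pairs found in the named ACL."""
    pairs = set()
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group("name") == name:
            src = ipaddress.ip_network(f"{m.group('src')}/{m.group('smask')}")
            dst = ipaddress.ip_network(f"{m.group('dst')}/{m.group('dmask')}")
            pairs.add((src, dst))
    return pairs

def mirror_gaps(hq_pairs, remote_pairs):
    """ACEs on one side that have no mirrored (dst, src) ACE on the other.
    Returns (missing_on_remote, missing_on_hq) as sets of 'src -> dst' strings."""
    missing_remote = {(d, s) for (s, d) in hq_pairs} - remote_pairs
    missing_hq = {(d, s) for (s, d) in remote_pairs} - hq_pairs
    fmt = lambda pairs: {f"{s} -> {d}" for s, d in pairs}
    return fmt(missing_remote), fmt(missing_hq)

def is_interesting(pairs, src_ip, dst_ip):
    """True if a src_ip -> dst_ip flow matches the crypto ACL and so enters the tunnel."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in pairs)

# Constructed sample input: HQ running-config lines, with 192.168.30.0/24 already added
HQ_CONFIG = """
access-list OUTSIDE_cryptomap_1 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list OUTSIDE_cryptomap_1 extended permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0
"""
# Constructed sample input: remote-side "show access-list" output (ACL name is hypothetical),
# where the mirror ACE for 192.168.30.0/24 was never added
REMOTE_SHOW = """
access-list VPN-Site-Remote line 1 extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=42) 0x1a2b3c4d
"""
HQ_PAIRS = parse_crypto_acl(HQ_CONFIG, "OUTSIDE_cryptomap_1")
REMOTE_PAIRS = parse_crypto_acl(REMOTE_SHOW, "VPN-Site-Remote")
```

Run `mirror_gaps(HQ_PAIRS, REMOTE_PAIRS)` to list the ACE the remote peer still needs; `is_interesting` answers whether a specific flow such as the tcp/5000 service would be matched into the tunnel at all.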
LVL 6

Author Comment

by:fluk3d
ID: 37782999
Perfect, thank you very much for explaining that to me. One last question, however; I will award the points as you answered my initial question. What does the following do?

crypto map InternalSystems-Map interface OUTSIDE-IF
crypto map InternalSystems-Map interface WIRED-SERVERS
crypto map InternalSystems-Map interface WIRED-USERS
LVL 6

Author Closing Comment

by:fluk3d
ID: 37783000
Great help!
LVL 2

Expert Comment

by:gbblaster
ID: 37783044
Normally that command is applied to the interface that either accepts VPN connections or makes VPN connections, since it is the command that associates a VPN configuration to an interface.

By accepts VPN connections I mean an interface that is configured to accept VPN client connections for example.

By makes VPN connections I mean an interface that is the endpoint of a peer to peer VPN tunnel, such as the one that you have between your HQ and your remote site.

If an interface is not supposed to do either of the above then the line that assigns the VPN configuration to the interface should not exist.