Solved

Cisco ASA Site to Site VPN Rules

Posted on 2012-03-29
12
546 Views
Last Modified: 2012-03-29
I have two ASAs that have a site-to-site VPN tunnel between them. The tunnel is up and running, and the secondary ASA has the same sub-interfaces set up on it as the primary (for disaster recovery).

My question is: there is a service (tcp/5000) that needs to access a VLAN on the secondary ASA. I am unsure where to go about creating the ACL to permit this traffic.

Would this be considered on the outside interface IN?
0
Question by:fluk3d
12 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37781604
So you already have ACLs in place to control the VPN traffic?
Could you elaborate a bit more on the setup, it's not quite clear to me yet.
0
 
LVL 6

Author Comment

by:fluk3d
ID: 37781623
Two ASAs Site to Site VPN

ASA (HQ)
192.168.1.0/24 ---> management interface
VLAN Servers (192.168.10.0/24)


ASA (Remote)
192.168.2.0/24  ---> management interface
VLAN Servers (192.168.20.0/24)

VLAN 192.168.10.0 needs to be able to communicate with VLAN Servers at Remote. However, there are VLANs on the primary unit that exist identically on the secondary, so in case this site failed over we would not have to re-IP everything; we could bring our servers over, etc.

I am unsure where to create/place the ACL to allow the specified service to access the VLAN at the Remote Site.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37781644
Ok. It depends on how things are set up at the moment. Could you post a (sanitized) config for us to have a look at? I think we should be able to point it out to you then.
0
 
LVL 6

Author Comment

by:fluk3d
ID: 37781669
Unfortunately, I can't due to security requirements for the organization. If you could point me in the proper direction, or what area I should be looking at in the ASDM, that would be great.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37782163
Clear, let's try it :)

Do you already have ACLs or ACEs that control what VPN traffic is allowed? Normally those should be on the outside interface.
Keep in mind that there also are ACLs to determine what is interesting traffic for the VPN (what matches goes in the tunnel) and what should be exempted from NAT. Normally a whole subnet should be in there and the specific traffic is defined in the ACL on the outside interface but it never hurts to check.
0
 
LVL 6

Author Comment

by:fluk3d
ID: 37782297
Thank you,

So in the ASDM, looking on the Outside Interface (HQ), I do not see any matching address objects for my remote subnet.

Looking at the Outside interface (Remote) there are no rules defined; however, there should be an implicit deny.

Strange thing is some workstations on VLAN Servers (HQ) can access VLAN Servers (Remote); however, the majority can't. This leads me to believe there is some ACL, which I'm trying to locate on either the remote or HQ ASA, that is filtering this traffic.

So my question is, is the outbound interface on both ASAs where any type of ACL would be applied to accomplish said goal, or is there another location I should be looking?
0
 
LVL 2

Expert Comment

by:gbblaster
ID: 37782702
The outside access list doesn't normally filter what goes into the VPN tunnel because by the time the interface access-group checks the traffic it is already encrypted.

For outbound traffic every inbound access-group on the internal interfaces is checked first. So if you have very tight ACLs on your internal interfaces, and your problem is when traffic is going out, then the issue is that you have to allow that traffic to get into the firewall before it is encrypted.

If you need to permit traffic into the tunnel that is not part of the two original VLANs, you need to add it to the ACL applied to your tunnel:

According to what you explain above, you have a tunnel with traffic ACLs that should look like this:

access-list VPN-Site-HQ permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list VPN-Site-Remote permit ip 192.168.20.0 255.255.255.0  192.168.10.0 255.255.255.0

In order to add one more subnet, it doesn't matter on which interface it is, you need to add it to the traffic ACL:

access-list VPN-Site-HQ permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list VPN-Site-HQ permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list VPN-Site-Remote permit ip 192.168.20.0 255.255.255.0  192.168.10.0 255.255.255.0
access-list VPN-Site-Remote permit ip 192.168.20.0 255.255.255.0  192.168.30.0 255.255.255.0
0
 
LVL 6

Author Comment

by:fluk3d
ID: 37782751
I think I found the ACL.

If I look through the crypto map, here is the config:


crypto map HIDDEN-Map 2 match address OUTSIDE_cryptomap_1
crypto map HIDDEN-Map 2 set peer <HIDDEN IP>
crypto map HIDDEN-Map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map InternalSystems-Map 10 ipsec-isakmp dynamic InternalSystems-Dynmap
crypto map InternalSystems-Map interface OUTSIDE-IF
crypto map InternalSystems-Map interface WIRED-SERVERS
crypto map InternalSystems-Map interface WIRED-USERS

If I look at the ACL manager I can see that there is an ACL rule only allowing a certain VLAN over to the remote site.

Can you confirm?
0
 
LVL 2

Accepted Solution

by:
gbblaster earned 500 total points
ID: 37782938
Correct, the match address command associates your VPN to traffic defined by the ACL OUTSIDE_cryptomap_1. On the command line you only need to do a show access-list OUTSIDE_cryptomap_1 and it'll show you what will be encrypted through the VPN. If you need to add another subnet, then you need to add a new ACE on each side with the new traffic as I explained before.
0
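The two points made above (the crypto ACL decides what enters the tunnel, and every ACE must have its mirror on the peer) can be checked mechanically before a change window. The script below is an added example, not code from the thread or from Cisco; it parses the sample ACLs gbblaster posted (with the 192.168.30.0/24 ACE deliberately left off the Remote side, a constructed mismatch) and assumes only the plain "permit ip <net> <mask> <net> <mask>" form, not object or host ACEs.

```python
import ipaddress
import re

# Constructed sample from the thread: HQ has the new 192.168.30.0/24 ACE,
# the Remote side does not, so the mirror check should flag it.
HQ_CONFIG = """
access-list VPN-Site-HQ permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list VPN-Site-HQ permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0
"""
REMOTE_CONFIG = """
access-list VPN-Site-Remote permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
"""

# Assumption: only subnet/mask "permit ip" ACEs are handled (no object/host forms).
ACE_RE = re.compile(
    r"access-list\s+(\S+)\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
)

def parse_crypto_acl(config):
    """Return the set of (src_net, dst_net) pairs defined by a crypto ACL."""
    pairs = set()
    for m in ACE_RE.finditer(config):
        _name, src, smask, dst, dmask = m.groups()
        # ipaddress accepts dotted netmasks, which is what the ASA prints.
        pairs.add((ipaddress.ip_network(f"{src}/{smask}"),
                   ipaddress.ip_network(f"{dst}/{dmask}")))
    return pairs

def mirror_gaps(local, remote):
    """ACEs on one side whose reversed (dst, src) pair is absent on the other.

    Any non-empty result means the peers disagree on the protected networks,
    and that subnet's Phase 2 negotiation will fail for one direction.
    """
    missing_on_remote = {(s, d) for s, d in local if (d, s) not in remote}
    missing_on_local = {(s, d) for s, d in remote if (d, s) not in local}
    return missing_on_remote, missing_on_local

def flow_is_encrypted(pairs, src_ip, dst_ip):
    """True if a packet src -> dst matches an ACE and so enters the tunnel."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in sn and d in dn for sn, dn in pairs)

if __name__ == "__main__":
    hq, remote = parse_crypto_acl(HQ_CONFIG), parse_crypto_acl(REMOTE_CONFIG)
    print("missing on Remote / on HQ:", mirror_gaps(hq, remote))
    print("tcp/5000 10.5 -> 20.7 encrypted:", flow_is_encrypted(hq, "192.168.10.5", "192.168.20.7"))
```

Feed it the output of show access-list OUTSIDE_cryptomap_1 from each ASA; the interface access-groups are a separate, earlier check and are not modelled here.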
 
LVL 6

Author Comment

by:fluk3d
ID: 37782999
Perfect, thank you very much for explaining that to me. One last question however; I will award the points as you answered my initial question. What does the following do?


crypto map InternalSystems-Map interface OUTSIDE-IF
crypto map InternalSystems-Map interface WIRED-SERVERS
crypto map InternalSystems-Map interface WIRED-USERS
0
 
LVL 6

Author Closing Comment

by:fluk3d
ID: 37783000
Great help!
0
 
LVL 2

Expert Comment

by:gbblaster
ID: 37783044
Normally that command is applied to the interface that either accepts VPN connections or makes VPN connections, since it is the command that associates a VPN configuration to an interface.

By accepts VPN connections I mean an interface that is configured to accept VPN client connections for example.

By makes VPN connections I mean an interface that is the endpoint of a peer to peer VPN tunnel, such as the one that you have between your HQ and your remote site.

If an interface is not supposed to do either of the above then the line that assigns the VPN configuration to the interface should not exist.
0
