Solved

Multi Gateway config with Cisco ASA

Posted on 2014-03-26
Last Modified: 2014-10-02
Dear expert

This is our network structure:
Internet -> Site A (192.168.1.0 with gateway 192.168.1.250) Cisco ASA 5505
Internet -> Site B (192.168.2.0 with gateway 192.168.2.250) Juniper Firewall

I can access site A and site B if I switch gateway IP, meaning: if connecting to A I need to have gateway IP 192.168.1.250; if B, I need to have 192.168.2.250.

However, I want this: the Cisco can access both A and B. This is not working; I tried adding a route, and added the ACL and added access rules for it, but it is still not working.

I tried to ping site B while on the Cisco gateway and I got this error from the log:
The adaptive security appliance denied any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically allowed.

I checked around and saw you need to add ACL rules in the Cisco, but I did... I don't know what the problem is.

Any idea?
Thx
0
Question by: Handersson75
9 Comments
 
LVL 79

Expert Comment

by:arnold
ID: 39957879
You need to establish a VPN connection, IPsec site-to-site, where each firewall will have the IP segment 192.168.2.0 accessible via the VPN tunnel.

The same is true on the other side.

Site A
Public IP A
Remote gateway: public IP site B
Local segment: 192.168.1.0/24
Remote segment: 192.168.2.0/24

Site B
Public IP site B
Remote gateway: public IP A
Local segment: 192.168.2.0/24
Remote segment: 192.168.1.0/24

When the tunnel is established.

Site A system 192.168.1.4 trying to access 192.168.2.15 will have the packets routed to the ASA, 192.168.1.250. The destination 192.168.2.15 and the source IP will match the VPN routing rule, at which point these packets will be encrypted and sent through the VPN to the Juniper. Upon receipt of the packet, the destination and the source will be evaluated to make sure they meet the VPN policy on the receiving end, at which point the packet with the source of 192.168.1.4 and destination 192.168.2.15 will be allowed into the LAN on the way to 192.168.2.15. The service will then process the request and send a reply with the source of 192.168.2.15 and destination of 192.168.1.4; it will of course include other required TCP data that deals with maintaining state. The packet on its way back undergoes a similar evaluation process.

Depending on the proximity of the two devices, you could establish a home-run link (crossover cable) using a /30 network, i.e. 172.16.0.0/30:
Cisco ASA interface 3: 172.16.0.1/30
Juniper interface 3: 172.16.0.2/30

You can set up ACLs that will route approved ACL access to 192.168.2.0/24 via 172.16.0.1,
and on the other device 192.168.1.0/24 via 172.16.0.2.

You could also use dynamic OSPF/RIP to share which networks are accessible via this link.


You can have IP route 0.0.0.0 0.0.0.0 interface1 weight1
IP route 0.0.0.0 0.0.0.0 interface2 weight2

When the two are equal, it has a load-balancing behavior, as both are equal.
If one is lower than the other (failover setup), the lower one is the one with the higher preference and through which all traffic will be sent, while the other is the backup.
Using interfaces makes the routing table reliant on the referenced interface being UP.
When the interface drops, the routing entry goes away until the interface comes back up.
0
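The ASA side of the options arnold lists above (site-to-site IPsec to the remote Juniper, a /30 cross-connect with a static route, and primary/backup default routes), written out as an added example in ASA CLI syntax. This is not configuration from the original thread. It assumes ASA 9.x, interface names inside and outside, an ASA outside address of 203.0.113.1 with ISP gateway 203.0.113.254, a site B public address of 198.51.100.2, 5505 VLAN 3 on Ethernet0/2 for the cross-connect, and a placeholder pre-shared key; all of those values are invented for the example.

```cisco
! ---- Option 1: IPsec site-to-site from the ASA to the site B Juniper (IKEv2) ----
object network SITE-A-LAN
 subnet 192.168.1.0 255.255.255.0
object network SITE-B-LAN
 subnet 192.168.2.0 255.255.255.0

! Crypto ACL = the "local segment / remote segment" pair arnold describes; it must
! mirror the Juniper's proxy IDs exactly or the tunnel will not come up.
access-list L2L-SITE-B extended permit ip object SITE-A-LAN object SITE-B-LAN

! NAT exemption so inside hosts reach site B with their real 192.168.1.x source.
nat (inside,outside) source static SITE-A-LAN SITE-A-LAN destination static SITE-B-LAN SITE-B-LAN no-proxy-arp route-lookup

crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

crypto map OUTSIDE-MAP 10 match address L2L-SITE-B
crypto map OUTSIDE-MAP 10 set peer 198.51.100.2
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP 10 set pfs group14
crypto map OUTSIDE-MAP interface outside

tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <shared-secret>
 ikev2 local-authentication pre-shared-key <shared-secret>

! ---- Option 2: /30 cross-connect to the Juniper instead of (or as well as) the tunnel ----
! On a 5505 a routed interface is a VLAN; the Base license restricts the third VLAN
! (it needs "no forward interface"), Security Plus lifts that limit.
interface Vlan3
 nameif link
 security-level 100
 ip address 172.16.0.1 255.255.255.252
interface Ethernet0/2
 switchport access vlan 3
 no shutdown

! inside and link are both security-level 100, so inter-interface traffic
! must be explicitly permitted.
same-security-traffic permit inter-interface

! Static route to site B across the cross-connect (next hop = Juniper's /30 address).
route link 192.168.2.0 255.255.255.0 172.16.0.2 1

! ---- Primary / backup default routes ----
! Distance 1 wins; 254 is a floating static that only appears when the primary is gone.
! Track the primary with an SLA probe so a dead ISP gateway (not just a down
! interface) also triggers the failover arnold describes.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.254 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1 track 1
route link 0.0.0.0 0.0.0.0 172.16.0.2 254
```

Two caveats on the "equal weight = load balancing" point: on the ASA, equal-cost static routes are only load-balanced when they share an egress interface (per-interface ECMP; traffic zones in 9.3(2)+ extend this across interfaces), so two default routes on different interfaces with the same distance do not behave as described. And a static route tied to an interface does disappear when the interface goes down, but a next hop that is unreachable while the link stays up does not, which is why the SLA track is worth the extra lines.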
 
LVL 1

Author Comment

by:Handersson75
ID: 39958126
Thanks for the answer. I don't think I need a VPN connection there because the site B gateway is on site A; in site B we already have a VPN tunnel set up... OK, I was unclear about this setting and I will redraw it:

Internet -> Site A (192.168.1.0 with gateway 192.168.1.250) Cisco ASA 5505
Internet -> Site A (192.168.3.0 with gateway 192.168.3.250) Juniper Firewall
VPN tunnel between here.
Internet -> Site B (192.168.2.0 with gateway 192.168.2.250) Juniper Firewall

Now it's clearer: site A has two gateways, site B has one gateway. Those Juniper firewalls have no problem communicating with each other; from site B we could only communicate with site A if the gateway is 192.168.3.250, not if the gateway is 192.168.1.250.

What I want is to make communication work for site A on 192.168.1.250 to communicate with site B.

Thx
0
 
LVL 79

Expert Comment

by:arnold
ID: 39958273
Your VPN from site B to each of the devices on site A.

Could you draw a network diagram?

Your ACLs would need to reference the site B IP segments as trusted, or allowed for specific access.

The VPN, if you are only using one, needs to include all IP segments for routing information.
0
 
LVL 1

Author Comment

by:Handersson75
ID: 39958309
Here is the drawing. I noticed I made a mistake in my previous statement... Sorry about that, now it's clear.
[network.png]
0
 
LVL 79

Expert Comment

by:arnold
ID: 39958917
Where are you looking to get access from?

Are you trying to access site B from the Cisco?

Your IP addressing does not seem to be right.

It looks like the Cisco LAN, Juniper WAN and Juniper LAN for site A are using the same segment.

Or is your Juniper router configured in a transparent mode?

In order for the ASA to access site B, it either has to learn the network route (network convergence through advertisement, RIP, OSPF) or have a static route: 192.168.2.0/24 via 192.168.1.251
0
 
LVL 1

Author Comment

by:Handersson75
ID: 39958937
I'm trying to access site B using the Cisco gateway, yes. The Juniper WAN is linked with the Cisco; I don't know how the ISP has configured the Juniper, but I think it's in transparent mode? I have a static route to site B in the Cisco though... Otherwise site B couldn't even connect to the Cisco at all.
0
 
LVL 79

Expert Comment

by:arnold
ID: 39959030
What do you mean?

On the Cisco the route should be pointing to the Juniper on site A, not site B.

192.168.2.0/24 with 192.168.1.251
Not
192.168.2.0/24 with 192.168.2.250

The traffic from site A must enter the VPN tunnel between the site A Juniper and the site B Juniper.

From the sound of it you have no control/access to the Junipers.
0
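What the route arnold describes looks like on the ASA, as an added example rather than configuration from the thread. It assumes the ASA's LAN interface is named inside, that 192.168.1.251 is the site A Juniper, and uses 192.168.1.4 and 192.168.2.15 (the addresses from the earlier comment) for the test. Two things are easy to miss here: because the next hop sits on the same segment as the clients, the packet enters and leaves the inside interface, which the ASA refuses by default; and the log text quoted in the question is Cisco's explanation for syslog 313001, which is logged for ICMP addressed to an ASA interface address itself and governed by the icmp command, not by interface ACLs, so that line does not by itself say anything about transit traffic to site B.

```cisco
! Site B is reached through the site A Juniper, which is on the inside segment.
route inside 192.168.2.0 255.255.255.0 192.168.1.251 1

! The test route whose next hop (192.168.2.250) is not on any connected segment
! must go; substitute the interface it was originally entered on.
no route inside 192.168.2.0 255.255.255.0 192.168.2.250

! Hairpin: 192.168.1.x -> inside -> ASA -> inside -> 192.168.1.251.
! Without this the ASA silently drops traffic that exits the interface it entered.
same-security-traffic permit intra-interface

! Stateful ICMP so echo replies from site B are matched to the outgoing request
! instead of needing their own ACL entry.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! If an inbound ACL is applied to inside, it must permit the transit traffic.
! (Only needed when such an ACL exists; an interface with no ACL permits all.)
access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group INSIDE_IN in interface inside

! Pings aimed at the ASA's own inside address are controlled here, not by the ACL;
! this is what a 313001 denial is about.
icmp permit 192.168.1.0 255.255.255.0 inside

! ---- Checks ----
! Simulate the exact flow and read the DROP/ALLOW verdict and the phase that decided it.
packet-tracer input inside icmp 192.168.1.4 8 0 192.168.2.15 detailed
! Confirm the route the ASA actually selects for site B.
show route 192.168.2.15
! Look for the specific denial and for "no route" (110001) rather than guessing.
show logging | include 313001|110001
```

Design note: hairpinning every site B packet through the ASA works, but it doubles the load on the inside interface and puts the ASA in the path for traffic it does not need to inspect. If the hosts on 192.168.1.0/24 can be given a route of their own (a static route on the hosts, or DHCP option 121), they can reach 192.168.1.251 directly and the ASA route becomes a fallback rather than the main path.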
 
LVL 1

Author Comment

by:Handersson75
ID: 39959076
That is correct, I have no control/access to the Junipers, because I could log in there and set the speed to 1 Gbit/s and the ISP didn't want me to do that, of course. But I heard from them that the Junipers work perfectly fine and there is no connection blocking or setting problem. I need to believe that and check if there is any problem on the Cisco...

As far as I can see I added 2 static routes:

192.168.2.0/24 with 192.168.1.251
192.168.2.0/24 with 192.168.2.250

Both are in there; I know that the .250 one will not work, but it was just for the test.
0
 
LVL 79

Accepted Solution

by: arnold (earned 500 total points)
ID: 39959321
If both are in without a "weight", that means that one packet can be directed to 192.168.1.251 while the other goes to 192.168.2.250, which is what a load-balancing setup would look like.

The difficulty deals with the definition of the ports at which the connection between the ASA and Juniper is set.

The Juniper interconnecting speed, from 100 Mb to 1 Gb?


Are you trying to set up a VPN to the ASA such that your VPN'ed remote will be able to access both segments? In this case your VPN remote setup must NAT the connection such that access from the VPN-assigned IP 10.0.0.12, for example, will appear to the Juniper as originating from 192.168.1.250 (the ASA router).
Otherwise, the VPN-assigned IP 10.0.0.12 does not match the VPN between the Junipers, which is 192.168.1.0/24 to 192.168.2.0/24.
The VPN-IP-originated packet will get to the first Juniper and, since it will fail to match the allowable VPN traffic pattern, it will be dropped on the first Juniper. Even if, through a misconfiguration, it enters the tunnel, it will be dropped on the other side. Even if, through a misconfiguration on both Junipers, the packet actually reaches the destination system on the other end, the response will end up in a drop state, or even if ............
0
