YMartin asked:
ASA 5505 asdm 5.2 VPN spoke to spoke connection

I need to allow VPN traffic to flow through an ASA 5505 to another VPN target (spoke to spoke).  

I have a remote VPN connection  to an ASA 5505 using Cisco VPN Client.  It is configured and I am able to connect to the ASA inside interface (LAN).  I need to know how to allow traffic to go back out the outside interface across a site to site VPN connection (essentially using the ASA as a VPN Proxy).  The local firewall at the other end of the site to site connection cannot accept VPN client connections directly so I am trying to use the ASA as a gateway leveraging the site to site VPN connection.

I had attempted to create an ACL entry on the inside interface allowing traffic from the ASA's LAN subnet to the remote site LAN subnet. However, this prevented normal internet traffic from going out the firewall and did not route traffic to the remote site as desired.

The same rule on the outside interface does nothing.  

I am also unable to find where NAT exemptions are configured for the VPN in order to control which targets are permitted on the LAN for VPN users. It appears once in the wizard, where you can set allowed hosts; however, I cannot find it later in the Tunnel Group or Group Policy.
asavener:
You will need to modify the access lists associated with the two VPN connections, and then allow same-security traffic intra-interface.

Example:

Current:

Site A
  VPN1
    permit site A IPs to site B IPs
  VPN2
    permit site A IPs to site C IPs

(Site B and Site C have converse rules)

New:

Site A
  VPN1
    permit site A IPs to site B IPs
    permit site C IPs to site B IPs
  VPN2
    permit site A IPs to site C IPs
    permit site B IPs to site C IPs

(Site B and site C access lists need to be updated to allow converse traffic)

Then add the following rule at main site:

  same-security-traffic permit intra-interface

Result is that traffic Site B to Site C arrives at site A, is decrypted, then routed back out the outside interface, re-encrypted with the VPN to site C and sent on its way.
YMartin (ASKER):
Thanks for the reply. I issued the permit intra-interface, but this by itself has not resolved the issue.

The problem is that we are using a remote VPN connection using the Cisco client. The local IP of the actual client will change depending on where they connect from. When you log in using the VPN client your local IP is NATed over to an address within the ASA's LAN subnet. There is already connectivity between the LAN subnet of the ASA and the remote LAN subnet at the other end of the site to site VPN.

Not really sure how to get to the access lists.

In ASDM I see the IPsec Rules and the action is listed as "Protect" rather than "Permit". I could create a rule; however, I would need to know what to enter for the crypto map peer, if any (I would think this would remain empty), and under "Traffic Selection" I would need to know what to enter as the source object/address in order to catch traffic coming in on the remote VPN.
So it's a computer using the Anyconnect VPN client that needs access to the second LAN?  

Are you configured for split VPN?  If you are, then you have to add the second LAN to the list of subnets.
YMartin (ASKER):
Correct.  Cisco VPN Client 5.0.07.0440 connecting to the ASA needs to access the second LAN on one of the ASA's Site2Site VPN partners.

The ASA has 5 Site2Site connections; 3 of them are configured in a full mesh configuration where those 3 are also connected to each other. Those site to site connections should not route traffic through the ASA destined for another VPN target. Only the VPN Client connection will need to be able to do this for the one LAN.

I am probably not configured for split VPN and may need to find out how this is set up on the ASA, or how to verify whether it is set up or not.

To which list would I add the 2nd LAN and where do I locate said list?  I have searched everywhere for a list which would accept the subnet and enable functionality.  

Thanks.
If you are set up for split VPN, then there should be a standard access list assigned to the remote VPN profile.
YMartin (ASKER):
I have verified that the tunnel group of which the remote VPN connection is a member is set for split VPN.  

This (attached) is the only thing which resembles an ACL which I have been able to find under VPN configuration. I have searched high and low. Is this the correct area?

Line 4 has the local LAN subnet as the source and the remote VPN target as the destination. The remote VPN user is assigned an address within that local subnet.
ASAVPNRules.png
The remote access VPN is the stuff at the bottom that says any/any.  So you're not running a split tunnel for remote access users.
YMartin (ASKER):
The Split VPN is on the VPN client end so internet bound traffic does not get routed through the ASA.  I will try to set a dynamic rule with a source of any and destination of the remote LAN and set the public IP of that network as the peer and see if that does anything.  Is that how one would configure split VPN for this scenario?
ASKER CERTIFIED SOLUTION
asavener
YMartin (ASKER):
Great.  It works.  

Really appreciate your patience.  I never thought to click on "Manage" under "Split Tunnel Network List" to find the ACL entries.  Those instructions were just the thing.
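The pieces asavener describes (crypto ACL coverage plus `same-security-traffic permit intra-interface`) and the split-tunnel network list that finally fixed the asker's problem, pulled together as one added configuration example written for this page in pre-8.3 ASA syntax (the ASDM 5.2 era), not taken from the thread. All object names and addresses (192.168.1.0/24 LAN, a client pool inside it, 10.20.0.0/24 remote LAN, peer 203.0.113.2) are constructed placeholders; the site-to-site tunnel itself (ISAKMP policy, tunnel-group, pre-shared key) is assumed to be already working.

```cisco
! Constructed addressing for this example:
!   site A inside LAN        192.168.1.0/24
!   VPN client pool          192.168.1.200-250 (inside the LAN subnet, as in the thread)
!   site B LAN / peer        10.20.0.0/24 via 203.0.113.2
!
! 1. Decrypted client traffic arrives on outside and must leave via outside again.
same-security-traffic permit intra-interface
!
! 2. Client pool (hands out LAN addresses, so it is covered by the LAN crypto ACL line).
ip local pool RA_pool 192.168.1.200-192.168.1.250 mask 255.255.255.0
!
! 3. Site-to-site crypto ACL (ASDM "IPsec Rules", action Protect). A pool that did NOT
!    live inside the LAN subnet would need its own permit line here, mirrored at site B.
access-list outside_cryptomap_B extended permit ip 192.168.1.0 255.255.255.0 10.20.0.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_B
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
!
! 4. NAT exemption (nat 0). Client traffic is on the outside interface when it is
!    re-routed, so the exemption is needed on outside as well as on inside;
!    192.168.1.192/26 covers the pool range .200-.250.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.1.192 255.255.255.192 10.20.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (outside) 0 access-list outside_nat0_outbound
!
! 5. Split-tunnel network list (ASDM: Group Policy > Split Tunneling > Manage).
!    Without the 10.20.0.0/24 entry the client never sends that traffic into its tunnel,
!    so nothing on the ASA side can help; this is the list the asker was looking for.
access-list RA_split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list RA_split_tunnel standard permit 10.20.0.0 255.255.255.0
group-policy RA_GroupPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_split_tunnel
!
! Check: "show crypto ipsec sa" should show the 192.168.1.0/24 <-> 10.20.0.0/24 SA with the
! encaps/decaps counters rising while a client pings a site B host. Site B's crypto ACL
! and nat 0 list must hold the converse entries, which already include the pool when it
! sits inside the LAN subnet.
```

Only the VPN-client group policy gets the extended split-tunnel list, so the other site-to-site peers are not hairpinned through this ASA, matching the asker's requirement.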