*** 3002 hardware client to ASA5510 ***

Answered Question
Mar 1st, 2007

I am a self-taught yet reasonably experienced administrator of the software client-to-3005 concentrator VPN scenario. Some of the concepts, though, have me stuck when trying to apply things in the 3002-to-5510 environment: I have successfully configured the 5510 and a 3002 to connect to each other and establish a VPN tunnel. A software client would now have an overriding VPN tunnel private IP address assigned to the client machine it is running on, which will be used for all tunneled traffic. The 3002, however, actually has a private hardware interface that I thought I already need to configure with an applicable private IP address of the network it is residing on. Did the ASA now assign an additional private tunnel VPN address to this 3002? (It is configured like my old 3005 to use a local address pool for client DHCP assignments.) What good does this do for my client that sits (untunneled) on the private network behind the 3002? Do I have to add a static route to point traffic for the network behind the 5510 to the 3002? If so, to the physical private IP or to the assigned tunnel IP? What if that tunnel IP changes later due to DHCP? I'm sure this sounds funny to an expert but I am drawing a blank here as to how this is supposed to work. ;-) Enlighten me, please!

kaachary Sat, 03/03/2007 - 05:10

Hi,

EzVPN works in two different modes

Client (PAT) mode and

NEM ( Network Extension Mode)

If you configure 3002 and 5510 to use NEM, the ASA would not assign any ip address to the 3002 client. In fact, all the computers sitting on the Private Intf of 3002 will communicate with ASA's internal LAN using their real physical ip addresses.

This would be just like a S2S tunnel; the only difference would be that only 3002 is able to initiate the tunnel.

Some more information on NEM:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008009481c.shtml

Client mode is similar to Software VPN client. When the devices behind the VPN 3002 Hardware Client initiate connections to the network behind ASA, the ASA assigns IP addresses as the connections come up.

HTH,

-Kanishka

schm196 Sun, 03/04/2007 - 12:10

Thanks for your reply.

I can see how NEM functions and just needed positive confirmation that, in fact, it seems to be similar to site-to-site VPNs with continuous use of the original physical IP addresses of devices behind the 3002.

However, NEM is not the preferred method we're looking for (remote sites don't want to have their entire networks exposed but still need to grant us bi-directional access to a specific server), so I am back at the basics of my question: In PAT mode, how does a client workstation or server on the private network behind the 3002 "initiate" a connection and receive a virtual IP address for the tunnel connection from the 5510? That's the part that's confusing me. Also, only NEM requires the assignment of a physical IP address for the private interface of the 3002. Am I to assume that PAT mode allows only a single device directly connected to the 3002 (like through a second physical NIC) to communicate with the network behind the 5510?

Any ideas?

- Matthias.

kaachary Mon, 03/05/2007 - 02:56

Hi Matthias,

Internally Routable Subnets are not possible with EzVPN. Only the directly connected subnet to 3002 would be able to access the remote n/w through the tunnel. This applies to both NEM and PAT mode.

With PAT mode, the ASA will assign an ip address from the pool to the 3002, and all the hosts on 3002 directly connected subnet will now access the tunnel using that single ip address.

In other words, they will be "patted" against that ip address.

Since they have a patted ip address now, only 3002 can initiate a connection to the ASA internal n/w. Once the connection is established, the traffic will flow bidirectionally.

Hope this answers your questions.

*Please rate if helped.

-Kanishka

schm196 Mon, 03/05/2007 - 08:51

Thanks again for your post. Okay, so let me digest the news for me here a bit more:

There are no internally routable subnets behind the 3002 allowed, which basically requires me to physically put the private interface of the 3002 onto the subnet with the system(s) that need access to the VPN tunnel. Correct?

Furthermore, one of my remote sites has two servers behind the 3002 that I must be able to specifically address from the main site's network, so PAT won't work at all since that would represent all systems behind the 3002 with the same (3002 private) IP address to the central site, correct?

Hence, if using NEM, I must place the 3002's private interface onto the desired remote site subnet and configure the physical IP address accordingly. I suppose the final remaining question is this: How do the systems behind the 3002 "initiate" a tunnel connection (i.e., know where to find the 5510, get a tunnel IP address from the 5510, update their routing table for tunneled traffic)? This is stuff previously done by the VPN software client installed on the systems but now this software client doesn't exist anymore.

- Matthias.

schm196 Mon, 03/05/2007 - 08:55

One more thing: All remote sites require split-tunneling (access to their local LANs and their own Internet providers while passing traffic to the central site network through the VPN tunnel). Just mentioning this for routing issues, as I do not have control over these systems and cannot require them to change their default routing to, let's say, the private interface of the 3002.

kaachary Mon, 03/05/2007 - 09:20

Also, split tunneling works with NEM. All you have to do is Enable it on the ASA.

-Kanishka

Correct Answer
kaachary Mon, 03/05/2007 - 09:18

Hi,

Answering your questions one by one:

There are no internally routable subnets behind the 3002 allowed, which basically requires me to physically put the private interface of the 3002 onto the subnet with the system(s) that need access to the VPN tunnel. Correct?

Yes, that's correct.

Q: Furthermore, one of my remote sites has two servers behind the 3002 that I must be able to specifically address from the main site's network, so PAT won't work at all since that would represent all systems behind the 3002 with the same (3002 private) IP address to the central site, correct?

This is also correct, you need to use NEM.

3: How do the systems behind the 3002 "initiate" a tunnel connection (i.e., know where to find the 5510, get a tunnel IP address from the 5510, update their routing table for tunneled traffic)?

If we are talking EzVPN, the systems do not get an ip from ASA. Also, the systems do not update their routing table. Everything's done by 3002.

HTH,

-Kanishka

schm196 Mon, 03/05/2007 - 13:53

Hi again -

So, now that the concept is clear to me (or at least that's what I thought) I am still not able to pass traffic. Could it be that it is more of a routing or ACL problem somewhere? Both the 5510 and the 3002 are pretty much "virgins" and have no additional security or routing (other than basic default routing) configured. Here's the setup:

test-server

10.12.2.1/16, dg 10.12.1.254

static route 1.5.0.1/32 to 10.12.1.1

--->

ASA5510 private

10.12.1.1/16

(VPN traffic allowed to bypass ACLs)

static route 10.0.0.0/8 to 10.12.1.254

ASA5510 public

68.121.156.8/25

default route to 68.121.156.1

--->

[Internet]

In this test setup the public interface of the 5510 and the 3002 are on the same Internet subnet.

--->

3002 public

68.121.156.9/25, dg 68.121.156.1

3002 private

1.1.1.1/8

--->

test-client

10.5.0.1/8, dg 10.1.1.254

static route 10.12.2.1/32 to 1.1.1.1

Both the 5510 and the 3002 are configured for NEM. The tunnel is established. When the client tries to ping the server, nothing happens at all. When the server tries to ping the client, I can see the following three entries in the ASA log for each ping:

SourceIP 10.12.2.1 DestinationIP 1.5.0.1

IDS:2004 ICMP echo request from 10.12.2.1 to 1.5.0.1 on interface private-e02

SourceIP 1.5.0.1 DestinationIP 10.12.2.1

Built ICMP connection for faddr 1.5.0.1/0 gaddr 68.121.156.8/1 laddr 10.12.2.1/512

SourceIP 1.5.0.1 DestinationIP 10.12.2.1

Teardown ICMP connection for faddr 1.5.0.1/0 gaddr 68.121.156.8/1 laddr 10.12.2.1/512

Any ideas? Thanks again for your help so far.

- Matthias.

schm196 Mon, 03/05/2007 - 13:55

typo: test-client is of course 1.5.0.1 instead of 10.5.0.1

kaachary Mon, 03/05/2007 - 14:04

Can you connect the test client (1.0.5.1) directly or through some L2 switch to the 3002 private intf and put the default gateway as 1.1.1.1?

Also, do you have NAT bypass rules defined on the ASA? You would need them.

Thanks,

-Kanishka

schm196 Mon, 03/05/2007 - 14:23

Actually, the test-client is directly connected to the private interface of the 3002; its configuration is just a replication of the later "real world" so we test with the actual scenario. I can certainly remove the static route and configure the 3002 as its default gateway.

I do not have NAT exempt rules configured at this time. Currently, there's just one dynamic NAT rule defined to allow the test-server and other machines behind the 5510 to access the internet if necessary. How would I configure the NAT exempt rule in this case? Can NAT be exempted for specific destinations only?

- Matthias.

kaachary Mon, 03/05/2007 - 15:33

Hi,

Yes, you should put the test client directly connected or through an L2 device.

And, we also have to configure NAT exempt rule. Yes, you can configure specific hosts for NAT exemption.

Let's say the 3002 private subnet is 1.0.0.0/8 and the ASA inside subnet is 10.12.0.0/16. You only want NAT exempt for hosts 1.1.1.3 going to 10.12.0.2. The NAT exempt rule will look something like this:

access-list nonat permit ip host 10.12.0.2 host 1.1.1.3

nat (inside) 0 access-list nonat

The ASA configuration would be similar to :

http://cisco.com/en/US/products/ps6120/products_configuration_example09186a00805c5ad9.shtml

Hope this helps.

-Kanishka
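For readers following the thread, here is an added example (not posted by either participant, and not taken from the linked Cisco document) that pulls together the pieces discussed above on the ASA side of a NEM deployment: the NAT exemption from the answer just above, the split-tunneling that an earlier reply says only needs to be enabled on the ASA, and the "VPN traffic allowed to bypass ACLs" setting from Matthias's test setup. It uses the thread's addressing (ASA inside 10.12.0.0/16, 3002 private 1.0.0.0/8). The group-policy name, tunnel-group name and ACL names are assumptions, and the pre-shared key is a placeholder; the syntax is the ASA 7.x-era CLI the 5510 ran in 2007.

```cisco
! Added example for the thread's NEM scenario; names below are assumed, not from the thread.

! Networks behind the ASA that the 3002 site reaches through the tunnel.
! With tunnelspecified, everything else from the remote site goes to its own ISP (split tunneling).
access-list split-tunnel standard permit 10.12.0.0 255.255.0.0

! NAT exemption: NEM hosts keep their real addresses, so traffic between the ASA inside
! subnet and the 3002 private subnet must not be translated by the dynamic NAT rule.
! (The thread's narrower host-to-host form works the same way.)
access-list nonat extended permit ip 10.12.0.0 255.255.0.0 1.0.0.0 255.0.0.0
nat (inside) 0 access-list nonat

! Let decrypted VPN traffic bypass the interface ACLs, as in the test setup.
sysopt connection permit-vpn

! Group policy applied to the 3002: NEM on, split tunneling limited to the list above.
group-policy ezvpn-nem internal
group-policy ezvpn-nem attributes
 nem enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel

! Remote-access tunnel group that the 3002 authenticates to.
tunnel-group ezvpn-group type ipsec-ra
tunnel-group ezvpn-group general-attributes
 default-group-policy ezvpn-nem
tunnel-group ezvpn-group ipsec-attributes
 pre-shared-key <PLACEHOLDER-REPLACE-ME>
```

The nonat ACL is written from the ASA inside network's point of view (source inside, destination remote), which is the direction `nat (inside) 0` evaluates. After the 3002 connects, `show crypto ipsec sa` on the ASA should list the 1.0.0.0/8 and 10.12.0.0/16 pair as the protected networks; if the ASA's encrypt and decrypt counters stay at zero while pings fail, the problem is on the routing or NAT side rather than in the tunnel itself, which matches how the thread's case eventually played out.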

schm196 Wed, 03/07/2007 - 13:23

Thanks for all the help. Cisco TAC figured out that the configuration was, in fact, correct all along. However, due to the sequence in which various configuration commands were applied while the tunnel was established, the ASA apparently had some sort of sync problems. Once we re-initialized the ASA instead of the clients, it all worked flawlessly!
