ASA VPN Question

sonitadmin · ‎05-18-2007

Recently installed an ASA 5509 to protect an iSeries webserver on the internal network. Ended up having to change the default gateway of the iSeries to the inside address of the ASA in order for the outside world to access the website.

Since we did that, I have a remote office that had a vpn tunnel and could access the iSeries that is now not able to. My question is, do I now need to set up a site to site vpn tunnel between the linksys router in the remote office and the ASA box in order to make this work, and if so how do I do it?

Thanks!

acomiskey · ‎05-18-2007

A few questions so this is more clear. I guess the ASA replaced another piece of equipment? The remote office had a vpn tunnel to this other piece of equipment? What access does the remote site need to the iSeries, I guess they need more than www?

sonitadmin · ‎05-18-2007

Sorry, I should have provided more info. The ASA didn't take the place of anything, it was put in place in addtion to a Linksys VPN router. The remote office had a vpn tunnel to the linksys vpn router. THe iseries gateway was set to this router. The remote office needs access to the iseries for payroll.

acomiskey · ‎05-18-2007

Do you want to create a new tunnel to the ASA or do you want to fix the routing problem so the ISeries knows how to route to the remote network through the original tunnel?

sonitadmin · ‎05-18-2007

I'm assuming I will have to create a new tunnel. The iSeries is at 172.20.5.7 and it used to have a gateway of 172.20.5.2 (linksys router). It now has 172.20.5.75 (ASA) as the gateway. Had to set it like this to get the outside world to be able to see the website on the iSeries.

Before I did this, there was a remote office 172.20.6.0 network that has a linksys router 172.20.6.2 that had a site to site vpn tunnel that allowed 172.20.6.0 network to access the iSeries. Since I changed that default gateway, this doesn't work anymore.

So my thought is that tunnel needs to be recreated between the 172.20.6.2 router and the 172.20.5.75 ASA. Correct?

emad.silicon · ‎05-18-2007

yes you have , so go ahead friend

acomiskey · ‎05-18-2007

No, all you have to do is add a route on the server that routes 172.20.6.0 towards 172.20.5.2.

Is this windows or linux? I'm not familiar with iSeries.

Something like...

route add 172.20.6.0 MASK 255.255.255.0 172.20.5.2

Another option is to allow same-security-traffic intra-interface on the ASA. This would allow traffic to bounce off inside interface of ASA towards original tunnel. All you would have to do is add an inside route on the ASA. You do not have to create a new tunnel in this situation if you don't want to.

emad.silicon · ‎05-18-2007

Yes friend you have to set a site-to-site tunnel with a linksys router bec you have change or remove the first firewall and sure you change the ip address so you need to define the new peer in both sites , or if you have just one computer or less than 3 you can configure your ASA for easy vpn server and install the cisco vpn client sofware on that computers instead of configuring site-to-site betw linksys router and asa , how to do that it is a long configuration frined and you have to now about both asa and linksys router and make sure that your linksys router can configured with the ipsec functionality