client-to-site vpn with resource on outside interface

Answered Question
May 12th, 2009

Hi,

I'd like to configure client-to-site ipsec vpn using asa as attachment. I've tested but it seemed that it didn't work. I'm not sure if it's possible or not. Could anyone advise me please?

Thanks in advance,

Nitass

Collin Clark Tue, 05/12/2009 - 09:43

I've always had a hard time getting that scenario to work. You could also route the traffic back out the 'outside' interface or use split tunneling.

nitass Tue, 05/12/2009 - 09:55

Hi,

Thanks for your reply. Anyway, I couldn't follow you. Would you mind explaining it to me a little bit more? I'd like to know if it's possible to route the traffic which is destined to network X thru the inside interface. How can I configure it? Please advise.

Thanks in advance,

Nitass

Collin Clark Tue, 05/12/2009 - 10:01

Let's try it from another angle:

Instead of going through Network Y, is it OK to go out the 'outside' interface on 'Cisco ASA' directly on Network X?

You can also configure routing to go through 'Firewall', but it will be more work. If that is a requirement, it can be done though.

nitass Tue, 05/12/2009 - 10:12

Hi,

Thanks for your prompt reply. ;)

I see. Going out thru the outside interface seems to be simpler. However, this is a requirement from the customer. Could you please suggest how to configure it to go out on the inside interface?

Many thanks,

Nitass

I am struggling with the same problem. We currently have a PIX for the firewall and a Cisco 3005 VPN concentrator for IPSec. With that scenario, the connection works as described in the diagram (substitute the VPN for the ASA). The tunneled default route always sends traffic to the server through the INSIDE interface of the VPN (ASA).

I'm looking at buying an ASA to replace the VPN and have installed it along with the VPN for testing. However, I can't get the traffic to flow as in the diagram and instead it appears that the ASA sends traffic out its X network interface. The server then responds to its default gateway, which is the firewall rather than the ASA. This happens even though I've got the tunneled default route on the ASA being a router on network Y.

To try and figure this out, I see that when I have an IPSec connection with the Cisco client to my VPN concentrator, and I do a "tracert" to any internal IP, I see the VPN concentrator as the first hop. When I try the same thing with an IPSec connection to the ASA, I don't get the ASA as the first hop in a "tracert". I've tried changing static routes on the ASA to make this work, but with no success.

Collin Clark Wed, 05/13/2009 - 13:21

You will need to add a static route (and add it to your cryptos) for that public IP to route through your network and out 'Firewall'. Otherwise it will do exactly what you're seeing. The 'firewall' will not accept that packet in because it was not originated from its inside and has no TCP connection for it.

nitass Wed, 05/13/2009 - 19:08

Attached file is what I did in my lab. As I checked, I think the traffic, i.e. PING traffic from VPN client to server, was routed to the outside interface rather than the inside one, because if I enabled the same-security-traffic permit intra-interface command at the ASA and changed the routing (at the firewall) of network 10.0.3.0/24 to the inside interface of the ASA instead, the VPN client could successfully ping the server.

Anyway, I prefer to route the traffic going out on the inside interface.

Please advise.

Correct Answer
Collin Clark Thu, 05/14/2009 - 05:37

Network diagram

Here's what you can do. On the ASA add a static host route for Server, but have it point to the inside interface of Firewall.

    route inside 10.0.2.100 255.255.255.255 10.0.1.254

The Firewall knows to go out the e2 interface because it's directly connected.

On the Server you will need to add a static route for the VPN Pool pointing to Firewall.

    route add 10.0.3.0 mask 255.255.255.0 10.0.2.254

On the Firewall you will also need to add a route for the VPN Pool.

    route inside 10.0.3.0 255.255.255.0 10.0.1.200
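
To make concrete why all three routes are needed, here is an added example (written for this page; it is not code from the thread or from Cisco) that models the three routing tables from the answer as longest-prefix-match lookups and traces a ping from a VPN client to Server and the reply back, dropping one route at a time. The addresses that come from the thread are Server 10.0.2.100, Firewall inside 10.0.1.254, Firewall e2 10.0.2.254, ASA inside 10.0.1.200 and the VPN pool 10.0.3.0/24. Everything about Network X (192.0.2.0/24, upstream gateway 192.0.2.254, ASA outside 192.0.2.1, Firewall outside 192.0.2.2) and the client address 10.0.3.10 is assumed for the example. It models routing only; the Firewall's stateful inspection and the ASA's crypto map are outside the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Addresses taken from the thread.
SERVER = "10.0.2.100"
FW_INSIDE, FW_E2 = "10.0.1.254", "10.0.2.254"
ASA_INSIDE = "10.0.1.200"
VPN_POOL = "10.0.3.0/24"
# Constructed for this example (not in the thread): Network X is 192.0.2.0/24
# with an upstream gateway 192.0.2.254, and one VPN client inside the pool.
ASA_OUTSIDE, FW_OUTSIDE, UPSTREAM = "192.0.2.1", "192.0.2.2", "192.0.2.254"
CLIENT = "10.0.3.10"


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    nexthop: Optional[str] = None  # None means directly connected


@dataclass
class Node:
    name: str
    addrs: Dict[str, str]   # interface -> address on that interface
    routes: List[Route]

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match, as a router's forwarding lookup does."""
        d = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if d in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def R(prefix: str, iface: str, nexthop: Optional[str] = None) -> Route:
    return Route(ipaddress.ip_network(prefix), iface, nexthop)


def build(asa_host_route: bool = True, fw_pool_route: bool = True) -> Dict[str, Node]:
    """The routing tables from the answer; each flag drops one of the three
    routes so its failure mode can be traced."""
    asa = Node("ASA", {"inside": ASA_INSIDE, "outside": ASA_OUTSIDE},
               [R("10.0.1.0/24", "inside"), R("192.0.2.0/24", "outside"),
                R(VPN_POOL, "tunnel"),                # reverse route for the pool
                R("0.0.0.0/0", "outside", UPSTREAM)])
    if asa_host_route:   # route inside 10.0.2.100 255.255.255.255 10.0.1.254
        asa.routes.append(R(SERVER + "/32", "inside", FW_INSIDE))
    fw = Node("Firewall", {"inside": FW_INSIDE, "e2": FW_E2, "outside": FW_OUTSIDE},
              [R("10.0.1.0/24", "inside"), R("10.0.2.0/24", "e2"),
               R("192.0.2.0/24", "outside"), R("0.0.0.0/0", "outside", UPSTREAM)])
    if fw_pool_route:    # route inside 10.0.3.0 255.255.255.0 10.0.1.200
        fw.routes.append(R(VPN_POOL, "inside", ASA_INSIDE))
    server = Node("Server", {"eth0": SERVER},
                  [R("10.0.2.0/24", "eth0"),
                   R(VPN_POOL, "eth0", FW_E2)])       # route add 10.0.3.0 mask ... 10.0.2.254
    client = Node("Client", {"vpn": CLIENT}, [R(VPN_POOL, "vpn")])
    return {n.name: n for n in (asa, fw, server, client)}


Hop = Tuple[str, Optional[str], str]   # (node, outgoing interface, next node or outcome)


def trace(nodes: Dict[str, Node], start: str, dst: str, max_hops: int = 8) -> List[Hop]:
    """Forward a packet hop by hop from `start` toward `dst`. The trace ends when
    the packet is delivered, leaves toward an address that is not modelled
    ("exit:<nexthop>", i.e. off toward Network X), or finds no route."""
    by_addr = {a: n.name for n in nodes.values() for a in n.addrs.values()}
    here, hops = start, []
    for _ in range(max_hops):
        node = nodes[here]
        if dst in node.addrs.values():
            hops.append((here, None, "delivered"))
            return hops
        r = node.lookup(dst)
        if r is None:
            hops.append((here, None, "no-route"))
            return hops
        target = r.nexthop or dst
        nxt = by_addr.get(target, "exit:" + target)
        hops.append((here, r.iface, nxt))
        if nxt.startswith("exit:"):
            return hops
        here = nxt
    raise RuntimeError("forwarding loop")


def round_trip_ok(nodes: Dict[str, Node]) -> bool:
    """True only if the ping reaches Server and the reply comes back to the
    client through the ASA's inside interface."""
    fwd = trace(nodes, "ASA", SERVER)
    rev = trace(nodes, "Server", CLIENT)
    return (fwd[-1] == ("Server", None, "delivered")
            and rev[-1] == ("Client", None, "delivered")
            and ("Firewall", "inside", "ASA") in rev)


if __name__ == "__main__":
    cases = [("all three routes", {}),
             ("no ASA host route", {"asa_host_route": False}),
             ("no Firewall pool route", {"fw_pool_route": False})]
    for label, kw in cases:
        n = build(**kw)
        print(label, "->", "OK" if round_trip_ok(n) else "BROKEN")
        print("  forward:", trace(n, "ASA", SERVER))
        print("  reply:  ", trace(n, "Server", CLIENT))
```

Run as a script it prints the path for each case. With all three routes the reply re-enters the ASA on inside. Without the ASA host route the ping leaves the ASA on outside toward Network X, which is the behaviour described earlier in the thread. Without the Firewall's route for the pool, the reply follows the Firewall's default route out outside instead of coming back to the ASA, so the path is asymmetric even though the ping itself arrived.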

Collin Clark Thu, 05/14/2009 - 06:41

I see that you're using Netscreens. Do you know how to view QoS statistics in them?

nitass Thu, 05/14/2009 - 06:54

Collin,

I have never seen any QoS statistics there. I think you may need to get them thru SNMP.

HTH,

Nitass
