05-12-2009 07:39 AM
Hi,
I'd like to configure a client-to-site IPsec VPN using the ASA as in the attachment. I've tested it but it seemed that it didn't work. I'm not sure if it's possible or not. Could anyone advise me please?
Thanks in advance,
Nitass
05-12-2009 09:43 AM
I've always had a hard time getting that scenario to work. You could also route the traffic back out the 'outside' interface or use split tunneling.
05-12-2009 09:55 AM
Hi,
Thanks for your reply. Anyway, I couldn't quite follow you. Would you mind explaining a little bit more to me? I'd like to know if it's possible to route the traffic which is destined for network X through the inside interface. How can I configure it? Please advise.
Thanks in advance,
Nitass
05-12-2009 10:01 AM
Let's try it from another angle:
Instead of going through Network Y, is it OK to go out the 'outside' interface on 'Cisco ASA' directly on Network X?
You can also configure routing to go through 'Firewall', but it will be more work. If that is a requirement, it can be done though.
05-12-2009 10:12 AM
Hi,
Thanks for your prompt reply. ;)
I see. Going out through the outside interface seems simpler. However, this is a requirement from the customer. Could you please suggest how to configure it to go out on the inside interface?
Many thanks,
Nitass
05-13-2009 01:16 PM
I am struggling with the same problem. We currently have a PIX for the firewall and a Cisco 3005 VPN concentrator for IPsec. With that scenario, the connection works as described in the diagram (substitute the VPN for the ASA). The tunneled default route always sends traffic to the server through the INSIDE interface of the VPN (ASA).

I'm looking at buying an ASA to replace the VPN and have installed it along with the VPN for testing. However, I can't get the traffic to flow as in the diagram, and instead it appears that the ASA sends traffic out its X network interface. The server then responds to its default gateway, which is the firewall rather than the ASA. This happens even though I've got the tunneled default route on the ASA being a router on network Y.

To try and figure this out, I see that when I have an IPsec connection with the Cisco client to my VPN concentrator, and I do a "tracert" to any internal IP, I see the VPN concentrator as the first hop. When I try the same thing with an IPsec connection to the ASA, I don't get the ASA as the first hop in a "tracert". I've tried changing static routes on the ASA to make this work, but with no success.
05-13-2009 01:21 PM
You will need to add a static route (and add it to your cryptos) for that public IP to route through your network and out 'Firewall'. Otherwise it will do exactly what you're seeing. The 'Firewall' will not accept that packet in because it was not originated from its inside and has no TCP connection for it.
05-13-2009 07:08 PM
The attached file is what I did in my lab. As I checked, I think the traffic, i.e. PING traffic from the VPN client to the server, was routed to the outside interface rather than the inside one, because if I enabled the same-security-traffic permit intra-interface command on the ASA and changed the routing (at the firewall) of network 10.0.3.0/24 to the inside interface of the ASA instead, the VPN client could successfully ping the server.
Anyway, I prefer to route the traffic going out on the inside interface.
Please advise.
05-14-2009 05:37 AM
Network diagram
Here's what you can do. On the ASA add a static host route for the Server, but have it point to the inside interface of the Firewall.
route inside 10.0.2.100 255.255.255.255 10.0.1.254
The Firewall knows to go out the e2 interface because it's directly connected.
On the Server you will need to add a static route for the VPN Pool pointing to the Firewall.
route add 10.0.3.0 mask 255.255.255.0 10.0.2.254
On the Firewall you will also need to add a route for the VPN Pool.
route inside 10.0.3.0 255.255.255.0 10.0.1.200
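Added example (not from the thread, not Cisco's code): a small longest-prefix-match routing simulation that traces the VPN client to Server flow and the reply across the ASA, the Firewall and the Server, once without and once with the three routes from the post above. It uses the addresses the thread gives (ASA inside 10.0.1.200, Firewall inside 10.0.1.254, Firewall e2 10.0.2.254, Server 10.0.2.100, VPN pool 10.0.3.0/24). Everything else is assumed for the model: Network X is 192.0.2.0/24 with the ASA outside at 192.0.2.10 and the Firewall outside at 192.0.2.20, the ASA's default route points at the Firewall, the client is 10.0.3.10 behind a pseudo "tunnel" interface 10.0.3.1 on the ASA, and the Firewall is a stateful box that accepts unsolicited packets only on inside and e2 and requires an existing state entry for anything arriving on outside. The point it shows is the one the thread circles around: without the host route the ASA sends the flow out its outside interface, the Firewall sees it on outside with no state and drops it; with the routes in place both directions cross the Firewall on the same inside/e2 pair, so the stateful check is satisfied.

```python
"""Trace VPN-client <-> Server routing before/after the static routes.

Addresses from the thread: ASA inside 10.0.1.200, Firewall inside 10.0.1.254,
Firewall e2 10.0.2.254, Server 10.0.2.100, VPN pool 10.0.3.0/24.
Assumed for the model only: Network X 192.0.2.0/24 (ASA outside 192.0.2.10,
Firewall outside 192.0.2.20), ASA default route via the Firewall, client
10.0.3.10 behind a pseudo 'tunnel' interface 10.0.3.1 on the ASA, and a
stateful Firewall that trusts inside/e2 and needs state on outside.
"""
import ipaddress


class Node:
    def __init__(self, name, ifaces, stateful=False, trusted=()):
        self.name = name
        # iface name -> (address, directly connected network)
        self.ifaces = {n: (ipaddress.ip_address(a), ipaddress.ip_network(net))
                       for n, (a, net) in ifaces.items()}
        # (prefix, egress iface, next hop) ; next hop None = directly connected
        self.routes = [(net, n, None) for n, (_, net) in self.ifaces.items()]
        self.stateful, self.trusted, self.state = stateful, set(trusted), set()

    def add_route(self, prefix, iface, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), iface,
                            ipaddress.ip_address(next_hop)))

    def lookup(self, dst):
        # longest prefix match; 0.0.0.0/0 only wins when nothing else matches
        cands = [r for r in self.routes if dst in r[0]]
        return max(cands, key=lambda r: r[0].prefixlen) if cands else None

    def owns(self, ip):
        return any(ip == a for a, _ in self.ifaces.values())

    def iface_of(self, ip):
        return next(n for n, (a, _) in self.ifaces.items() if a == ip)


def trace(nodes, src_name, src_ip, dst_ip):
    """Forward one packet hop by hop. Returns (delivered, [(node, ingress, egress)])."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    node, ingress, hops = nodes[src_name], None, []
    for _ in range(16):  # loop guard
        if node.stateful and ingress is not None:
            # untrusted ingress is only accepted when a matching flow exists
            if ingress not in node.trusted and (dst_ip, src_ip) not in node.state:
                hops.append((node.name, ingress, "DROP: no state"))
                return False, hops
            node.state.add((src_ip, dst_ip))  # remember the flow for the reply
        if node.owns(dst_ip):
            hops.append((node.name, ingress, "local"))
            return True, hops
        route = node.lookup(dst_ip)
        if route is None:
            hops.append((node.name, ingress, "DROP: no route"))
            return False, hops
        _, egress, next_hop = route
        hops.append((node.name, ingress, egress))
        target = next_hop if next_hop is not None else dst_ip
        nxt = next((n for n in nodes.values() if n.owns(target)), None)
        if nxt is None:
            hops.append((node.name, ingress, "DROP: next hop unreachable"))
            return False, hops
        node, ingress = nxt, nxt.iface_of(target)
    return False, hops


def build(fixed):
    asa = Node("ASA", {"inside": ("10.0.1.200", "10.0.1.0/24"),
                       "outside": ("192.0.2.10", "192.0.2.0/24"),      # assumed
                       "tunnel": ("10.0.3.1", "10.0.3.0/24")})         # modelled
    fw = Node("Firewall", {"inside": ("10.0.1.254", "10.0.1.0/24"),
                           "e2": ("10.0.2.254", "10.0.2.0/24"),
                           "outside": ("192.0.2.20", "192.0.2.0/24")},  # assumed
              stateful=True, trusted=("inside", "e2"))
    server = Node("Server", {"eth0": ("10.0.2.100", "10.0.2.0/24")})
    client = Node("VPNClient", {"tun": ("10.0.3.10", "10.0.3.0/24")})  # assumed
    asa.add_route("0.0.0.0/0", "outside", "192.0.2.20")    # assumed default
    server.add_route("0.0.0.0/0", "eth0", "10.0.2.254")    # server GW = Firewall
    client.add_route("0.0.0.0/0", "tun", "10.0.3.1")
    if fixed:  # the three routes from the post
        asa.add_route("10.0.2.100/32", "inside", "10.0.1.254")  # route inside 10.0.2.100 255.255.255.255 10.0.1.254
        server.add_route("10.0.3.0/24", "eth0", "10.0.2.254")   # route add 10.0.3.0 mask 255.255.255.0 10.0.2.254
        fw.add_route("10.0.3.0/24", "inside", "10.0.1.200")     # route inside 10.0.3.0 255.255.255.0 10.0.1.200
    return {n.name: n for n in (asa, fw, server, client)}


def run(fixed):
    """Trace request and reply; report whether the Firewall sees both on the same interface pair."""
    nodes = build(fixed)
    fwd_ok, fwd = trace(nodes, "VPNClient", "10.0.3.10", "10.0.2.100")
    rev_ok, rev = trace(nodes, "Server", "10.0.2.100", "10.0.3.10") if fwd_ok else (False, [])
    fw_fwd = [(i, e) for n, i, e in fwd if n == "Firewall"]
    fw_rev = [(e, i) for n, i, e in rev if n == "Firewall"]
    return {"forward": fwd_ok, "reply": rev_ok,
            "symmetric": fwd_ok and rev_ok and fw_fwd == fw_rev,
            "hops": fwd + rev}


if __name__ == "__main__":
    for fixed in (False, True):
        result = run(fixed)
        print("with routes" if fixed else "without routes", result)
```

Without the routes the trace stops at ("Firewall", "outside", "DROP: no state"); with them the request goes ASA inside -> Firewall inside -> e2 -> Server and the reply comes back e2 -> inside -> ASA, which is exactly the symmetry a stateful firewall in the middle needs.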
05-14-2009 05:50 AM
Thanks for the response, I'll give that a try.
05-14-2009 06:41 AM
I see that you're using Netscreens. Do you know how to view QoS statistics in them?
05-14-2009 06:54 AM
Collin,
I have never seen any QoS statistics there. I think you may need to get them through SNMP.
HTH,
Nitass