vpn site to site dmz access ASA 5510

pauliew1978 · ‎12-02-2009

Dear all,

I have recently set up a site to site connection from one site to another.

Site A = 10.10.0.0/24

Site B = 192.168.1.0/24

This works fine. At site A I have a DMZ with a couple of webservers in. I need client machines at Site B to be able to access the webservers at Site A down the vpn tunnel. Can anyone tell me how to do this. I am fairly new to setting up cisco devices so laymans terms may be needed!.

many thanks for any help

Paul

Jon Marshall · ‎12-02-2009

pauliew1978 wrote:

Dear all,

I have recently set up a site to site connection from one site to another.

Site A = 10.10.0.0/24

Site B = 192.168.1.0/24

This works fine. At site A I have a DMZ with a couple of webservers in. I need client machines at Site B to be able to access the webservers at Site A down the vpn tunnel. Can anyone tell me how to do this. I am fairly new to setting up cisco devices so laymans terms may be needed!.

many thanks for any help

Paul

If you have setup the original VPN then all you need to do is

1) add the web server host addresses/ or web server subnet to the crypto map acl that defines the interesting traffic between the 2 sites.

2) Optionally, if you are filtering IPSEC traffic on the outside interface of your firewall then add in rules to the acl to allow the traffic. Note that you may not need to do this.

Jon

pauliew1978 · ‎12-02-2009

Hi,

many thanks for the reply.

I can see what you mean but I don't know how to do it (doh!). I am using the adsm interface and all i can find in terms of ammending the cryptmap acl is the following....

There is no option to add another network in here. I tried to add another rule in using the adsm on the outside interface with the same peer and set the equivalent window above to source (192.168.252.0) dest 192.168.1.0 and it didnt work.

is there any way of doing this through the adsm interface or do I have to do it on the command line?

thanks,

paul

Jon Marshall · ‎12-02-2009

pauliew1978 wrote:

Hi,

many thanks for the reply.

I can see what you mean but I don't know how to do it (doh!). I am using the adsm interface and all i can find in terms of ammending the cryptmap acl is the following....

There is no option to add another network in here. I tried to add another rule in using the adsm on the outside interface with the same peer and set the equivalent window above to source (192.168.252.0) dest 192.168.1.0 and it didnt work.

is there any way of doing this through the adsm interface or do I have to do it on the command line?

thanks,

paul

Paul

Sorry but i have never really used ADSM to do this sort of thing so can't say whether it's possible.

Attached is a config example showing how to configure an ASA both from the CLI and ADSM, perhaps this may help -

ASA config - CLI and ADSM

Jon

Jon Marshall · ‎12-02-2009

Deleted - posted twice.

pauliew1978 · ‎12-02-2009

Hi,

many thanks for the reply.

I can see what you mean but I don't know how to do it (doh!). I am using the adsm interface and all i can find in terms of ammending the cryptmap acl is the following....

There is no option to add another network in here. I tried to add another rule in using the adsm on the outside interface with the same peer but it wouldnt let me as it said the peer is all ready in use. So I set one up on the DMZ interface and set the equivalent window above to source (192.168.252.0) dest 192.168.1.0 and it didnt work. I am sure this was the wrong thing to do anyway!

Paul

pauliew1978 · ‎12-03-2009

Hi Jon,

just a quick question. What I forgot to add is that I am unsure of the routing involved in here or if I need to add a static route at Site B.....

At site A the dmz is in the 192.168.252.0/24 network.

Site b as stated is on the 192.168.1.0/24 network

The crypto map acl seems to be there on the Site A cisco ASA appliance to allow outbound communication to 192.168.1.0/24 however I don't see how the router on the other side (at Site b which is a netgear) knows to route traffic for the 192.168.252.0 network down the vpn tunnel (as opposed to the internet).

I can't see any traffic passing down the vpn tunnel on the ASA appliance at site A when sending a ping from 192.168.1.0 to 192.168.252.0

my theory therefore is that I need to add a route on the router at site B (something like)

route add 192.168.252.0 mask 255.255.255.0 10.10.10.2 ????

many thanks,

Paul

Jon Marshall · ‎12-03-2009

pauliew1978 wrote:
Hi Jon,
just a quick question. What I forgot to add is that I am unsure of the routing involved in here or if I need to add a static route at Site B.....
At site A the dmz is in the 192.168.252.0/24 network.
Site b as stated is on the 192.168.1.0/24 network
The crypto map acl seems to be there on the Site A cisco ASA appliance to allow outbound communication to 192.168.1.0/24 however I don't see how the router on the other side (at Site b which is a netgear) knows to route traffic for the 192.168.252.0 network down the vpn tunnel (as opposed to the internet).
I can't see any traffic passing down the vpn tunnel on the ASA appliance at site A when sending a ping from 192.168.1.0 to 192.168.252.0
my theory therefore is that I need to add a route on the router at site B (something like)
route add 192.168.252.0 mask 255.255.255.0 10.10.10.2 ????
many thanks,
Paul

Paul

You don't need to add routes on Cisco devices for IPSEC traffic because the crypto access-list ie. the one defines interesting traffic is what tells the router where to send the VPN traffic.

However i don't now for sure how netgear devices handle this. I'm assuming you still don't need a route but i could be wrong.

Jon

pauliew1978 · ‎12-03-2009

Hi Jon,

thanks so much for helping me with this. I am still unsure about the netgear side of things. I am going to post my config (I have stripped out as much as I can). If anyone can have a quick scan to see if there is anything obvious please please let me know. I am really struggling with this.

same-security-traffic permit intra-interface
access-list outside_access_in extended permit ip 192.168.1.0 255.255.255.0 host DXP-PAULW log debugging
access-list outside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.252.0 255.255.255.0 log debugging
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip EFS-STATIC-IP-SERVER-PC 255.255.255.0 192.168.252.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip 192.168.252.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list DMZ_nat_outbound extended permit ip host EX-WEB02 any
access-list DMZ_nat_outbound extended permit ip host EX-WEB01 any
access-list outside_1_cryptomap_1 extended permit ip 192.168.252.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 10.10.0.0 255.255.0.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 101 access-list DMZ_nat_outbound

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 81.17.78.177 1

no sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 92.232.48.163
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint Local-TP
enrollment self
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20