4069 Views, 0 Helpful, 9 Replies

ASA 5505: how do I define interesting traffic on an Easy VPN client?

fntowo2009 (Level 1)

Hello,

I'm working on a vpn solution to address the following requirements:
- Vlan 10 (172.16.0.0/24) at the remote location should see VLAN 20 (172.22.0.0/24) located at the headquarters
- Vlan 10 is configured on a switch connected to a C2821 router, which is connected to an ASA 5505 firewall.
- The ASA 5505 firewall is connected to the internet. Its outside interface obtains its IP address dynamically from the ISP

I'm attaching the related diagram...

Since I don't have a static public IP address for a classic Site-to-Site VPN, I thought the Easy VPN solution is the way to go...

I've tested the solution in a test environment using 2 ASA 5505 as Easy VPN Client and Server. Below are some test details:
* I've set the client to Network Extension Mode
* Split Tunneling is enabled on the server
* The vpn tunnel is established
* Traffic originating from the Easy VPN Client inside interface is sent through the tunnel, i.e. from the router I can ping a host belonging to VLAN 20 (172.22.0.0/24) behind the server

How can I make sure that traffic originating from VLAN 10 to VLAN 20 is also sent through the tunnel?

Thanks for your help.

Frank

9 Replies

Hi,

Since you have tested easy vpn server and client connection, there is no big deal to send the traffic via the tunnel.

From your C3560 Switch you need to write a static route or dynamic routing for vlan 20 towards the ASA Firewall.

In the ASA firewall you need to write an ACL saying that source is VLAN 10 and destination is VLAN 20.

Call this ACL into your vpn config.

for more information have a look into this URL

http://www.ciscosystems.com/en/US/products/ps6120/products_configuration_example09186a00805c5ad9.shtml

regards

karuppu

Karuppu,

Thanks for your prompt answer.

The ASA 5505 is injecting a default route, which is propagated back to the switch. So, Vlan 10 can reach the ASA 5505 (VPN client). 

Where should I configure the ACL and call it into my vpn config (client or server)?

Thanks,

Frank

Hi,

You need to configure the ACL in vpn server(ASA).

When the traffic is initiated from VLAN 10 towards VLAN 20, the traffic will reach the firewall via your IGP. Since we already configured VLAN 20 as interesting traffic on the ASA, the traffic will be moved into the tunnel towards the destination VLAN 20.

regards

karuppu

Karuppu,

Thanks again for your prompt answer.

Below is an excerpt of the server config.

access-list acl_NAT_EXEMPT extended permit ip 172.22.0.0 255.255.255.0 172.16.0.0 255.255.255.0   (VLAN 20 --> VLAN 10)

nat (inside) 0 access-list acl_NAT_EXEMPT

access-list acl_vpn extended permit ip 172.22.0.0 255.255.255.0 172.16.0.0 255.255.255.0  /* define the traffic that should pass through the tunnel

group-policy my_vpn internal
group-policy my_vpn attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value acl_vpn   /* Specify the interesting traffic
nem enable

Do I need to add the following command only?

access-list acl_vpn extended permit ip 172.16.0.0 255.255.255.0 172.22.0.0 255.255.255.0 (VLAN 10 - VLAN 20).

Thanks,

Frank

Yes, that's correct...

regards

karuppu
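The question and answer above are about which ACL lines make traffic "interesting" for the tunnel. The following script is an added example (not the poster's configuration and not Cisco code) that models what the thread's later `show vpnclient` output makes visible: under `split-tunnel-policy tunnelspecified`, the server turns the source field of each `permit` entry in the split-tunnel ACL into the list of networks pushed to the client, and the client tunnels packets whose destination falls inside one of those networks. The ACL lines embedded in `SERVER_CONFIG` are a constructed copy of the `ezvpn` entries posted later in this thread; the function names are the example's own.

```python
"""Model the destination side of Easy VPN split tunnelling from an ASA config.

Added example, not the thread's own configuration. It assumes the ASA
behaviour shown in the thread's 'show vpnclient' output: the source field of
each permit ACE in the split-tunnel ACL becomes one pushed 'Split Tunnel
Network', and a 'tunnelspecified' client tunnels only traffic whose
destination is inside a pushed network.
"""
import ipaddress

# Constructed copy of the server-side lines posted in this thread.
SERVER_CONFIG = """\
access-list ezvpn extended permit ip 172.22.0.0 255.255.255.0 10.20.20.112 255.255.255.252
access-list ezvpn extended permit ip 172.22.0.0 255.255.255.0 172.16.0.0 255.255.255.0
group-policy MYpolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ezvpn
"""


def _operand(tokens, i):
    """Consume one ASA address operand: 'any', 'host A', or 'A MASK'.

    ASA extended ACLs take subnet masks (255.255.255.0), unlike IOS ACLs,
    which take wildcard masks (0.0.0.255)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return net, i + 2


def parse_acls(config):
    """Return {acl_name: [(action, src_net, dst_net), ...]} for 'extended ... ip' ACEs."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "extended" or t[4] != "ip":
            continue  # this example only models 'ip' entries
        src, i = _operand(t, 5)
        dst, _ = _operand(t, i)
        acls.setdefault(t[1], []).append((t[3], src, dst))
    return acls


def split_tunnel_acl_name(config):
    """Name referenced by 'split-tunnel-network-list value <name>', or None."""
    for line in config.splitlines():
        t = line.split()
        if len(t) == 3 and t[:2] == ["split-tunnel-network-list", "value"]:
            return t[2]
    return None


def pushed_networks(config):
    """Networks the server pushes to the client: the source field of each
    permit ACE, de-duplicated in order. Two ACEs with the same source give
    a single entry, which is why the thread's output lists only 172.22.0.0/24."""
    name = split_tunnel_acl_name(config)
    nets = []
    for action, src, _dst in parse_acls(config).get(name, []):
        if action == "permit" and src not in nets:
            nets.append(src)
    return nets


def is_tunneled(config, dst_ip):
    """tunnelspecified: tunnel only if the destination lies in a pushed network."""
    d = ipaddress.ip_address(dst_ip)
    return any(d in net for net in pushed_networks(config))


if __name__ == "__main__":
    print("Split Tunnel Networks:", [str(n) for n in pushed_networks(SERVER_CONFIG)])
    for dst in ("172.22.0.10", "10.10.10.2"):
        print(dst, "-> tunnel" if is_tunneled(SERVER_CONFIG, dst) else "-> clear")
```

The model only settles the destination side of the check: it says nothing about which source networks the client will encrypt, and the `show vpnclient` output posted below does not show that either. On the client, `show crypto ipsec sa` lists the local and remote identities actually negotiated for the tunnel, which is the place to confirm whether VLAN 10 is covered as a source.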

karuppu,

Thanks a lot.

I'll update the config and test it as soon as I get to the lab...

Thanks,

Francois

karuppu,

I've tested the suggested solution but it's not working...

My test setting is as follows:

- The VPNClient (ASA5505) is directly connected to the server (ASA5505). The interface subnet is 10.10.10.0/30
- VLAN 10 (172.16.0.0/24) is implemented on the switch. The switch is connected to a router, which in turn is connected to the VPNclient inside interface, whose subnet is 10.20.20.112/30.
- The subnet 172.22.0.0/24 is behind the server.

I'm attaching the related diagram.

Problem:
The tunnel is established. I can ping 172.22.0.0/24 from the router. However, I can't ping 172.22.0.0/24 from VLAN 10 (172.16.0.0/24), which is actually what I want to achieve.

Could you please review the config excerpts below and provide me with your feedback? Again, VLAN 10 can reach the VPN client...

Thanks,
Frank

SERVER

access-list acl_PAT_EXEMPT extended permit ip 172.22.0.0 255.255.255.0 10.20.20.112 255.255.255.252
access-list acl_PAT_EXEMPT extended permit ip 172.22.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list ezvpn extended permit ip 172.22.0.0 255.255.255.0 10.20.20.112 255.255.255.252
access-list ezvpn extended permit ip 172.22.0.0 255.255.255.0 172.16.0.0 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list acl_PAT_EXEMPT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1

group-policy MYpolicy internal
group-policy MYpolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ezvpn
nem enable
username admin password tHknb77l6rgOnIEC encrypted
tunnel-group MYvpn type remote-access
tunnel-group MYvpn general-attributes
default-group-policy MYpolicy
tunnel-group MYvpn ipsec-attributes
pre-shared-key *

CLIENT

nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
router ospf 1
network 10.20.20.112 255.255.255.252 area 0
default-information originate

vpnclient server 10.10.10.1
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup MYvpn password ********
vpnclient username admin password ********
vpnclient management clear
vpnclient enable

Here is the output of the sh vpnclient cmd

VPNClient(config)# sh vpnclient

LOCAL CONFIGURATION
vpnclient server 10.10.10.1
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup MYvpn password ********
vpnclient username admin password ********
vpnclient management clear
vpnclient enable

DOWNLOADED DYNAMIC POLICY
Current Server                     : 10.10.10.1
PFS Enabled                        : No
Secure Unit Authentication Enabled : No
User Authentication Enabled        : No
Split Tunnel Networks              : 172.22.0.0/255.255.255.0
Backup Servers                     : None

Hi,

Can you paste the "sh run" of your 3560 switch? I suspect the routing config in that switch.

regards

karuppu

Karuppu,

Thanks for your feedback.

Please find below the outputs of some sh cmds (run, ip route) and the ping result.

CoreSW1#sh ru
Building configuration...

Current configuration : 10191 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CoreSW1
!
boot-start-marker
boot-end-marker
!
!
username admin privilege 15 secret 5 $1$5fgA$z2.b3suBZrirSXNH3tcx10
!
!
no aaa new-model
system mtu routing 1500
authentication mac-move permit
ip subnet-zero
ip routing
no ip domain-lookup
ip dhcp excluded-address 172.16.0.1
!

ip dhcp pool TEST
   network 172.16.0.0 255.255.255.0
   default-router 172.16.0.1
  
!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet0/1
switchport access vlan 100
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
!
..
!
interface GigabitEthernet0/24
description to the router
no switchport
ip address 192.168.254.106 255.255.255.252
!

interface Vlan1
no ip address
no ip mroute-cache
shutdown
!
interface Vlan100
ip address 172.16.0.1 255.255.255.0
!
router ospf 1
log-adjacency-changes
passive-interface Vlan100
network 172.16.0.0 0.0.0.255 area 0
network 192.168.254.104 0.0.0.3 area 0
!
ip classless
no ip http server
no ip http secure-server
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
login local
line vty 0 4
logging synchronous
login local
line vty 5 15
logging synchronous
login local
!
end


CoreSW1#sh ip route

Gateway of last resort is 192.168.254.105 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.0.0 is directly connected, Vlan100
     10.0.0.0/30 is subnetted, 1 subnets
O       10.20.20.112
           [110/2] via 192.168.254.105, 00:00:06, GigabitEthernet0/24
     192.168.254.0/30 is subnetted, 1 subnets
C       192.168.254.104 is directly connected, GigabitEthernet0/24
O*E2 0.0.0.0/0 [110/1] via 192.168.254.105, 00:00:06, GigabitEthernet0/24


CoreSW1#ping 10.20.20.114 (VPNClient inside interface)

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.20.114, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms

Thanks,

Francois
