03-01-2010 06:07 AM
Hello,
I'm working on a vpn solution to address the following requirements:
- Vlan 10 (172.16.0.0/24) at the remote location should see VLAN 20 (172.22.0.0/24) located at the headquarters
- Vlan 10 is configured on a switch connected to a C2821 router, which is connected to an ASA 5505 firewall.
- The ASA 5505 firewall is connected to the internet. Its outside interface obtains its IP address dynamically from the ISP
I'm attaching the related diagram...
Since I don't have a static public IP address for a classic Site-to-Site VPN, I thought the Easy VPN solution is the way to go...
I've tested the solution in a test environment using 2 ASA 5505 as Easy VPN Client and Server. Below are some test details:
* I've set the client to Network Extension Mode
* Split Tunneling is enabled on the server
* The vpn tunnel is established
* Traffic originating from the Easy VPN Client inside interface is sent through the tunnel, i.e. from the router I can ping a host belonging to VLAN 20 (172.22.0.0/24) behind the server
How can I make sure that traffic originating from VLAN 10 to VLAN 20 is also sent through the tunnel?
Thanks for your help.
Frank
03-01-2010 06:17 AM
Hi,
Since you have tested the Easy VPN server and client connection, it is no big deal to send the traffic via the tunnel.
On your C3560 switch you need to configure a static route or dynamic routing for VLAN 20 towards the ASA firewall.
In the ASA firewall you need to write an ACL with VLAN 10 as source and VLAN 20 as destination.
Call this ACL in your VPN config.
For more information have a look at this URL
regards
karuppu
03-01-2010 07:07 AM
Karuppu,
Thanks for your prompt answer.
The ASA 5505 is injecting a default route, which is propagated back to the switch. So, Vlan 10 can reach the ASA 5505 (VPN client).
Where should I configure the ACL and call it into my vpn config (client or server)?
Thanks,
Frank
03-01-2010 07:15 AM
Hi,
You need to configure the ACL in the VPN server (ASA).
When the traffic is initiated from VLAN 10 towards VLAN 20, the traffic will reach the firewall via your IGP. Since we already configured VLAN 20 as interesting traffic in the ASA, the traffic will be moved into the tunnel towards the destination VLAN 20.
regards
karuppu
03-01-2010 07:49 AM
Karuppu,
Thanks again for your prompt answer.
Below is an excerpt of the server config.
access-list acl_NAT_EXEMPT extended permit ip 172.22.0.0 255.255.255.0 172.16.0.0 255.255.255.0 (VLAN 20 --> VLAN 10)
nat (inside) 0 access-list acl_NAT_EXEMPT
access-list acl_vpn extended permit ip 172.22.0.0 255.255.255.0 172.16.0.0 255.255.255.0 (define the traffic that should pass through the tunnel)
group-policy my_vpn internal
group-policy my_vpn attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value acl_vpn (specify the interesting traffic)
nem enable
Do I need to add the following command only?
access-list acl_vpn extended permit ip 172.16.0.0 255.255.255.0 172.22.0.0 255.255.255.0 (VLAN 10 - VLAN 20).
Thanks,
Frank
03-01-2010 07:50 AM
Yes, that's correct...
regards
karuppu
03-01-2010 08:37 AM
karuppu,
Thanks a lot.
I'll update the config and test it as soon as I get to the lab...
Thanks,
Francois
03-03-2010 03:18 PM
karuppu,
I've tested the suggested solution but it's not working...
My test setting is as follows:
- The VPNClient (ASA5505) is directly connected to the server (ASA5505). The interface subnet is 10.10.10.0/30
- VLAN 10 (172.16.0.0/24) is implemented on the switch. The switch is connected to a router, which in turn is connected to the VPNclient inside interface, whose subnet is 10.20.20.112/30.
- The subnet 172.22.0.0/24 is behind the server.
I'm attaching the related diagram.
Problem:
The tunnel is established. I can ping 172.22.0.0/24 from the router. However, I can't ping 172.22.0.0/24 from VLAN 10 (172.16.0.0/24), which is actually what I want to achieve.
Could you please review the config excerpts below and provide me with your feedback? Again, VLAN 10 can reach the VPN client...
Thanks,
Frank
SERVER
access-list acl_PAT_EXEMPT extended permit ip 172.22.0.0 255.255.255.0 10.20.20.112 255.255.255.252
access-list acl_PAT_EXEMPT extended permit ip 172.22.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list ezvpn extended permit ip 172.22.0.0 255.255.255.0 10.20.20.112 255.255.255.252
access-list ezvpn extended permit ip 172.22.0.0 255.255.255.0 172.16.0.0 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list acl_PAT_EXEMPT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
group-policy MYpolicy internal
group-policy MYpolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ezvpn
nem enable
username admin password tHknb77l6rgOnIEC encrypted
tunnel-group MYvpn type remote-access
tunnel-group MYvpn general-attributes
default-group-policy MYpolicy
tunnel-group MYvpn ipsec-attributes
pre-shared-key *
CLIENT
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
router ospf 1
network 10.20.20.112 255.255.255.252 area 0
default-information originate
vpnclient server 10.10.10.1
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup MYvpn password ********
vpnclient username admin password ********
vpnclient management clear
vpnclient enable
Here is the output of the sh vpnclient cmd
VPNClient(config)# sh vpnclient
LOCAL CONFIGURATION
vpnclient server 10.10.10.1
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup MYvpn password ********
vpnclient username admin password ********
vpnclient management clear
vpnclient enable
DOWNLOADED DYNAMIC POLICY
Current Server : 10.10.10.1
PFS Enabled : No
Secure Unit Authentication Enabled : No
User Authentication Enabled : No
Split Tunnel Networks : 172.22.0.0/255.255.255.0
Backup Servers : None
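As an added example (this is not code from the thread, from Cisco, or from either poster), a small Python checker that parses the SERVER access-list lines quoted in the post above and answers the two questions a reviewer of that excerpt wants settled before the next lab test: whether each ACL permits a given source/destination pair in the direction the ASA evaluates it (the nat 0 exemption on the inside interface sees the 172.22.0.0/24 host as source), and which networks the split-tunnel list hands to the client. It models only plain `permit`/`deny ip` entries with explicit masks, as in the excerpt, and it assumes, based on the downloaded policy shown above listing only 172.22.0.0/255.255.255.0, that the split-tunnel network list is built from the source network of each entry; the ACL lines are embedded as constructed sample input copied from the post.

```python
"""ASA access-list coverage checker (added example, not from the thread).

Parses lines of the form
    access-list NAME extended permit ip SRC SRCMASK DST DSTMASK
and reports (1) whether an ACL permits a source/destination pair, first match
wins with an implicit deny at the end, as the ASA evaluates it, and (2) the
source networks of the permit entries, which is what the downloaded policy in
the thread shows as "Split Tunnel Networks" (assumption derived from that
output, not from Cisco documentation).
"""
import ipaddress
import re

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)

# Constructed sample input: the SERVER access-list lines quoted in the post.
SERVER_ACLS = """
access-list acl_PAT_EXEMPT extended permit ip 172.22.0.0 255.255.255.0 10.20.20.112 255.255.255.252
access-list acl_PAT_EXEMPT extended permit ip 172.22.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list ezvpn extended permit ip 172.22.0.0 255.255.255.0 10.20.20.112 255.255.255.252
access-list ezvpn extended permit ip 172.22.0.0 255.255.255.0 172.16.0.0 255.255.255.0
"""


def parse_acls(text):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # not an ip ACE with explicit masks; not modelled here
        # ipaddress accepts "address/netmask"; strict=False tolerates host bits
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
        acls.setdefault(m["name"], []).append((m["action"], src, dst))
    return acls


def first_match(acls, name, src_ip, dst_ip):
    """First ACE of NAME that matches the pair, or None (implicit deny)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acls.get(name, []):
        if s in ace[1] and d in ace[2]:
            return ace
    return None


def permits(acls, name, src_ip, dst_ip):
    """True only when the first matching ACE is a permit."""
    ace = first_match(acls, name, src_ip, dst_ip)
    return ace is not None and ace[0] == "permit"


def split_tunnel_networks(acls, name):
    """Source networks of the permit entries, the way the downloaded
    policy in the thread lists them."""
    return sorted({str(ace[1]) for ace in acls.get(name, []) if ace[0] == "permit"})


if __name__ == "__main__":
    acls = parse_acls(SERVER_ACLS)
    pairs = [("172.22.0.5", "172.16.0.7"),   # HQ host to VLAN 10 host
             ("172.16.0.7", "172.22.0.5"),   # VLAN 10 host to HQ host
             ("172.22.0.5", "10.20.20.114")] # HQ host to client inside interface
    for acl in ("acl_PAT_EXEMPT", "ezvpn"):
        for src, dst in pairs:
            verdict = "permit" if permits(acls, acl, src, dst) else "no match"
            print(f"{acl}: {src} -> {dst}: {verdict}")
    print("split-tunnel networks from ezvpn:", split_tunnel_networks(acls, "ezvpn"))
```

Run against the excerpt, the checker confirms that both ACLs cover 172.22.0.0/24 towards 172.16.0.0/24 and towards the client's inside subnet, that no entry in either ACL has 172.16.0.0/24 as its source, and that the only network the ezvpn list would hand down is 172.22.0.0/24, which matches the "Split Tunnel Networks" line of the `sh vpnclient` output above.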
03-03-2010 05:58 PM
Hi,
Can you paste the "sh run" of your 3560 switch? I suspect the routing config in that switch.
regards
karuppu
03-04-2010 06:28 AM
Karuppu,
Thanks for your feedback.
Please find below the outputs of some sh cmds (run, ip route) and the ping result.
CoreSW1#sh ru
Building configuration...
Current configuration : 10191 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CoreSW1
!
boot-start-marker
boot-end-marker
!
!
username admin privilege 15 secret 5 $1$5fgA$z2.b3suBZrirSXNH3tcx10
!
!
no aaa new-model
system mtu routing 1500
authentication mac-move permit
ip subnet-zero
ip routing
no ip domain-lookup
ip dhcp excluded-address 172.16.0.1
!
ip dhcp pool TEST
network 172.16.0.0 255.255.255.0
default-router 172.16.0.1
!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet0/1
switchport access vlan 100
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
!
..
!
interface GigabitEthernet0/24
description to the router
no switchport
ip address 192.168.254.106 255.255.255.252
!
interface Vlan1
no ip address
no ip mroute-cache
shutdown
!
interface Vlan100
ip address 172.16.0.1 255.255.255.0
!
router ospf 1
log-adjacency-changes
passive-interface Vlan100
network 172.16.0.0 0.0.0.255 area 0
network 192.168.254.104 0.0.0.3 area 0
!
ip classless
no ip http server
no ip http secure-server
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
login local
line vty 0 4
logging synchronous
login local
line vty 5 15
logging synchronous
login local
!
end
CoreSW1#sh ip route
Gateway of last resort is 192.168.254.105 to network 0.0.0.0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.0.0 is directly connected, Vlan100
10.0.0.0/30 is subnetted, 1 subnets
O 10.20.20.112
[110/2] via 192.168.254.105, 00:00:06, GigabitEthernet0/24
192.168.254.0/30 is subnetted, 1 subnets
C 192.168.254.104 is directly connected, GigabitEthernet0/24
O*E2 0.0.0.0/0 [110/1] via 192.168.254.105, 00:00:06, GigabitEthernet0/24
CoreSW1#ping 10.20.20.114 (VPNClient inside interface)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.20.114, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
Thanks,
Francois