VPN doesn't work when an additional firewall is placed

Unanswered Question
Aug 24th, 2010

I have attached a simple diagram of the setup. I want to set up an IPSec site-to-site VPN between the branch office and the head office (LAN). Both sites have an ASA5520, and I was able to set up the VPN tunnel between the branch office and the LAN, but without the Linux firewall in place.

We put a Linux firewall in place as an additional security layer. The Linux firewall is connected to the ASA inside interface. How can I allow VPN traffic to the inside LAN?


If servers on the DMZ want to access servers on the LAN, we have created a static NAT rule as below:
static (inside,dmz) 10.10.10.2 172.16.9.2 netmask 255.255.255.255
then create an access-list followed by an access-group, and then on the Linux firewall we open the necessary ports. Do I have to apply this same procedure to the VPN setup?

Jennifer Halim Tue, 08/24/2010 - 23:38

The VPN connection is terminated on the outside interface of the ASA, so by the time the traffic reaches the Linux firewall, which is inside your network, it is already normal clear-text traffic.

You would just need to allow the traffic to pass between your internal LAN subnet and the remote LAN subnet through the Linux firewall, and also make sure that the route towards the remote LAN subnet points to the ASA inside interface.

Hope that helps.

cisco.bml Wed, 08/25/2010 - 00:02

In configuring the VPN setup on the ASA we have to define the encrypted IP addresses, as below:

access-list inside_nat0_outbound extended permit ip 172.16.9.0 255.255.255.248 192.168.1.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 172.16.9.0 255.255.255.248 192.168.1.0 255.255.255.0

Is this right according to the diagram?

cisco.bml Wed, 08/25/2010 - 00:06

I forgot to mention that LAN IP address is 192.168.100.0/24.

Jennifer Halim Wed, 08/25/2010 - 00:11

It depends on whether you are NATting your internal network on the Linux server to the 172.16.9.0 network. If you don't NAT the internal network, then the crypto ACL is incorrect. It should be as follows:

access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0

And you also need to change it accordingly on the remote ASA.

Alternatively, you can leave the existing ACL and just add another line with the above. That would allow both the Linux subnet and the internal subnet to be encrypted, at least for testing. If you find that you don't need the Linux subnet, you can remove it later. Please kindly make sure that you have the mirror-image ACL on the remote ASA too.

Hope that helps.
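The two points in this thread that are easy to get wrong are the mirror-image crypto ACL on the remote ASA and the NAT-exemption (nat0) ACL having to cover exactly the subnet pairs that the crypto ACL encrypts; a third is what the Linux firewall behind the ASA must forward once the tunnel's traffic arrives in clear text. The script below is an added example, not code from the thread or from Cisco: it parses the `permit ip` entries of both ASAs' ACLs, checks the mirror and nat0 conditions, and derives the Linux `FORWARD` rules and the route that the answer above describes. The configuration snippets are constructed from the subnets given in the thread (head-office LAN 192.168.100.0/24, branch LAN 192.168.1.0/24, and the original 172.16.9.0/29 entry as the known-bad case); the ASA inside-interface address `192.168.100.1` is an assumption, since the thread never gives it.

```python
"""Added example: sanity-check site-to-site crypto / nat0 ACLs on two ASAs
and derive what the Linux firewall behind the ASA must permit.
Not code from the thread; subnets are taken from it, everything else is constructed."""
import ipaddress
import re

# Matches "access-list NAME extended permit ip SRC SMASK DST DMASK" (netmask form).
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)"
)

# Constructed from the thread: corrected head-office ACLs, their mirror on the
# branch ASA, and the original (wrong) head-office entry that encrypts the
# Linux firewall's 172.16.9.0/29 subnet instead of the real LAN.
HEAD_OFFICE = """
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
BRANCH = """
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
"""
WRONG_HEAD_OFFICE = """
access-list inside_nat0_outbound extended permit ip 172.16.9.0 255.255.255.248 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.9.0 255.255.255.248 192.168.1.0 255.255.255.0
"""


def parse_aces(config):
    """Return {acl_name: [(src_network, dst_network), ...]} for 'permit ip' ACEs."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # other ACE types / non-ACL lines are ignored here
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}")
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}")
        acls.setdefault(m["name"], []).append((src, dst))
    return acls


def is_mirror(local_crypto, remote_crypto):
    """The remote crypto ACL must be exactly the (dst, src) reversal of the local one."""
    return set(remote_crypto) == {(dst, src) for src, dst in local_crypto}


def nat0_covers_crypto(nat0, crypto):
    """Every encrypted pair must be NAT-exempt; otherwise the source is rewritten
    before the crypto ACL is evaluated and the packet never matches the tunnel."""
    def covered(pair):
        return any(pair[0].subnet_of(s) and pair[1].subnet_of(d) for s, d in nat0)
    return all(covered(p) for p in crypto)


def check_tunnel(local_cfg, remote_cfg,
                 crypto_name="outside_1_cryptomap", nat0_name="inside_nat0_outbound"):
    """Run both checks and report them; names default to those used in the thread."""
    local, remote = parse_aces(local_cfg), parse_aces(remote_cfg)
    local_crypto = local.get(crypto_name, [])
    return {
        "mirror": is_mirror(local_crypto, remote.get(crypto_name, [])),
        "nat0_ok": nat0_covers_crypto(local.get(nat0_name, []), local_crypto),
    }


def linux_firewall_rules(local_crypto, asa_inside_ip):
    """Clear-text traffic from the tunnel reaches the Linux firewall inside the ASA,
    so it needs a FORWARD accept in both directions per encrypted pair plus a route
    for each remote subnet via the ASA inside interface (assumed address)."""
    rules = []
    for src, dst in local_crypto:
        rules.append(f"ip route add {dst} via {asa_inside_ip}")
        rules.append(f"iptables -A FORWARD -s {src} -d {dst} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -s {dst} -d {src} -j ACCEPT")
    return rules


if __name__ == "__main__":
    print("corrected ACLs:", check_tunnel(HEAD_OFFICE, BRANCH))
    print("original ACLs: ", check_tunnel(WRONG_HEAD_OFFICE, BRANCH))
    for rule in linux_firewall_rules(parse_aces(HEAD_OFFICE)["outside_1_cryptomap"],
                                     "192.168.100.1"):
        print(rule)
```

The reversal check is deliberately strict (set equality rather than "contains"): a remote ACL with an extra or missing pair will still negotiate some SAs, but the mismatched pair silently never comes up, which looks exactly like "the VPN doesn't work when the firewall is in place". The generated Linux lines are meant to be reviewed and pasted by hand, not executed by the script.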
