09-27-2009 02:43 PM - edited 03-11-2019 09:19 AM
Hi,
I'm still what I would consider a newbie to ASAs. They're the first HW firewall I've worked with and have been using them for a few months successfully. Since I know absolutely nothing about VPNs, I figured I'd give the GUI a try.
First question: Step 1, it asks me on what interface the VPN tunnel will be. I suppose this should be the outside interface...
Step 5: it's asking me to define the local and remote networks that will take part in this tunnel.. Is this supposed to be the un-translated IPs???
Thanks!
I'm currently at step 5 of 6 where it asks me to specify the local and remote networks which will be communicating. I do believe this is meant to be the internal IPs, not the external ones
09-28-2009 07:00 PM
Actually I guess I'll answer myself on this one..
I tried assigning an extra (external) IP to each device and creating the tunnel between the two IPs. This was actually successful. I used the packet-tracer as follows:
packet-tracer input inside 192.168.10.3 3945 AA.BB.CC.DD(EXTERNAL IP on remote device) 3389
The first time I did this, of course, it was denied by the ACL. This seems to be usual behavior until the tunnel comes up.. the second time I did this, the traffic passed through... The only disadvantage to this is, the new external IP won't be able to route internet traffic I believe.. not sure why this is a requirement, maybe for security reasons? Still to be done:
RA VPN and then to route RA VPN through the tunnel... So to complicate things, like mentioned before, the other side of the tunnel is not interested in adding any internal networks as "interesting traffic". They want everything to be external IPs. It seems like I'll have to map at least a couple of IPs (one for the actual server, one for the remote access VPN) to this new external IP.
09-28-2009 08:59 PM
Erick, good testing. Interesting traffic means the hosts or subnets at your end that will be part of the tunnel policy.
As for NATing the internal IP with a public one, yes you can NAT as seen in your test: simply create a static one-to-one NAT private-to-public IP, then in your crypto ACL, instead of using the private IP, you use the public IP. The host will not go through the tunnel for internet; it will use its public IP for regular internet traffic, separated from the L2L tunnel.
Say the public IP for host 192.168.1.10 on the GK side is 20.20.20.20, and the host from the other end (AC side) is 192.168.100.30 as part of the tunnel policy.
static (inside,outside) 20.20.20.20 192.168.1.10 netmask 255.255.255.255
access-list outside_2_cryptomap extended permit ip host 20.20.20.20 host 192.168.100.30
access-list inside_nat0_outbound extended permit ip host 20.20.20.20 host 192.168.100.30
When 192.168.100.30 accesses 20.20.20.20, the ASA will translate it to the local host.
RA VPN is another topic.
Regards
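To make the NAT-then-crypto-ACL ordering in the reply above concrete, here is a small Python model (added here as an illustration, not code from the thread or from Cisco) that walks a packet through the two steps the reply describes: the static one-to-one NAT first, then the crypto ACL matched on the post-NAT addresses. It uses the thread's own addresses (192.168.1.10 mapped to 20.20.20.20, remote host 192.168.100.30) and a constructed internet address 198.51.100.7; the hypothetical helpers `outbound()` and `inbound()` return the translated address and whether the flow would be encrypted, which is the same question Erick's packet-tracer test answers. Interface ACLs and the nat0 line are deliberately left out of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Tuple

# Constructed model of the flow described in the reply (not an ASA implementation):
#   1. static (inside,outside) NAT maps the private host to its public IP
#   2. the crypto ACL is evaluated on the post-NAT (outside) addresses
#   3. anything the crypto ACL does not permit leaves in the clear with its public IP


@dataclass(frozen=True)
class StaticNat:
    """static (inside,outside) <public> <private> netmask 255.255.255.255"""
    public: str
    private: str


@dataclass(frozen=True)
class CryptoAce:
    """One 'permit ip' line of the crypto ACL, addresses in CIDR notation."""
    src: str
    dst: str

    def permits(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst))


# Values taken from the thread: GK-side host and its public IP, AC-side host.
STATICS = (StaticNat(public="20.20.20.20", private="192.168.1.10"),)
CRYPTO_ACL = (CryptoAce(src="20.20.20.20/32", dst="192.168.100.30/32"),)


def translate_outbound(src: str, statics: Iterable[StaticNat] = STATICS) -> str:
    """Apply the static one-to-one NAT; hosts without a static keep their address (model simplification)."""
    for s in statics:
        if s.private == src:
            return s.public
    return src


def untranslate_inbound(dst: str, statics: Iterable[StaticNat] = STATICS) -> str:
    """Reverse the static NAT for traffic arriving on the outside interface."""
    for s in statics:
        if s.public == dst:
            return s.private
    return dst


def outbound(src: str, dst: str, statics=STATICS, acl=CRYPTO_ACL) -> Tuple[str, bool]:
    """inside -> outside: NAT first, then the crypto map match on the post-NAT source."""
    public_src = translate_outbound(src, statics)
    tunneled = any(a.permits(public_src, dst) for a in acl)
    return public_src, tunneled


def inbound(src: str, dst: str, statics=STATICS, acl=CRYPTO_ACL) -> Tuple[str, bool]:
    """outside -> inside: the crypto ACL is matched mirrored (local side is the ACL source),
    then the public destination is untranslated to the private host."""
    tunneled = any(a.permits(dst, src) for a in acl)
    return untranslate_inbound(dst, statics), tunneled


if __name__ == "__main__":
    flows = [("192.168.1.10", "192.168.100.30"),   # to the tunnel peer host
             ("192.168.1.10", "198.51.100.7"),     # constructed internet host: clear text
             ("192.168.1.11", "192.168.100.30")]   # host with no static: not interesting traffic
    for s, d in flows:
        print(f"{s} -> {d}: {outbound(s, d)}")
    print("192.168.100.30 -> 20.20.20.20:", inbound("192.168.100.30", "20.20.20.20"))
```

The model shows why the crypto ACL has to name 20.20.20.20 rather than 192.168.1.10: by the time the crypto map is consulted the source has already been translated, so an ACL written with the private address would never match and the traffic would leave unencrypted. Running the same three flows through `packet-tracer` on the real ASA is the check to make after any change to the static or the crypto ACL.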