VPN to Internal Network Interface...

Venture101
Level 1

Hi Folks,

This evening I tried mocking up a design to create a VPN across our Corporate Network from the Outside Interface of a Cisco ASA 5505 (Remote Site) to the Inside Interface of an ASA 5510 (Local Site).

However, because I was trying to communicate with the Inside Interface of my local firewall and then have the traffic pass back OUT that interface, every single packet (pings & the VPN traffic) was being denied due to IP spoofing errors.

I checked and the Anti-Spoofing on all my Interfaces is currently turned off.

I understand that setting up a VPN to the Inside Interface is rather unorthodox, but in this situation it's necessary because, although the remote site is "Corporate" so to speak, they are a different subsidiary of our company and can't be allowed to view any of the information that I want to send over the tunnel.

All I can think of at present is that I'm going to have to set up another sub-interface alongside the Inside and then route the traffic back out that somehow.

Any ideas would be appreciated and I can put up censored configs/drawings if required.

Thanks

Ewan


Stephen Rodriguez
Cisco Employee

Ewan,

You'll want to move this to the Security > VPN Forum. This particular sub-board is for Wireless.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Create a new network segment inside your network (such as an extranet setup), then create a policy-based static NAT to the inside interface on the ASA (local) with an ACL.

Your remote VPN tunnel peer's interesting-traffic identifier ACL will include your local inside address as interesting traffic; when that particular traffic hits your FW (local), it will statically translate to the new extranet subnet you created.

As far as your remote VPN peer is concerned, that remote VPN peer sees only your inside (local) address on the VPN tunnel.

Thanks

Rizwan Rafeek

Hi Rizwan,

Just to confirm I would create this Extranet on my Core (not the firewall) and add the Inside interface to the VPN ACL on the Local FW?

I would then create a static NAT on the Local FW from my Inside Local Address to the Extranet when the source address is the Remote FW?

If I've got that down will give this a try in the lab later this week.

Stephen - Apologies for this still being off topic!

Thanks!

Ewan

"Just to confirm I would create this Extranet on my Core (not the firewall) and add the Inside interface to the VPN ACL on the Local FW?" An extranet network segment is required when you have an IP segment conflict or you do not want to advertise the remote segment on your internal cloud.

"I would then create a static NAT on the Local FW from my Inside Local Address to the Extranet when the source address is the Remote FW?" No, it should be a policy static NAT, as shown below.

Policy static NAT on the local FW, as in the example below.

Destination Interesting traffic: 10.76.5.0 255.255.255.0

Source Interesting traffic: 10.200.0.0 255.255.0.0 (this source traffic could be your existing internal local network segments.)

Your inside FW's address is: 192.168.0.2

Migrated Configuration

! Real source: existing internal segments
object network obj-10.200.0.0
 subnet 10.200.0.0 255.255.0.0
! Mapped source: the local FW's inside address
object network obj-192.168.0.2
 host 192.168.0.2
! Destination that triggers the policy (remote protected subnet)
object network obj-10.76.5.0
 subnet 10.76.5.0 255.255.255.0
! Only traffic from 10.200.0.0/16 to 10.76.5.0/24 is translated to 192.168.0.2
nat (inside,outside) source static obj-10.200.0.0 obj-192.168.0.2 destination static obj-10.76.5.0 obj-10.76.5.0

Old Configuration

! Policy ACL: the same source/destination pair selects the translation
access-list NET1 permit ip 10.200.0.0 255.255.0.0 10.76.5.0 255.255.255.0
static (inside,outside) 192.168.0.2 access-list NET1

Hope that helps.

Thanks
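To make the intent of Rizwan's policy static NAT concrete, here is a small model (added example, not part of the original thread or any Cisco code) that applies the same match rule to a few constructed flows and reports what the remote peer would see; the addresses are the ones from the post, the sample flows are made up for illustration.

```python
from ipaddress import ip_address, ip_network

# Addresses from the post's example (local FW side)
REAL_SRC = ip_network("10.200.0.0/16")    # existing internal local segments
MAPPED_SRC = ip_address("192.168.0.2")   # local FW's inside address
REMOTE_DST = ip_network("10.76.5.0/24")  # remote site's protected subnet


def policy_nat(src, dst):
    """Model of the policy static NAT: only flows from REAL_SRC to REMOTE_DST
    have their source rewritten to MAPPED_SRC; any other flow is untouched.
    Returns (translated_src, dst, was_translated)."""
    s, d = ip_address(src), ip_address(dst)
    if s in REAL_SRC and d in REMOTE_DST:
        return str(MAPPED_SRC), str(d), True
    return str(s), str(d), False


def is_interesting_at_remote(src, dst):
    """The remote peer's interesting-traffic ACL only needs to cover
    host 192.168.0.2 -> 10.76.5.0/24, since that is all it sees post-NAT."""
    return ip_address(src) == MAPPED_SRC and ip_address(dst) in REMOTE_DST


def describe(flows):
    """For each (src, dst) flow return: src, dst, src as seen by the remote
    peer, whether the policy NAT fired, and whether the remote ACL matches."""
    rows = []
    for src, dst in flows:
        tsrc, tdst, natted = policy_nat(src, dst)
        rows.append((src, dst, tsrc, natted, is_interesting_at_remote(tsrc, tdst)))
    return rows


# Constructed sample flows (not from the thread)
SAMPLE_FLOWS = [
    ("10.200.4.17", "10.76.5.10"),    # internal host -> remote subnet: translated
    ("10.200.9.3", "203.0.113.5"),    # internal host -> elsewhere: untouched
    ("10.77.1.5", "10.76.5.10"),      # source outside the policy: untouched, not interesting
]

if __name__ == "__main__":
    for row in describe(SAMPLE_FLOWS):
        print(row)
```

Only the first flow is rewritten and matches the remote peer's ACL; the remote side never learns the 10.200.0.0/16 addresses.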

Great thanks will try this out over the weekend!

Thanks

Ewan
