
New Member

VPN to Internal Network Interface...

Hi Folks,

This evening I tried mocking up a design to create a VPN across our Corporate Network from the Outside Interface of a Cisco ASA 5505 (Remote Site) to the Inside Interface of an ASA 5510 (Local Site).

However, because I was trying to communicate with the Inside Interface of my local Firewall and then have the traffic pass back OUT that interface, every single packet (pings and the VPN traffic) was being denied due to IP spoofing errors.

I checked and the Anti-Spoofing on all my Interfaces is currently turned off.

I understand that setting up a VPN to the Inside Interface is rather unorthodox, but in this situation it's necessary because, although the remote site is "Corporate" so to speak, they are a different subsidiary of our company and can't be allowed to view any of the information that I want to send over the tunnel.

All I can think of at present is that I'm going to have to set up another sub-interface alongside the Inside and then route the traffic back out that somehow.

Any ideas would be appreciated and I can put up censored configs/drawings if required.

Thanks

Ewan

5 REPLIES

VPN to Internal Network Interface...

Ewan,

You'll want to move this to the Security > VPN Forum. This particular sub-board is for Wireless.

HTH, Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

VPN to Internal Network Interface...

Create a new network segment inside your network (such as an extranet setup), then create a policy-based static NAT to the inside interface on the ASA (local) with an ACL.

Your remote VPN tunnel peer's interesting-traffic ACL will include your local inside address as interesting traffic; when that particular traffic hits your FW (local), it will statically translate to the new extranet subnet you created.

As far as your remote VPN peer is concerned, that remote VPN peer sees only your inside (local) address on the VPN tunnel.

Thanks

Rizwan Rafeek

New Member

VPN to Internal Network Interface...

Hi Rizwan,

Just to confirm I would create this Extranet on my Core (not the firewall) and add the Inside interface to the VPN ACL on the Local FW?

I would then create a static NAT on the Local FW from my Inside Local Address to the Extranet when the source address is the Remote FW?

If I've got that down, I will give this a try in the lab later this week.

Stephen - Apologies for this still being off topic!

Thanks!

Ewan

Re: VPN to Internal Network Interface...

"Just to confirm I would create this Extranet on my Core (not the firewall) and add the Inside interface to the VPN ACL on the Local FW?" An extranet network segment is required when you have an IP segment conflict or you do not want to advertise the remote segment on your internal cloud.

"I would then create a static NAT on the Local FW from my Inside Local Address to the Extranet when the source address is the Remote FW?" No, it should be a policy static NAT as shown below.

Policy static NAT on the local FW, as in the example below.

Destination Interesting traffic: 10.76.5.0 255.255.255.0

Source Interesting traffic: 10.200.0.0 255.255.0.0 (this source traffic could be your existing internal local network segments.)

Your inside FW's address is: 192.168.0.2

Migrated Configuration

object network obj-10.200.0.0
 subnet 10.200.0.0 255.255.0.0
object network obj-192.168.0.2
 host 192.168.0.2
object network obj-10.76.5.0
 subnet 10.76.5.0 255.255.255.0
nat (inside,outside) source static obj-10.200.0.0 obj-192.168.0.2 destination static obj-10.76.5.0 obj-10.76.5.0

Old Configuration

access-list NET1 permit ip 10.200.0.0 255.255.0.0 10.76.5.0 255.255.255.0
static (inside,outside) 192.168.0.2 access-list NET1

Hope that helps.

Thanks
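The following is an added example, not part of Rizwan's reply or any Cisco tool: a small Python model of the policy static NAT above, used to check which flows actually get their source rewritten to the inside address before the crypto map is consulted. It assumes (this is not stated in the thread) that the local side's crypto ACL matches the post-NAT addresses, i.e. host 192.168.0.2 to 10.76.5.0/24, so a flow that misses the policy NAT also misses the tunnel.

```python
from ipaddress import ip_address, ip_network

# Objects from the reply's "Migrated Configuration".
OBJ_LOCAL_REAL = ip_network("10.200.0.0/16")      # obj-10.200.0.0
OBJ_LOCAL_MAPPED = ip_network("192.168.0.2/32")   # obj-192.168.0.2 (inside interface)
OBJ_REMOTE = ip_network("10.76.5.0/24")           # obj-10.76.5.0

# nat (inside,outside) source static obj-10.200.0.0 obj-192.168.0.2
#     destination static obj-10.76.5.0 obj-10.76.5.0
# Modelled as (real_src, mapped_src, dst): the source is rewritten only when
# the destination also matches; the destination itself is an identity NAT.
POLICY_NAT = [(OBJ_LOCAL_REAL, OBJ_LOCAL_MAPPED, OBJ_REMOTE)]

# Assumed crypto ACL in the post-NAT view (not from the thread).
CRYPTO_ACL = [(OBJ_LOCAL_MAPPED, OBJ_REMOTE)]


def translate_source(src, dst, rules=POLICY_NAT):
    """Return the source the remote peer sees after policy NAT.

    The mapped object is a single host, so every matching real source
    collapses onto 192.168.0.2; the first rule whose real-source and
    destination both match wins, otherwise the source is left unchanged.
    """
    s, d = ip_address(src), ip_address(dst)
    for real_src, mapped_src, dst_net in rules:
        if s in real_src and d in dst_net:
            return str(mapped_src.network_address)
    return str(s)


def classify_flow(src, dst):
    """Say whether a flow would be encrypted into the tunnel.

    The ASA applies NAT before matching the crypto map, so only flows whose
    translated source hits the crypto ACL are protected; anything else is
    routed as ordinary plaintext traffic and must be caught by other policy.
    """
    mapped = translate_source(src, dst)
    d = ip_address(dst)
    encrypted = any(ip_address(mapped) in a and d in b for a, b in CRYPTO_ACL)
    return {"src": src, "dst": dst, "mapped_src": mapped, "encrypted": encrypted}


if __name__ == "__main__":
    # Constructed sample flows: in-scope, wrong destination, source outside the NAT object.
    for flow in [("10.200.1.10", "10.76.5.20"), ("10.200.1.10", "10.76.6.20"),
                 ("10.50.1.10", "10.76.5.20")]:
        print(classify_flow(*flow))
```

The third sample flow is the case worth auditing: a source outside 10.200.0.0/16 is neither translated nor matched by the crypto ACL, so it would reach 10.76.5.0/24 (if routed) without the tunnel.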

New Member

Re: VPN to Internal Network Interface...

Great thanks will try this out over the weekend!

Thanks

Ewan
