New Member

ASA 8.4 authentication over L2L VPN

Hi All

I am just posting a quick question (I hope). I am trying to get authentication working for VPN clients. The problem is that the authentication server (RSA) is located on the outside interface, reachable over an L2L tunnel.

So here's the question: for the crypto access-list and NAT statement, should the source be the exiting (outside) interface of the ASA toward the authentication server, or the VPN pool?

So the configuration below, just for an example:

object-group VPN_pool = 192.168.1.0/24

object-group RSA_server = 10.10.10.1

object-group ASA_outside = 2.2.2.2

So would the configuration be:

access-list Outside_cryptomap extended permit ip object-group ASA_outside object-group RSA_server

nat (inside,outside) source static  ASA_outside ASA_outside destination static RSA_server RSA_server

Any help much appreciated

Regards Craig

Cisco Employee

ASA 8.4 authentication over L2L VPN

Craig,

There is no need to NAT traffic from the box. You just need to take care of routing (the RSA_server route needs to point out through the outside interface) and the crypto ACL (the way you have it should be just fine).

Please be aware of a caveat of a setup like this: it is very likely that initial authentication requests might be dropped (while a separate IPsec SA is established from the ASA to the RSA server).... Setting up an SLA to ping the RSA server from the ASA will alleviate this (and you are already using "ip" in your traffic selectors).

Marcin

New Member

ASA 8.4 authentication over L2L VPN

Hi Marcin

Thank you for the response. I have set this up but am failing to connect. I have tried a packet tracer but this is failing on the VPN part of the trace.

Any ideas? I have set the following statement:

access-list Outside_cryptomap extended permit ip object-group ASA_outside object-group RSA_server

And on the remote end:

access-list Outside_cryptomap extended permit ip object-group RSA_server object-group ASA_outside

!

access-list No_NAT extended permit ip object-group RSA_server object-group ASA_outside

Regards Craig

Cisco Employee

ASA 8.4 authentication over L2L VPN

Craig,

Packet tracer is not the best (depending on version it tries to establish IPsec or not); I would check first if the SA is brought up properly ;-)

"show crypto ipsec sa peer IP_ADDRESS" should be a good place to start.

If the SA is not up during testing ... well, debug crypto isakmp 127 + debug crypto ipsec 127 :-)

M.

New Member

ASA 8.4 authentication over L2L VPN

Hi Marcin - Hope you're well!

I'm having a similar issue to this. The RSA server is located in a data centre which my ASA has an L2L VPN to. I have control of this end but not the other. There is other traffic using this VPN.

I need to authenticate RemoteAccess VPN users to the RSA server in the data centre.

The ASA has a route to the RSA server which points over the VPN.

What will be the source address of the RSA request? I'm guessing it'll be the outside interface of the ASA, but I don't think I can encrypt traffic sourced from the endpoint of the VPN tunnel.

It's a shame there is no source-interface command as there is in IOS.

Can you tell me how I can get this request to the data centre over the VPN?

Many Thanks, Dom

Cisco Employee

ASA 8.4 authentication over L2L VPN

Dom,

Sorry for late reply - I was OoO for quite some time.

Did you sort this one out?

The ASA will consult the routing table to figure out which interface to use (i.e. the interface closest to the source); there is a bit of modification to this with the "management-access" command.

There should be no problem encrypting traffic from the box itself as far as VPN is concerned; I'm not aware of any limitations on underlying layers.

M.

New Member

ASA 8.4 authentication over L2L VPN

Hi Marcin - Yeah I did resolve it.

When you configure the RSA server using the GUI there is an option to select the interface. I thought this meant the interface you need to use to get to the RSA server, but I changed it to be the inside interface and it worked, so I'm guessing that it means use this interface as the source address for the request.

Cheers, Dom
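Putting the thread's pieces together, here is an ASA 8.4 configuration that implements what Marcin describes (route the RSA server out the outside interface, crypto ACL from the ASA's outside address to the server, no NAT for box-originated traffic, an SLA probe to keep the SA up) and what Dom found (the interface named on the aaa-server host line is where the request is sourced from). This is an added example, not the configuration of Craig, Dom or Marcin. The object names and addresses are the thread's; the L2L peer 3.3.3.3, next hop 2.2.2.1, transform set, IKE policy, tunnel-group names and the pre-shared key are assumptions.

```cisco
! --- objects as named in the thread (addresses are the thread's examples)
object-group network RSA_server
 network-object host 10.10.10.1
object-group network ASA_outside
 network-object host 2.2.2.2
!
! --- crypto ACL: box-originated traffic from the outside address to the RSA server.
! --- If an L2L tunnel to this peer already exists, add this line to its existing ACL.
! --- "ip" (not just udp/5500) also covers the ICMP probe below.
access-list Outside_cryptomap extended permit ip object-group ASA_outside object-group RSA_server
!
! --- no NAT statement: traffic sourced by the ASA itself is not translated (per Marcin's reply)
!
! --- route the RSA server out through the outside interface (next hop 2.2.2.1 is an assumption)
route outside 10.10.10.1 255.255.255.255 2.2.2.1 1
!
! --- IKEv1 site-to-site crypto map (peer 3.3.3.3, policy and transform set are assumptions)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map Outside_map 10 match address Outside_cryptomap
crypto map Outside_map 10 set peer 3.3.3.3
crypto map Outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map Outside_map interface outside
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 ikev1 pre-shared-key PSK_PLACEHOLDER
!
! --- keep the SA up so the first RSA request is not dropped while IPsec negotiates (Marcin's caveat)
sla monitor 1
 type echo protocol ipIcmpEcho 10.10.10.1 interface outside
 frequency 30
sla monitor schedule 1 life forever start-time now
!
! --- RSA SecurID (SDI) server; the interface in parentheses is the one the request is sourced from,
! --- so its address must be covered by the crypto ACL on both ends
aaa-server RSA protocol sdi
aaa-server RSA (outside) host 10.10.10.1
!
! --- bind the server group to the remote-access tunnel-group (group name is an assumption)
tunnel-group RA_VPN general-attributes
 authentication-server-group RSA
```

The remote end needs the mirror-image crypto ACL (RSA_server to ASA_outside) plus its own NAT exemption, as Craig shows. Dom's resolution corresponds to `aaa-server RSA (inside) host 10.10.10.1` instead: the request is then sourced from the inside interface address, which only works because the existing data-centre tunnel already carries the inside subnet in its traffic selectors. Either way, verify with `show crypto ipsec sa peer 3.3.3.3` that an SA exists for the ASA-to-RSA selector before testing a client login.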
