Cisco 5520 VPN Appliance VPNs

roonstar01
Level 1

Hi,

We have an office block where we sub-let offices to different companies; these sub-lets have their own broadcast domain via a Layer 3 VLAN, so they have their own local IP range. We have an internet connection with live IPs for each of the sub-lets and a 5520 Firewall/Cisco 3925 Multi Service Router connecting to the internet.

Can you tell me how I can create dial-in IPsec VPNs for each of these offices so the traffic routes through to the correct VLAN and therefore connects each end user to their own network? The VLANs are created by HP ProCurve 5412zl switches, if that helps.

Thanks in advance for any assistance.

9 Replies

Marcin Latosiewicz
Cisco Employee

Steve,

"It depends" :-)

You could implement IPsec VPN for RA users and specify different egress vlan per group-policy.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1549174

This is of course only true if you're not separating sub-lets in different contexts.

If it's a router you can do VRF lite and decapsulate IPsec traffic into VRFs (very easy when using DVTI).

Multiple choices; it depends on how everything is configured right now and/or how much time you would like to "sacrifice".

I'd start by showing a topology diagram specifying how everything is connected. :-)

Marcin

Hi Marcin,

Thanks for your reply,

I have attached a basic topology as the network stands at the moment. We are waiting for the internet connections to be provisioned and so have very little information on what IP ranges will be supplied. However, it is our understanding that we will have a range of public IP addresses which we can associate with each VLAN on the local network, allowing us to NAT any protocol (SMTP, HTTPS, FTP etc.) to a particular VLAN interface.

In addition we would terminate VPNs inbound from these public IP addresses on the firewall. From here the packets would be tagged for a VLAN on the local network depending on which public IP they are coming in on.

Thanks in advance for your help.

Kind Regards


Steve

Steve,

Gotcha.

A few comments.

Regarding terminating VPN, you can use only one IP address per interface to terminate VPN and it is always the IP address assigned to a given interface.

Also, if you want to terminate VPN, it's best that you make a decision on where the actual traffic should be put, based on the group name you specify in the PCF file, which usually matches the tunnel-group name.

As far as having inside users access the internet, there are a few options for NAT, dynamic PAT being THE most used :-)

The actual configuration will depend also on version of ASA software - recent 8.3 version contains new NAT commands.


If you have questions - shoot. I might have misunderstood something ;-)

Marcin

Hi Marcin,

Right ok , that raised a few other questions for me then if you don't mind..

First off is the function of the router: if the firewall (5500) only has one IP address per interface (currently it has two, one inside and one outside), where would I set up the range of IP addresses which I need to NAT across to different VLANs on the local network?

As an example of this, let's say we have a tenant within the building with their own mail server and they have an email address of john@lenovo.co.uk; the MX records for their domain would deliver down to mail.lenovo.co.uk, which resolves to one of these public IP addresses. We would then need to NAT port 25 from this public IP to the mail server sitting on the tenant's VLAN.

I'm guessing all this would then be on the router, with rules which route the traffic over to the firewall, but I don't see how I can distinguish between tenant A and tenant B for NATting across the firewall.

Thanks again for your help and patience.

Kind Regards

Steve

Steve,

Well first of all we'd need to know if the NAT is to be done on ASA or the router.

Both can do it, but if I may say so ASA is the device to do NAT on.


How this usually works is that you'd have your router in front and a subnet of public IP addresses assigned to the ASA-facing interfaces. (Do you need that router there in the first place? Apart from routing and access technologies, the ASA can do almost the same features as the router.)

Anyway, you assign public IP range to the outside interface of ASA and private addressing/routing on the inside interface.

You then do (note this is ASA pre-8.3 config)

static (inside,outside) tcp EXTERNAL_IP_1 25 INTERNAL_IP 25

nat (inside) 100 INTERNAL_SUBNET INTERNAL_MASK

global (outside) 100 EXTERNAL_IP_2

That's one of the possibilities.

You do a static command for all needed services that tenants want to have available on the outside.

And then you apply nat and global commands for access for all other users.

Hope that makes sense.

Note that the firewall can have only one IP address on an interface, but can respond to ARP for multiple IP addresses (via static or global). So it's not like you're limited to the ASA only showing up as one IP address on "outside".

I think I got more confused with my explanation... if it doesn't make sense let me know

Marcin
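The pre-8.3 static/nat/global form above maps onto the object NAT syntax that 8.3 introduced (the release Steve's ASA turns out to run). As an added illustration, not Marcin's code or a Cisco tool, here is a small Python converter that takes those three statements and emits their 8.3 object-NAT equivalent. The sample addresses are constructed documentation ranges, the object names are my own convention, and the emitted syntax follows my reading of the 8.3 object NAT form (a single mapped address or the `interface` keyword after `dynamic` is PAT), so check the result against the command reference for your release before pasting it in.

```python
import re
from typing import Dict, List, Tuple

# Constructed input: Marcin's three pre-8.3 lines with the placeholders filled in
# using documentation addresses (RFC 5737 for the public side, RFC 1918 for the
# tenant VLAN). Nothing here is the thread's real addressing.
PRE_83 = """\
static (inside,outside) tcp 203.0.113.10 25 192.168.8.25 25
nat (inside) 100 192.168.8.0 255.255.255.0
global (outside) 100 203.0.113.11
"""

# Pre-8.3 forms handled (assumption: only the three statement types in the post):
#   static (real_ifc,mapped_ifc) proto MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT
#   nat (real_ifc) ID SUBNET MASK
#   global (mapped_ifc) ID {MAPPED_IP | interface}
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)$")


def _tag(ip: str) -> str:
    """192.168.8.0 -> 192_168_8_0, used in the (hypothetical) object names."""
    return ip.replace(".", "_")


def _prefix_len(mask: str) -> int:
    """255.255.255.0 -> 24."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def convert(config: str) -> List[str]:
    """Rewrite pre-8.3 static/nat/global statements as 8.3 object NAT lines.

    Each static becomes a host object with a static port translation; each
    nat/global pair (matched on the NAT ID) becomes a subnet object with a
    dynamic translation. Unsupported statements raise ValueError.
    """
    out: List[str] = []
    nats: List[Tuple[str, str, str, str]] = []       # (id, real_ifc, subnet, mask)
    globals_by_id: Dict[str, Tuple[str, str]] = {}   # id -> (mapped_ifc, mapped)

    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m_static = STATIC_RE.match(line)
        m_nat = NAT_RE.match(line)
        m_global = GLOBAL_RE.match(line)
        if m_static:
            real_ifc, mapped_ifc, proto, mapped_ip, mapped_port, real_ip, real_port = m_static.groups()
            # Port forward: the object is the real (inside) host. Note the order flips:
            # pre-8.3 lists mapped then real; 8.3's 'service' lists real port then mapped port.
            out += [
                f"object network HOST_{_tag(real_ip)}_{proto}_{real_port}",
                f" host {real_ip}",
                f" nat ({real_ifc},{mapped_ifc}) static {mapped_ip} service {proto} {real_port} {mapped_port}",
            ]
        elif m_nat:
            real_ifc, nat_id, subnet, mask = m_nat.groups()
            if nat_id == "0":
                # nat 0 (identity / exemption) has no object-NAT equivalent; it needs a twice-NAT rule.
                raise ValueError("nat 0 needs a hand-written twice NAT rule: " + line)
            nats.append((nat_id, real_ifc, subnet, mask))
        elif m_global:
            mapped_ifc, nat_id, mapped = m_global.groups()
            globals_by_id[nat_id] = (mapped_ifc, mapped)
        else:
            raise ValueError("unrecognised NAT statement: " + line)

    # Pair nat with global by ID. A single mapped address, or the 'interface'
    # keyword, after 'dynamic' is dynamic PAT (hide) in 8.3 object NAT.
    for nat_id, real_ifc, subnet, mask in nats:
        if nat_id not in globals_by_id:
            raise ValueError(f"nat id {nat_id} has no matching global")
        mapped_ifc, mapped = globals_by_id[nat_id]
        out += [
            f"object network NET_{_tag(subnet)}_{_prefix_len(mask)}",
            f" subnet {subnet} {mask}",
            f" nat ({real_ifc},{mapped_ifc}) dynamic {mapped}",
        ]
    return out


if __name__ == "__main__":
    print("\n".join(convert(PRE_83)))
```

Feeding it `nat (inside) 1 192.168.1.0 255.255.255.0` plus `global (outside) 1 interface` yields the inside-subnet object with `nat (inside,outside) dynamic interface`, which is the same shape Marcin suggests for Steve's 192.168.1.0/24 in his last reply further down the thread.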

Hi Marcin,

Hope you can help again. I've now got the router/firewall all set up and running and the local network can browse the internet from the different VLANs on the network!!

However I'm now trying to get some NAT rules up and running so I can access web servers, for example, from outside the network; also the VPN isn't working although I've used the ASDM wizard to set up an IPsec VPN using the Cisco VPN Client.

The network now has the following topology:

Cisco 3900 router with an outside interface of 93.186.145.81 and an inside interface of 93.186.146.126; a default route is also set to route 0.0.0.0/0 to 93.186.145.82 (the ISP's gateway).

Cisco ASA 5520 config below. As I understand it, as the ISP has allocated us the usable range 93.186.146.1 - 126, I should be able to use any of these IP addresses to NAT traffic across to the local network. However I've tried adding one of the IPs to the firewall's ARP table with a MAC address but I'm still unable to ping it.

Any help with getting this working would be gratefully received!

Kind Regards

Steve

Here's a copy of the config

Result of the command: "show running-config"

: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
enable password WOfRr0q2y4OlubXL encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 93.186.146.125 255.255.255.252
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/3.8
 vlan 8
 nameif CEC_Data8
 security-level 100
 ip address 192.168.8.252 255.255.255.0
!
interface GigabitEthernet0/3.100
 vlan 100
 nameif CEC_VOIP
 security-level 100
 ip address 172.16.0.253 255.255.0.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.0.1 255.255.255.0
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 name-server 141.1.1.1
 name-server 66.28.0.45
same-security-traffic permit inter-interface
object network NETWORK_OBJ_192.168.1.48_29
 subnet 192.168.1.48 255.255.255.248
object network NETWORK_OBJ_192.168.1.56_29
 subnet 192.168.1.56 255.255.255.248
object network Test
 host 93.186.146.125
object network MainSwitch
 host 192.168.1.254
 description Core Switch Access
access-list Inside_access_in extended permit ip any any
access-list Outside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu management 1500
mtu Inside 1500
mtu Outside 1500
mtu CEC_VOIP 1500
mtu CEC_Data8 1500
ip local pool VPN_Pool 192.168.1.50-192.168.1.55 mask 255.255.255.0
ip local pool vpn_pool2 192.168.1.56-192.168.1.60 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp Outside 93.186.146.124 9a7b.653e.8b3c alias
arp timeout 14400
nat (Inside,Outside) source dynamic any interface
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_192.168.1.56_29 NETWORK_OBJ_192.168.1.56_29
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_192.168.1.48_29 NETWORK_OBJ_192.168.1.48_29
!
object network Test
 nat (Outside,Inside) dynamic 192.168.1.254
object network MainSwitch
 nat (Inside,Outside) static 93.186.146.124 service tcp www www
access-group Inside_access_in in interface Inside
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 93.186.146.126 1
route Inside 172.16.0.0 255.255.255.0 192.168.1.254 1
route Inside 172.16.1.0 255.255.255.0 192.168.1.254 1
route Inside 192.168.0.0 255.255.0.0 192.168.1.254 1
route Inside 192.168.100.0 255.255.255.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 Inside
http 0.0.0.0 0.0.0.0 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Inside_map interface Inside
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Inside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.2-192.168.0.254 management
dhcpd enable management
!
dhcpd address 192.168.1.100-192.168.1.200 Inside
dhcpd dns 66.28.0.45 interface Inside
dhcpd option 3 ip 192.168.1.254 interface Inside
dhcpd enable Inside
!
dhcpd address 192.168.8.10-192.168.8.50 CEC_Data8
dhcpd dns 158.43.240.3 interface CEC_Data8
dhcpd option 3 ip 192.168.8.254 interface CEC_Data8
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 141.1.1.1
 vpn-tunnel-protocol l2tp-ipsec
username steverooney password IX47al9fxz4DeRcSdolGHg== nt-encrypted privilege 0
username steverooney attributes
 vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_Pool
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group Test type remote-access
tunnel-group Test general-attributes
 address-pool VPN_Pool
tunnel-group Test ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:569c769909ad7d29317ef4325335dd14
: end
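As an added example (not from the thread and not a Cisco tool), here is a Python script that parses an ASA running-config into its command blocks and flags the settings in the posted config that a reviewer would want to look at before leaving it facing the internet: the `permit ip any any` ACL bound to the security-level-0 interface, `http 0.0.0.0 0.0.0.0 Outside` (ASDM reachable from anywhere), the ISAKMP policy that still offers MD5, and the two NAT lines Marcin comments on in his last reply. The sample is a constructed excerpt of the config above with its one-space indentation restored; the severities and check names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the running-config posted above, with the
# one-space indentation the forum rendering lost put back. Interface names,
# addresses and object names are the ones in the post.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
interface GigabitEthernet0/3
 nameif Inside
 security-level 100
access-list Inside_access_in extended permit ip any any
access-list Outside_access_in extended permit ip any any
object network Test
 host 93.186.146.125
 nat (Outside,Inside) dynamic 192.168.1.254
nat (Inside,Outside) source dynamic any interface
access-group Inside_access_in in interface Inside
access-group Outside_access_in in interface Outside
http server enable
http 192.168.1.0 255.255.255.0 Inside
http 0.0.0.0 0.0.0.0 Outside
crypto isakmp policy 10
 encryption 3des
 hash sha
crypto isakmp policy 30
 encryption 3des
 hash md5
"""

Block = Tuple[str, List[str]]  # (top-level command, its indented sub-commands)
Finding = Tuple[str, str]      # (severity, message)


def parse_blocks(text: str) -> List[Block]:
    """Group a running-config into top-level commands plus their sub-commands;
    the ASA indents sub-commands by one space under the command they belong to."""
    blocks: List[Block] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' separators carry nothing
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def security_levels(blocks: List[Block]) -> Dict[str, int]:
    """nameif -> security-level, read from the interface blocks."""
    levels: Dict[str, int] = {}
    for cmd, subs in blocks:
        if cmd.startswith("interface "):
            name = next((s.split()[1] for s in subs if s.startswith("nameif ")), None)
            level = next((s.split()[1] for s in subs if s.startswith("security-level ")), None)
            if name and level is not None:
                levels[name] = int(level)
    return levels


def lint(text: str) -> List[Finding]:
    """Run the four checks and return (severity, message) pairs in check order."""
    blocks = parse_blocks(text)
    tops = [cmd for cmd, _ in blocks]
    levels = security_levels(blocks)
    findings: List[Finding] = []

    # 1. permit ip any any bound inbound on a security-level-0 interface:
    #    the ACL filters nothing arriving from the internet.
    for cmd in tops:
        m = re.match(r"access-group (\S+) in interface (\S+)$", cmd)
        if (m and levels.get(m.group(2)) == 0
                and f"access-list {m.group(1)} extended permit ip any any" in tops):
            findings.append(("high", f"ACL {m.group(1)} on {m.group(2)} permits ip any any"))

    # 2. ASDM/HTTPS management reachable from any source address.
    if "http server enable" in tops:
        for cmd in tops:
            m = re.match(r"http 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", cmd)
            if m:
                findings.append(("high", f"ASDM/HTTPS management open to any address on {m.group(1)}"))

    # 3. IKEv1 phase-1 policies that still offer DES or MD5.
    for cmd, subs in blocks:
        if cmd.startswith("crypto isakmp policy "):
            weak = [s for s in subs if s in ("hash md5", "encryption des")]
            if weak:
                findings.append(("medium", f"{cmd} allows {', '.join(weak)}"))

    # 4. The NAT lines Marcin's reply singles out: object NAT whose real interface
    #    is the lower-security side, and twice NAT with a real source of 'any'.
    for cmd, subs in blocks:
        if cmd.startswith("object network "):
            for s in subs:
                m = re.match(r"nat \((\w+),(\w+)\) dynamic ", s)
                if m and levels.get(m.group(1), 0) < levels.get(m.group(2), 0):
                    findings.append(("info", f"{cmd}: '{s}' maps {m.group(1)} into {m.group(2)}; "
                                     f"outbound PAT is normally an inside-subnet object with "
                                     f"nat ({m.group(2)},{m.group(1)}) dynamic interface"))
    if any(re.match(r"nat \(\w+,\w+\) source dynamic any interface$", c) for c in tops):
        findings.append(("info", "twice NAT with real source 'any'; an object NAT on the inside subnet is the simpler form"))
    return findings


if __name__ == "__main__":
    for sev, msg in lint(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

Run it over a real `show running-config` saved to a file (`lint(open("asa.cfg").read())`); the parser only relies on the ASA's one-space indentation, so the garbled forum rendering above would need its line breaks restored first, as the sample does.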

Hi Steve,

The configuration is displayed incorrectly - can you maybe attach it in a file?

What is not working in VPN, can't you connect or are you having problems passing traffic while connected?

By the looks of it NAT config would require a bit of changes, but maybe you can highlight what you would like to do :-)

There is no reason to do any MAC address tweaks - everything should work without it.

Marcin

Hi Marcin,

Here you go, txt file attached which hopefully will come through OK.

With regards to the VPN the software just doesn't connect, just sits there connecting and then fails.

Cisco Systems VPN Client Version 5.0.02.0090

Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 6.1.7600

Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1 16:00:03.849 12/10/10 Sev=Warning/3 IKE/0xE3000057

The received HASH payload cannot be verified

2 16:00:03.849 12/10/10 Sev=Warning/2 IKE/0xE300007E

Hash verification failed... may be configured with invalid group password.

3 16:00:03.849 12/10/10 Sev=Warning/2 IKE/0xE300009B

Failed to authenticate peer (Navigator:904)

4 16:00:03.850 12/10/10 Sev=Warning/2 IKE/0xE30000A7

Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2238)

Looks like it’s a VPN group issue, I've got some more work to do on this so hopefully I can figure this one out but any help on the other stuff would be great!

Thanks again..

Steve

Steve,

nat (Inside,Outside) source dynamic any interface

and

object network Test
nat (Outside,Inside) dynamic 192.168.1.254

I think you should consider doing it a bit differently.


(this was not checked in the lab)

object network MY_INSIDE
 subnet 192.168.1.0 255.255.255.0
 nat (Inside,Outside) dynamic interface

I understand that you are connecting on the outside interface IP with group name "Test" and the password you have put in there.

Can you double-check the password on both sides? Use something easy in the beginning ... like "cisco".

Hope this helps,

Marcin