Hello Jouni,

Thanks for the fast response. You've hit the nail on the head! All the Wizard created objects were causing my eyes and brain to bleed!

As you have stated, we want the traffic to flow from DEV to MAIN, then to LONDON or VIRGINIA or CHICAGO for now. London, VA and CHI are hosting providers. We have VM's hosted at these locations. So we want to be able to manage them.

London, Virginia and Chicago are all connected to MAIN through L2L.

I've updated the attachments. They should contain the full configs now.

Hi,

I will be able to take a look at this a bit later (maybe in a few hours).

I'll get back to you then.

A couple of additional questions in the mean while

• Do you manage the other sites VPN devices also or just the MAIN and DEV?
• If you manage the other sites are those ASA firewalls also and what software level are they running?

- Jouni

Hello Jouni,

Thanks again. The answer to your question is. I only manage the DEV and MAIN. I do not have direct access to the other firewalls.  I have to submit a request to Verizon or Amazon, if I need to make changes to their FW.

Cheers,

Chuck

UPDATE: I've made a change to the MAIN FW. It looks like traffic is getting all the way from DEV to MAIN, but not beyond. When I look at the ASDM Monitoring. I see the DEV FW transmit 60bytes of ping traffic to 192.168.100.0/24 and the 60bytes being received on the MAIN FW.

This is what I am doing. From the DEV network (192.168.43.0/24), I ping 192.168.100.45/24. I receive the Request Timed Out.

Should I be adding routes?

Hi,

Ok, so lets see what we need to do.

There a basically 2 options on how you can enable traffic from the DEV site through the MAIN site to all 3 HOSTING sites.

1. Request the HOSTING site VPN device admins to all add the DEV network in the L2L VPN connections as a remote network and apply the NAT0 configuration for traffic to pass without NAT being applied to the traffic
2. Dont request any changes to the HOSTING site VPN settings but rather go around this limitation by doing Dynamic PAT / Dynamic Policy PAT for your DEV site traffic after the traffic has entered the MAIN site ASA and before it has entered the VPN connection to the HOSTING sites.

Naturally of the above options the second one enables you to do the changes without waiting around for all the HOSTING sites to make the required changes. If the current traffic from MAIN site works to all the HOSTING sites then you should have no problems getting the traffic from DEV to HOSTING work.

I will go through the second options needed configuration compared to the full configurations you attached earlier. Judging by your UPDATE they might have changed in some parts so take that into account. I will try to use different "access-list" , "object" and "object-group" configurations and naturally introduce net "nat" configurations. If something was to get broken for reason or another then you should be able to revert back to using the old "nat" and "access-list" configurations.

Lets start with the DEV site configurations

DEV SITE

My doubt regarding the DEV SITE is how do you manage the ASA? I can only see management enabled from behind the local networks? Do you perhaps use the VPN Client connection to jump to some internal device and use it to manage the ASA and DEV SITE? I was originally about to remove the NAT configuration for the VPN Client but I imagine that you are using the VPN to manage the ASA in the above mentioned way so we could not do that change without you loosing that connectivity so we would have to leave the current NAT in place UNLESS you enable SSH connectivity through public Internet first so you can have CLI access to the ASA at all times even though you wasnt able to use any VPN connection to DEV SITE. Let me know how you have handle making changes to DEV SITE before making any changes.

The below configurations contain the following steps

• The "object-group" , "object" and "access-list" configurations you see at the start are basically the basis for the configurations we are going to add. The contain the information that the ASA needs to both build the L2L VPN and perform the correct NAT
• After we have created these configurations we remove the current NAT configurations and the ACL from the L2L VPN configurations. This naturally means that there is an outage on the L2L VPN connection.
• At the very last step we use the earlier created "object-group" , "object" and "access-list" configurations to build the new configuration and hopefully also make the configuration easier to read in the process

object-group network REMOTE-SITES

description MAIN and HOSTING sites

network-object 192.168.42.0 255.255.255.0

network-object 192.168.100.0 255.255.255.0

network-object 192.168.200.0 255.255.255.0

network-object 10.1.0.0 255.255.0.0

object network DEV-SITE

subnet 192.168.43.0 255.255.255.0

access-list MAIN-SITE-L2LVPN remark Encryption Domain for MAIN site L2LVPN

access-list MAIN-SITE-L2LVPN permit ip object DEV-SITE object-group REMOTE-SITES

no nat (Inside,Outside) source static NETWORK_OBJ_192.168.43.0_24 NETWORK_OBJ_192.168.43.0_24 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup

no crypto map Outside_map 1 match address Outside_cryptomap

nat (Inside,Outside) source static DEV-SITE DEV-SITE destination static REMOTE-SITES REMOTE-SITES

crypto map Outside_map 1 match address MAIN-SITE-L2LVPN

MAIN SITE

The MAIN SITE is a bit more configuration work simply because it holds 4 L2L VPN connections. With regards to the below changes I presume you are also on site to manage the ASA

The below configurations contain the following steps

• The "object-group" , "object" and "access-list" configurations you see at the start are basically the basis for the  configurations we are going to add. The contain the information that the  ASA needs to both build the L2L VPN and perform the correct NAT
• After we have created these configurations we remove the current NAT  configurations and the ACLs from the L2L VPN configurations. This  naturally means that there is an outage on the L2L VPN connections.
• At the very last step we use the earlier created "object-group" , "object" and "access-list" configurations to build the new configuration and hopefully also make the configuration easier to read in the process

object-group network HOSTING-SITES

description HOSTING sites

network-object 192.168.100.0 255.255.255.0

network-object 192.168.200.0 255.255.255.0

network-object 10.1.0.0 255.255.0.0

object network MAIN-SITE

subnet 192.168.42.0 255.255.255.0

object network DEV-SITE

subnet 192.168.43.0 255.255.255.0

object network HOSTING-VIRGINIA

subnet 10.1.0.0 255.255.0.0

object network HOSTING-CHICAGO

subnet 192.168.100.0 255.255.255.0

object network HOSTING-LONDON

subnet 192.168.200.0 255.255.255.0

object network DEV-PAT-ADDRESS

host 192.168.42.254

access-list DEV-SITE-L2LVPN remark Encryption Domain for DEV site L2LVPN

access-list DEV-SITE-L2LVPN permit ip object HOSTING-SITES object DEV-SITE

access-list DEV-SITE-L2LVPN permit ip object MAIN-SITE object DEV-SITE

access-list HOSTING-VIRGINIA-L2LVPN remark Encryption Domain for HOSTING VIRGINIA site L2LVPN

access-list HOSTING-VIRGINIA-L2LVPN permit ip object MAIN-SITE object HOSTING-VIRGINIA

access-list HOSTING-CHICAGO-L2LVPN remark Encryption Domain for HOSTING CHICAGO site L2LVPN

access-list HOSTING-CHICAGO-L2LVPN permit ip object MAIN-SITE object HOSTING-CHICAGO

access-list HOSTING-LONDON-L2LVPN remark Encryption Domain for HOSTING LONDON site L2LVPN

access-list HOSTING-LONDON-L2LVPN permit ip object MAIN-SITE object HOSTING-LONDON

no nat (Inside,Outside) source static NETWORK_OBJ_192.168.42.0_24 NETWORK_OBJ_192.168.42.0_24 destination static Filmtrack-Dev Filmtrack-Dev no-proxy-arp route-lookup

no nat (Inside,Outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static Rackspace-ORD Rackspace-ORD no-proxy-arp route-lookup

no nat (Inside,Outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static Filmtrack-Dev Filmtrack-Dev no-proxy-arp route-lookup

no nat (Inside,Outside) source static NETWORK_OBJ_192.168.42.0_24 NETWORK_OBJ_192.168.42.0_24 destination static Amazon-Virginia Amazon-Virginia no-proxy-arp route-lookup

no nat (Inside,Outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static Amazon-Virginia Amazon-Virginia no-proxy-arp route-lookup

no nat (Inside,Outside) source static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 destination static Rackspace-LON Rackspace-LON no-proxy-arp route-lookup

no nat (Outside,Outside) source static Filmtrack-Dev Filmtrack-Dev destination static Rackspace-ORD Rackspace-ORD no-proxy-arp

no nat (Outside,Outside) source static Rackspace-ORD Rackspace-ORD destination static Filmtrack-Dev Filmtrack-Dev no-proxy-arp route-lookup

no crypto map Outside_map 1 match address Outside_cryptomap

no crypto map Outside_map 2 match address Outside_cryptomap_1

no crypto map Outside_map 3 match address Outside_cryptomap_2

no crypto map Outside_map 4 match address Outside_cryptomap_3

crypto map Outside_map 1 match address DEV-SITE-L2LVPN

crypto map Outside_map 2 match address HOSTING-CHICAGO-L2LVPN

crypto map Outside_map 3 match address HOSTING-VIRGINIA-L2LVPN

crypto map Outside_map 4 match address HOSTING-LONDON-L2LVPN

nat (Inside,Outside) 1 source static MAIN-SITE MAIN-SITE destination static DEV-SITE DEV-SITE

nat (Outside,Outside) 2 source dynamic DEV-SITE DEV-SITE-PAT destination static HOSTING-CHICAGO HOSTING-CHICAGO

nat (Outside,Outside) 3 source dynamic DEV-SITE DEV-SITE-PAT destination static HOSTING-VIRGINIA HOSTING-VIRGINIA

nat (Outside,Outside) 4 source dynamic DEV-SITE DEV-SITE-PAT destination static HOSTING-LONDON HOSTING-LONDON

The main diffence in the above configurations for MAIN SITE are how we do NAT and how we configure the new L2L VPN ACLs.

• The MAIN SITE to DEV SITE ACL and NAT is quite straight forward. As you can manage both sites you naturally have NAT0 configured and both networks can connect with eachother through the L2LVPN.
• All of the HOSTING SITES only have the MAIN SITE address space as source in the L2L VPN to avoid the need for changes on the HOSTING SITES VPN devices. The NAT configurations for the DEV to HOSTING SITES is done so that we NAT any source address from DEV SITE to the IP address under DEV-SITE-PAT. Since this IP address is part of the MAIN SITE subnet it matches also the current MAIN SITE to HOSTING SITES L2L VPN connections and therefore connectivity should be fine.
• Naturally the Dynamic PAT that we perform from DEV SITE to HOSTING SITES means that only DEV SITE can open connections to HOSTING SITES and not the other way around. To be able to connect from HOSTING SITES to DEV SITE would mean that we would configure Static NAT for the DEV SITE IP addresses to some MAIN SITE IP address towards the HOSTING SITE L2L VPN connections.

The above contains quite a bit of configurations and text. I hope you are able to make out what I aiming with my example configurations. My main worry (as mentioned before) is the fact that you should make sure that you have CLI access to both MAIN SITE and DEV SITE ASA so you are in no way reliant on any VPN connection to manage each ASA during these changes. So if you are at MAIN SITE LAN when doing changes then make sure that you can log onto the DEV SITE ASA using the external public IP of the DEV SITE ASA. You should allow the SSH connections from the MAIN SITE public IP address of the ASA. This way remote management of DEV SITE ASA should stay unchanged.

Since it seems you have not yet used SSH on the DEV SITE you would need these configurations possibly

ssh version 2

ssh timeout 30

ssh

ssh 255.255.255.255 Outside

crypto key generate rsa modulus 1024

With I mean a public IP address from where you can initiate management connections to manage the ASA.

You could also consider doing the same with the "http" commands you already have so you can atleast temporarily use ASDM from the external network also.

Hope I made any sense

Let me know what the situation is and if you can try the changes out

- Jouni

Hello Jouni,

WOW! Thanks for taking the time to compile this email. I really appreciate it. I'll go through it. From what I've read so far, it looks pretty and pretty straight forward. I'll see about getting it implemented.

Answering some of the question you asked...

I console directly into the DEV ASA. As for the MAIN ASA, I go through the current L2L VPN. I believe I can also connect through a different VPN at the main site and connect to the MAIN ASA that way. I don't have to connect through any other machine to connect to the MAIN ASA.

-Chuck

Hi,

If you are at the DEV SITE I would suggest configuring the MAIN SITE ASA so that you can use the Internet connection of the DEV SITE (and its public IP address) to connecto the MAIN SITE ASA with SSH. Since we are doing changes to the L2L VPN and NAT on both MAIN and DEV site there is a risk that your remote connection might be affected and that could cause problems.

If you have the ability to connect to the MAIN SITE ASA directly through the Internet then no VPN or NAT related changes at either of your sites will effect that SSH connection and you should not have risk of loosing the management connection.

Do let me know how it goes if you are going to attempt the changes.

Hope it all goes well.

Remember to save the current configurations if there is a need to roll back to the original setup.

- Jouni