Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Site to Site VPN with Internet Access

Hi,

I am trying to get few of the sites connected to the main office via the VPN connection using asa 5505/5510. Also the servers on the individual sites need to have internet access of their own with their static ip. I am able to configure the site to site VPN without any issues. But as soon as i start to give assign static ip to those servers we start facing some issues. Following is the config that i have. Any help would be appreciated.

Attached are the config files

Thanks

Chets

6 REPLIES
Bronze

Site to Site VPN with Internet Access

Hi Chets,

I am not sure if I understand your problem.

So you have couple remote sites and you have s2s VPn established betweein this sites.

You need your server to access internet and also communitcate via VPN tunel with central site right?

I don't understand what you say about assiging static IP addresses to server you start facing some problems. So your servers has DHCP IP addresses assigned and after static configuration is stop communicate woth remote site?

Please describe it more detailed.

Thank you,

Jan

New Member

Site to Site VPN with Internet Access

We have 4 servers in remote site and only 2 need to have public static ip to go out to the internet. To achieve this i did add the following statements to remote site asa 5505.

static (inside,outside) 2.2.2.51 192.168.168.51 netmask 255.255.255.255

static (inside,outside) 2.2.2.52 192.168.168.52 netmask 255.255.255.255

access-list outside extended permit icmp any any

access-list outside extended permit ip any any

access-group outside in interface outside

access-group inside in interface inside

After these were added i was able to ping the 4.2.2.2 and any other IP address successfully but could not do the DNS resolution. The server's nic card are assigned static private address and the DNS server ip is the one provided by the ISP. Also, i checked with the ISP and they say that they are not seeing the asa 5505 arping for the DNS servers.  Also all the server at remote site start having intermittent connectivity to even the internal systems located on the central site. Can you please tell me what mistake am i doing.

Thanks

Chets

Super Bronze

Site to Site VPN with Internet Access

Hi,

There should be no problem having a L2L VPN between sites and also having Static NAT configured for hosts on the remote site.

You have NAT0 configuration for the remote LAN towards the other LAN networks and the main site. This NAT0 will naturally only apply to that traffic. The Static NAT should apply for any other destination network behind the "outside" interface of the ASA other than the main site LAN networks (as NAT0 applies before Static NAT)

I am not sure what your ISP is on about with regards to ARP. That doesnt make any sense at all. Your host will certainly not ARP the ISP DNS server or the ISP DNS server would have to be located on your network directly. So I am not sure what they are on about. I am wondering if they just mean that they can't see DNS requests from your servers since the above reason doesnt make any sense at all.

When the servers have Static NAT configured you can naturally use the ASA itself to test what happens to their DNS connections

packet-tracer input inside udp 192.168.168.51 12345 53

packet-tracer input inside udp 192.168.168.52 12345 53

This would tell where the traffic is forwarded, if its allowed and what NAT configuration is applied to it.

What DNS servers are now configured on those servers? Are they using some internal DNS as the primary DNS or the ISP one? If they for some reason dont require an internal DNS server then you could naturally try the IP 8.8.8.8 as the primary DNS.

I just dont see why your servers would be able to use the L2L VPN and the local Internet connection at the same time.

Your attached configuration for the remote site contains an INSIDE ACL that only allows ICMP. You state above that you attach that ACL to your "inside" interface? I presume you have allowed all traffic from the LAN in the actual ACL you use? Otherwise all connections from the remote LAN would get blocked (all but ICMP)

- Jouni

New Member

Site to Site VPN with Internet Access

The servers are configured with the IP address provided by the ISP for the Primary DNS. For some reason the DNS resolution does not work. I have even tried 8.8.8.8 as primary DNS on the servers and still no luck.

Also, I just noticed that following config is not there in the remote ASA. Could this be the reason?

-------------------------------------------------------------------

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 2000

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

  inspect icmp error

  inspect ip-options

!

service-policy global_policy global

-----------------------------------------------------------------------

Thanks

Chetan

Super Bronze

Site to Site VPN with Internet Access

Hi,

Can't really be 100% sure without checking but DNS inspection is something that is enabled by default. I know it does check that only one DNS reply gets back to the host.

But I am also under the impression that without it you would possibly have to have a permitting statement on the ASA to allow the DNS replys back to the hosts from the external network.

Do you have any such rules permitting UDP/53 traffic from the external network with an ACL? I would imagine if this was the problem them other hosts should be suffering from DNS problems also. Unless ofcourse there is an ACL rule permitting the UDP/53 traffic to the PAT IP address shared by the internal hosts BUT NOT the public IP address configured for this Static NATed server.

I always keep the default Policy Map configuration on the ASA and modify it as needed.

- Jouni

New Member

Site to Site VPN with Internet Access

Hi Jouni,

Currently there is no ACL for permitting UDP/53 traffic. Also i had attached the complete config for the 2 firewalls at central and remote site when i started this discussion. So you can see that to get an idea. Also the other servers are not using DNS resolution as they are only connecting to the central site via VPN to a particular server and they are just using IP address to communicate. Nothing else.

Thanks for your help.

Chets

270
Views
0
Helpful
6
Replies
CreatePlease login to create content