VPN to Internal Network Interface...

Venture101
Level 1

Hi Folks,

This evening I tried mocking up a design to create a VPN across our Corporate Network from the Outside Interface of a Cisco ASA 5505 (Remote Site) to the Inside Interface of an ASA 5510 (Local Site).

However, because I was trying to communicate with the Inside Interface of my local Firewall and then have the traffic pass back OUT that interface, every single packet (Pings & the VPN traffic) was being denied due to IP Spoofing Errors.

I checked and the Anti-Spoofing on all my Interfaces is currently turned off.

I understand that setting up a VPN to the Inside Interface is rather unorthodox, but in this situation it's necessary because, although the remote site is "Corporate" so to speak, they are a different subsidiary of our company and can't be allowed to view any of the information that I want to send over the tunnel.

All I can think of at present is that I'm going to have to set up another Sub-Interface alongside the Inside and then route the traffic back out that somehow.

Any ideas would be appreciated and I can put up censored configs/drawings if required.

Thanks

Ewan

2 Replies

ajay chauhan
Level 7

I don't think there should be any issue configuring the inside interface for VPN. Please post your configuration and also mention what you are trying to access.

Thanks for your response, Ajay. I have been given the following solution (a post on an incorrect board), which I'm going to trial on Saturday in the lab, but please review in the meantime:

Create a new network segment inside your network (such as an extranet setup), then create a policy-based static NAT to the inside interface on the ASA (local) with an ACL.

Your remote VPN tunnel peer's interesting traffic identifier ACL will include your local inside address as interesting traffic; when that particular traffic hits your FW (local) it will static translate to the new extranet subnet you created.

As far as your remote VPN peer is concerned, that remote VPN peer sees only your inside (local) address on the VPN tunnel.

Thanks

Ewan
