ASA 5510 - VPN for DMZ with static rule?
I have a 5510 ASA with a number of virtual private networks to other sites, allowing the traffic to and from the Interior of the networks.
I need to establish a VPN rule to another site, but they have very little access to resources on my local network. Because I am not in control of the SAA on this end permanently, I need to control that access on my 5510.
(the following is not my real IP, but I use them for this example)
My network: 10.100.1.x
My DMZ: 192.168.1.x
Internal network of other sites: 172.16.1.x
I wanted to try to create a VPN between the site and the specific address of DMZ on my side and then allow access to internal addresses using static rules. I decided to use a static rule to enable http access to a specific server (for example):
static (inside, dmz) 192.168.1.200 tcp 80 10.100.1.200 80
I need allow traffic here:
access-list permits DMZ_IN tcp host 172.16.1.10 host 192.168.1.200 eq 80
Access-group interface dmz DMZ_IN
And of course, rules of access list which allow traffic that I can apply to the VPN:
toSite host 192.168.1.200 ip access list permit 172.16.1.10
And I don't want that traffic THAT NAT had between my DMZ and the other site:
nonatDMZ of the host 192.168.1.200 ip access list permit 172.16.1.10
NAT (dmz) 0-list of access nonatDMZ
NAT (dmz) 1 0.0.0.0 0.0.0.0
And, of course, the corresponding rules on their ASA must be in place, allowing traffic to 192.168.1.200, not NAT it.
Everything is in place, but 172.16.1.10 to 192.168.1.200 http traffic never reaches 10.100.1.200. I know the following:
1. the VPN is configured correctly. If I add rules allowing traffic to (and from) 172.16.1.10 and 10.100.1.200 directly, they work.
2 packet trace shows me that traffic is allowed.
3. the works of static rule: to access the 192.168.1.200:80 of another host on the same interface, DMZ, which brings me to 10.100.1.200:80
4. in the process of running a sniffer package on 10.100.1.200 shows 172.16.1.10 traffic does not reach it.
So I'm banging my head against the wall here. I'm sure it's something simple I'm missing. Anything else I need to check? Should I go about this a different way?
Thank you.
What you are trying to reach is not supported. You cannot configure NATing between the inside and the demilitarized zone interfaces while your VPN connection is from the external interface. The static NAT (inside the dmz) that you have configured will only work if the connection is initiated from the inside towards the demilitarized zone and vice versa.
I think that what you are trying to reach is only allowing access on TCP/80 to10.100.1.200 for the VPN tunnel.
You must configure your option 1:
1. the VPN is configured correctly. If I add rules allowing traffic to (and from) 172.16.1.10 and 10.100.1.200 directly, they work.
You can configure vpn-filter to limit the traffic to the only TCP/80, and he attributed to group policy that you have assigned to this particular tunnel group then.
Example:
web access list - allow permit tcp host 172.16.1.10 host 10.100.1.200 eq 80
internal group-policy-strategy web
attribute group web-strategy strategy
value of VPN-filter web - allows
global-tunnel-group attributes
Group Policy - by default-web-policy
Here is an example configuration for your reference:
Hope that helps.
Tags: Cisco Security
Similar Questions
-
ASA 5510 VPN for remote access clients are asked to authenticate on box
Don't know what's the matter, but my remote access users are invited to join the ASA before connecting to the tunnel. How can I disable this? Config is attached. Thank you all -
For remote access connections, you can turn off the prompt xauth (user/pass) with the following:
Tunnel ipsec-attributes group
ISAKMP ikev1-user authentication no
-heather
-
Cisco ASA 5510 VPN Site to Site with Sonicwall
I am trying to configure a tunnel between a Cisco ASA 5510 VPN (Version 8.2 (2)) and TZ200 Sonicwall. I rose tunnel and go and I am able to ping the internal IP address of Cisco ASA of the Sonicwall LAN but nothing work. When I try to ping a host behind the Cisco ASA of the Sonicwall LAN I get the following message "rules asymmetrical NAT matched for flows forward and backward; Connection for tcp src outside:10.20.10.x/xxxx dst inside:10.20.2.x/xxxx refused due to failure of reverse path of NAT"on the SAA
Googling the error above shows the problems with version 8.3 or later that resembled the nat commands have been changed SAA, train is still on 8.2 but I another common question does not add an exemption of NAT I have double-triple checked that I did add an exception rule of NAT of the hosts on the network from cisco for the guests of the Sonicwall network. Looks like I hit a road block so any help would be appreciated. Thank you
Here are a few excertps of the config file (10.20.2.0 behind the cisco) and 10.20.10.0 behind the sonicwall
NAT (inside) 0 access-list sheep
..
IP 10.20.2.0 allow Access-list extended sheep 255.255.255.0 10.20.10.0 255.255.255.0
access extensive list ip 10.20.2.0 outside_1_cryptomap allow 255.255.255.0 10.20.10.0 255.255.255.0
..
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set counterpart x.x.x.x
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
..
crypto ISAKMP allow outside
crypto ISAKMP policy 5
preshared authentication
3des encryption
sha hash
Group 2
lifetime 28800
..
internal SiteToSitePolicy group strategy
attributes of Group Policy SiteToSitePolicy
VPN-idle-timeout no
Protocol-tunnel-VPN IPSec
Split-tunnel-network-list no
..
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x General attributes
Group Policy - by default-SiteToSitePolicy
tunnel-group ipsec-attributes x.x.x.x
pre-shared key *.
..
Added some excerpts from the configuration file
Hello Manjitriat,
Okay, detected IPSEC parody is normal, that means you are trying to send unencrypted on a line of encrypted packets.
Now, if you see on the plotter of package that traffic will hollow the VPN channel all its fine in your site.
Now the packet tracer must be something like this:
entrance to Packet-trace inside private_ip_lan destination_private_ip_lan 1025 tcp 80
Please provide us with the result of the following instructions after you run the packet tracer.
See the crypto Isakamp SA
See the crypto Ipsec SA
Kind regards
Julio
-
ASA 5510 - tips for setting up - no internet
Hi all
I'll set up an ASA 5510 for the first time using the GUI.
I put 0/0 0/1 and outside as inside.
I set up outside with the static WAN address, and it is connected to my ISP.
But I can't do everything Internet works on the inner harbor. I've read elsewhere, I need to add a static route. Can someone please advise?
You must place a default route to carry traffic from inside to outside. Use the GUI to place a static route 0.0.0.0 0.0.0.0 for the ip address of your next hop ip of the connection to the ISP.
Sent by Cisco Support technique Android app
-
Hi all.
I search the internet to find a way or all first, whether it is possible to do what I want to do, but I can't find anything corresponding to what I'm looking for. Possible that I don't have the right keyword.
We change our old Pix 515e this weekend and for any new ASA 5510.
With this new facility, I want to implement Radius Authentication for the user remote vpn. Change the firewall of the company is an important factor and for the first phase, the user will keep authenticate locally but I need that in phase 2, they will be authenticated through a radius server.
Is there a way to configure both user authentication remote vpn?
For example.
All users will be authenticated locally unless the service member COMPUTER that is authenticated by the radius to the testing server.
I have remote vpn users anywhere in the world if I don't want these users are blocked by the radius authentication test. What I want is that users in Group1 will be authenticated locally on the SAA and users in group2 will be authenticated by the RADIUS. During the test will be done, all users will gradually transfer for radius authentication.
Is it possible
Thank you
Jonathan
Network administrator
Hi Jonathan,.
The best way to go about this would be that you set up another group strategy & corresponding tunnel group named Test and set up Radius Authentication for VPN group using the link below: -.
Ones you have done test and feel confident, you can change the type of authentication for the Production Group. The reverse could be implemented double authentication as RADIUS and if it does not use local but personally I'll put up a group of test and then those I am confident, that I'll change the strategy of Production Group to use the Radius Server to auth.
Manish
-
ASA 5510 vpn remote access - must now be added vpn site-to-site.
We currently have a configuration of remote access vpn and all this hard work.
I need to configure a vpn lan lan 2 now.
Can someone point me to the documentation on that? I used the command line to add a site to site and wrong on it and disconnected me when I applied the crypto map to the external interface. Do I need another card encryption or should I use my existing?
Shannon,
Please see the below URL for more configuration information. Even if that configuration is dynamic to static IPSEC, you can use the concept to build the Tunnel L2L with static IP.
Let me know if it helps.
Kind regards
Arul
* Please note all useful messages *.
-
How can I dedicate a single ip address to a client on asa 5510 vpn
Hi all
My question is...
How can I dedicate a unique to a single customer VPN VPN NAT ip? I don't want this ip address used by another vpn client...
I got an ASA 5510 with a
DHCP pool.
5.0 Cisco vpn client
Thank you
You are welcome. Please note the answers and mark your question answered to increase the value of the instance.
-
I have problem in LDAP ASA, I want to create LDAP authentication in remote access VPN before I try, I want to try local LDAP and the problem
debugging ldap 255
ldap authentication, aaa-server test
Name or IP address of the server: 10.40.5.2
Username: rian
Password: *.
[2] starting a session
[2] new query Session, context 0x41d1a04
starItedr
[2] create LDAP context with uri = ldap://10.40.5.2:389
NFO: Attempt to <10.40.5.2>IP address authentication test (timeout: 12 seconds)
[2] to connect to the LDAP server: ldap://10.40.5.2:389, status = success
[2] failed to bind as returned administrator code of invalid credentials (49)
[2] output fiber Tx = 37 bytes Rx = 109 bytes, status =-2
[2] end of session
ERROR: Authentication server fails: invalid password
What is the problem?
If I connect to the server with the username and password for ldap, I can connect. more information I have 2 domain first id.seapro.ad.crs.org second ID (ID of the domain user). I have the first field of use Plug and second not too.
Please help me, what is the problem?
Right answers. 'administrator' is not a valid dn connection in an ldap infrastructure. Follow what srue said and that will lead you in the right direction.
(6 points in this conversation).
-
Cisco ASA 5510 VPN with PIX 515
Hello
I have VPN between Cisco ASA and Cisco PIX.
I saw in my syslog server this error that appears once a day, more or less:
Received a package encrypted with any HIS correspondent, drop
I ve seen issue in another post, but in none of then the solution.
Here are my files from the firewall configuration:
Output from the command: 'show running-config '.
: Saved
:
ASA Version 8.2 (1)
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto WAN_map2 2 corresponds to the address WAN_cryptomap_1
card crypto WAN_map2 2 set pfs
card crypto WAN_map2 2 peer 62.80.XX game. XX
map WAN_map2 2 game of transformation-ESP-DES-MD5 crypto
card crypto WAN_map2 2 defined security-association 2700 seconds life
card crypto WAN_map2 2 set nat-t-disable
card crypto WAN_map2 WAN interface
enable LAN crypto ISAKMP
ISAKMP crypto enable WAN
crypto ISAKMP policy 1
preshared authentication
the Encryption
md5 hash
Group 5
lifetime 28800
No encryption isakmp nat-traversal
tunnel-group 62.80.XX. XX type ipsec-l2l
tunnel-group 62.80.XX. IPSec-attributes of XX
pre-shared-key *.++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
8.0 (4) version PIX
!
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card encryption VPN_map2 3 corresponds to the address VPN_cryptomap_2
card encryption VPN_map2 3 set pfs
card crypto VPN_map2 3 peer 194.30.XX game. XX
VPN_map2 3 transform-set ESP-DES-MD5 crypto card game
card encryption VPN_map2 3 defined security-association life seconds 2700
card encryption VPN_map2 3 set security-association kilobytes of life 4608000
card VPN_map2 3 set nat-t-disable encryption
VPN crypto map VPN_map2 interface
crypto ISAKMP enable VPN
crypto ISAKMP allow inside
crypto ISAKMP policy 30
preshared authentication
the Encryption
md5 hash
Group 5
lifetime 28800
No encryption isakmp nat-traversal
ISAKMP crypto am - disable
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec
tunnel-group 194.30.XX. XX type ipsec-l2l
tunnel-group 194.30.XX. IPSec-attributes of XX
pre-shared-key *.If you need more information dedailed ask me questions.
Thanks in advance for your help.
Javi
Hi Javi,
Please after the release of "see broadcasting DfltGrpPolicy of any political group." See if you have the "vpn-idle-timoeout" command configured in that. If so, please change to "vpn-idle-timeout no" and see if that stops at these popping up error messages.
http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/uz.html#wp1571426
Thank you and best regards,
Assia
-
ASA 5510 VPN - using a public IP address for the local network
Hello, I have a problem which is probably very simple, but I can't seem to understand.
I set up a site IPsec connection to another with a company, something I've done many times before without a problem. I use ASDM to configure this, because it is quick and painless, usually.
We have one number of other site-to-site currently configured connections and works very well on this ASA, these are configured with the "Protected network - LAN" configured with the IP private of hosts within our network, we want to make available through the separate tunnels. This includes the configuration setting on our ASA for each connection to "guests aside ASA exempt from NAT.
With this new link, however, the company asked us to use a public IP address for the host that we want to achieve through the tunnel. I don't know why, but they demand it. So I added a NAT rule for inside the host and set up the connection with the public IP address under "Local network". During the test to try to reach a host to their side, the tunnel didn't even try to open.
What is the method here? I don't see where I'm wrong. I'm guessing that the 'host side ASA exempt from NAT' does not require for this, how if the ASA would know which internal host is the public IP address.
Any ideas?
Hi Leo,
The steps are:
1. Add the policy rule NAT for the specific host.
2 - define the IP NAT as your LOCAL NETWORK address in the encryption settings.
3 make sure that there is no rule NAT exempt for this host to the specific destination.
What happens if you run a package tracer?
Thank you.
-
ASA 5510 Auth for site-to-site VPN users
Hello
is there a way we can get the ASA to prompt users VPN site-to-site to authenticate on ASA/RADIUS before access resources head behind ASA such as Sharepoint etc allowed in via respective VPN ACL?
I never did, but you should be able to use authentication 'Cut Through'.
Basically, the user has little or no access, and the ASA intercepts a request, such as via HTTP and then authenticates the session. After that the user can access all that you allow them.
-
ASA 5510 VPN multiple tunnels through different interfaces
Is it possible to create VPN tunnels on more than one interface to an ASA (specifically 5510 with 8.4), or I'm doing the impossible?
We have 2 public interfaces on our ASA connected to 2 different suppliers.
We must work L2L tunnels of the SAA for remote offices through the interface that is our ISP 'primary' and also used as our default gateway for internet traffic.
We are trying to install a remote office use our secondary connection for its tunnel (office of high traffic we would prefer separate away from the rest of our internet and VPN traffic).
I can create the tunnel with the ACL appropriate for traffic tunnel, card crypto, etc., put in place a static route to force ASA to use the secondary interface for traffic destined for the public of the remote gateway IP address, and when I finished, traffic initiated by the remote site will cause the tunnel to negotiate and find - I can see the tunnel in Show crypto ikev1 his as L2L answering machine MM_ACTIVE , Show ipsec his with the right destination and correct traffic local or remote identities for interesting, but the ASA local never tries to send traffic through the tunnel. If I use tracers of package, it never shows a VPN that is involved in the trafficking of the headquarters in the remote desktop, as if the SAA is not seeing this as for the corresponding VPN tunnel traffic.
If I take the exact same access and crypo card statements list and change them to use the primary ISP connection (and, of course, change the remote desktop IP connects to), then the connection works as expected.
What Miss me?
Here is a sample of the VPN configuration: (PUBLIC_B is our second ISP link, 192.168.0.0/23 is MainOffice 192.168.3.0/24 is FieldOffice)
permit access list range 192.168.0.0 PUBLIC_B_map 255.255.254.0 192.168.3.0 255.255.255.0
NAT (Inside, PUBLIC_B) static source MainOffice MainOffice static FieldOffice FieldOffice
card crypto PUBLIC_B_map 10 corresponds to the address PUBLIC_B_map
card crypto PUBLIC_B_map 10 set counterpart x.x.x.x
card crypto PUBLIC_B_map 10 set transform-set ESP-3DES-SHA ikev1
PUBLIC_B_map PUBLIC_B crypto map interface
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group ipsec-attributes x.x.x.x
IKEv1 pre-shared-key *.
Route PUBLIC_B x.x.x.32 255.255.255.224 y.y.y.y 1
If I take this same exact configuration and change it to use PUBLIC (our primary connection) instead of PUBLIC_B, remove the instruction PUBLIC_B route and change the desktop to point to the ip address of the PUBLIC, then everything works, so my access list and crypto map statements must be correct.
What I don't understand is why the ASA Head Office does not seem to recognize interesting for the tunnel traffic when the tunnel is for the second ISP connection, but works when it is intended for the main ISP. There is no problem of connectivity with the ISP Internet B - as mentioned previously, the tunnel will come and negotiate properly when traffic is started from the desktop, but the traffic of main office is never sent to the bottom of the tunnel - it's as if the ASA does not think that traffic of 192.168.0.x to 192.168.3.x should pass through the VPN.
Any ideas?
Hello
I think your problem is that there is no route for the actual remote network behind the VPN L2L through ISP B connection
You could try adding add the following configuration
card crypto PUBLIC_B_map 10 the value reverse-road
This should automatically add a static route for all remote networks that are configured in the ACL Crypto, through the interface/link-ISP B.
If this does not work, you can try to manually add a static route to the ISP B link/interface for all remote networks VPN L2L in question, and then try again.
The route to the remote VPN peer through the ISP B does not to my knowledge.
I would like to know if it works for you.
It may be useful
-Jouni
-
ASA 5510 VPN dedicated Internet connection
I have a 5510 ASA with a second internet connection on his way. I would like to have an internet connection dedicated to my VPN Site to Site traffic and the other left to manage the public internet traffic. I know that I can do this with a static route, but today, I noticed the "tunnel" option How exactly does the tunnel option work mode and it works better for my situation?
Rob,
(Simplification) "Tunnel" option tells what to do with traffic, once it has been for example inbound VPN decapsulted.
In your case, static routes for remote tunnel endpoint + RRI points will do.
M.
Edit: I would advise yo forget about the end of the dynamics of peers (dynamic IP L2L or ezvpn) solutions on any interface that does not have a default route on this subject.
-
site-to-site between ASA 5510 (8.4 (2)) w / static IP and Dlink DIR130 w / dynamic IP.
I'm trying to implement a VPN site link to site between the ASA5510 we use exclusively as a VPN endpoint on campus and a D-Link DIR130 router off campus, to a local company with a dynamically assigned IP address. We currently use the ASA to remote access users who use the Cisco VPN client on mobile devices, as well as a link to site-to-site unique in our telecommunications provider for the purposes of remote monitoring telecoms equipment.
We are looking for a way to deploy at a lower cost of VPN connections for local businesses to allow them to use the devices for sale which connect to systems on campus, so students can use their meal in local restaurants cards, similar to the way they use them in the cafeteria on campus.
I have experience setting up Cisco switches, routers and APs, but ASA appliance absolutely baffles me. I futzed with the AMPS 6.4 config autour gui and tried to match the configurations between the DIR130 and the ASA, but I can never get a VPN to come. Anyone who can point me to an example, or provide me with help on this would be appreciated. I have google searched and found very little, with my limited experience in setting up ASA, I ask to my script.
You must configure the static route on the 6509 for 192.168.5.0/24 to ASA inside the interface:
IP route 192.168.5.0 255.255.255.0 131.162.160.2
Assuming that 131.162.160.1 is your 6509
-
On ASA 5510 VPN works do not but the work stations
We have an ASA 8.2 (3) running and have two VPN site to site running on it. The second VPN we just establish the other day, and of the SAA itself, it seems to work. We are able to ping remote hosts from the ASA without problem. However, on this second VPN all hosts on our local network cannot reach the remote party... Trying to understand what could happen. Applicable config below (please forgive the mistakes and formatting):
interface Ethernet0/0
nameif outside
security-level 0
address IP WAN. IP. ADDR 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
IP 192.168.21.1 255.255.255.0
!
interface Ethernet0/2
Shutdown
nameif intf2
security-level 0
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Shutdown
nameif management
security-level 100
no ip address
management only
!
access extensive list ip 192.168.21.0 outside_cryptomap allow 255.255.255.0 10.50.50.0 255.255.255.0
Access-group acl_out in interface outside
Crypto ipsec transform-set esp-3des esp-sha-hmac ATLAS-TS
life crypto ipsec security association seconds 28800
card crypto mymap 2 match address outside_cryptomap
card crypto mymap 2 together peer PEER. WAN. IP. DEA
card crypto mymap 2 game of transformation-ATLAS-TS
map mymap 65535-isakmp ipsec crypto dynamic dynmap
mymap outside crypto map interface
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 5
preshared authentication
3des encryption
sha hash
Group 2
ISAKMP crypto 10 nat-traversal
tunnel-group of PEERS. WAN. IP. ADDR type ipsec-l2l
tunnel-group of PEERS. WAN. IP. ADDR ipsec-attributes
pre-shared key *.
Hello
Seems to me that his dynamic State PAT shot meant for Internet traffic
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT (inside) 1 0.0.0.0 0.0.0.0
is the intellectual property inside everything outside of any
dynamic translation of hen 1 (WAN. IP. ADDR.162 [Interface PAT])
translate_hits = 6186208, untranslate_hits = 145616
Additional information:
Translation dynamic 192.168.21.100/0 to WAN. IP. ADDR.162/12936 using subnet mask 255.255.255.255
So you might miss the NAT0 configuration for this connection
Do the following
Issue the command "Display running nat" and you should see a NAT0 configuration for the 'inside' interface. Something like that
NAT (inside) - 0 access list
Next, you will need to check the ACL configuration
See the list of access running
You can add local and remote network that need to communicate through that VPN L2L connection to this ACL
So for examples sake lets assume that your ASAs directly related "inside" subnet needs to access the remote network, and then you would add
ip 192.168.21.0 access list allow 255.255.255.0 10.50.50.0 255.255.255.0
So use the above configuration format with good source and network of destination, as well as the correct name of the ACL and add the required ACL lines and then try to host LAN connections.
Hope this helps
Remember to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary
-Jouni
Maybe you are looking for
-
There is no tab under Favorites organize bookmarks. I want to import my favorites saved to a file. How can I do this?
-
my bluetooth does not work on my hp probook 4320 s
my bluetooth does not work on my hp probook 4320 s, no devices can be detected, files cannot be sent or received, even my mobile phone cannot detect the computer
-
Intereaction of Asic with Nand memory
Hi all I'm new to this forum. I will start my display by basic heading. Interation of ASIC with nand. I'm working e.mmc device Hi has a knowledge base on this subject. How can I get more information about it. How to create a topic in this form. Pleas
-
Explorer.exe crashes by clicking the context menu items
Hi guys,. I have XP Professional SP3 and when I right click on a file and select a voice as 'open' or 'open with' from the context menu, explorer.exe crashes... The description of the error event is (in Italian): "Application che ha provocato error e
-
Changing colors on right click context menu
original title: change highlight When I right click on the desktop in a drop-down list appears. Is there a way to change the highlighting when I move my mouse over there? Also the top of the window where it has File, Edit, etc when I move the mouse i