
ASA vpn routing question

Status
Not open for further replies.

boymarty24

Technical User
Aug 21, 2003
362
SE
Hi!

I have one ASA 5510 connected to the internet. I have a routed network provided by my ISP to my remote offices behind the ASA. That part works great with the permit intra traffic feature. I have one VPN tunnel to one office, an 871. The tunnel works fine, but I want to configure the VPN so that the 871 can access my networks provided by my ISP. As it is today the 871 only has access to the ASA network (main office).

Tried some different configurations but can't get the 871 to reach the remote offices. Anyone know how to accomplish this?

I am attaching the worst layout ever =)

Martin
 
Hi Brent,

I've tried a similar document from Cisco but haven't got it to work. Perhaps I need to connect my ISP's network to a DMZ interface for this to work? As it is now both the ISP router 192.168.10.1 and my ASA 192.168.10.2 are on the same network.

My scenario might not be possible?

Martin

 
Really? That should work. I have set it up with a PIX to ASA before for a client, and I just added the extra internal networks to the ACLs and made sure there was a route on the internal routers. What are you doing on the 870?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
On the 871 I have added the subnets to the ACL. That's about it. But I mailed the ISP to check if the route exists.

On the 871 I have, in short:

IPsec ACL: 192.168.6.0/24 192.168.10.0/24
192.168.6.0/24 192.168.5.0/24

That should do it, right? Or am I all wrong here?

Marty

BTW, thanks for the help Brent
 
Don't forget to add them to the nat exemption.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hi,

Yeah, I did that: access lists and NAT exemptions at the 871 for the subnets.

The tunnel goes up but gets unstable. The ASA shows that no proposals are found from time to time. If I remove the extra added networks the tunnel gets stable.

And I don't get a connection to any of the remote offices.

Damn, I don't like the 800 series. Thinking of sending up a 5505.
 
Just remember that all crypto ACLs have to match on both ends of the tunnel.
 
That's what's bothering me. Since the ASA has route inside statements to the ISP router, wouldn't the crypto ACLs conflict with the inside routes? Or do crypto ACLs have higher priority than route commands?

ISP router IP: 192.168.10.2
ASA: 192.168.10.1

Routes at ASA:

route inside 192.168.5.0 255.255.255.0 192.168.10.2
etc...

All the remote offices use the ASA as internet gateway.




 
The crypto ACLs merely specify what traffic to encrypt; they don't have any routing control.
 
Hmm, not sure if I understand.

At my 871 I have the following crypto ACLs:

192.168.6.0/24 192.168.10.0/24 (ASA LAN)
192.168.6.0/24 192.168.5.0/24 (one of the remote offices' LAN)

I have mirrored ACLs at the ASA.

What if a user at the ASA LAN makes a request to 192.168.5.5? Wouldn't the ASA have both the route inside statement mentioned above and the crypto ACL pointing at two different connections? The route statement points to the ISP router at 192.168.10.1 and the crypto ACL to the VPN tunnel.

I feel stupid at the moment =) I really can't see how to solve this.
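Brent's three points in this thread (the crypto ACLs must be mirror images on both ends, the NAT exemption must cover the same flows, and a crypto ACL only selects what gets encrypted while the routing table decides which interface a packet leaves on) fit together as one configuration. The block below is an added example written for this thread, not configuration posted by Martin or Brent. It assumes the addressing Martin gives in the thread (ASA inside 192.168.10.1, ISP router 192.168.10.2, 871 LAN 192.168.6.0/24, one remote office on 192.168.5.0/24), ASA 8.2-style `nat 0` syntax, that the 871's WAN port is FastEthernet4, and placeholder peer addresses and object names; ISAKMP policies and pre-shared keys are left out.

```cisco
! ---- 871 (remote office, LAN 192.168.6.0/24) ----
! Crypto ACL: every flow that must be encrypted toward the ASA.
! Both destination networks are listed, not only the ASA LAN.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.6.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
!
! NAT exemption: the same flows are denied from PAT. If they were
! translated, the source address would be rewritten before the crypto
! ACL is evaluated and the packet would never match the tunnel.
ip access-list extended NAT-EXEMPT
 deny   ip 192.168.6.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.6.0 0.0.0.255 any
ip nat inside source list NAT-EXEMPT interface FastEthernet4 overload
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
 set peer ASA_PUBLIC_IP_PLACEHOLDER
 set transform-set ESP-AES-SHA
 match address VPN-TRAFFIC
interface FastEthernet4
 crypto map VPNMAP
!
! ---- ASA 5510 (main office, inside 192.168.10.1) ----
! Mirror image of the 871 crypto ACL: the same two flows with source and
! destination swapped. A line present on one side but not the other is the
! classic cause of intermittent "no proposal" errors when the second flow
! tries to bring up its SA.
access-list OUTSIDE_CRYPTO extended permit ip 192.168.10.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list OUTSIDE_CRYPTO extended permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
!
! NAT exemption covering the same flows (ASA 8.2 syntax).
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Routing is independent of the crypto ACL. This route sends 192.168.5.0/24
! out the inside interface to the ISP router. The crypto map is bound to the
! outside interface, so it is consulted only for packets leaving via outside:
! an ASA-LAN user talking to 192.168.5.5 exits inside and never touches the
! tunnel. A packet from 192.168.6.0/24 arrives on outside, is decrypted, and
! is forwarded to inside by this route; the reply from 192.168.5.0/24 comes
! back through the ISP router, leaves via outside, matches OUTSIDE_CRYPTO and
! is encrypted. No conflict, because the two lookups answer different questions.
route inside 192.168.5.0 255.255.255.0 192.168.10.2
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address OUTSIDE_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 871_PUBLIC_IP_PLACEHOLDER
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
! ---- ISP router (192.168.10.2, managed by the ISP) ----
! Return route for the 871 LAN pointing at the ASA inside address. If the
! ISP router already defaults to the ASA this is covered, but an explicit
! route is what Brent means by "a route on the internal routers" and is the
! one Martin asked the ISP to confirm.
ip route 192.168.6.0 255.255.255.0 192.168.10.1
```

The ordering matters on the 871: IOS applies inside-to-outside NAT before the crypto map is evaluated, which is why the exemption ACL and the crypto ACL must list exactly the same networks. On the ASA, `show crypto ipsec sa` lists one SA pair per crypto ACL line, so two local/remote identity pairs should appear once both flows have passed traffic; a single pair with the other flow failing is the symptom of a non-mirrored ACL.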
 
Hi,

I reworked the configuration with some changes and now it works!

Marty
 
What changes did you make? Were they to the 871 or the ASA?
Just curious.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Well, it was a bit strange. I reconfigured the ASA, but I used the public stick configuration for remote access, and after that it worked. So it was only a reconfiguration of the ASA.
 