site to site vpn with internet connection in same time
  • site to site vpn with internet connection in same time

    I configured a site-to-site VPN between the ASA 5505 (ASA 8.4.2) and the ASA 5510 (ASA 8.4.4). How can I configure it so that the users on one side use the internet and the site-to-site VPN at the same time? The outside interface of the ASA 5505 has the address 10.15.100.8; the gateway for this network (10.15.100.0/24) is 10.15.100.1. This address of the ASA is NATed to a public IP address. Before, the LAN (10.15.100.0/24) had many computers and used the internet over the gateway 10.15.100.1, and now all computers must be moved behind the ASA 5505. I configured the site-to-site VPN, but the internet doesn't work.
    Please help me.
    Thanks

    PS: Is this option split tunneling? How do I configure it?

  • #2
    Re: site to site vpn with internet connection in same time

    Your Proxy ACL defines what traffic is encrypted and sent across the tunnel. It should be as specific as possible. If your internal hosts will be NATed out to the internet, then you need to use a NAT exemption rule telling the NAT process not to NAT the traffic crossing the VPN. With 8.4 you do this with Twice NAT or Manual NAT, however you want to call it. If you post a config I can take a look.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)

    • #3
      Re: site to site vpn with internet connection in same time

      I configured the site-to-site VPN on the ASA 5505 with the site-to-site wizard. I have not changed the settings. No, the outside interface of the ASA 5505 will be NATed out to the internet.
      Last edited by gogi100; 12th July 2012, 21:35.

      • #4
        Re: site to site vpn with internet connection in same time

        If you can't give a sanitized config, then there isn't much I can do, as I don't know what the configuration looks like now.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)

        • #5
          Re: site to site vpn with internet connection in same time

          My config file on the ASA 5505 is:

          ASA Version 8.4(2)
          !
          hostname ciscoasa
          enable password csq7sfr0bQJqMGET encrypted
          passwd 2KFQnbNIdI.2KYOU encrypted
          names
          !
          interface Ethernet0/0
          switchport access vlan 2
          !
          interface Ethernet0/1
          !
          interface Ethernet0/2
          !
          interface Ethernet0/3
          !
          interface Ethernet0/4
          !
          interface Ethernet0/5
          !
          interface Ethernet0/6
          !
          interface Ethernet0/7
          !
          interface Vlan1
          nameif inside
          security-level 100
          ip address 192.168.2.1 255.255.255.0
          !
          interface Vlan2
          nameif outside
          security-level 0
          ip address 10.15.100.8 255.255.255.0
          !
          ftp mode passive
          object service ParagrafLex1
          service tcp source eq 6190
          description Odlazni
          object service paragraf
          service tcp destination eq 6190
          description dolazni
          object network server
          host 192.168.0.2
          object network NETWORK_OBJ_192.168.0.0_24
          subnet 192.168.0.0 255.255.255.0
          object network NETWORK_OBJ_192.168.2.0_24
          subnet 192.168.2.0 255.255.255.0
          object-group service DM_INLINE_SERVICE_1
          service-object ip
          service-object tcp
          service-object icmp echo-reply
          service-object tcp destination eq domain
          service-object tcp destination eq echo
          service-object tcp destination eq ldap
          object-group protocol DM_INLINE_PROTOCOL_2
          protocol-object udp
          protocol-object tcp
          object-group protocol TCPUDP
          protocol-object udp
          protocol-object tcp
          object-group service DM_INLINE_SERVICE_5
          service-object ip
          service-object icmp echo-reply
          access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
          access-list outside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
          pager lines 24
          logging asdm informational
          mtu inside 1500
          mtu outside 1500
          icmp unreachable rate-limit 1 burst-size 1
          no asdm history enable
          arp outside 10.13.74.1 000d.bd64.a8e2
          arp timeout 14400
          nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 no-proxy-arp route-lookup
          access-group outside_access_in in interface outside
          route outside 0.0.0.0 0.0.0.0 10.15.100.1 1
          timeout xlate 3:00:00
          timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
          timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
          timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
          timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
          timeout tcp-proxy-reassembly 0:01:00
          timeout floating-conn 0:00:00
          dynamic-access-policy-record DfltAccessPolicy
          user-identity default-domain LOCAL
          http server enable
          http 10.15.100.0 255.255.255.0 outside
          http 192.168.2.0 255.255.255.0 inside
          no snmp-server location
          no snmp-server contact
          snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
          crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
          crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
          crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
          crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
          crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
          crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
          crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
          crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
          crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
          crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
          crypto ipsec ikev2 ipsec-proposal AES256
          protocol esp encryption aes-256
          protocol esp integrity sha-1 md5
          crypto ipsec ikev2 ipsec-proposal AES192
          protocol esp encryption aes-192
          protocol esp integrity sha-1 md5
          crypto ipsec ikev2 ipsec-proposal AES
          protocol esp encryption aes
          protocol esp integrity sha-1 md5
          crypto ipsec ikev2 ipsec-proposal 3DES
          protocol esp encryption 3des
          protocol esp integrity sha-1 md5
          crypto ipsec ikev2 ipsec-proposal DES
          protocol esp encryption des
          protocol esp integrity sha-1 md5
          crypto map outside_map 1 match address outside_cryptomap
          crypto map outside_map 1 set peer 178.254.133.178
          crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
          crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
          crypto map outside_map interface outside
          crypto ikev2 policy 1
          encryption aes-256
          integrity sha
          group 5 2
          prf sha
          lifetime seconds 86400
          crypto ikev2 policy 10
          encryption aes-192
          integrity sha
          group 5 2
          prf sha
          lifetime seconds 86400
          crypto ikev2 policy 20
          encryption aes
          integrity sha
          group 5 2
          prf sha
          lifetime seconds 86400
          crypto ikev2 policy 30
          encryption 3des
          integrity sha
          group 5 2
          prf sha
          lifetime seconds 86400
          crypto ikev2 policy 40
          encryption des
          integrity sha
          group 5 2
          prf sha
          lifetime seconds 86400
          crypto ikev2 enable outside
          crypto ikev1 enable outside
          crypto ikev1 policy 10
          authentication crack
          encryption aes-256
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 20
          authentication rsa-sig
          encryption aes-256
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 30
          authentication pre-share
          encryption aes-256
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 40
          authentication crack
          encryption aes-192
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 50
          authentication rsa-sig
          encryption aes-192
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 60
          authentication pre-share
          encryption aes-192
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 70
          authentication crack
          encryption aes
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 80
          authentication rsa-sig
          encryption aes
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 90
          authentication pre-share
          encryption aes
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 100
          authentication crack
          encryption 3des
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 110
          authentication rsa-sig
          encryption 3des
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 120
          authentication pre-share
          encryption 3des
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 130
          authentication crack
          encryption des
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 140
          authentication rsa-sig
          encryption des
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 150
          authentication pre-share
          encryption des
          hash sha
          group 2
          lifetime 86400
          telnet timeout 5
          ssh timeout 5
          console timeout 0

          dhcpd auto_config outside
          !
          dhcpd address 192.168.2.2-192.168.2.128 inside
          dhcpd auto_config outside interface inside
          dhcpd enable inside
          !
          threat-detection basic-threat
          threat-detection statistics access-list
          no threat-detection statistics tcp-intercept
          webvpn
          group-policy GroupPolicy_x.x.x.x internal
          group-policy GroupPolicy_x.x.x.x attributes
          vpn-tunnel-protocol ikev1 ikev2
          tunnel-group x.x.x.x type ipsec-l2l
          tunnel-group x.x.x.x general-attributes
          default-group-policy GroupPolicy_x.x.x.x
          tunnel-group x.x.x.x ipsec-attributes
          ikev1 pre-shared-key *****
          ikev2 remote-authentication pre-shared-key *****
          ikev2 local-authentication pre-shared-key *****
          !
          class-map inspection_default
          match default-inspection-traffic
          !
          !
          policy-map type inspect dns preset_dns_map
          parameters
          message-length maximum client auto
          message-length maximum 512
          policy-map type inspect ftp paragraf
          parameters
          policy-map global_policy
          class inspection_default
          inspect dns
          inspect icmp
          inspect ip-options
          inspect netbios
          inspect tftp
          inspect h323 h225
          inspect h323 ras
          inspect ftp
          inspect rsh
          inspect rtsp
          inspect esmtp
          inspect sqlnet
          inspect skinny
          inspect sunrpc
          inspect xdmcp
          inspect sip
          !
          service-policy global_policy global
          prompt hostname context
          no call-home reporting anonymous
          Cryptochecksum:b6f6c923f233ac9974a733f82ad17fea
          : end
          Last edited by gogi100; 13th July 2012, 07:54.

          • #6
            Re: site to site vpn with internet connection in same time

            Thanks for the config. Is there anything else in front of the ASA?
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)

            • #7
              Re: site to site vpn with internet connection in same time

              Yes, the provider gateway, a router I don't know, on the address 10.15.100.1. The outside interface of the ASA 5505 is NATed to a public IP.

              • #8
                Re: site to site vpn with internet connection in same time

                So the provider router is doing NAT?
                CCNA, CCNA-Security, CCNP
                CCIE Security (In Progress)

                • #9
                  Re: site to site vpn with internet connection in same time

                  Yes, the provider router is doing NAT.

                  • #10
                    Re: site to site vpn with internet connection in same time

                    Is the site-to-site VPN working? Since they are both Cisco devices on both ends, they should negotiate NAT-Traversal, as the 5505 is behind a NAT device. With the 5505 behind a NAT device you will only be able to initiate the tunnel from the 5505 and not from the 5510. I would move your public IP space onto the 5505 and run NAT directly on the ASA. This will give you more control of what is NATed and what is not. Then just add a static default route to the provider's gateway.
                    CCNA, CCNA-Security, CCNP
                    CCIE Security (In Progress)

                    • #11
                      Re: site to site vpn with internet connection in same time

                      I can't move my public IP space onto the 5505 because my provider has such a policy. I need my users behind the ASA 5505 to have access to the LAN behind the ASA 5510. It does not matter who initiates the tunnel, only the access to the LAN behind the ASA 5510 and the access to the internet for the users behind the ASA 5505.
                      Last edited by gogi100; 13th July 2012, 13:55.

                      • #12
                        Re: site to site vpn with internet connection in same time

                        Try this:

                        group-policy GroupPolicy_x.x.x.x attributes
                        split-tunnel-policy tunnelspecified
                        split-tunnel-network-list value outside_cryptomap
                        CCNA, CCNA-Security, CCNP
                        CCIE Security (In Progress)

                        • #13
                          Re: site to site vpn with internet connection in same time

                          What do you think about this:

                          VPN Traffic
                          ========

                          VPN traffic will check the inside_to_outside ACL, then it comes to the crypto ACL and it goes out.

                          Internet traffic
                          ==========
                          All other traffic you mentioned, other than VPN, will get away as internet traffic.

                          access-list inside_to_outside extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0 (VPN)
                          access-list inside_to_outside extended permit <tcp/udp/icmp/ip> internet filtered traffic permits
                          access-list inside_to_outside extended deny ip any any
                          !
                          access-group inside_to_outside in interface inside
                          !
                          !

                          • #14
                            Re: site to site vpn with internet connection in same time

                            That ACL only filters traffic coming in the inside interface. That's great if you want to filter what goes out, but it has nothing to do with the VPN traffic, as that is filtered with the Proxy ACL specified in the split tunnel list.
                            CCNA, CCNA-Security, CCNP
                            CCIE Security (In Progress)

                            • #15
                              Re: site to site vpn with internet connection in same time

                              I think that split tunneling works in remote-access VPN. I think that filtering VPN traffic works with the crypto access-list. I have access-list outside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
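Post #2 describes the mechanics (a specific proxy ACL plus a twice-NAT exemption so that tunnel traffic is not translated) and post #15 the role of the crypto ACL on a LAN-to-LAN tunnel. The following is an added example in ASA 8.4 syntax, not configuration from any poster in this thread, that puts both pieces together using the object and ACL names from the config posted in #5. That config contains exactly one nat statement, the identity exemption, and no rule that translates 192.168.2.0/24 for ordinary internet traffic; the dynamic PAT line below is therefore an assumption about what the 5505 needs rather than a confirmed diagnosis, because the thread does not say whether the provider router at 10.15.100.1 translates anything other than the ASA's outside address. The split-tunnel group-policy attributes suggested in #12 govern remote-access clients; for a tunnel-group of type ipsec-l2l, the ACL referenced by the crypto map (outside_cryptomap) decides what is encrypted, and everything that does not match it leaves the outside interface as normal outbound traffic. The destination 198.51.100.10 in the check commands is a constructed documentation address.

```cisco
! Added example, not from the thread. Object and ACL names match the config in post #5.
object network NETWORK_OBJ_192.168.2.0_24
 subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.0.0_24
 subnet 192.168.0.0 255.255.255.0
!
! Crypto (proxy) ACL: only LAN-to-LAN traffic between the two subnets is encrypted.
! Packets from 192.168.2.0/24 to any other destination never match the crypto map
! and are forwarded as plain internet traffic via the default route.
access-list outside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap
!
! 1. NAT exemption (identity twice NAT) for tunnel traffic. Manual NAT rules in
!    section 1 are evaluated in the order entered, so this must come first.
nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 no-proxy-arp route-lookup
!
! 2. Assumed addition: dynamic PAT for everything else from inside to the outside
!    interface address (10.15.100.8). "after-auto" places it in section 3, so it can
!    never be matched before the exemption above. The provider router then translates
!    10.15.100.8 to the public address as it already does for the ASA itself.
nat (inside,outside) after-auto source dynamic NETWORK_OBJ_192.168.2.0_24 interface
!
! Default route to the provider gateway (already present in the posted config).
route outside 0.0.0.0 0.0.0.0 10.15.100.1 1
!
! Checks, run from exec mode rather than configuration mode:
!   show nat detail
!   packet-tracer input inside tcp 192.168.2.10 1025 192.168.0.2 445
!     (expected: the identity rule is hit and a VPN encrypt phase appears)
!   packet-tracer input inside tcp 192.168.2.10 1025 198.51.100.10 80
!     (expected: the dynamic PAT rule is hit, source translated to 10.15.100.8, no VPN phase)
!   show crypto ipsec sa
!     (encaps/decaps counters should increase only for traffic to 192.168.0.0/24)
```

The two packet-tracer runs are the quickest way to confirm the ordering: if the internet-bound packet shows the identity rule or a VPN phase, the crypto ACL or the exemption is broader than the two subnets; if the LAN-bound packet shows the dynamic PAT, the exemption is missing or is evaluated after the PAT rule.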
