ASA split-tunnel routing dilemma
  • #1
    ASA split-tunnel routing dilemma

    Topology:

    Site A, local office: 10.10.0.0/24 internal network; Cisco ASA 5515-X running 8.6

    Site B, remote data center: 4.4.4.0/24 network; managed firewall services provided by the data center. Our systems all have public IP addresses as part of a cloud solution.

    Site-to-site VPN tunnel between Site A and Site B

    Remote access VPN to the Cisco ASA at Site A: 172.16.10.0/24

    VPN hairpinning is configured on the ASA and working for remote access client traffic between 172.16.10.x and Site B (4.4.4.x)

    Load-balanced website (data center managed load balancer), external IP 4.4.5.1


    Problem:

    We have a load-balanced website at Site B that is only accessible from the internet via public IP 4.4.5.1, and access to it is currently restricted to the external IP of the ASA at Site A (3.3.3.3). I am told by the network engineer at the data center that my private IP range from Site A (10.10.0.0/24) wouldn't be able to reach the load-balanced IP of 4.4.5.1 coming across the site-to-site tunnel, since those are private IPs which would be getting NAT'd behind a public IP to reach 4.4.5.1.


    Users at Site A can successfully access the load-balanced site with no issues, since internet traffic is dynamically NAT'd to the IP of the Outside interface (3.3.3.3).


    We now have remote users that need to access this load-balanced site, but we do not want to remove the access restriction currently limiting access to the ASA IP at Site A.


    My remote access VPN configuration uses split tunneling. How can I configure it to route traffic destined for the IP of the load-balanced site over the remote access VPN tunnel to my ASA and then out the ASA Outside interface, using the dynamic PAT address of 3.3.3.3?

  • #2
    Re: ASA split-tunnel routing dilemma

    Hard to say without seeing the config on the ASA. You should add the "load balance" IP address to your crypto ACL for the remote clients. Then you need to check the existing NAT rules on the ASA, as you may have to add to or modify your existing policy NAT configuration.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: ASA split-tunnel routing dilemma

      Here are the relevant portions of my config:



      object network DataCenter-NET1
       subnet 4.4.4.0 255.255.255.0
      object network NETWORK_OBJ_172.16.10.0_25
       subnet 172.16.10.0 255.255.255.128
      object network NETWORK_OBJ_172.16.10.128_26
       subnet 172.16.10.128 255.255.255.192
      object network RemoteAccessVPN
       subnet 172.16.10.0 255.255.255.0
      object-group network DataCenter-NET
       network-object object DataCenter-NET1
      object-group network HQ-NET
       description Inside Networks at HQ
       network-object 10.10.0.0 255.255.255.0
      object network DataCenter-LB-NET
       subnet 4.4.5.0 255.255.255.0
      !
      access-list remotes_splitTunnelAcl standard permit 10.10.0.0 255.255.255.0
      !
      ip local pool RemoteAccessVPN-Pool 172.16.10.10-172.16.10.90 mask 255.255.255.0
      !
      nat (INSIDE,OUTSIDE) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_172.16.10.0_25 NETWORK_OBJ_172.16.10.0_25 no-proxy-arp route-lookup
      nat (OUTSIDE,OUTSIDE) source static RemoteAccessVPN RemoteAccessVPN destination static DataCenter-NET DataCenter-NET no-proxy-arp route-lookup
      nat (INSIDE,OUTSIDE) source static HQ-NET HQ-NET destination static NETWORK_OBJ_172.16.10.128_26 NETWORK_OBJ_172.16.10.128_26 no-proxy-arp route-lookup
      !
      nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
      !
      group-policy remotes internal
      group-policy remotes attributes
       banner value This system is to be accessed only by specifically authorized personnel.
       banner value Any unauthorized use of the system is unlawful, and may be subject to civil and/or criminal penalties.
       banner value Any use of the system may be logged or monitored without further notice, and these resulting logs may be used as evidence in court.
       wins-server value 10.10.0.100
       dns-server value 10.10.0.100
       vpn-simultaneous-logins 3
       vpn-tunnel-protocol ikev1
       split-tunnel-policy tunnelspecified
       split-tunnel-network-list value remotes_splitTunnelAcl
       default-domain value domain.local
      !
      tunnel-group remotes type remote-access
      tunnel-group remotes general-attributes
       address-pool RemoteAccessVPN-Pool
       authentication-server-group WindowsIAS
       default-group-policy remotes
       dhcp-server subnet-selection 10.10.0.100
      tunnel-group remotes ipsec-attributes
       ikev1 pre-shared-key ********
      !


      So do I just need to add the 4.4.5.x network (or host IP) to the split-tunnel ACL and a NAT rule to translate traffic from 172.16.10.x destined for the load balancer IP 4.4.5.1 to the Outside interface IP?

      Something like:

      nat (OUTSIDE,OUTSIDE) after-auto 2 source dynamic RemoteAccessVPN interface destination static DataCenter-LB-NET DataCenter-LB-NET

      and

      access-list remotes_splitTunnelAcl standard permit 4.4.5.0 255.255.255.0
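The behaviour worked out in posts #1 and #3, as an added Python model (not Cisco code and not the poster's configuration as executed on a device): the objects, the NAT lines and the split-tunnel ACL from post #3 are re-encoded as data, and a remote client's connection to 4.4.5.1 is traced through the client's split-tunnel decision and then through the ASA's NAT sections in the order the ASA uses (manual NAT, then object NAT, then `after-auto` manual NAT, first match within a section). The `DM_INLINE_NETWORK_1` rule is left out because that object isn't shown in the thread; the client address 172.16.10.20, the home ISP address 198.51.100.7 and treating the load balancer's restriction as "source must be 3.3.3.3" are constructed assumptions.

```python
"""Trace a remote VPN user's path to the load balancer through split tunneling and ASA NAT.

Constructed model for illustration only: not Cisco code and not the poster's
configuration as executed on a device. Objects and NAT lines are re-encoded from
post #3 as data. Assumed values: client 172.16.10.20, home ISP address
198.51.100.7, and "source must be 3.3.3.3" as the load balancer's restriction.
"""
import ipaddress
from dataclasses import dataclass

OUTSIDE_IP = "3.3.3.3"               # ASA OUTSIDE interface address (from post #1)
LB_ALLOWED_SOURCES = {OUTSIDE_IP}    # assumed form of the data center's access restriction

# Network objects from post #3 (DM_INLINE_NETWORK_1 omitted: not shown in the thread).
OBJECTS = {
    "any": ["0.0.0.0/0"],
    "HQ-NET": ["10.10.0.0/24"],
    "RemoteAccessVPN": ["172.16.10.0/24"],
    "NETWORK_OBJ_172.16.10.0_25": ["172.16.10.0/25"],
    "NETWORK_OBJ_172.16.10.128_26": ["172.16.10.128/26"],
    "DataCenter-NET": ["4.4.4.0/24"],
    "DataCenter-LB-NET": ["4.4.5.0/24"],
}


def in_object(ip, name):
    return any(ip in ipaddress.ip_network(net) for net in OBJECTS[name])


@dataclass(frozen=True)
class NatRule:
    ingress: str
    egress: str
    source: str            # object the real source must fall in
    mapped_source: str     # "interface" = dynamic PAT to egress address; same as source = identity
    destination: str = "any"
    section: int = 1       # 1 = manual NAT, 3 = manual NAT "after-auto"


# The poster's manual NAT lines in config order (section 2, object NAT, is empty here).
BASE_RULES = [
    NatRule("OUTSIDE", "OUTSIDE", "RemoteAccessVPN", "RemoteAccessVPN", "DataCenter-NET"),
    NatRule("INSIDE", "OUTSIDE", "HQ-NET", "HQ-NET", "NETWORK_OBJ_172.16.10.128_26"),
    NatRule("INSIDE", "OUTSIDE", "any", "interface", section=3),   # after-auto line 1
]
# Rule proposed in post #3: "after-auto 2" puts it in section 3 behind the PAT line.
PROPOSED_RULE = NatRule("OUTSIDE", "OUTSIDE", "RemoteAccessVPN", "interface",
                        "DataCenter-LB-NET", section=3)

SPLIT_ACL_BEFORE = ["10.10.0.0/24"]
SPLIT_ACL_AFTER = ["10.10.0.0/24", "4.4.5.0/24"]


def select_rule(rules, ingress, src, dst):
    """ASA order: section 1, then 3; first match within a section (sorted() keeps config order)."""
    for rule in sorted(rules, key=lambda r: r.section):
        if rule.ingress != ingress:
            continue
        if in_object(src, rule.source) and in_object(dst, rule.destination):
            return rule
    return None


def apply_nat(rules, ingress, src, dst):
    """Return (egress interface, source address the destination will see)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    rule = select_rule(rules, ingress, src_ip, dst_ip)
    if rule is None:
        return "OUTSIDE", str(src_ip)          # untranslated; default route assumed via OUTSIDE
    if rule.mapped_source == "interface":
        return rule.egress, OUTSIDE_IP         # dynamic PAT to the egress interface address
    return rule.egress, str(src_ip)            # "static X X" identity NAT leaves the source alone


def client_sends_via_tunnel(dst, split_acl):
    """split-tunnel-policy tunnelspecified: only ACL destinations enter the tunnel."""
    dst_ip = ipaddress.ip_address(dst)
    return any(dst_ip in ipaddress.ip_network(net) for net in split_acl)


def remote_user_flow(split_acl, rules, client="172.16.10.20", lb="4.4.5.1",
                     home_ip="198.51.100.7"):
    """Return (source seen by the load balancer, whether its restriction admits it)."""
    if not client_sends_via_tunnel(lb, split_acl):
        seen = home_ip                         # split tunnel: straight out the user's own ISP
    else:
        # Decrypted on OUTSIDE, routed back out OUTSIDE (the hairpin post #1 says is enabled).
        _, seen = apply_nat(rules, "OUTSIDE", client, lb)
    return seen, seen in LB_ALLOWED_SOURCES


if __name__ == "__main__":
    print("HQ user       :", apply_nat(BASE_RULES, "INSIDE", "10.10.0.5", "4.4.5.1"))
    print("VPN, old ACL  :", remote_user_flow(SPLIT_ACL_BEFORE, BASE_RULES))
    print("VPN, ACL only :", remote_user_flow(SPLIT_ACL_AFTER, BASE_RULES))
    print("VPN, ACL + NAT:", remote_user_flow(SPLIT_ACL_AFTER, BASE_RULES + [PROPOSED_RULE]))
```

The three traces separate the two halves of the fix. With the old ACL the client never enters the tunnel and the load balancer sees the user's home address. With the ACL alone the flow reaches the ASA on OUTSIDE, but the existing `after-auto` PAT line is scoped `(INSIDE,OUTSIDE)` and does not match an OUTSIDE-ingress hairpin, so the packet leaves untranslated as 172.16.10.x. Only with the `(OUTSIDE,OUTSIDE) after-auto 2` rule does it leave as 3.3.3.3; the ordering is safe because section 3 line 1 cannot match OUTSIDE ingress, so line 2 is reached. Note the consequence for the access restriction at the data center: it now admits every remote VPN user as well as HQ, since both arrive as 3.3.3.3, so any distinction between those populations has to be enforced on the ASA itself.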



      • #4
        Re: ASA split-tunnel routing dilemma

        Yeah, that's what I would try.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: ASA split-tunnel routing dilemma

          This worked perfectly. Thanks.



          • #6
            Re: ASA split-tunnel routing dilemma

            Excellent. Glad it worked.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)
