ASA config

I'm struggling with what I think should be a pretty simple firewall (ASA) configuration. I've got a lot of L2 and L3 experience but throw me in front of this ASA and I can't seem to make it sing... What I'm trying to do is create a L2L VPN tunnel from one site (FW1) to another (FW2) and use that tunnel as the default route for everything behind FW2. I have both ASAs up and running with a very simple skeleton config in my lab and the VPN tunnel is up and working. I can pass traffic from one subnet to the other over the tunnel. What I can't figure out how to do is force all traffic over the VPN tunnel. Admittedly, it has been quite some time since I've done any VPN stuff so it's likely just a simple user error on my part. I'm using 7.0(7) on both 5510 devices.

Basic goal is to force all traffic from behind FW1 to have to traverse the VPN tunnel to hit any resources that aren't on their local segment.

Any constructive help appreciated.

nb

Reply to
Nick Buraglio

Correction:

Basic goal is to force all traffic from behind FW2 to have to traverse the VPN tunnel to hit any resources that aren't on their local segment.

Reply to
Nick Buraglio

Hi Nick,

I know Cisco doesn't suggest you avoid 'permit ip any any' statements on crypto ACLs, but you should be able to achieve this in the following way:

1) Have a crypto acl permitting all traffic from the LAN of FW2 to any in the crypto map and the reverse on FW1

e.g. 'permit ip LAN_Subnet+Mask any'

Then add the same in your no-NAT statements. You will then have a default route pointing at your firewall and again on your firewall pointing at the next hop.

2) You can then use the tunnel default gateway command to tell Firewall 1 to route the unencrypted traffic to an internal router for onward transmission. NB: you haven't described your topology inside FW1, so I am just assuming it is routed to the inside of FW1.

Second suggestion:

Assuming that the ASA 5510 allows it, google Easy VPN. I know the ASA 5505 supports Client mode. If the 5510 supports the same, you can create a client & server Easy VPN setup in LAN extension mode.

Regards

Darren

Reply to
Darren Green
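Darren's steps 1 and 2 written out as a pair of ASA configurations, added here as an illustration and not posted by anyone in the thread. All addresses, ACL and object names are constructed: FW1 has outside 203.0.113.1 (ISP next hop 203.0.113.254), inside 10.1.1.1/24 with an internal router at 10.1.1.2; FW2 has outside 198.51.100.1 (ISP next hop 198.51.100.254) and inside 192.168.2.0/24. The example uses the pre-8.3 `nat (inside) 0 access-list` exemption syntax that matches the 7.x releases discussed above, and it assumes that `route ... tunneled` is the ASA form of the "tunnel default gateway" Darren refers to (that keyword exists from ASA 7.0 onward; it applies only to decrypted VPN traffic, so a normal default route is still needed alongside it). It also assumes AES-256/SHA-1 transforms, which ASA 7.x accepts, instead of 3DES/MD5.

```cisco
! ===== FW2 (the site whose LAN must reach everything via the tunnel) =====
! Constructed example; replace addresses and the PSK before use.
! Crypto ACL: everything sourced from the FW2 LAN to anywhere is "interesting" traffic (Darren's step 1).
access-list VPN_TO_FW1 extended permit ip 192.168.2.0 255.255.255.0 any
! NAT exemption must match the crypto ACL so the tunnel sees untranslated LAN addresses.
access-list NoNat extended permit ip 192.168.2.0 255.255.255.0 any
nat (inside) 0 access-list NoNat
! Ordinary default route toward the ISP: this is how the ESP packets reach FW1's outside address.
route outside 0.0.0.0 0.0.0.0 198.51.100.254 1
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_FW1
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key REPLACE_WITH_LONG_RANDOM_PSK

! ===== FW1 (the hub; decrypts FW2's traffic and hands it to the internal router) =====
! Mirror image of FW2's crypto ACL: anything destined for the FW2 LAN goes into the tunnel.
access-list VPN_TO_FW2 extended permit ip any 192.168.2.0 255.255.255.0
access-list NoNat extended permit ip any 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NoNat
! Normal default route for FW1's own and cleartext traffic.
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1
! Darren's step 2: decrypted tunnel traffic with no more specific route is sent to the internal router.
! The internal router must in turn route 192.168.2.0/24 back to FW1 (10.1.1.1), or return traffic never re-enters the tunnel.
route inside 0.0.0.0 0.0.0.0 10.1.1.2 tunneled
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_FW2
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE_WITH_LONG_RANDOM_PSK
```

Two things to check after applying something like this: `show crypto ipsec sa` on FW2 should show a single SA whose local proxy is 192.168.2.0/24 and remote proxy 0.0.0.0/0, and the encaps/decaps counters should both climb when a LAN host talks to a non-local address. Because the crypto ACL on FW2 matches `any`, hosts behind FW2 have no direct path to the Internet any more; that is the stated goal here, but it also means every internet-bound flow from that site is now subject to FW1's inside policy and the internal router's routing, so those need to be in place before cutting over.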

That should have read:

Reply to
Darren Green

ASA? If so put a route in the layer 3 device to direct traffic for the remote subnet to the ASA. I have cut a sample config for you.

: Saved
: ASA Version 7.2(2)

access-list {access list to identify ipsec traffic} extended permit {proto} {from} {to}
access-list NoNat extended permit ip {from} {to}

Do the same for all hosts from the above ACL you created.

NoNat is an ACL I use to assign to Nat0. Nat0 tells the ASA to not attempt to translate the traffic.

crypto ipsec transform-set {put your name here} esp-3des esp-md5-hmac
crypto map {Name of your cryptomap} 1 match address {access list to identify ipsec traffic}
crypto map {Name of your cryptomap} 1 set peer {The remote IP you are connecting to}
crypto map {Name of your cryptomap} 1 set transform-set {the name of your transform set}
crypto map {Name of your cryptomap} interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group {ip address of peer} type ipsec-l2l
tunnel-group {ip address of peer} ipsec-attributes
 pre-shared-key *

Post your config if this does not get it going for you.

Reply to
Newbie72

I got all of this working. The guide I used (along with some good advice) is here:

formatting link
nb

Reply to
Nick Buraglio

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.