Route traffic on vpn to another interface on an ASA 5510

cisco-asacisco-vpnroutingvpn

I have a ASA 5510 that has about 60-70 vpn tunnels. I have four interfaces on the device: 1)External, 2)192.168.1.0, 3)192.168.2.0, 4) 192.168.3.0

A VPN tunnel is configured from the remote site (192.168.200.0) to the 192.168.2.0 subnet on the ASA.

I have remote applications I would like the users at the remote site to be able to access which are hosted on the 192.168.3.0 subnet.

I can route traffic between the subnets that are located on the ASA. Any way I can route traffic from the remote site to the 192.168.3.0?

Best Answer

The best way to do this is to expand your encryption domain to include 192.168.3.0/24 (or just 192.168.3.X/32 for all necessary X).

For example, on your ASA 5510, you probably have an access-list like this:

access-list to-remote extended line 1 permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0

Assuming your application lives on 192.168.3.5 and you want to give all of 192.168.200.0/24 access, for example, you'll want to add something like the following:

access-list to-remote extended line 2 permit ip host 192.168.3.5 192.168.200.0 255.255.255.0

Remember that you have to modify the encryption domain on the other side as well.

Related Solutions

Cisco ASA 5505 site to site IPSEC VPN won’t route from multiple LANs

The crypto map access-list (outside_1_cryptomap) is only going to match direct subnet traffic. You probably need to add more entries to this access-list to match the other subnets that should traverse the tunnel. If you want to support any network on one side to any network on the other side, you might find it easier to declare some network object-groups and then make your access-list read something like:

object-group site1_nets
  network-object 192.168.144.0 255.255.255.252
  network-object 10.1.0.0 255.255.255.0
object-group site2_nets
  network-object 192.168.145.0 255.255.255.252
  network-object 10.2.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group site1_nets object-group site2_nets

The nat 0 access-list (inside_nat0_outbound) is also not matching traffic from the other subnets, so the ASA will want to translate the IP address to your outside WAN address.

access-list inside_nat0_outbound extended permit ip object-group site1_nets object-group site2_nets

I'm not 100% positive this second change is necesssary; try the first and test to see if you need it.

Cisco ASA – routing traffic between multiple site-to-site tunnels

Something along these lines - 192.168.168.0/24 seems a bit smallish; if you need to, then make an object-group for them too.

same-security-traffic permit intra-interface

object-group network Client_Networks
 ! Load up client network assignments here, so the ACLs don't get huge:
 network-object 192.0.2.0 255.255.255.0
 network-object 198.51.100.0 255.255.255.0

! ACL for tunnel to an example client - this one's on the 192.0.2.0 range.
! The entry covers traffic between the local net and the client
access-list outside_cryptomap_client_1 extended permit ip 172.16.89.0 255.255.255.0 192.0.2.0 255.255.255.0
! And this is needed for the traffic between the employee nets and the client
access-list outside_cryptomap_client_1 extended permit ip 192.168.168.0 255.255.255.0 192.0.2.0 255.255.255.0

! ACL for the tunnel to an employee - we'll stick them on 192.168.168.32/30;
! For the purposes of the tunnel, the client networks are local networks.
! The entry's going to create a ton of IPSec SAs -- makes a mess, but not a lot of choice.
access-list outside_cryptomap_employee_1 extended permit ip object-group Client_Networks 192.168.168.32 255.255.255.252
! And, the local whatnot.
access-list outside_cryptomap_employee_1 extended permit ip 172.16.89.0 255.255.255.0 192.168.168.32 255.255.255.252

! all the other config for the site-to-site tunnels..
crypto map outside_map 1 match address outside_cryptomap_client_1
! ...
crypto map outside_map 501 match address outside_cryptomap_employee_1

And if you have any NAT whatsoever going on, which you probably do since you're using RFC1918 ranges, you need NAT exemptions all around, matching all the traffic in your crypto ACLs.

! add to an existing NAT exemption ACL, if you have one.  Otherwise, make one..
! local to clients
access-list outside_nat0_outbound extended permit ip 172.16.89.0 255.255.255.0 object-group Client_Networks
! local to employees
access-list outside_nat0_outbound extended permit ip 172.16.89.0 255.255.255.0 192.168.168.0 255.255.255.0
! employees to clients
access-list outside_nat0_outbound extended permit ip 192.168.168.0 255.255.255.0 object-group Client_Networks
nat (Public) 0 access-list outside_nat0_outbound

Of course, you'll need to configure the remote VPN endpoint at the employee's location to have the client networks as a remote network, matching the crypto ACL for the site-to-site connection to them.

Best Answer

Related Solutions

Cisco ASA 5505 site to site IPSEC VPN won’t route from multiple LANs

Cisco ASA – routing traffic between multiple site-to-site tunnels

Related Topic