Velocity Reviews - Computer Hardware Reviews

Route traffic destined for 2 addresses/IPs through VPN tunnel

 
 
GNY, 06-15-2007
Hello,

I have an ASA at 2 sites connected via a VPN. We have decided to add 2
servers to 1 side and 1 server to the other side to communicate over
the tunnel as opposed to the internet, as it is now.

Excuse my ignorance here. These are mail servers and are, obviously,
addressed by domain names. Can I just add statements to the ACL
applied to this tunnel? Do I use IPs as the source or destination?

Am I thinking on the right path here?

Thanks

GNY

 
Walter Roberson, 06-16-2007
In article <(E-Mail Removed) .com>,
GNY <(E-Mail Removed)> wrote:

>I have an asa at 2 sites connected via a vpn. We have decided to add 2
>servers to 1 side and 1 server to the other side to communicate over
>the tunnel opposed to the internet as it is now.


>Excuse my ignorance here. These are mail servers and are addressed
>obviously by domain names. Can I just add statements to the ACL
>applied to this tunnel? Do I use IPs as the source? or destination?


I believe that the ASA will not do dynamic DNS lookup. I gather
from my reading that it has static DNS lookup: that is, that at the
time it parses the ACL that it'll do a DNS resolution and lock that IP
in. But I'm not certain of that; the PIX that it is derived from had
no DNS resolution at all.

Yes, you would add statements to the ACL being applied as the crypto-map
match-address. The ACLs should use the addresses as they appear
*after* any translation takes place. The most common case is that
you have the traffic defined in a nat (inside) 0 access-list ACLNAME
which tells the PIX not to use translation for that flow; in that
case, the IPs you would use in the crypto ACLs would be the "internal"
IPs.

The source IP for the crypto map ACL should be the internal network;
the destination should be the remote network.

For example (sorry, the ACLs are in old format as that's what I know)

Assuming a new local server 192.168.1.17 and a new remote server
192.168.99.158 and that the local network is 192.168.1/24 and
that the remote network is 192.168.99/24

! NAT exemption: the protocol keyword "ip" is required in access-list entries
access-list NoNat permit ip host 192.168.1.17 192.168.99.0 255.255.255.0
access-list NoNat permit ip 192.168.1.0 255.255.255.0 host 192.168.99.158
nat (inside) 0 access-list NoNat

! then to the bottom of VPN2Albany (the crypto-map match-address ACL) add
access-list VPN2Albany permit ip host 192.168.1.17 192.168.99.0 255.255.255.0
access-list VPN2Albany permit ip 192.168.1.0 255.255.255.0 host 192.168.99.158

If you end up with the access-lists NoNat and VPN2Albany looking
identical except for the names, then do NOT try to use the same ACL
in both places; if the software doesn't outright block that, it will
lead to some subtle bugs.


If you need the case where it is not allowed to use the internal network
addresses over the VPN, then let me know and I'll post an example.
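
As an added example (not part of the thread, and not Walter's or Cisco's code) that makes the two rules in the reply above mechanical: a small Python script that parses old-format PIX/ASA "access-list", "nat (inside) 0 access-list" and crypto-map "match address" lines, reports any crypto-ACL flow that the NAT-exemption ACL does not cover (since the crypto ACL is matched after translation), flags the same ACL being bound to both nat 0 and the crypto map, and generates the mirrored crypto ACL the peer ASA needs. The sample config, the crypto map name OUTSIDE_MAP, the peer ACL name VPN2HQ, the second local server 192.168.1.25 and the remote host 192.168.99.200 are constructed assumptions for illustration; the last two exist only to show an uncovered flow.

```python
"""Sanity-check and mirror PIX/ASA crypto-map and NAT-exemption ACLs.

Added example for the thread above, not code from the original post.
Assumes the old 'access-list NAME permit ip SRC DST' syntax Walter used;
the crypto map name OUTSIDE_MAP, the peer ACL name VPN2HQ and the sample
config below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tok, i):
    """Parse 'host A.B.C.D', 'any' or 'A.B.C.D M.M.M.M' at tok[i]; return (network, next index)."""
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1]), i + 2
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    return ipaddress.IPv4Network((tok[i], tok[i + 1])), i + 2


def parse_config(text):
    """Return ({acl_name: [AclEntry]}, nat0_acl_name, crypto_match_acl_name).

    Lines starting with '!' are comments. Only 'permit ip' entries are accepted,
    because crypto and nat 0 ACLs select whole flows, not ports.
    """
    acls, nat0, crypto_match = {}, None, None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "access-list" and len(tok) >= 3 and tok[2] == "extended":
            del tok[2]  # also accept the newer 'access-list NAME extended permit ...' form
        if tok[0] == "access-list" and len(tok) >= 6 and tok[2] == "permit":
            if tok[3] != "ip":
                raise ValueError(f"crypto / nat 0 ACL entries must be protocol 'ip': {line!r}")
            src, i = _parse_addr(tok, 4)
            dst, _ = _parse_addr(tok, i)
            acls.setdefault(tok[1], []).append(AclEntry(tok[1], src, dst))
        elif tok[:4] == ["nat", "(inside)", "0", "access-list"] and len(tok) >= 5:
            nat0 = tok[4]
        elif tok[:2] == ["crypto", "map"] and "address" in tok:
            crypto_match = tok[tok.index("address") + 1]
    return acls, nat0, crypto_match


def audit(text):
    """Findings for one ASA's config fragment; an empty list means the two ACLs agree."""
    acls, nat0, crypto_match = parse_config(text)
    if nat0 is None or crypto_match is None:
        return ["missing 'nat (inside) 0 access-list ...' or crypto map 'match address ...' line"]
    findings = []
    if nat0 == crypto_match:
        findings.append(f"ACL {nat0} is bound to both nat 0 and the crypto map; "
                        "use two separate ACLs even if their entries are identical")
    nonat, crypto = acls.get(nat0, []), acls.get(crypto_match, [])
    for c in crypto:
        # The crypto ACL is matched after translation, so every flow it names must be NAT-exempt.
        exempt = any(c.src.subnet_of(n.src) and c.dst.subnet_of(n.dst) for n in nonat)
        if not exempt:
            findings.append(f"crypto flow {c.src} -> {c.dst} is not NAT-exempt; "
                            "it would be translated before the crypto map sees it")
    return findings


def mirror_for_peer(entries, peer_acl_name):
    """The remote ASA's crypto ACL must be the exact mirror: its source is our destination."""
    return [AclEntry(peer_acl_name, e.dst, e.src) for e in entries]


def render(entries):
    """Emit entries back in the old access-list syntax ('host X' for /32, 'net mask' otherwise)."""
    def fmt(net):
        if net.prefixlen == 32:
            return f"host {net.network_address}"
        return f"{net.network_address} {net.netmask}"
    return [f"access-list {e.name} permit ip {fmt(e.src)} {fmt(e.dst)}" for e in entries]


# Constructed sample: local side, with one flow (192.168.1.25 -> 192.168.99.200) left out of NoNat.
SAMPLE_LOCAL = """\
! local side, old PIX-style syntax as in the thread
access-list NoNat permit ip host 192.168.1.17 192.168.99.0 255.255.255.0
access-list NoNat permit ip 192.168.1.0 255.255.255.0 host 192.168.99.158
nat (inside) 0 access-list NoNat
access-list VPN2Albany permit ip host 192.168.1.17 192.168.99.0 255.255.255.0
access-list VPN2Albany permit ip 192.168.1.0 255.255.255.0 host 192.168.99.158
access-list VPN2Albany permit ip host 192.168.1.25 host 192.168.99.200
crypto map OUTSIDE_MAP 10 match address VPN2Albany
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOCAL):
        print("FINDING:", f)
    acls, _, crypto_name = parse_config(SAMPLE_LOCAL)
    print("! peer-side crypto ACL (mirror of", crypto_name + ")")
    for line in render(mirror_for_peer(acls[crypto_name], "VPN2HQ")):
        print(line)
```

Running it on the sample reports the 192.168.1.25 to 192.168.99.200 flow as translated-but-encrypted (the classic "tunnel comes up but nothing passes" symptom) and prints the mirrored VPN2HQ entries to paste on the remote ASA. The coverage check is deliberately conservative: a crypto entry counts as exempt only if one nat 0 entry contains it whole, so a flow covered by the union of several exemption lines will be reported and should be reviewed by hand.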

 
GNY, 06-16-2007
On Jun 16, 12:16 am, (E-Mail Removed) (Walter Roberson) wrote:
> [Walter's reply, quoted in full above, snipped]

Walter, thanks for the help. I understood all of what you mentioned,
as well as now knowing how the DNS "should" work out. So I should
use the IP addresses of these servers, and yes, I understood and have
the NONAT ACL.

So I should not need the FQDN of this server at all, because I don't
even look at their DNS, nor is it publicly published.

I think I'm ready to implement this. Thanks for your help.

GNY

 