Route traffice destined for 2 addresses/ips through vpn tunnel

Discussion in 'Cisco' started by GNY, Jun 15, 2007.

  1. GNY

    GNY Guest

    Hello ..

    I have an asa at 2 sites connected via a vpn. We have decided to add 2
    servers to 1 side and 1 server to the other side to communicate over
    the tunnel opposed to the internet as it is now.

    Excuse my ignorance here. These are mail servers and are addressed
    obviously by domain names. Can I just add statements to the ACL
    applied to this tunnel? Do I use IPs as the source? or destination?

    Am I thinking on the right path here?

    Thanks

    GNY
    GNY, Jun 15, 2007
    #1
    1. Advertising

  2. In article <>,
    GNY <> wrote:

    >I have an asa at 2 sites connected via a vpn. We have decided to add 2
    >servers to 1 side and 1 server to the other side to communicate over
    >the tunnel opposed to the internet as it is now.


    >Excuse my ignorance here. These are mail servers and are addressed
    >obviously by domain names. Can I just add statements to the ACL
    >applied to this tunnel? Do I use IPs as the source? or destination?


    I believe that the ASA will not do dynamic DNS lookup. I gather
    from my reading that it has static DNS lookup: that is, that at the
    time it parses the ACL that it'll do a DNS resolution and lock that IP
    in. But I'm not certain of that; the PIX that it is derived from had
    no DNS resolution at all.

    Yes, you would add statements to the ACL being applied as the crypto-map
    match-address. The ACLs should use the addresses as they appear
    *after* any translation takes place. The most common case is that
    you have the traffic defined in a nat (inside) 0 access-list ACLNAME
    which tells the PIX not to use translation for that flow; in that
    case, the IPs you would use in the crypto ACLs would be the "internal"
    IPs.

    The source IP for the crypto map ACL should be the internal network;
    the destination should be the remote network.

    For example (sorry, the ACLs are in old format as that's what I know)

    Assuming a new local server 192.168.1.17 and a new remote server
    192.168.99.158 and that the local network is 192.168.1/24 and
    that the remote network is 192.168.99/24

    access-list NoNat permit host 192.168.1.17 192.168.99.0 255.255.255.0
    access-list NoNat permit 192.168.1.0 255.255.255.0 host 192.168.99.158
    nat (inside) 0 access-list NoNat

    !then to the bottom of VPN2Albany add
    access-list VPN2Albany permit ip host 192.168.1.17 192.168.99.0 255.255.255.0
    access-list VPN2Albany permit ip 192.168.1.0 255.255.255.0 host 192.168.99.158

    If you end up with the access-lists NoNat and VPN2Albany looking
    identical except for the names, then do NOT try to use the same ACL
    in both places; if the software doesn't outright block that, it will
    lead to some subtle bugs.


    If you need the case where it is not allowed to use the internal network
    addresses over the VPN, then let me know and I'll post an example.
    Walter Roberson, Jun 16, 2007
    #2
    1. Advertising

  3. GNY

    GNY Guest

    On Jun 16, 12:16 am, (Walter Roberson) wrote:
    > In article <>,
    >
    > GNY <> wrote:
    > >I have an asa at 2 sites connected via a vpn. We have decided to add 2
    > >servers to 1 side and 1 server to the other side to communicate over
    > >the tunnel opposed to the internet as it is now.
    > >Excuse my ignorance here. These are mail servers and are addressed
    > >obviously by domain names. Can I just add statements to the ACL
    > >applied to this tunnel? Do I use IPs as the source? or destination?

    >
    > I believe that the ASA will not do dynamic DNS lookup. I gather
    > from my reading that it has static DNS lookup: that is, that at the
    > time it parses the ACL that it'll do a DNS resolution and lock that IP
    > in. But I'm not certain of that; the PIX that it is derived from had
    > no DNS resolution at all.
    >
    > Yes, you would add statements to the ACL being applied as the crypto-map
    > match-address. The ACLs should use the addresses as they appear
    > *after* any translation takes place. The most common case is that
    > you have the traffic defined in a nat (inside) 0 access-list ACLNAME
    > which tells the PIX not to use translation for that flow; in that
    > case, the IPs you would use in the crypto ACLs would be the "internal"
    > IPs.
    >
    > The source IP for the crypto map ACL should be the internal network;
    > the destination should be the remote network.
    >
    > For example (sorry, the ACLs are in old format as that's what I know)
    >
    > Assuming a new local server 192.168.1.17 and a new remote server
    > 192.168.99.158 and that the local network is 192.168.1/24 and
    > that the remote network is 192.168.99/24
    >
    > access-list NoNat permit host 192.168.1.17 192.168.99.0 255.255.255.0
    > access-list NoNat permit 192.168.1.0 255.255.255.0 host 192.168.99.158
    > nat (inside) 0 access-list NoNat
    >
    > !then to the bottom of VPN2Albany add
    > access-list VPN2Albany permit ip host 192.168.1.17 192.168.99.0 255.255.255.0
    > access-list VPN2Albany permit ip 192.168.1.0 255.255.255.0 host 192.168.99.158
    >
    > If you end up with the access-lists NoNat and VPN2Albany looking
    > identical except for the names, then do NOT try to use the same ACL
    > in both places; if the software doesn't outright block that, it will
    > lead to some subtle bugs.
    >
    > If you need the case where it is not allowed to use the internal network
    > addresses over the VPN, then let me know and I'll post an example.


    Walter thanks for the help so I understood all of what you mentioned
    as well as now knowing about how the DNS "should" work out. So I
    should the IP address of these servers and yes i understood and have
    the NONAT ACL.

    So I should not need the fqdn of this server at all because I dont
    even look at their dns nor is it publicly published.

    I think i'm ready to implement this.. Thanks for your help..

    GNY
    GNY, Jun 16, 2007
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. a.nonny mouse
    Replies:
    2
    Views:
    1,094
  2. Replies:
    4
    Views:
    2,511
    Bob Goddard
    Jan 25, 2006
  3. Replies:
    9
    Views:
    5,020
    Scott Perry
    Aug 7, 2008
  4. Giuen
    Replies:
    0
    Views:
    864
    Giuen
    Sep 12, 2008
  5. Lawrence D'Oliveiro

    Is Android Destined To Be The Windows Of Smartphones?

    Lawrence D'Oliveiro, May 25, 2010, in forum: NZ Computing
    Replies:
    14
    Views:
    480
Loading...

Share This Page