VPN 3000 + ASA 5510

fightclub34 (Member, Posts: 41)
Currently we have a VPN concentrator doing all of our remote VPNs. The concentrator sits on the DMZ. We tried to fire up a site-to-site VPN on the ASA and that worked, but it took down all the VPNs housed off of the 3000. Is there any way to get these to play nicely, or should I just migrate everything from the 3000 to the ASA?

Comments

  • Ahriakin (Member, Posts: 1,799)
    It depends on your IP scheme. If the VPN3K has its own public IP it should still work (so long as you allow IPsec through to it). If it shares the ASA's public IP then you will need to encapsulate one or the other in TCP: unless encapsulated this way (even with NAT-T), incoming Phase 1 negotiations will use UDP 500; if you forward this to your VPN3K the ASA can't negotiate its own Phase 1, and if you don't then the VPN3K is out of luck. If you don't want to migrate fully to the ASA (and if your license allows for enough clients I advise you do; with 8.x code the ASA is significantly better as a concentrator), then I advise you to set your new tunnels on the ASA to use TCP and forward UDP 500 exclusively to the VPN3K DMZ IP (the only reason to do it this way is that if you encapsulate the existing VPN3K VPNs you will have more work, as you have to also encapsulate the other endpoints; if the ASA is new I presume you haven't set up any production tunnels on it yet).
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • fightclub34 (Member, Posts: 41)
    Thanks for the suggestions. The concentrator sits on the DMZ with a public IP assigned to it. We allow IPsec traffic to it from the outside interface. What would I have to do for the ASA to allow VPNs on itself and the concentrator?
  • Ahriakin (Member, Posts: 1,799)
    As long as your outside ACLs haven't been modified it should still work fine: allow UDP 500 (and 4500 if any clients use NAT-T) and ESP to your VPN3K IP (and check your DMZ ACLs to make sure these are permitted too; easy to overlook when you make changes). Don't do any port forwarding on the ASA for this since the 3K has its own IP.
    For the ASA you just enable and configure your VPNs as normal, there should be no conflict.

    Do you know at what stage your VPNs fail, Phase 1 or 2? What does the 3K tell you, is there any negotiation taking place at all?
    On the ASA, use permit statements with LOG in your ACLs and check the logs to see if you are getting hits, and also what reason it gives for the drops (ACL, NAT, policies, etc.). If you're still not having luck, run some quick captures on your ASA. Start with an access-list-based capture for traffic in both directions and apply it as separate captures to your outside and DMZ interfaces; even without analyzing the packets you can tell from the packet/hit counts if traffic is making it to the DMZ and if replies are being attempted. You can also do a capture for dropped traffic using 'type asp-drop' with a number of suboptions, which can be very handy.
    e.g. 'capture CAPTURE type asp-drop acl-drop buffer 10000': this will capture all packets on all interfaces that are dropped by your ACLs (kind of a more in-depth version of ACL log checking, and this way you just get the drops). Dig into the suboptions and there is some cool stuff you can filter on.
  • fightclub34 (Member, Posts: 41)
    I was checking the log on the 3K and was not getting much at all for errors; I think I was getting stuck in Phase 1. I couldn't really troubleshoot since I had to get the remote VPNs up and running fairly quickly. I did notice that crypto NAT traversal was turned off on the ASA. When you say I should check the DMZ ACLs, do you mean add the ports on the DMZ ACL the same way they are on the outside interface? Currently we allow 500 and 4500 on the outside interface and the concentrator works great.
  • Ahriakin (Member, Posts: 1,799)
    Unless you have IPsec inspection enabled you also need ESP (protocol 50) permitted; with inspection it will be allowed automatically, and if it was working before then you likely do have it applied.
    If you don't have any ACL on your DMZ then you won't need any entries for the VPN traffic, as it (presumably) has a higher security level than outside and the state engine will take care of the rest. But if you have an ACL applied, permit UDP 500/4500 and ESP on it for your concentrator (as source or destination, of course, depending on the direction of your ACLs).
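The ACL, NAT-T and capture steps from the two answers above, written out as an added example in ASA 8.x syntax (this is not configuration from the thread or from either poster). The interface names outside and dmz, the ACL names, and the concentrator address 203.0.113.10 are assumed placeholders; substitute your own.

```cisco
! Added example, not from the thread. Names and addresses are assumed placeholders.
! 203.0.113.10 = public IP of the VPN 3000 on the DMZ. No port forwarding on the ASA:
! the concentrator has its own address, the ASA only has to permit the traffic through.

! --- Outside ACL: allow IKE (UDP 500), NAT-T (UDP 4500) and ESP to the concentrator.
!     'log' makes every hit show up in syslog, so you can see whether packets arrive. ---
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq isakmp log
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq 4500 log
access-list OUTSIDE_IN extended permit esp any host 203.0.113.10 log
access-group OUTSIDE_IN in interface outside
! If 'inspect ipsec-pass-thru' is enabled the ESP line is not required (ESP is allowed
! automatically once IKE succeeds), but it does no harm.

! --- DMZ ACL: only needed if an ACL is applied inbound on the DMZ interface; without one the
!     higher security level plus the connection table already lets replies out. Note the
!     direction is reversed: here the concentrator is the source. ---
access-list DMZ_IN extended permit udp host 203.0.113.10 any eq isakmp log
access-list DMZ_IN extended permit udp host 203.0.113.10 any eq 4500 log
access-list DMZ_IN extended permit esp host 203.0.113.10 any log
access-group DMZ_IN in interface dmz

! --- ASA's own VPNs: enable NAT-T so clients behind NAT can fall back to UDP 4500 ---
crypto isakmp nat-traversal 20

! --- Troubleshooting: one ACL matching both directions, applied as a separate capture on each
!     interface, plus an asp-drop capture for packets the ACLs refused ---
access-list VPN_CAP extended permit udp any host 203.0.113.10 eq isakmp
access-list VPN_CAP extended permit udp host 203.0.113.10 eq isakmp any
access-list VPN_CAP extended permit udp any host 203.0.113.10 eq 4500
access-list VPN_CAP extended permit udp host 203.0.113.10 eq 4500 any
access-list VPN_CAP extended permit esp any host 203.0.113.10
access-list VPN_CAP extended permit esp host 203.0.113.10 any
capture CAP_OUT access-list VPN_CAP interface outside
capture CAP_DMZ access-list VPN_CAP interface dmz
capture DROPS type asp-drop acl-drop buffer 10000

! Then, from exec mode, compare the packet counts:
!   show capture CAP_OUT     <- packets seen on outside
!   show capture CAP_DMZ     <- packets that made it to / came back from the DMZ
!   show capture DROPS       <- packets dropped by an ACL, with interface and ACL name
! Hits on CAP_OUT with none on CAP_DMZ means the ASA is dropping the traffic (check DROPS);
! hits on CAP_DMZ in only one direction means the concentrator is not replying (check the 3K).
```

Remove the captures with 'no capture CAP_OUT' (and likewise for the others) when done; they consume memory and keep running until cleared.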
  • fightclub34 (Member, Posts: 41)
    Ahriakin,

    Looks like we are going to put everything on the ASA. One more question: does the ASA only allow one virtual subnet for VPNs? I created a 10.0.1.x subnet and did a nonat on that. Then I tried to create a 10.0.2.x subnet and added that to the nonat, and it does not get translated; only the 10.0.1.x subnet is getting translated.