Remote Access VPN access to the Outside subnet on an ASA 5505

Virtual private networks and related topics

Moderator: Federico.Lagni

alessio82
n00b
Posts: 14
Joined: Tue 10 Aug 2010, 11:20 am

Does anyone know whether, through a remote access VPN, besides reaching the INSIDE side, you can also reach the OUTSIDE side directly?
The problem arises from the need to put the OUTSIDE interface of the ASA 5505 on the same private subnet as the ADSL router.

Obviously, once connected over the VPN you can reach the INSIDE zone, but the OUTSIDE zone, which is in any case a secure zone (VLAN Z in the attachment), cannot be reached.

Do you know if it can be done?
pbratti
Cisco fan
Posts: 44
Joined: Sat 02 Jan 2010, 5:16 pm

Post the configuration ...
alessio82
n00b
Posts: 14
Joined: Tue 10 Aug 2010, 11:20 am

ASA Version 8.2(1)
!
hostname AAAA
enable password * encrypted
passwd * encrypted
names
!
interface Vlan1
nameif outside
security-level 0
ip address 192.168.X.254 255.255.255.0
!
interface Vlan2
nameif inside
security-level 100
ip address 192.168.Y.1 255.255.255.0
!
interface Vlan3
no forward interface Vlan2
nameif Back-End
security-level 50
ip address 192.168.Z.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
access-list nonat extended permit ip 192.168.Y.0 255.255.255.0 192.168.A.0 255.255.255.0
access-list nonat extended permit ip 192.168.Z.0 255.255.255.0 192.168.A.0 255.255.255.0
access-list INSIDE extended permit ip any any
access-list OUTSIDE extended permit ip any any
access-list vpn_remote_split_tunnel standard permit 192.168.Y.0 255.255.255.0
access-list vpn_remote_split_tunnel standard permit 192.168.Z.0 255.255.255.0
access-list vpn_filter extended permit ip 192.168.A.0 255.255.255.0 192.168.Y.0 255.255.255.0
access-list vpn_filter extended permit ip 192.168.A.0 255.255.255.0 192.168.Z.0 255.255.255.0
access-list BACK-END extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu Back-End 1500
ip local pool vpn_pool 192.168.A.10-192.168.A.20
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any Back-End
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Back-End) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.Y.0 192.168.Y.0 netmask 255.255.255.0
static (Back-End,outside) 192.168.Z.254 192.168.Z.254 netmask 255.255.255.255
access-group OUTSIDE in interface outside
access-group INSIDE in interface inside
access-group BACK-END in interface Back-End
route outside 0.0.0.0 0.0.0.0 192.168.X.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map vpn_remote_access 20 set transform-set myset
crypto dynamic-map vpn_remote_access 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic vpn_remote_access
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 192.168.X.0 255.255.255.0 outside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpn_remote_gp internal
group-policy vpn_remote_gp attributes
vpn-filter value vpn_filter
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_remote_split_tunnel
tunnel-group vpn_remote_tg type remote-access
tunnel-group vpn_remote_tg general-attributes
address-pool vpn_pool
default-group-policy vpn_remote_gp
tunnel-group vpn_remote_tg ipsec-attributes
pre-shared-key spectrum
!
!
end
pbratti
Cisco fan
Posts: 44
Joined: Sat 02 Jan 2010, 5:16 pm

Hi,
you need to add these lines on the firewall:

Code:

access-list vpn_remote_split_tunnel standard permit host 192.168.X.1
access-list vpn_filter extended permit ip 192.168.A.0 255.255.255.0 host 192.168.X.1
same-security-traffic permit intra-interface

while on the ADSL router you need to add a route like:

Code:

ip route 192.168.A.0 255.255.255.0 192.168.X.254
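An added illustration, not part of the thread: a small Python model of the four conditions that have to line up for a VPN client to reach a host on the outside subnet (split-tunnel list, vpn-filter, hairpin permission, return route on the ADSL router). It uses constructed stand-ins for the masked octets (X=1, Y=2, Z=3, A=4) and treats pbratti's lines as the "after" state.

```python
import ipaddress

# Constructed stand-ins for the octets masked in the thread: X=1, Y=2, Z=3, A=4.
OUTSIDE = ipaddress.ip_network("192.168.1.0/24")
INSIDE = ipaddress.ip_network("192.168.2.0/24")
BACK_END = ipaddress.ip_network("192.168.3.0/24")
VPN_POOL = ipaddress.ip_network("192.168.4.0/24")       # contains vpn_pool .10-.20
ASA_OUTSIDE_IP = ipaddress.ip_address("192.168.1.254")  # 192.168.X.254
ADSL_ROUTER = "192.168.1.1"                              # 192.168.X.1
VPN_CLIENT = "192.168.4.15"                             # an address from vpn_pool

def egress_interface(dst):
    """One connected /24 per interface; anything else follows the default route via outside."""
    for name, net in (("inside", INSIDE), ("Back-End", BACK_END), ("outside", OUTSIDE)):
        if dst in net:
            return name
    return "outside"

def reachable(src, dst, split_tunnel, vpn_filter, intra_interface, router_routes):
    """Return (ok, reason) for VPN client src sending a packet to dst through the ASA."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. Split tunnelling: only destinations in the list are sent into the tunnel at all.
    if not any(dst in n for n in split_tunnel):
        return False, "destination not in vpn_remote_split_tunnel"
    # 2. vpn-filter is an implicit-deny ACL applied to the decrypted traffic.
    if not any(src in s and dst in d for s, d in vpn_filter):
        return False, "vpn_filter denies it"
    if egress_interface(dst) == "outside":
        # 3. The tunnel terminates on outside, so leaving via outside again is a hairpin.
        if not intra_interface:
            return False, "hairpin needs same-security-traffic permit intra-interface"
        # 4. The pool is not translated towards outside, so the router needs a route back.
        hop = next((h for n, h in router_routes if src in n), None)
        if hop != ASA_OUTSIDE_IP:
            return False, "ADSL router has no route for the pool via the ASA outside IP"
    return True, "ok"

# Access lists as originally posted, then after pbratti's additions.
SPLIT_BEFORE = [INSIDE, BACK_END]
FILTER_BEFORE = [(VPN_POOL, INSIDE), (VPN_POOL, BACK_END)]
ROUTER_HOST = ipaddress.ip_network(ADSL_ROUTER + "/32")
SPLIT_AFTER = SPLIT_BEFORE + [ROUTER_HOST]
FILTER_AFTER = FILTER_BEFORE + [(VPN_POOL, ROUTER_HOST)]
ROUTES_AFTER = [(VPN_POOL, ASA_OUTSIDE_IP)]   # ip route 192.168.A.0 /24 192.168.X.254

def before(dst):
    return reachable(VPN_CLIENT, dst, SPLIT_BEFORE, FILTER_BEFORE, False, [])

def after(dst):
    return reachable(VPN_CLIENT, dst, SPLIT_AFTER, FILTER_AFTER, True, ROUTES_AFTER)
```

Removing any one of the three ASA lines or the router route makes `after(ADSL_ROUTER)` fail with the matching reason, which is a handy way to see which piece is doing what.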
alessio82
n00b
Posts: 14
Joined: Tue 10 Aug 2010, 11:20 am

GREAT !!! IT WORKS !!!

You can't imagine what you've just solved for me...!!! :D
pbratti
Cisco fan
Posts: 44
Joined: Sat 02 Jan 2010, 5:16 pm

Good,
if you need anything I'm here. (also for your business)
Bye,