Friday, April 18, 2008

CISCO ASA 5510, 5505 Creating A VPN Passthrough

Situation

You have installed the CISCO ASA in your organization, configured the NAT so that all of your own computers are protected behind the NAT and Firewall but now some users want to use a VPN to connect to some network outside. For example, a visiting or partner employee may want to connect back to their corporate office via an IPSEC VPN.

The VPN login seems to work, but nothing gets connected.

Why Does This Not Work On Out of The Box Usually?

Because of Network Address Translation, the VPN IP addresses gets translated through the firewall.

Possible Solution

The CISCO support web site has a very comprehensive information on this. The URL to the support article is this.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008045a2d2.shtml

This article also shows you how to configure this situation using the ASDM User Interface. But I know you don't want to read that so in summary here is what you would do:
  • Click Configuration on the Top Toolbar
  • On the side tool bar is "Security Policy"
  • Add the Following Access Rules (Access Rules Tab)
  • Add and/or Activate esp protocol in IP from the outside to the inside interface, Source is outside and destination is inside.
  • Add and/or Activate isakmp UDP protocol, source outside, destination the inside interface
  • Add and/or Activate UDP port 4500 traffic from source outside, destination the inside interface
Status

We've implemented this in April 08, it is June now and has been working very well in our environment. We've tried the "regular" CISCO VPN client connecting to the outside as well as CheckPoint ScruRemote VPN clients with it.

No comments: