
ASA 5520 SSL VPN using public IP addresses

Status
Not open for further replies.

herico (IS-IT--Management), Dec 14, 2010
Hi, everyone,

First of all, I am totally new to configuring Cisco ASA, but neither the command line nor ASDM is an obstacle for me. So please don't judge me too harshly.
So I am using an ASA 5520 device.
Requirements for the setup are:
1. The main result is SSL VPN.
2. In our company we are using public IP addresses. So basically the 157.128.182.0 subnet is dedicated to servers, 157.128.201.0 is dedicated to the VPN IP pool, and the 157.128.202.0 subnet is dedicated to another VPN pool for admins.
The default gateway will be 0 0 157.128.182.254. As I have already noticed, there can be only one default route. So how should the other subnets be connected to the Internet while all the subnets are public addresses?
What I have already done is the interface setup.
Management0/0 "outside" no management only 157.128.182.250 security 0
GigabitEthernet0/0 "inside0" no management only 157.128.201.253 security 100
GigabitEthernet0/0 "inside1" no management only 157.128.202.252 security 100
same-security-traffic permit inter-interface is enabled.

So I need some further guidance on how everything should be set up.
Do I need to use split tunneling? What ACLs should I use?
What NAT control should I use? If none, then how should the inside* interfaces access the Internet?
Thanks in advance.

Regards,
Thomas
 
Are you in Melbourne,Australia as those ip addresses belong to a government entity?
 
No, these addresses are just an example of public addresses.
Regarding the thread, is such a setup even possible, that two inside networks with public addresses reach the outside using their real addresses? Because every example I've found uses private address ranges.
 
Sure it is possible. I was consulting for a company that had exactly this kind of setup, although they were using Checkpoint as opposed to ASA for firewalls (it really threw me for a loop too because you rarely see this kind of setup anymore). Do you want the clients on the inside and VPN to use their IP addresses, or do you still want to NAT to just a few external IPs?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Yes, you can do that. I did a setup with all of the public IP space behind the firewall. It was an ASA5520 if I recall correctly. It also had SSL VPN and IPSEC VPN set up. I know you can have the separate pools for different groups but I'm not sure how to set that up if those IP pools need to access the internet as themselves (I set it up to hairpin and use the outside interface IP, I suppose you could specify a pool instead).

Some commands to enable:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Also, check the box in the ASDM that says "Enable traffic through the firewall without address translation"

As long as the ISP or external router is routing all of the "public" networks to the ASA, the ASA will handle it. NAT is not required if you have the IP space for all of your hosts but is recommended for security reasons. Make sure you take the approach of permitting only what is necessary and denying everything else when setting up your ACLs.
 
To clarify some things, I want the clients on the inside and VPN to use their real public IP addresses, no NAT. Maybe unclerico or intelwizrd could provide a sample configuration of such a setup.
Now I am stuck with setting up ACLs and some "nat" (I noticed that if you don't use NAT, the command still begins with nat). And maybe there's something else on your mind.
I am pasting my running config from the ASA 5520:

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name xxxx
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
!
interface GigabitEthernet0/0
nameif public
security-level 0
ip address 157.128.182.250 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside0
security-level 100
ip address 157.128.201.253 255.255.255.0
!
interface GigabitEthernet0/2
nameif inside1
security-level 100
ip address 157.128.202.252 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 0
ip address 10.200.200.250 255.255.255.0
management-only
!
ftp mode passive
clock timezone xxxx
dns domain-lookup public
dns domain-lookup inside0
dns domain-lookup inside1
dns domain-lookup management
dns server-group DefaultDNS
name-server 157.128.182.2
name-server 157.128.182.19
domain-name vgtu.lt
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm informational
mtu public 1500
mtu inside0 1500
mtu inside1 1500
mtu management 1500
ip local pool vpn_inside1_pool 157.128.202.100-157.128.202.105 mask 255.255.255.0
ip local pool vpn_inside0_pool 157.128.201.1-157.128.201.252 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route public 0.0.0.0 0.0.0.0 157.128.182.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.200.200.0 255.255.255.0 management
http 157.128.182.0 255.255.255.0 public
http 157.128.202.0 255.255.255.0 public
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint VPN_TRUSTPOINT
keypair VPN_TRUSTPOINT
crl configure
---------------------
certificate part
---------------------
telnet timeout 5
ssh 157.128.182.0 255.255.255.0 public
ssh 157.128.202.0 255.255.255.0 public
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point VPN_TRUSTPOINT public
webvpn
enable public
svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 1 regex "Linux"
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2 regex "Intel Mac OS X"
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 3 regex "Windows NT"
svc image disk0:/anyconnect-wince-ARMv4I-2.4.1012-k9.pkg 4 regex "Windows CE"
svc enable
group-policy DfltGrpPolicy attributes
dns-server value 157.128.182.2 157.128.182.19
vpn-tunnel-protocol svc
address-pools value vpn_inside0_pool
---------------------------------
user 1
---------------------------------
user 2
---------------------------------
user 3
---------------------------------
tunnel-group default_vpn type remote-access
tunnel-group default_vpn general-attributes
address-pool vpn_inside0_pool
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
 
By default the ASA wants to do NAT, because that's what most people use. You will have to set up NAT 0 policies to pass your traffic without translation. (Probably good to get practice now, because IPv6 won't need it)

The key to your VPN question is that the IP pool is not associated with a particular "interface". When a client connects by VPN, the firewall creates a virtual entity that represents the IP. That IP interacts with other systems because you have done 1 of 2 things: 1) set up reverse-route injection which passes the VPN IPs into your routing process (RIP, EIGRP, or OSPF) as /32 hosts, or 2) you have a static route on an interior router for the VPN network pointing to the ASA (in many cases the default route works).

Realistically, the ASA is your network edge device, which means routing of your misc 157.x.y.z networks will be handled by an interior device.

"same-security-traffic permit inter-interface" means that you have 2 or more physical interfaces with the same security level, and you want to pass traffic between them with no ACLs.

"same-security-traffic permit intra-interface" does something similar to the above command, but is typically used to allow VPN traffic to "hairpin" on an interface. By default the ASA requires a packet to leave on a different interface than the one it came in on. If your ASA is doing both Site-to-site VPN and Remote Access VPN and you want the RA clients to access resources over the S2S link, then you need this enabled. This is also used if you don't permit split tunnelling on your RA client and you want the client to have internet access while connected to VPN.

I'm looking back at your original post... Are you using this as a VPN terminator and nothing else?

PSC
CCNP x3 (Security/R&S/Wireless) | MCITP: Enterprise Admin | MCSE

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --from "Hackers"
 
Yep, we are using the ASA 5520 only as a VPN terminator; we have another machine which serves as the firewall.
Regarding the routes, I've already added the default route (route public 0.0.0.0 0.0.0.0 157.128.182.254 1) for the public interface. As I understand it, I need to add routes to the inside* interfaces, but when I try to add, for example, a static route for the inside0 interface, let's say route 157.128.201.0 255.255.255.0 157.128.201.254 1, it says that this route already exists. So I suppose that I have to use some kind of dynamic routing.
Thank you for the help.
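The NAT exemption and ACL points made in the replies above, together with the connected-route behaviour behind the "route already exists" message in the last post, collected into one ASA 8.2(1) configuration fragment. This is an added example, not the original poster's config and not something posted by the other participants; interface names and subnets are taken from the running config above, and the access-list names are invented placeholders. It uses the 8.2 NAT syntax the poster is running (8.3 and later changed the NAT commands).

```cisco
! Added example (not from the thread): ASA 8.2(1) fragment for a no-NAT
! public-address layout. Interface names and subnets follow the posted
! running config; the access-list names are invented placeholders.

! --- Routing --------------------------------------------------------------
! 157.128.201.0/24 and 157.128.202.0/24 are directly connected on inside0
! and inside1, so the ASA already holds connected routes for them; a static
! route for the same prefix is rejected as already existing. Only the
! default route toward the edge router is needed, as already configured.
route public 0.0.0.0 0.0.0.0 157.128.182.254 1

! --- NAT exemption (nat 0) -------------------------------------------------
! Pass inside traffic untranslated so hosts and VPN clients are seen with
! their real public addresses in both directions.
access-list INSIDE0_NONAT extended permit ip 157.128.201.0 255.255.255.0 any
access-list INSIDE1_NONAT extended permit ip 157.128.202.0 255.255.255.0 any
nat (inside0) 0 access-list INSIDE0_NONAT
nat (inside1) 0 access-list INSIDE1_NONAT

! --- Interface ACL: permit only what is needed, deny and log the rest ------
! inside0/inside1 are security level 100, so their outbound traffic needs no
! ACL; the public interface (level 0) gets one for unsolicited inbound
! sessions. Remote-access VPN traffic bypasses interface ACLs by default
! (sysopt connection permit-vpn), so this list governs non-VPN traffic only.
access-list PUBLIC_IN extended permit icmp any any echo-reply
access-list PUBLIC_IN extended permit icmp any any time-exceeded
access-list PUBLIC_IN extended permit icmp any any unreachable
access-list PUBLIC_IN extended deny ip any any log
access-group PUBLIC_IN in interface public

! --- Hairpinning for full-tunnel VPN clients ------------------------------
! With tunnelall (the default), Internet-bound client traffic is decrypted
! on public and sent back out public, which needs intra-interface
! permission. Both same-security-traffic lines are already in the running
! config; they are repeated here so the fragment is complete on its own.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelall
```

The deny-and-log line at the end of PUBLIC_IN is what turns the "permit only what is necessary" advice into something observable: anything the ACL drops shows up in the syslog, which is the first place to look when a flow that should work does not.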
 