
ASA VPN problems

Status
Not open for further replies.

dkluth

Technical User
Nov 10, 2005
85
US
Hi Guys,

Well, I am new to ASA. I have been using Cisco routers for years and I have a Checkpoint firewall. Here's what I need to accomplish. I have an ASA5505. I have a vendor that has provided a VPN Peer address and an FTP server address.

Here's where it gets tricky. The ASA is inside my internal network. It has no DMZ zone. I only have the one inside interface connected.

I need to be able to have clients FTP to the inside interface IP (192.168.150.86) and have the ASA open a VPN tunnel. In my current configuration it drops it when it gets to the VPN with (acl-drop) Flow is denied by configured rule. I have it set up to allow traffic between two hosts on the same network.

Can anyone here help me?

Thank You,

Doug Kluth
 
Ok, here's what I'm trying to do. On the remote end, (they told us what we need) they have a Cisco VPN concentrator.

We purchased a Cisco 5505. We need to be by corporate f/w, behind our main firewall. So on the inside we have a class c network. 192.168.0.0/16 . They have given me two IPs. Their Peer and their FTP server.

On the ASA I have the inside interface, 192.168.150.45 and the outside, 192.168.1.30 which leads to a DMZ zone.

Here's what I need to accomplish. I need an inside user to be able to ftp to either the inside interface of the ASA or another class c address that I can route to the inside interface of the ASA. I need the ASA to forward that to the DMZ, natting it to the same IP (no matter who the original request came from) (probably nat to the interface IP) and then set up the VPN to their FTP server.

I am not going to post the config unless you really need it because I keep restoring it to factory config.

Please let me know and thank you for any advice/help you can provide.

Doug
 
If you are configuring a vpn then I would put the ASA parallel to your existing checkpoint firewall and configure its outside interface with a public IP.
 
Management wants it inside of the firewall. So I guess that's my cross to bear.
 
Well you can have the outside interface inside your existing network. You will have to port a static through the checkpoint and permit udp 500, protocol 50 and perhaps protocol 51 based on VPN configuration.

Once the tunnel is up, the end user will ftp to the ip address of the server on the other end of the vpn tunnel.

On a side note, why didn't you just configure the VPN on your checkpoint?
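An added, constructed ASA configuration sketch for the design described in this reply (pre-8.3 NAT syntax, not the poster's config or any vendor-supplied one): the ASA outside interface at 192.168.1.30 sits behind the Checkpoint's static, inside hosts are policy-NATed to the outside interface address before the tunnel, and the crypto ACL matches that translated address because the ASA applies NAT before the crypto ACL check. VENDOR_PEER_IP, VENDOR_FTP_IP, the next-hop 192.168.1.1 and the pre-shared key are placeholders.

```cisco
! Constructed example; addresses in capitals are placeholders
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.150.45 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.30 255.255.255.0
! Default route toward the Checkpoint (placeholder next hop)
route outside 0.0.0.0 0.0.0.0 192.168.1.1
!
! Policy NAT: inside hosts going to the vendor FTP server are PAT'd to the outside interface IP
access-list VENDOR_POLICY extended permit ip 192.168.150.0 255.255.255.0 host VENDOR_FTP_IP
nat (inside) 2 access-list VENDOR_POLICY
global (outside) 2 interface
! Everything else from inside uses ordinary PAT
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Crypto ACL matches the post-NAT source (the outside interface), otherwise the flow
! never matches the tunnel and is dropped by the regular access rules (acl-drop)
access-list VENDOR_VPN extended permit ip host 192.168.1.30 host VENDOR_FTP_IP
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! The ASA's outside address is itself translated by the Checkpoint, so ESP must ride
! in UDP 4500 (NAT-T); the Checkpoint static then needs UDP 500 and UDP 4500 inbound
crypto isakmp nat-traversal 20
crypto ipsec transform-set VENDOR_TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VENDOR_VPN
crypto map OUTSIDE_MAP 10 set peer VENDOR_PEER_IP
crypto map OUTSIDE_MAP 10 set transform-set VENDOR_TS
crypto map OUTSIDE_MAP interface outside
!
tunnel-group VENDOR_PEER_IP type ipsec-l2l
tunnel-group VENDOR_PEER_IP ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK
```

The vendor side must then point its peer at the Checkpoint's public static address and accept 192.168.1.30 (or whatever that static maps to) as the only encryption-domain source.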
 