Restart a VPN tunnel on a Cisco ASA or PIX

To reset and restart VPN tunnels on a Cisco ASA or PIX firewall simply type:

clear crypto isakmp sa

Allow access to DMZ or other remote Vlan over VPN tunnel on Cisco ASA 8.4

I recently needed to provide internal access to a DMZ Vlan at one of my remote sites over a VPN tunnel. The VPN tunnel was provided by 2 Cisco ASA 5505 firewalls both running ASA software versions more recent than 8.4. The LAN subnets in this example can be defined as follows:

Main Office Subnet:     10.0.10.0/24

Remote Office Subnet:     10.0.20.0/24

Remote Office DMZ Subnet:     192.168.20.0/24

This article assumes that you already have the site to site VPN tunnel set up between the main office (10.0.10.0/24) subnet and the remote office (10.0.20.0/24) subnet, and that you have already created a network object for your main office subnet called main-office-lan, and for your remote office subnet called remote-office-lan on both ASAs. It also assumes that your DMZ interface on the remote ASA is called ‘dmz‘, and that you have an ACL defining interesting VPN traffic called main-remote-vpn on both ASAs.

Firstly create a network object for the remote office DMZ on both the main office and remote office ASAs. In configuration mode add the following two commands

object network remote-office-dmz

subnet 192.168.20.0 255.255.255.0

Next create a network object group for the 2 subnets at your remote site on both the main office and remote office ASAs

object-group network remote-office-networks
network-object object remote-office-lan
network-object object remote-office-dmz

Next, on the remote office ASA exempt traffic from the remote office DMZ subnet, to main office subnet from Network Address Translation (NAT) on the outside interface. i.e. traffic that will be travelling from the 192.168.20.0/24 to the 10.0.10.0/24 subnet over the VPN tunnel. In configuration mode add the following command:

nat (dmz,outside) source static remote-office-dmz remote-office-dmz destination static main-office-lan main-office-lan

Then on the remote office ASA change the ACL that defines interesting traffic for your site to site vpn tunnel (in this case called main-remote-vpn) to include the the dmz subnet, by using the network object group that you created earlier:

access-list main-remote-vpn extended permit ip object-group remote-office-networks object main-office-lan

Next you need to modify the configuration of the main office ASA to exempt traffic travelling over the VPN tunnel to the remote office DMZ from NAT, and also add the remote office subnet to the ACL that defines interesting traffic for your site to site VPN tunnel:

Modify the NAT rule on the main office ASA in config mode:

nat (inside,outside) source static main-office-lan main-office-lan destination static remote-office-networks remote-office-networks

Then modify the ACL that defines your site to site VPN traffic in config mode:

access-list main-remote-vpn extended permit ip object main-office-lan object-group remote-office-networks

Thats it, you should now be able to connect to hosts in the DMZ at you remote site over your site to site VPN connection. If you have multiple site to site VPNs from your main office network you may need to tweak this config , but the theory is the same.

PLEASE NOTE: This configuration will allow hosts in the DMZ at your remote site to connect to any hosts in your main office network! Clearly in most cases this will not be desirable, unless the additional remote Vlan is not a DMZ and performs some other function, which is not exposed directly to the Internet (which was the situation in my case). In any event you may wish to use VPN filters  to restrict traffic from the remote DMZ Vlan to your main office, or by disabling sysopt connection permit-vpn using the no sysopt connection permit-vpn command and applying ACLs to your outside interface. Excercise caution when applying either of these types of filtering to make sure you don’t restrict yourself from the site to site VPN tunnel.

Allow telnet, SSH, or HTTPS remote management on a Cisco 800 series using a Zone Based Firewall

I have recently installed some Cisco 877 routers at some of our branch offices, and wanted to allow remote management of these devices from the LAN at our central location over the VPN. With the Zone based firewall enabled there is no access allowed to the ‘Self’ zone from remote locations by default, as you would expect. This process is pretty straightforward when you are using Cisco PIX or ASA firewalls as you can use the management-access inside command, and then easily define which subnets you want to be able to access which remote management tools. There is no equivalent command when using an IOS router, so you need to configure the appropriate access list, class map, and policy map

In this example the site to site VPN is already configured as is the zone based firewall which was configured by SDM. The following subnets are defined for the LANs at each location:

192.168.1.0/24 – This is the head office LAN subnet which I want to allow access to the remote router over the VPN tunnel

192.168.2.0/24 – This is the branch office LAN subnet which is attached to the Cisco 877

The ip address of the 877 router at the branch office is:

192.168.2.254

Firstly, create an access list to define which services you want to allow access to, from the head office subnet:

router(config)# ip access-list extended remote-manage

router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.254 eq 22

This allows SSH access from the 192.168.1.0/24 subnet to the router

router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.254 eq telnet

This allows telnet access from the 192.168.1.0/24 subnet to the router

router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.254 eq 443

This allows HTTPS access from the 192.168.1.0/24 subnet to the router

Next, create the following class maps:

router(config)# class-map type inspect match-any remote-manage

router(config-cmap)# match access-group name remote-manage

router(config)# class-map type inspect match-any router-access

router(config-cmap)# match class-map remote-manage

Finally, add this policy map

router(config)# policy-map type inspect sdm-permit

router(config-pmap)#class type inspect router-access

router(config-pmap-c)# inspect

You should now be able to telnet, SSH and use SDM to access the router from the head office subnet. If you need to allow any other subnets or hosts to access the router remotely simply add them to the access-list you created earlier. It could be that you want to allow SSH access to the external Internet facing IP of the router which you could do by adding the following (where X.X.X.X is the external IP of the router):

router(config)# ip access-list extended remote-manage

router(config-ext-nacl)# permit tcp any host X.X.X.X eq 22

This would allow any Internet host to access the external IP of the router using SSH, although it would be preferable to lock this down to specific IP addresses or subnets that you already own.