
Cisco ASA/PIX hub and spoke VPN routing

RTPIT asked:
I am wondering if it is possible to route between tunnels in a hub and spoke environment. Can the Remote VPN User in the example below connect to the 5540 and then hit resources behind the 5505 or 5510? Is this as simple as adding the necessary route statement in the 5540 or does the VPN Group Policy get the routing info? Also, I have 12 - 15 point to point tunnels on this ASA 5540, is there a way to limit by group membership on the ASA what resources VPN Users can connect to besides using Windows/AD group membership? This does assume Active Directory DNS is being passed to the Remote VPN User.

Cisco ASA 5505 ---\
                   \ Existing VPN Tunnel
                    \--------------------------\
                                                Cisco ASA 5540 <-----------> Remote VPN User
                    /--------------------------/
                   / Existing VPN Tunnel
Cisco ASA 5510 ---/

>>Can the Remote VPN User in the example below connect to the 5540 and then hit resources behind the 5505 or 5510?

Yes, you can.  It's called "hairpinning" and this is a new capability introduced in the 7.x code of the ASA.

>>Is this as simple as adding the necessary route statement in the 5540 or does the VPN Group Policy get the routing info?

There are a couple of other things involved, but not many.  Here is the documentation on how to do this:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpnsysop.html#wp1042114

>>is there a way to limit by group membership on the ASA what resources VPN Users can connect to besides using Windows/AD group membership?

Yes, there is.  The restriction of resource access is by IP address and port, since it is implemented via ACLs in the ASA and those can only use source/destination address and source/destination port to restrict access.

If you need more specific help or code examples, please post your existing configuration (sanitized, of course) and we can take a look...
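The points in the answer above, pulled together into a hub-side configuration as an added example (this is not the poster's configuration or text from Cisco's documentation); the networks, object names and ASA 7.2-era syntax are assumptions, and each spoke ASA needs the mirror-image crypto ACL entry for the remote-access pool.

```cisco
! Hub ASA 5540, ASA 7.2-era syntax. All addresses and names are constructed:
!   hub LAN 10.1.0.0/16, site behind the 5505 10.5.0.0/16, RA pool 192.168.100.0/24

! 1. Let traffic that was decrypted on "outside" be sent back out "outside" (hairpinning).
same-security-traffic permit intra-interface

! 2. No route statement is needed: the crypto ACL defines what enters the 5505 tunnel.
!    Add the RA pool as a source. The 5505's crypto ACL must carry the mirror-image entry.
access-list L2L-5505 extended permit ip 10.1.0.0 255.255.0.0 10.5.0.0 255.255.0.0
access-list L2L-5505 extended permit ip 192.168.100.0 255.255.255.0 10.5.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address L2L-5505

! 3. Exempt the hairpinned pool -> spoke traffic from NAT on the interface it re-enters.
access-list NONAT-OUTSIDE extended permit ip 192.168.100.0 255.255.255.0 10.5.0.0 255.255.0.0
nat (outside) 0 access-list NONAT-OUTSIDE

! 4. Split-tunnel list: the client only sends the spoke network into the tunnel if it is listed.
access-list RA-SPLIT standard permit 10.1.0.0 255.255.0.0
access-list RA-SPLIT standard permit 10.5.0.0 255.255.0.0

! 5. Per-group restriction by address and port. vpn-filter ACLs are written with the
!    VPN client/pool as the source and the protected resource as the destination, and
!    are checked against both directions of a flow. This group gets AD DNS, RDP to the
!    5505 site and SMB to one hub file server; everything else in the tunnel is dropped.
access-list RA-FILTER extended permit udp 192.168.100.0 255.255.255.0 host 10.1.1.5 eq 53
access-list RA-FILTER extended permit tcp 192.168.100.0 255.255.255.0 10.5.0.0 255.255.0.0 eq 3389
access-list RA-FILTER extended permit tcp 192.168.100.0 255.255.255.0 host 10.1.1.10 eq 445
access-list RA-FILTER extended deny ip any any

ip local pool RA-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

group-policy RA-SUPPORT internal
group-policy RA-SUPPORT attributes
 dns-server value 10.1.1.5
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA-SPLIT
 vpn-filter value RA-FILTER

! A second group (e.g. RA-FINANCE) gets its own filter ACL; a user lands in a group
! through the tunnel-group they connect to, or through a RADIUS/LDAP group-policy assignment.
tunnel-group RA-SUPPORT type ipsec-ra
tunnel-group RA-SUPPORT general-attributes
 address-pool RA-POOL
 default-group-policy RA-SUPPORT
```

Because `sysopt connection permit-vpn` is on by default, decrypted VPN traffic bypasses the interface ACL, so the vpn-filter is what actually limits each group; `show vpn-sessiondb remote` and `show crypto ipsec sa` are the first things to check when a pool address cannot reach a spoke.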

RTPIT (Author) commented:
Thanks. Looks like exactly what I want to do. I am in the process of replacing my PIX 525 with a 5540 and as soon as I get this implemented, I will re-post results.
