Solved

Cisco ASA/PIX hub and spoke VPN routing

Posted on 2008-01-28
Last Modified: 2011-01-16
I am wondering if it is possible to route between tunnels in a hub and spoke environment. Can the Remote VPN User in the example below connect to the 5540 and then hit resources behind the 5505 or 5510? Is this as simple as adding the necessary route statement in the 5540, or does the VPN Group Policy get the routing info? Also, I have 12-15 point-to-point tunnels on this ASA 5540; is there a way to limit by group membership on the ASA what resources VPN Users can connect to, besides using Windows/AD group membership? This does assume Active Directory DNS is being passed to the Remote VPN User.

Cisco ASA 5505---\
                  \ Existing VPN Tunnel
                   \------------------------------\
                                                   Cisco ASA 5540 <-----------> Remote VPN User
                   /------------------------------/
                  / Existing VPN Tunnel
Cisco ASA 5510---/
Question by: RTPIT

2 Comments

Accepted Solution

by: batry_boy (earned 2000 total points)
ID: 20764404
>>Can the Remote VPN User in the example below connect to the 5540 and then hit resources behind the 5505 or 5510?

Yes, you can.  It's called "hairpinning" and this is a new capability introduced in the 7.x code of the ASA.

>>Is this as simple as adding the necessary route statement in the 5540 or does the VPN Group Policy get the routing info?

There are a couple of other things involved, but not many.  Here is the documentation on how to do this:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpnsysop.html#wp1042114

>>is there a way to limit by group membership on the ASA what resources VPN Users can connect to besides using Windows/AD group membership?

Yes, there is.  The restriction of resource access is by IP address and port, since it is implemented via ACLs in the ASA, and those can only use source/destination address and source/destination port to restrict access.

If you need more specific help or code examples, please post your existing configuration (sanitized, of course) and we can take a look...
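The two pieces the accepted answer describes (letting remote-access traffic hairpin out through the site-to-site tunnels, and restricting what a VPN group may reach with an ACL) look roughly like this on a 7.x-era ASA hub. This is an added example written for this page, not configuration from the answer, the questioner, or Cisco's documentation; every address, pool, ACL name, group-policy and tunnel-group name is an assumed placeholder, and the NAT lines use the pre-8.3 NAT-exemption syntax that matches the 2008 software the thread is about.

```cisco
! Added example (hub ASA 5540); all names and addresses below are assumed placeholders.
!
! --- 1. Hairpinning: allow traffic that arrives on "outside" to leave via "outside" again ---
same-security-traffic permit intra-interface
!
! --- 2. Assumed address plan ---
!   10.10.0.0/24      network behind the ASA 5505 (spoke A)
!   10.20.0.0/24      network behind the ASA 5510 (spoke B)
!   192.168.100.0/24  pool handed out to remote VPN users by the hub
ip local pool RA-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
!
! --- 3. The existing site-to-site crypto ACLs must also carry the RA pool, so that
!        pool-to-spoke traffic is selected for encryption; each spoke needs the
!        mirror-image entry in its own crypto ACL ---
access-list L2L-TO-5505 extended permit ip 192.168.100.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list L2L-TO-5510 extended permit ip 192.168.100.0 255.255.255.0 10.20.0.0 255.255.255.0
!
! --- 4. Exempt the hairpinned traffic from NAT (it enters and leaves on "outside") ---
access-list NONAT extended permit ip 192.168.100.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list NONAT extended permit ip 192.168.100.0 255.255.255.0 10.20.0.0 255.255.255.0
nat (outside) 0 access-list NONAT
!
! --- 5. Split-tunnel list: the client only sends the spoke networks into the tunnel ---
access-list SPLIT-TUNNEL standard permit 10.10.0.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.20.0.0 255.255.255.0
!
! --- 6. Per-group resource restriction with a vpn-filter ACL.
!        Cisco's convention for a vpn-filter ACE: source = the remote (VPN client) side,
!        destination = the local/spoke side; the filter is applied in both directions
!        and ends in an implicit deny, so only the listed host/port pairs are reachable ---
access-list VPNFILTER-HELPDESK extended permit tcp 192.168.100.0 255.255.255.0 host 10.10.0.25 eq 3389
access-list VPNFILTER-HELPDESK extended permit udp 192.168.100.0 255.255.255.0 host 10.20.0.5 eq 53
!
group-policy GP-HELPDESK internal
group-policy GP-HELPDESK attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 vpn-filter value VPNFILTER-HELPDESK
!
! --- 7. One tunnel-group (connection profile) per user population; each group gets
!        its own group-policy and therefore its own vpn-filter ---
tunnel-group RA-HELPDESK type ipsec-ra
tunnel-group RA-HELPDESK general-attributes
 address-pool RA-POOL
 default-group-policy GP-HELPDESK
!
! --- Checks after a client connects (output not shown here) ---
! show running-config same-security-traffic
! show crypto ipsec sa peer <spoke-public-ip>      <- encaps/decaps counters for the pool/spoke SA
! show vpn-sessiondb remote                        <- confirms which group-policy and filter applied
```

The design point is that the group policy, not a route, is what scopes access: routing of the pool toward the spokes happens through the crypto ACLs and NAT exemption, while the vpn-filter bound to each group-policy decides which hosts and ports that population may touch. A second population gets a second tunnel-group, group-policy and filter ACL; an ACL used as a vpn-filter should not also be bound to an interface with access-group.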
Author Comment

by: RTPIT
ID: 20769592
Thanks. Looks like exactly what I want to do. I am in the process of replacing my PIX 525 with a 5540 and as soon as I get this implemented, I will re-post results.