• Status: Solved
  • Priority: Medium
  • Security: Public

ASA Remote Access VPN to two inside interfaces

Hello, I have a VPN inquiry. Here are the details:

ASA 5520 v8.3
“inside” interface (network 1, 172.16.0.x/24)
“inside2” interface (network 2, 192.168.0.x/24)

REMOTE ACCESS VPN
I have an IPsec remote access VPN set up to access the first network on the “inside” interface, but I cannot access the second network on the “inside2” interface. I am not sure if I can make a static route on the ASA or other config.

Question: Will the ASA allow me to set up one remote access VPN to two inside interfaces, or do I have to have one connection profile per interface?

I am not sure, but I am guessing there are a couple of solutions. Any suggestions that can get me headed in the right direction will help.

Just a note, there are two separate networks and Windows Domain. Each ASA physical inside interface is connected to a core switch to each respective network. I need to be able to remotely manage each network.
Asked: ItSecurePro

1 Solution
 
Gareth Gudger commented:
Hi ItSecurePro,

No, you would not need a route. The ASA is aware of every subnet directly connected to its interfaces.

Off the top of my head, you should only need to modify an ACL. You would have created an ACL for the VPN when you first set it up. If you need the name of the ACL associated with the VPN it is likely referenced as:

nat (inside) 0 access-list <name of ACL>

Look for NAT 0. Probably the first NAT statement.

Just add an extra line in that ACL that permits traffic from the INSIDE IP subnet to the INSIDE2 IP subnet.

i.e. access-list <name of VPN ACL> extended permit ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.255.0

That should do it.
 
ItSecurePro (Author) commented:
Thank you! I will give this a try and report back.
 
ItSecurePro (Author) commented:
Thank you for leading me in the right direction. I had to add the other network (on the other inside interface) and fix my NAT rule for the VPN.

I created an ACL for my VPN IP pool, then added an ACE for both networks (172.16.0.x/24 and 192.168.0.x/24).

Next I added an any, any static NAT for traffic on both inside interfaces:

nat (any,any) source static any any destination static VPN-Hosts-Object VPN-Hosts-Object
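For readers on 8.3 or later, the following is an added example (not configuration from the thread or from either participant) of the complete picture the author describes: one remote-access VPN reaching both directly connected inside subnets. Interface names and the two subnets come from the question; the VPN pool range 10.99.0.0/24, the outside interface name, and the object, ACL, group-policy and tunnel-group names are assumptions. The identity NAT is scoped per inside interface and per internal subnet instead of the thread's `nat (any,any) ... any any`, so only traffic between the internal hosts and the VPN pool is exempted from translation.

```cisco
! Added example for ASA 8.3+, not from the thread. Pool range, "outside"
! interface name and all object/ACL/policy names are assumptions.

! Remote-access address pool (assumed range) and an object for it, playing
! the role of the thread's VPN-Hosts-Object.
ip local pool RA-VPN-POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0
object network VPN-Hosts-Object
 subnet 10.99.0.0 255.255.255.0

! The two internal networks behind "inside" and "inside2" (from the question).
object network NET-INSIDE
 subnet 172.16.0.0 255.255.255.0
object network NET-INSIDE2
 subnet 192.168.0.0 255.255.255.0

! Split-tunnel list: one ACE per internal network, so only these two
! subnets are routed into the tunnel on the client.
access-list SPLIT-TUNNEL standard permit 172.16.0.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.0.0 255.255.255.0

! 8.3+ identity ("twice") NAT replacing the pre-8.3 "nat (inside) 0"
! exemption. One statement per inside interface, each limited to its own
! subnet and the VPN pool, rather than a blanket (any,any) any/any rule.
nat (inside,outside) source static NET-INSIDE NET-INSIDE destination static VPN-Hosts-Object VPN-Hosts-Object
nat (inside2,outside) source static NET-INSIDE2 NET-INSIDE2 destination static VPN-Hosts-Object VPN-Hosts-Object

! Group policy that applies the split-tunnel list, and the connection
! profile (a single one covers both inside interfaces; no second profile
! is needed).
group-policy RA-VPN-GP internal
group-policy RA-VPN-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool RA-VPN-POOL
 default-group-policy RA-VPN-GP
```

No static route is needed for either subnet, since both are directly connected, which is the point Gareth makes above. Two checks after applying this: `show nat` should show hits on both identity rules when a VPN client talks to hosts on each network, and `packet-tracer input inside tcp 172.16.0.10 1024 10.99.0.5 3389` (and the same from `inside2`) should end with the untranslated identity NAT phase and an allow verdict. Note that VPN-terminated traffic bypasses the interface ACLs only while `sysopt connection permit-vpn` (the default) is in effect; if that has been disabled, the ACLs on `inside` and `inside2` must also permit traffic to and from the pool.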
 
Gareth Gudger commented:
Glad you got it resolved! I just noticed you were on 8.3 as well. I was giving you instructions for 8.2 and earlier - Sorry!
 
ItSecurePro (Author) commented:
No problem. It is taking me a little time to get used to the changes for 8.3 and higher. The NAT commands are completely different now, but I got it down. Thanks.
 
Gareth Gudger commented:
Yes.... they are very different.