[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

ASA Remote Access VPN to two inside interfaces

Posted on 2014-01-10
6
Medium Priority
?
1,321 Views
Last Modified: 2014-01-28
Hello I a VPN inquiry. Here are the details:

ASA 5520 v8.3
“inside” interface (network 1, 172.16.0.x/24)
“inside2” interface (network 2, 192.168.0.x/24)

REMOTE ACCESS VPN
I have an IPsec remote access vpn setup to access the first network on the “inside” interface, but I cannot access the second network on the “inside2” interface. I am not sure if I can make a static route on the ASA or other config.

Question: Will the ASA allow me to setup one remote access VPN to two inside interfaces or do I have to have one connection profile per interface?

I am not sure, but I am guessing there are a couple of solutions. Any suggestions that can get me headed in the right direction will help.

Just a note, there are two separate networks and Windows Domain. Each ASA physical inside interface is connected to a core switch to each respective network. I need to be able to remotely manage each network.
0
Comment
Question by:ItSecurePro
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 1200 total points
ID: 39772329
Hi ItSecurePro,

No, you would not need a route. The ASA is aware of every subnet directly connected to its interfaces.

Off the top of my head, you should only need to modify an ACL. You would have created an ACL for the VPN when you first set it up. If you need the name of the ACL associated with the VPN it is likely referenced as:

NAT (inside) 0 access-list <name of ACL>.

Look for NAT 0. Probably the first NAT statement.

Just add an extra line in that ACL that permits traffic from the INSIDE IP subnet to the INSIDE2 IP subnet.

ie. access-list <name of VPN ACL> extended permit ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.255.0

That should do it.
0
 

Author Comment

by:ItSecurePro
ID: 39772515
Thank you! I will give this a try and report back.
0
 

Author Closing Comment

by:ItSecurePro
ID: 39777869
Thank you for leading towards the right direction. I had to add the other network (on the other inside interface) and fix my NAT rule for the vpn.

I created a ACL for my VPN IP Pool, then added an ACE for both network (172.16.0.x/24, and 192.168.0.x/24.

Next I added a any, any static NAT for traffic on both inside interfaces:

nat (any,any) source static any any destination static VPN-Hosts-Object VPN-Hosts-Object
0
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39778216
Glad you got it resolved! I just noticed you were on 8.3 as well. I was giving you instructions for 8.2 and earlier - Sorry!
0
 

Author Comment

by:ItSecurePro
ID: 39815431
No problem. It is taking me a little time to get used to the changes for 8.3 and higher. The NAT commands are completely different now, but I got it down. Thanks.
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39815644
Yes.... they are very different.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
A new hacking trick has emerged leveraging your own helpdesk or support ticketing tools as an easy way to distribute malware.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question