Solved

Cisco VPN (AnyConnect) and Site-to-Site

Posted on 2014-01-22
952 Views
Last Modified: 2014-04-22
First off - I thought this was solved, as you can read here: http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_28310395.html

Unfortunately, it was not, because of an unknown error (it broke our site-to-site VPN).

Here is our setup:

Internal Network 192.168.1.x <--> (Inside: 192.168.1.1) Cisco ASA (Outside: 10.1.10.200) <--> Comcast SMB with external 70.91.xxx.xxx with 5 IP addresses.

We have a site-to-site which is working fine to building 'B'.

What we want to accomplish is setting up an AnyConnect VPN, which we had working when we did what is in the link above, but it broke our site-to-site VPN.

I thought I could just use a public IP address like 70.91.xxx.19 and use that as the VPN public IP, but it has to be the 'outside' on the Cisco ASA, so what I did was route traffic to 10.1.10.200 (the Cisco ASA from the cable modem side). What that does, though, is route all the traffic as 70.91.xxx.19 when it's going out, so basically the site-to-site VPN said 'hey, this traffic is supposed to be coming from 70.91.xxx.22' and it broke.

Any ideas?
Question by:Jesh1975
11 Comments
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39800829
The site-to-site VPN is also configured on the external IP address of the ASA. The ASA does not allow termination of a site-to-site VPN on an IP address other than the outside IP address.

What do you have configured as the remote IP address on site B? You should use that IP address for AnyConnect.
 

Author Comment

by:Jesh1975
ID: 39800851
The site-to-site VPN terminates at 70.91.xxx.22, which is one of our public IP addresses.

If I log into the ASA at building B, it is showing 70.91.xxx.22 as the VPN it's connected to remotely. This is why I am so confused.
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39800875
When you go from the internet (not from site A) to https://70.91.xxx.22/, do you get the login page for AnyConnect?

 

Author Comment

by:Jesh1975
ID: 39800889
No I do not.

Just a note - I think we can only initiate the VPN tunnel from building A (the one we want to have site-to-site AND AnyConnect) when we need the VPN to be rebuilt from A to B.
 

Author Comment

by:Jesh1975
ID: 39807498
Any additional thoughts on this?
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39813478
I think your cable modem is doing some kind of NAT. Can you try to log in to your cable modem and see if you can forward ports?
 

Author Comment

by:Jesh1975
ID: 39814048
There's no NAT on the cable modem and no port forwarding turned on.

We host our email, web server, video server and some other stuff with NAT in the firewall and it works great. I will double-check when I get into the office tomorrow.
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39814222
OK, to recap what you told us:

Cisco ASA (Outside: 10.1.10.200)
When you go on the internet, your external IP appears to be 70.91.xxx.22 (am I right?)

So this means NAT is performed by your cable modem. Can you ask your ISP if you can configure the external IP addresses directly on your firewall? I have seen instances where the cable modem accepts a local address as well as a public address being configured.
 

Author Comment

by:Jesh1975
ID: 39815541
Yes,

ASA (Inside 192.168.1.x), Outside, 10.1.10.200

I try whatismyip.com and end up with 70.91.xxx.22.

Are you thinking I should ask them to put the cable modem into transparent bridge mode?
 

Author Comment

by:Jesh1975
ID: 39815550
BTW, the NAT I am doing on my firewall works fine. If I check our web server IP from that computer, it will show 70.91.xxx.18.

In that case we have traffic from internal 192.168.1.20 NATed as 70.91.xxx.18...
 
LVL 12

Accepted Solution

by:Henk van Achterberg (earned 500 total points)
ID: 39820083
I think you should ask your ISP if you can use the 70.91.xxx.22 directly on your ASA instead of the internal IP.
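To make the accepted answer concrete, here is an added ASA configuration sketch that is not the asker's or the expert's config: it shows what the box looks like once the ISP lets the public address sit directly on the ASA's outside interface, so that the site-to-site tunnel and AnyConnect both terminate on that same IP. Assumptions (none are from the thread): ASA 8.4+ syntax, a /29 from Comcast, the interface names, building B's LAN of 192.168.2.0/24 behind a peer at 203.0.113.10 (placeholder), an AnyConnect pool of 192.168.50.0/24, and the asker's existing static NAT for the web server at 192.168.1.20. The pre-shared key and AnyConnect package name are placeholders.

```cisco
! Added illustration, not the thread's configuration.
! Public IP on the outside interface; the mask assumes a /29 from the ISP.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 70.91.xxx.22 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
! Assumed building-B LAN
object network SITE_B_NET
 subnet 192.168.2.0 255.255.255.0
! Assumed AnyConnect address pool
object network ANYCONNECT_POOL_NET
 subnet 192.168.50.0 255.255.255.0
! The static NAT the asker already runs for the web server
object network WEBSERVER
 host 192.168.1.20
 nat (inside,outside) static 70.91.xxx.18
!
! Identity NAT: VPN traffic must not be translated by the outbound PAT,
! otherwise the far side sees the wrong source address (the breakage in the question)
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static SITE_B_NET SITE_B_NET no-proxy-arp route-lookup
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static ANYCONNECT_POOL_NET ANYCONNECT_POOL_NET no-proxy-arp route-lookup
! Everything else leaves via the outside interface address (70.91.xxx.22)
object network INSIDE_NET
 nat (inside,outside) dynamic interface
!
! Site-to-site: the crypto map is bound to "outside", so the peer must be
! configured with the outside interface address, not a secondary public IP
access-list SITE_B_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address SITE_B_TRAFFIC
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key PSK-PLACEHOLDER
!
! AnyConnect (SSL) on the same outside interface and the same public IP
ip local pool ANYCONNECT_POOL 192.168.50.10-192.168.50.100 mask 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-VERSION-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy ANYCONNECT_GP internal
group-policy ANYCONNECT_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 address-pool ANYCONNECT_POOL
 default-group-policy ANYCONNECT_GP
tunnel-group ANYCONNECT webvpn-attributes
 group-alias ANYCONNECT enable
```

With the public address on the outside interface, the check Henk asked for earlier (browsing to https://70.91.xxx.22/ from the internet) should return the AnyConnect portal, and building B keeps seeing the same 70.91.xxx.22 peer it already has. The two identity-NAT lines are the part most often missed: without them, traffic bound for the remote LAN or the AnyConnect pool falls into the dynamic PAT and arrives at the far end with a source address the tunnel does not expect, which is the kind of failure described in the question.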
