  • Status: Solved

Cisco VPN (AnyConnect) and Site-to-Site

First off - I thought this was solved, as you can read here: http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_28310395.html

Unfortunately, it was not, because of an unknown error (it broke our site-to-site VPN).

Here is our setup:

Internal Network 192.168.1.x <--> (Inside: 192.168.1.1) Cisco ASA (Outside: 10.1.10.200) <--> Comcast SMB with external 70.91.xxx.xxx with 5 IP addresses.

We have a site-to-site which is working fine to building 'B'.

What we want to accomplish is setting up an AnyConnect VPN, which we had working when we did what is in the link above, but it broke our site-to-site VPN.

I thought I could just use a public IP address like 70.91.xxx.19 as the VPN public IP, but it has to be the 'outside' address on the Cisco ASA. So what I did was route traffic to 10.1.10.200 (the Cisco ASA, from the cable modem side), but what that does is, when traffic is going out, it routes all of it as 70.91.xxx.19, so basically the site-to-site VPN said 'hey, this traffic is supposed to be coming from 70.91.xxx.22' and it broke.

Any ideas??

Asked by Jesh1975

1 Solution

Henk van Achterberg, Sr. Technical Consultant, commented:
The site-to-site VPN is also configured on the external IP address of the ASA. The ASA does not allow termination of a site-to-site VPN on another IP address which is not the outside IP address.

What do you have configured as the remote IP address on site B? You should use that IP address for AnyConnect.
 
Jesh1975 (Author) commented:
The site to site vpn terminated at 70.91.xxx.22 which is one of our public IP addresses.

If I log into ASA at building B, it is showing 70.91.xxx.22 as the VPN it's connected to remotely.  This is why I am so confused.
 
Henk van Achterberg, Sr. Technical Consultant, commented:
When you go from the internet (not from site A) to https://70.91.xxx.22/, do you get the login page for AnyConnect?
 
Jesh1975 (Author) commented:
No I do not.

Just a note: I think we can only initiate the VPN tunnel from building A (the one we want to have site-to-site AND AnyConnect) when we need the VPN to be rebuilt from A to B.
 
Jesh1975 (Author) commented:
Any additional thoughts on this?
 
Henk van Achterberg, Sr. Technical Consultant, commented:
I think your cable modem is doing some kind of NAT. Can you try to log in to your cable modem and see if you can forward ports?
 
Jesh1975 (Author) commented:
There's no NAT on the cable modem and no port forwarding turned on.

We host our email, web server, video server and some other stuff with NAT in the firewall and it works great. I will double-check when I get into the office tomorrow.
 
Henk van Achterberg, Sr. Technical Consultant, commented:
OK, to recap what you told us:

Cisco ASA (Outside: 10.1.10.200)
When you go on the internet your external IP appears to be 70.91.xxx.22 (am I right?)

So this means NAT is performed by your cable modem. Can you ask your ISP if you can configure the external IP addresses directly on your firewall? I have seen instances where the cable modem does accept a local address as well as a public address configured.
 
Jesh1975 (Author) commented:
Yes,

ASA (Inside: 192.168.1.x, Outside: 10.1.10.200)

I try whatismyip.com and end up with 70.91.xxx.22.

Are you thinking I should ask them to put the cable modem into transparent bridge mode?
 
Jesh1975 (Author) commented:
BTW.  The NAT I am doing on my firewall works fine.  If I check our webserver IP from that computer, it will show 70.91.xxx.18.

In that case we have traffic from internal 192.168.1.20 NATed as 70.91.xxx.18...
 
Henk van Achterberg, Sr. Technical Consultant, commented:
I think you should ask your ISP if you can use the 70.91.xxx.22 directly on your ASA instead of the internal IP.
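As an added example (not the asker's or Henk's configuration), this is the end state Henk's last comment points at: the public address configured directly on the ASA outside interface, with the existing static NAT for the web server, the site-to-site crypto map and the AnyConnect portal all terminating on that one interface, so both site B and AnyConnect clients see 70.91.xxx.22. Everything not stated in the thread is an assumption: the /29 mask (a Comcast SMB block of 5 usable statics is normally a /29), the interface names, the site B peer 203.0.113.10 and its 192.168.2.0/24 LAN, the AnyConnect pool, the IKE/IPsec parameters, the pre-shared key placeholder and the AnyConnect image file name. "xxx" is left exactly as redacted in the thread and is not valid syntax until the real octet is filled in.

```cisco
! Hypothetical ASA 8.4+ configuration, added as an illustration of the thread's fix.
! Assumptions (not from the thread): Gi0/0 = outside, Gi0/1 = inside, /29 public block,
! site B peer 203.0.113.10 with LAN 192.168.2.0/24, AnyConnect pool 192.168.50.0/24.
! "xxx" is the redacted octet as written in the thread.
!
! 1. Public address on the outside interface instead of 10.1.10.200, so the modem is
!    no longer translating the ASA (the ISP must pass the block through to the ASA).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 70.91.xxx.22 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! 2. The server NAT the asker already has keeps working: 192.168.1.20 <-> 70.91.xxx.18.
object network web-server
 host 192.168.1.20
 nat (inside,outside) static 70.91.xxx.18
!
! 3. Everything else egresses from the interface address, 70.91.xxx.22, which is the
!    address site B already has configured as its peer.
object network inside-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! 4. Identity (exempt) NAT for tunnel traffic. Manual NAT (section 1) is evaluated before
!    the object NAT above, so traffic for site B or AnyConnect clients is never translated
!    and still matches the crypto ACL.
object network siteB-net
 subnet 192.168.2.0 255.255.255.0
object network anyconnect-net
 subnet 192.168.50.0 255.255.255.0
nat (inside,outside) source static inside-net inside-net destination static siteB-net siteB-net no-proxy-arp route-lookup
nat (inside,outside) source static inside-net inside-net destination static anyconnect-net anyconnect-net no-proxy-arp route-lookup
!
! 5. Site-to-site: the crypto map can only be bound to the outside interface, so the
!    tunnel terminates on 70.91.xxx.22.
access-list siteB-acl extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address siteB-acl
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <site-B-psk>
!
! 6. AnyConnect on the same outside interface, so https://70.91.xxx.22/ now serves the portal.
ip local pool anyconnect-pool 192.168.50.10-192.168.50.50 mask 255.255.255.0
webvpn
 enable outside
 anyconnect image disk0:/<anyconnect-webdeploy-pkg> 1
 anyconnect enable
 tunnel-group-list enable
group-policy anyconnect-gp internal
group-policy anyconnect-gp attributes
 vpn-tunnel-protocol ssl-client
tunnel-group anyconnect-tg type remote-access
tunnel-group anyconnect-tg general-attributes
 address-pool anyconnect-pool
 default-group-policy anyconnect-gp
```

Two checks before trusting this: from a host outside site A, https://70.91.xxx.22/ must return the AnyConnect login page (the test Henk asked for and the asker failed while the ASA still sat behind the modem's NAT), and `show crypto ikev1 sa` on the site A ASA should list the site B peer with 70.91.xxx.22 as the local address. If the ISP cannot bridge the block onto the ASA, the fallback is what Henk hinted at: the modem must forward UDP/500, UDP/4500 and ESP plus TCP/443 and UDP/443 for 70.91.xxx.22 to 10.1.10.200, and site B's peer address stays 70.91.xxx.22.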