Cisco VPN (AnyConnect) and Site-to-Site

Solved
Posted on 2014-01-22
Last Modified: 2014-04-22
First off - I thought this was solved, as you can read here: http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_28310395.html

Unfortunately, it was not, because of an unknown error (it broke our site-to-site VPN).

Here is our setup:

Internal Network 192.168.1.x <--> (Inside: 192.168.1.1) Cisco ASA (Outside: 10.1.10.200) <--> Comcast SMB with external 70.91.xxx.xxx with 5 IP addresses.

We have a site-to-site which is working fine to building 'B'.

What we want to accomplish is setting up an AnyConnect VPN, which we had working when we did what is in the link above, but it broke our site-to-site VPN.

I thought I could just use a public IP address like 70.91.xxx.19 and use that as the VPN public IP, but it has to be the 'outside' on the Cisco ASA. So what I did was route traffic to 10.1.10.200 (the Cisco ASA from the cable modem side), but what that does is, when it's going out, it routes all the traffic as 70.91.xxx.19, so basically the site-to-site VPN said 'hey, this traffic is supposed to be coming from 70.91.xxx.22' and it broke it.

Any ideas??
Question by: Jesh1975

11 Comments
Expert Comment by: Henk van Achterberg (ID: 39800829)
The site-to-site VPN is also configured on the external IP address of the ASA. The ASA does not allow termination of a site-to-site VPN on another IP address which is not the outside IP address.

What do you have configured as the remote IP address on site B? You should use that IP address for AnyConnect.

Author Comment by: Jesh1975 (ID: 39800851)
The site-to-site VPN terminated at 70.91.xxx.22, which is one of our public IP addresses.

If I log into the ASA at building B, it is showing 70.91.xxx.22 as the VPN it's connected to remotely. This is why I am so confused.

Expert Comment by: Henk van Achterberg (ID: 39800875)
When you go from the internet (not from site A) to https://70.91.xxx.22/, do you get the login page for AnyConnect?

Author Comment by: Jesh1975 (ID: 39800889)
No, I do not.

Just a note - I think we can only initiate the VPN tunnel from building A (the one we want to have site-to-site AND AnyConnect) when we need the VPN to be rebuilt from A to B.

Author Comment by: Jesh1975 (ID: 39807498)
Any additional thoughts on this?
Expert Comment by: Henk van Achterberg (ID: 39813478)
I think your cable modem is doing some kind of NAT. Can you try to log in to your cable modem and see if you can forward ports?

Author Comment by: Jesh1975 (ID: 39814048)
There's no NAT on the cable modem and no port forwarding on.

We host our email, web server, video server and some other stuff with NAT in the firewall and it works great. I will double check when I get into the office tomorrow.

Expert Comment by: Henk van Achterberg (ID: 39814222)
OK, to recap what you told us:

Cisco ASA (Outside: 10.1.10.200)
When you go on the internet your external IP appears to be 70.91.xxx.22 (am I right?)

So this means NAT is performed by your cable modem. Can you ask your ISP if you can configure the external IP addresses directly on your firewall? I have seen instances where the cable modem does accept a local address as well as a public address configured.

Author Comment by: Jesh1975 (ID: 39815541)
Yes,

ASA (Inside: 192.168.1.x, Outside: 10.1.10.200)

I try whatismyip.com and end up with 70.91.xxx.22.

Are you thinking I should ask them to put the cable modem into transparent bridge mode?

Author Comment by: Jesh1975 (ID: 39815550)
BTW, the NAT I am doing on my firewall works fine. If I check our web server IP from that computer, it will show 70.91.xxx.18.

In that case we have traffic from internal 192.168.1.20 NAT as 70.91.xxx.18...

Accepted Solution by: Henk van Achterberg (earned 500 total points; ID: 39820083)
I think you should ask your ISP if you can use the 70.91.xxx.22 directly on your ASA instead of the internal IP.
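The end state the accepted answer describes, written out as an added ASA configuration example that is not from the thread or from any of its participants: the public block is moved onto the ASA outside interface so that both the site-to-site tunnel and AnyConnect terminate on 70.91.xxx.22, while the existing static NAT for the web server keeps its 70.91.xxx.18 address on the same interface. Everything not stated in the thread is an assumption: the /29 mask and 70.91.xxx.17 gateway, the interface name GigabitEthernet0/0, IKEv1 with an ESP-AES-SHA transform set, and the crypto map, ACL, object and building B peer names, which are placeholders. The "xxx" octet stays masked as in the question.

```cisco
! Added example (not from the thread). "xxx" stays masked as in the question.
!
! BEFORE (as described above): the outside interface carries a private address and the
! cable modem NATs it to the public block. Both VPNs must terminate on "outside", so
! they sit behind that upstream NAT and get whatever public address the modem chooses.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.1.10.200 255.255.255.0
!
! AFTER (the accepted answer): the ISP routes the public block to the ASA and the
! outside interface owns 70.91.xxx.22 itself. Mask and gateway are assumptions for a
! 5-usable-address Comcast block.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 70.91.xxx.22 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 70.91.xxx.17
!
! Site-to-site to building B keeps terminating on "outside", i.e. on 70.91.xxx.22,
! which is the peer address building B already expects. Peer IP, ACL name and
! transform set are placeholders/assumptions.
crypto ikev1 enable outside
crypto map outside_map 10 match address BUILDING_B_CRYPTO_ACL
crypto map outside_map 10 set peer BUILDING_B_PUBLIC_IP
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside
!
! AnyConnect is enabled on the same interface, so https://70.91.xxx.22/ now reaches
! the ASA directly instead of stopping at the modem's NAT.
webvpn
 enable outside
 anyconnect enable
!
! The existing inbound NAT is unchanged: 192.168.1.20 is still published as
! 70.91.xxx.18, another address from the same block, on the same outside interface.
object network WEB_SERVER
 host 192.168.1.20
 nat (inside,outside) static 70.91.xxx.18
```

The "before" block is also why the earlier attempt in the question failed: with the modem still NATing, whatever public address it chose for traffic from 10.1.10.200 (70.91.xxx.19 in that attempt) became the tunnel's source, while building B only accepts a peer at 70.91.xxx.22. Once the ASA owns the public address itself, the VPN source address and the AnyConnect listener are the same interface address, and the modem no longer sits in the path.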