Solved

Cisco VPN (AnyConnect) and Site-to-Site

Posted on 2014-01-22
Last Modified: 2014-04-22
First off - I thought this was solved, as you can read here: http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_28310395.html

Unfortunately, it was not, because of an unknown error (it broke our site-to-site VPN).

Here is our setup:

Internal Network 192.168.1.x <--> (Inside: 192.168.1.1) Cisco ASA (Outside: 10.1.10.200) <--> Comcast SMB with external 70.91.xxx.xxx with 5 IP addresses.

We have a site-to-site which is working fine to building 'B'.

What we want to accomplish is setting up an AnyConnect VPN, which we had working when we did what is in the link above, but it broke our site-to-site VPN.

I thought I could just use a public IP address like 70.91.xxx.19 and use that as the VPN public IP, but it has to be the 'outside' on the Cisco ASA, so what I did was route traffic to 10.1.10.200 (the Cisco ASA from the cable modem side), but what that does is, when it's going out, route all the traffic as 70.91.xxx.19, so basically the site-to-site VPN said 'hey, this traffic is supposed to be coming from 70.91.xxx.22' and it broke it.

Any ideas??
Question by:Jesh1975
11 Comments
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39800829
The site-to-site VPN is also configured on the external IP address of the ASA. The ASA does not allow termination of a site-to-site VPN on another IP address which is not the outside IP address.

What do you have configured as remote IP address on site B? You should use that IP address for Anyconnect.
0
 

Author Comment

by:Jesh1975
ID: 39800851
The site to site vpn terminated at 70.91.xxx.22 which is one of our public IP addresses.

If I log into the ASA at building B, it is showing 70.91.xxx.22 as the VPN it's connected to remotely. This is why I am so confused.
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39800875
When you go from the internet (not from site A) to https://70.91.xxx.22/ do you get the login page for AnyConnect?
0

 

Author Comment

by:Jesh1975
ID: 39800889
No I do not.

Just a note - I think we can only initiate the VPN tunnel from building A (the one we want to have site-to-site AND AnyConnect) when we need the VPN to be rebuilt from A to B.
0
 

Author Comment

by:Jesh1975
ID: 39807498
Any additional thoughts on this?
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39813478
I think your cable modem is doing some kind of NAT. Can you try to log in to your cable modem and see if you can forward ports?
0
 

Author Comment

by:Jesh1975
ID: 39814048
There's no NAT on the cable modem and no port forwarding on.

We host our email, web server, video server and some other stuff with NAT in the firewall and it works great. I will double check when I get into the office tomorrow.
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39814222
OK, to recap what you told us:

Cisco ASA (Outside: 10.1.10.200)
When you go on the internet your external IP appears to be 70.91.xxx.22 (am I right?)

So this means NAT is performed by your cable modem. Can you ask your ISP if you can configure the external IP addresses directly on your firewall? I have seen instances where the cable modem does accept a local address as well as a public address configured.
0
 

Author Comment

by:Jesh1975
ID: 39815541
Yes,

ASA (Inside: 192.168.1.x, Outside: 10.1.10.200)

I try whatismyip.com and end up with 70.91.xxx.22.

Are you thinking I should ask them to put the cable modem into transparent bridge mode?
0
 

Author Comment

by:Jesh1975
ID: 39815550
BTW.  The NAT I am doing on my firewall works fine.  If I check our webserver IP from that computer, it will show 70.91.xxx.18.

In that case we have traffic from internal 192.168.1.20 NAT as 70.91.xxx.18...
0
 
LVL 12

Accepted Solution

by:Henk van Achterberg (earned 2000 total points)
ID: 39820083
I think you should ask your ISP if you can use the 70.91.xxx.22 directly on your ASA instead of the internal IP.
0
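What the accepted solution describes, the public address configured directly on the ASA's outside interface so that the site-to-site tunnel and AnyConnect both terminate at the same address (with the web server's static NAT from the thread kept alongside), looks roughly like the following ASA configuration fragment. This is an added illustration, not configuration from the thread, from the author, or from Cisco. It assumes ASA 8.4+ object NAT syntax; the addresses are placeholders from the RFC 5737 documentation ranges (203.0.113.16/29 stands in for the ISP's 70.91.xxx.x block, 203.0.113.17 for the ISP gateway, 198.51.100.5 for building B's peer, 192.168.2.0/24 for building B's LAN, 192.168.50.0/24 for the AnyConnect pool); interface names, object names, the IKEv1 policy and the AnyConnect package filename are assumptions.

```cisco
! Placeholder addressing (RFC 5737): 203.0.113.16/29 stands in for the ISP's /29,
! 203.0.113.17 for the ISP gateway, 198.51.100.5 for building B's public peer.
! The public .22 address sits directly on the outside interface; no upstream NAT.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.22 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.17
!
! Static NAT for the web server (192.168.1.20 -> .18), as mentioned in the thread
object network WEB-SERVER
 host 192.168.1.20
 nat (inside,outside) static 203.0.113.18
!
! Inside LAN: everything not exempted below is PAT'd to the outside address (.22)
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Assumed LAN at building B
object network SITEB-NET
 subnet 192.168.2.0 255.255.255.0
!
! Assumed AnyConnect client address pool
ip local pool ANYCONNECT-POOL 192.168.50.1-192.168.50.100 mask 255.255.255.0
object network ANYCONNECT-NET
 subnet 192.168.50.0 255.255.255.0
!
! NAT exemptions (manual NAT, evaluated before object NAT): traffic to building B
! and to AnyConnect clients must keep its real addresses or the crypto ACL
! will not match and the tunnel traffic leaks out as plain PAT.
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static SITEB-NET SITEB-NET no-proxy-arp route-lookup
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static ANYCONNECT-NET ANYCONNECT-NET no-proxy-arp route-lookup
!
! Site-to-site tunnel to building B; it terminates on the outside interface (.22),
! which is the address the ASA at B already reports as its remote peer.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
access-list L2L-SITEB extended permit ip object INSIDE-NET object SITEB-NET
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-SITEB
crypto map OUTSIDE-MAP 10 set peer 198.51.100.5
crypto map OUTSIDE-MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 198.51.100.5 type ipsec-l2l
tunnel-group 198.51.100.5 ipsec-attributes
 ikev1 pre-shared-key <strong-shared-secret>
!
! AnyConnect (SSL VPN) on the same outside interface and therefore the same .22 address
webvpn
 enable outside
 anyconnect image disk0:/<anyconnect-package>.pkg 1
 anyconnect enable
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol ssl-client
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy ANYCONNECT-GP
```

With the public address on the outside interface, the check the expert asked for earlier in the thread (browsing to https://&lt;outside-address&gt;/ from the internet and getting the AnyConnect login page) succeeds without any port forwarding on the modem, because nothing upstream is translating the ASA's address any more. The two manual NAT exemptions are the part most often forgotten when a working PAT setup is extended with tunnels: without them the dynamic interface PAT rewrites the source of traffic destined for building B and for the AnyConnect pool, which is the same symptom the question describes, traffic leaving with the wrong public source address.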
