Solved

Cisco VPN (AnyConnect) and Site-to-Site

Posted on 2014-01-22
Last Modified: 2014-04-22
First off - I thought this was solved, as you can read here: http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_28310395.html

Unfortunately, it was not, because of an unknown error (it broke our site-to-site VPN).

Here is our setup:

Internal Network 192.168.1.x <--> (Inside: 192.168.1.1) Cisco ASA (Outside: 10.1.10.200) <--> Comcast SMB with external 70.91.xxx.xxx with 5 IP addresses.

We have a site-to-site which is working fine to building 'B'.

What we want to accomplish is setting up an AnyConnect VPN, which we had working when we did what is in the link above, but it broke our site-to-site VPN.

I thought I could just use a public IP address like 70.91.xxx.19 and use that as the VPN public IP, but it has to be the 'outside' on the Cisco ASA, so what I did was route traffic to 10.1.10.200 (the Cisco ASA from the cable modem side), but what that does is, when it's going out, it routes all the traffic as 70.91.xxx.19, so basically the site-to-site VPN said 'hey, this traffic is supposed to be coming from 70.91.xxx.22' and it broke it.

Any ideas??
Question by:Jesh1975

Expert Comment

by:Henk van Achterberg
ID: 39800829
The site-to-site VPN is also configured on the external IP address of the ASA. The ASA does not allow termination of a site-to-site VPN on another IP address which is not the outside IP address.

What do you have configured as the remote IP address on site B? You should use that IP address for AnyConnect.

Author Comment

by:Jesh1975
ID: 39800851
The site-to-site VPN terminated at 70.91.xxx.22, which is one of our public IP addresses.

If I log into ASA at building B, it is showing 70.91.xxx.22 as the VPN it's connected to remotely.  This is why I am so confused.

Expert Comment

by:Henk van Achterberg
ID: 39800875
When you go from the internet (not from site A) to https://70.91.xxx.22/ do you get the login page for AnyConnect?

Author Comment

by:Jesh1975
ID: 39800889
No, I do not.

Just a note - I think we can only initiate the VPN tunnel from building A (the one we want to have site-to-site AND AnyConnect) when we need the VPN to be rebuilt from A to B.

Author Comment

by:Jesh1975
ID: 39807498
Any additional thoughts on this?

Expert Comment

by:Henk van Achterberg
ID: 39813478
I think your cable modem is doing some kind of NAT. Can you try to log in to your cable modem and see if you can forward ports?

Author Comment

by:Jesh1975
ID: 39814048
There's no NAT on the cable modem and no port forwarding on.

We host our email, web server, video server and some other stuff with NAT in the firewall and it works great. I will double check when I get into the office tomorrow.

Expert Comment

by:Henk van Achterberg
ID: 39814222
OK, to recap what you told us:

Cisco ASA (Outside: 10.1.10.200)
When you go on the internet your external IP appears to be 70.91.xxx.22 (am I right?)

So this means NAT is performed by your cable modem. Can you ask your ISP if you can configure the external IP addresses directly on your firewall? I have seen instances where the cable modem does accept a local address as well as a public address configured.

Author Comment

by:Jesh1975
ID: 39815541
Yes.

ASA (Inside: 192.168.1.x, Outside: 10.1.10.200)

I try whatismyip.com and end up with 70.91.xxx.22.

Are you thinking I should ask them to put the cable modem into transparent bridge mode?

Author Comment

by:Jesh1975
ID: 39815550
BTW, the NAT I am doing on my firewall works fine. If I check our web server IP from that computer, it will show 70.91.xxx.18.

In that case we have traffic from internal 192.168.1.20 NAT as 70.91.xxx.18...

Accepted Solution

by:Henk van Achterberg (earned 2000 total points)
ID: 39820083
I think you should ask your ISP if you can use the 70.91.xxx.22 directly on your ASA instead of the internal IP.
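The accepted solution, sketched as an added ASA configuration (not the asker's or the expert's configuration): once the ISP lets the public block reach the ASA directly, 70.91.xxx.22 sits on the outside interface, and both the site-to-site crypto map and AnyConnect bind to that same interface, so building B keeps seeing .22 as the peer. The mask, building B's addresses, the pre-shared key and all object/ACL names are placeholders or assumptions.

```cisco
! Added example, not the poster's configuration. Assumes the ISP has made
! the public block routable to the ASA (e.g. modem bridged) so that
! 70.91.xxx.22 can be the outside address. Placeholders in <angle brackets>.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 70.91.xxx.22 <MASK>
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
object network SITE_B_NET
 subnet <SITE_B_LAN> <SITE_B_MASK>
!
! NAT exemption: LAN-to-site-B traffic must leave untranslated, otherwise
! the peer sees a source it does not expect (the symptom seen with .19).
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static SITE_B_NET SITE_B_NET no-proxy-arp route-lookup
!
! Site-to-site: a crypto map can only be bound to an interface, which is
! why the tunnel endpoint has to be the outside interface address.
access-list SITE_B_CRYPTO extended permit ip object INSIDE_NET object SITE_B_NET
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address SITE_B_CRYPTO
crypto map outside_map 10 set peer <SITE_B_PUBLIC_IP>
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
tunnel-group <SITE_B_PUBLIC_IP> type ipsec-l2l
tunnel-group <SITE_B_PUBLIC_IP> ipsec-attributes
 ikev1 pre-shared-key <PSK>
!
! AnyConnect terminates on the same interface and address. The check the
! expert suggested still applies: from outside, https://70.91.xxx.22/
! should now return the AnyConnect portal instead of nothing.
webvpn
 enable outside
 anyconnect enable
```

An AnyConnect package image and a group policy for remote users are still required on the ASA but are omitted here because they were not part of the question.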