Solved

Cisco ASA VPN using ASDM

Posted on 2014-02-20
14
1,883 Views
Last Modified: 2014-03-12
Hi -

I'm using a Cisco ASA 5510 ASA version 9.1(4), ASDM version 7.1(5)100.  I currently have a remote access VPN setup for myself.  When I connect, I can reach anything at my primary site.

What settings do I need to make, via ASDM, to be able to reach all of my other sites?

I'm able to reach all other sites when I'm in the office.
0
Comment
Question by:emeka57
  • 6
  • 4
  • 4
14 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 39874512
You need two things.

1) All remote sites need a route to the address space you're using for your VPN pool.

2) You need to edit the access list assigned to the VPN policy, so that the subnets of all of your remote sites are included.
0
 

Author Comment

by:emeka57
ID: 39875661
How do I accomplish this via ASDM?
0
 
LVL 28

Expert Comment

by:asavener
ID: 39875714
Configuration >
Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools to see the address pool, then check the router configs at the remote site to make sure there's a route back.


Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > Crypto
Maps.  Check for the remote access crypto map, check the properties for the access list.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:emeka57
ID: 39876649
For the 2nd portion, there is no crypto map for the remote access.
0
 
LVL 28

Expert Comment

by:asavener
ID: 39876918
I don't have an ASA right now that I can hop on and look at the config.

There should be a setting that is the split tunnel policy, which should be set to "tunnel network list below" and then a second setting called split tunnel network list, which should be set to an access list.  Edit that access list to include the addresses of the remote sites.

I think those settings are on the group policy for the remote access VPN.
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39883670
If you do not want to change the other side of the VPN tunnel(s) you can NAT your VPN pool to an, unused, IP on the inside so the traffic is tunneled over the VPN using the existing configuration.

To accomplish this you simply make a dynamic NAT rule from the outside to the outside with:

source network: VPN pool network
destination network: subnets on the other side of VPN tunnels

translated source network: unused inside IP
destination network: -- original --
0
 

Author Comment

by:emeka57
ID: 39883691
No, it's a remote access VPN.

My VPN subnet is 192.168.1.0/24.  I have access to my location network 10.100.0.0/22.  I'm trying to get access to the other networks that are connected via MPLS; 10.101.0.0, 10.102.0.0, 10.103.0.0, and 10.104.0.0 all /22.
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39883707
The easiest way is to make 192.168.1.0/24 known in the MPLS cloud so that the traffic will be flowing trough the ASA.

If that is not a viable solution then you can translate traffic going from 192.168.1.0 to the MPLS networks trough, for example, 10.100.0.1 (an unused IP in the 10.100.0.0/22 range).
0
 
LVL 28

Expert Comment

by:asavener
ID: 39884030
You add a static route on the 10.100.0.0/22 MPLS router, and redistribute it to your routing protocol (Likely to be BPG).

Can you provide the BGP config on your 10.100.0.0/22 MPLS router?
0
 

Author Comment

by:emeka57
ID: 39886188
The MPLS router is managed by my ISP and I have no access to its config.  I'm trying to accomplish this task via my ASA 5510 using ASDM.
0
 
LVL 28

Assisted Solution

by:asavener
asavener earned 166 total points
ID: 39886228
Then you will have to create a remote access IP pool that uses some of the addresses in your main site's address space, instead of using 192.168.1.0/24.

I think you can use a local DHCP server for remote access addresses, or just create a remote access pool on the ASA.

One consideration is that if the ASA hands out the addresses, then you should exclude those addresses in your LAN DHCP server.


You can't edit IP pools once they're created on the ASA.  You will have to create a new IP address pool, assign it to the remote access policy, then remove the original IP pool.
0
 
LVL 12

Accepted Solution

by:
Henk van Achterberg earned 334 total points
ID: 39886590
Then you will have to create a remote access IP pool that uses some of the addresses in your main site's address space, instead of using 192.168.1.0/24.

You are not correct. You can use NAT as I suggested before to allow VPN traffic to go over the MPLS network. This is easy, simple and a clean solution.
0
 
LVL 28

Expert Comment

by:asavener
ID: 39886642
OK.  "Have to" overstates the case, but it's certainly simpler than creating NAT rules for your VPN.

My advice is always keep it simple, keep it supportable.  Outside-to-inside NAT where it isn't absolutely necessary violates that principle.

"easy, simple, clean"

I disagree on every point.
0
 
LVL 12

Assisted Solution

by:Henk van Achterberg
Henk van Achterberg earned 334 total points
ID: 39886694
Well, you are welcome to disagree, it is good to have your own opinion!

In my view I would like to have a separate subnet for my remote VPN users. This way I can make clean ACL's. Also using split vpn tunneling is easier with different subnets. When you place your remote vpn user in the same subnet then the ASA must perform some layer 2 functionality for you while when you are in a different subnet only layer 3 functionality is used.

Both of our suggestions are a solution for the problem of the topic starter. Based on our explanations he can choose the option which suits him best.

Thanks for your suggestions as they are a possible solution.
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ASA DHCP setup 5 38
Cisco RTMT extremely tiny using Microsoft Surface 4 19
IPSec Site to Site VPN Topology 6 42
decoding the error message TEI_ASSIGNED 8 34
Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

790 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question