
Cisco ASA VPN using ASDM

Hi -

I'm using a Cisco ASA 5510 ASA version 9.1(4), ASDM version 7.1(5)100.  I currently have a remote access VPN setup for myself.  When I connect, I can reach anything at my primary site.

What settings do I need to make, via ASDM, to be able to reach all of my other sites?

I'm able to reach all other sites when I'm in the office.
Asked: emeka57

3 Solutions

asavener commented:
You need two things.

1) All remote sites need a route to the address space you're using for your VPN pool.

2) You need to edit the access list assigned to the VPN policy, so that the subnets of all of your remote sites are included.

emeka57 (Author) commented:
How do I accomplish this via ASDM?

asavener commented:
Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools to see the address pool, then check the router configs at the remote site to make sure there's a route back.


Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > Crypto Maps.  Check for the remote access crypto map, check the properties for the access list.

emeka57 (Author) commented:
For the 2nd portion, there is no crypto map for the remote access.

asavener commented:
I don't have an ASA right now that I can hop on and look at the config.

There should be a setting that is the split tunnel policy, which should be set to "tunnel network list below" and then a second setting called split tunnel network list, which should be set to an access list.  Edit that access list to include the addresses of the remote sites.

I think those settings are on the group policy for the remote access VPN.

Henk van Achterberg (Sr. Technical Consultant) commented:
If you do not want to change the other side of the VPN tunnel(s), you can NAT your VPN pool to an unused IP on the inside so the traffic is tunneled over the VPN using the existing configuration.

To accomplish this you simply make a dynamic NAT rule from the outside to the outside with:

source network: VPN pool network
destination network: subnets on the other side of VPN tunnels

translated source network: unused inside IP
destination network: -- original --

emeka57 (Author) commented:
No, it's a remote access VPN.

My VPN subnet is 192.168.1.0/24.  I have access to my location network 10.100.0.0/22.  I'm trying to get access to the other networks that are connected via MPLS; 10.101.0.0, 10.102.0.0, 10.103.0.0, and 10.104.0.0 all /22.

Henk van Achterberg (Sr. Technical Consultant) commented:
The easiest way is to make 192.168.1.0/24 known in the MPLS cloud so that the traffic will be flowing through the ASA.

If that is not a viable solution then you can translate traffic going from 192.168.1.0 to the MPLS networks through, for example, 10.100.0.1 (an unused IP in the 10.100.0.0/22 range).

asavener commented:
You add a static route on the 10.100.0.0/22 MPLS router, and redistribute it to your routing protocol (likely to be BGP).

Can you provide the BGP config on your 10.100.0.0/22 MPLS router?

emeka57 (Author) commented:
The MPLS router is managed by my ISP and I have no access to its config.  I'm trying to accomplish this task via my ASA 5510 using ASDM.

asavener commented:
Then you will have to create a remote access IP pool that uses some of the addresses in your main site's address space, instead of using 192.168.1.0/24.

I think you can use a local DHCP server for remote access addresses, or just create a remote access pool on the ASA.

One consideration is that if the ASA hands out the addresses, then you should exclude those addresses in your LAN DHCP server.


You can't edit IP pools once they're created on the ASA.  You will have to create a new IP address pool, assign it to the remote access policy, then remove the original IP pool.

Henk van Achterberg (Sr. Technical Consultant) commented:
Then you will have to create a remote access IP pool that uses some of the addresses in your main site's address space, instead of using 192.168.1.0/24.

You are not correct. You can use NAT as I suggested before to allow VPN traffic to go over the MPLS network. This is easy, simple and a clean solution.

asavener commented:
OK.  "Have to" overstates the case, but it's certainly simpler than creating NAT rules for your VPN.

My advice is always keep it simple, keep it supportable.  Outside-to-inside NAT where it isn't absolutely necessary violates that principle.

"easy, simple, clean"

I disagree on every point.

Henk van Achterberg (Sr. Technical Consultant) commented:
Well, you are welcome to disagree, it is good to have your own opinion!

In my view I would like to have a separate subnet for my remote VPN users. This way I can make clean ACLs. Also using split VPN tunneling is easier with different subnets. When you place your remote VPN user in the same subnet then the ASA must perform some layer 2 functionality for you, while when you are in a different subnet only layer 3 functionality is used.

Both of our suggestions are a solution for the problem of the topic starter. Based on our explanations he can choose the option which suits him best.

Thanks for your suggestions as they are a possible solution.
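The two approaches argued over in this thread, written out as ASA CLI so each step can be checked against the ASDM panels the replies name (Group Policies > Advanced > Split Tunneling, and the NAT Rules panel). This is an added example, not configuration from either poster: the names RA_SPLIT_TUNNEL, RA_GROUP_POLICY, RA_VPN_POOL, RA_NAT_HIDE and MPLS_SITES are assumed, MPLS_ROUTER_IP is a placeholder for the ISP router's LAN address, and the (outside,inside) interface pair assumes the MPLS router sits behind the ASA's inside interface.

```cisco
! --- Common to both approaches: the ASA itself needs a route to each MPLS subnet,
! otherwise decrypted client traffic for them follows the default route back out.
! MPLS_ROUTER_IP is a placeholder for the ISP router's address in 10.100.0.0/22.
route inside 10.101.0.0 255.255.252.0 MPLS_ROUTER_IP
route inside 10.102.0.0 255.255.252.0 MPLS_ROUTER_IP
route inside 10.103.0.0 255.255.252.0 MPLS_ROUTER_IP
route inside 10.104.0.0 255.255.252.0 MPLS_ROUTER_IP
!
! --- Split-tunnel network list (the "tunnel network list below" setting in the thread).
! Without the MPLS entries the client never sends that traffic into the tunnel,
! whichever of the two approaches below is chosen.
access-list RA_SPLIT_TUNNEL standard permit 10.100.0.0 255.255.252.0
access-list RA_SPLIT_TUNNEL standard permit 10.101.0.0 255.255.252.0
access-list RA_SPLIT_TUNNEL standard permit 10.102.0.0 255.255.252.0
access-list RA_SPLIT_TUNNEL standard permit 10.103.0.0 255.255.252.0
access-list RA_SPLIT_TUNNEL standard permit 10.104.0.0 255.255.252.0
group-policy RA_GROUP_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_SPLIT_TUNNEL
!
! --- Approach 1 (asavener): keep 192.168.1.0/24 as the pool and have the MPLS side
! route it back to this site. Nothing more on the ASA; the ISP router needs the route.
! (Re-addressing the pool into 10.100.0.0/22 instead also needs no NAT, but the LAN
! DHCP scope must then exclude the pool addresses, as noted above.)
!
! --- Approach 2 (Henk): hide the VPN pool behind one unused inside address (twice NAT).
! Remote sites then see 10.100.0.1, which they already route to, so the ISP is untouched.
object network RA_VPN_POOL
 subnet 192.168.1.0 255.255.255.0
object network RA_NAT_HIDE
 host 10.100.0.1
object-group network MPLS_SITES
 network-object 10.101.0.0 255.255.252.0
 network-object 10.102.0.0 255.255.252.0
 network-object 10.103.0.0 255.255.252.0
 network-object 10.104.0.0 255.255.252.0
! Client traffic enters on outside (after decryption) and leaves on inside toward the
! MPLS router; the destination is kept as "-- original --", exactly as in Henk's rule.
nat (outside,inside) source dynamic RA_VPN_POOL RA_NAT_HIDE destination static MPLS_SITES MPLS_SITES
! Keep the existing NAT exemption for the local 10.100.0.0/22 LAN; it matches a different
! destination, so 192.168.1.0/24 -> local LAN stays untranslated and reachable as before.
```

Check the result with `show nat` (hit counters on the new rule) and `show route`; if replies from the MPLS sites stop at the MPLS router, confirm the ASA is answering ARP for 10.100.0.1 on the inside interface.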