Solved

Cisco ASA VPN using ASDM

Posted on 2014-02-20
14
1,890 Views
Last Modified: 2014-03-12
Hi -

I'm using a Cisco ASA 5510 ASA version 9.1(4), ASDM version 7.1(5)100.  I currently have a remote access VPN setup for myself.  When I connect, I can reach anything at my primary site.

What settings do I need to make, via ASDM, to be able to reach all of my other sites?

I'm able to reach all other sites when I'm in the office.
0
Comment
Question by:emeka57
14 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 39874512
You need two things.

1) All remote sites need a route to the address space you're using for your VPN pool.

2) You need to edit the access list assigned to the VPN policy, so that the subnets of all of your remote sites are included.
0
 

Author Comment

by:emeka57
ID: 39875661
How do I accomplish this via ASDM?
0
 
LVL 28

Expert Comment

by:asavener
ID: 39875714
Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools to see the address pool, then check the router configs at the remote site to make sure there's a route back.


Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > Crypto Maps.  Check for the remote access crypto map, check the properties for the access list.
0
 

Author Comment

by:emeka57
ID: 39876649
For the 2nd portion, there is no crypto map for the remote access.
0
 
LVL 28

Expert Comment

by:asavener
ID: 39876918
I don't have an ASA right now that I can hop on and look at the config.

There should be a setting that is the split tunnel policy, which should be set to "tunnel network list below" and then a second setting called split tunnel network list, which should be set to an access list.  Edit that access list to include the addresses of the remote sites.

I think those settings are on the group policy for the remote access VPN.
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39883670
If you do not want to change the other side of the VPN tunnel(s) you can NAT your VPN pool to an unused IP on the inside so the traffic is tunneled over the VPN using the existing configuration.

To accomplish this you simply make a dynamic NAT rule from the outside to the outside with:

source network: VPN pool network
destination network: subnets on the other side of VPN tunnels

translated source network: unused inside IP
destination network: -- original --
0
 

Author Comment

by:emeka57
ID: 39883691
No, it's a remote access VPN.

My VPN subnet is 192.168.1.0/24.  I have access to my location network 10.100.0.0/22.  I'm trying to get access to the other networks that are connected via MPLS; 10.101.0.0, 10.102.0.0, 10.103.0.0, and 10.104.0.0 all /22.
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39883707
The easiest way is to make 192.168.1.0/24 known in the MPLS cloud so that the traffic will be flowing through the ASA.

If that is not a viable solution then you can translate traffic going from 192.168.1.0 to the MPLS networks through, for example, 10.100.0.1 (an unused IP in the 10.100.0.0/22 range).
0
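The two pieces discussed above (asavener's split-tunnel list that must include the MPLS subnets, and Henk's NAT of the VPN pool to an unused inside address) written out as the ASA CLI equivalent of the ASDM settings, using the addresses from this thread. This is an added example, not configuration from the thread; the object names, the group-policy name RA_GROUP_POLICY and the choice of 10.100.0.1 are assumptions.

```cisco
! Address objects (names are my own; addresses are the ones given in the question)
object network VPN_POOL
 subnet 192.168.1.0 255.255.255.0
object network VPN_NAT_IP
 description Unused address in 10.100.0.0/22 that the MPLS side already routes
 host 10.100.0.1
object-group network MPLS_NETS
 network-object 10.101.0.0 255.255.252.0
 network-object 10.102.0.0 255.255.252.0
 network-object 10.103.0.0 255.255.252.0
 network-object 10.104.0.0 255.255.252.0
!
! Split-tunnel list: local site plus every MPLS site, otherwise the client
! never sends MPLS-bound traffic into the tunnel regardless of NAT or routing
access-list SPLIT_TUNNEL standard permit 10.100.0.0 255.255.252.0
access-list SPLIT_TUNNEL standard permit 10.101.0.0 255.255.252.0
access-list SPLIT_TUNNEL standard permit 10.102.0.0 255.255.252.0
access-list SPLIT_TUNNEL standard permit 10.103.0.0 255.255.252.0
access-list SPLIT_TUNNEL standard permit 10.104.0.0 255.255.252.0
!
! ASDM: Group Policies > Edit > Advanced > Split Tunneling
group-policy RA_GROUP_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! Henk's option: only traffic from the pool towards the MPLS subnets is
! translated to 10.100.0.1; traffic to the local 10.100.0.0/22 is untouched.
! Placed at line 1 so it is matched before any broader identity-NAT rule
! for VPN_POOL (manual NAT rules are evaluated in order).
nat (outside,inside) 1 source dynamic VPN_POOL VPN_NAT_IP destination static MPLS_NETS MPLS_NETS
```

With this in place the remote sites only ever see 10.100.0.1, which is why it needs no route changes but also means per-user attribution of VPN traffic in the remote sites' logs is lost; the ASA's own syslog or the identity-NAT alternative keeps the client address visible.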
 
LVL 28

Expert Comment

by:asavener
ID: 39884030
You add a static route on the 10.100.0.0/22 MPLS router, and redistribute it to your routing protocol (likely to be BGP).

Can you provide the BGP config on your 10.100.0.0/22 MPLS router?
0
 

Author Comment

by:emeka57
ID: 39886188
The MPLS router is managed by my ISP and I have no access to its config.  I'm trying to accomplish this task via my ASA 5510 using ASDM.
0
 
LVL 28

Assisted Solution

by:asavener
asavener earned 166 total points
ID: 39886228
Then you will have to create a remote access IP pool that uses some of the addresses in your main site's address space, instead of using 192.168.1.0/24.

I think you can use a local DHCP server for remote access addresses, or just create a remote access pool on the ASA.

One consideration is that if the ASA hands out the addresses, then you should exclude those addresses in your LAN DHCP server.


You can't edit IP pools once they're created on the ASA.  You will have to create a new IP address pool, assign it to the remote access policy, then remove the original IP pool.
0
 
LVL 12

Accepted Solution

by:Henk van Achterberg
Henk van Achterberg earned 334 total points
ID: 39886590
"Then you will have to create a remote access IP pool that uses some of the addresses in your main site's address space, instead of using 192.168.1.0/24."

You are not correct. You can use NAT as I suggested before to allow VPN traffic to go over the MPLS network. This is easy, simple and a clean solution.
0
 
LVL 28

Expert Comment

by:asavener
ID: 39886642
OK.  "Have to" overstates the case, but it's certainly simpler than creating NAT rules for your VPN.

My advice is always keep it simple, keep it supportable.  Outside-to-inside NAT where it isn't absolutely necessary violates that principle.

"easy, simple, clean"

I disagree on every point.
0
 
LVL 12

Assisted Solution

by:Henk van Achterberg
Henk van Achterberg earned 334 total points
ID: 39886694
Well, you are welcome to disagree, it is good to have your own opinion!

In my view I would like to have a separate subnet for my remote VPN users. This way I can make clean ACLs. Also, using split VPN tunneling is easier with different subnets. When you place your remote VPN user in the same subnet, the ASA must perform some layer 2 functionality for you, whereas when you are in a different subnet only layer 3 functionality is used.

Both of our suggestions are a solution for the problem of the topic starter. Based on our explanations he can choose the option which suits him best.

Thanks for your suggestions as they are a possible solution.
0
