Solved

Cisco ASA VPN using ASDM

Posted on 2014-02-20
14
1,868 Views
Last Modified: 2014-03-12
Hi -

I'm using a Cisco ASA 5510 ASA version 9.1(4), ASDM version 7.1(5)100.  I currently have a remote access VPN setup for myself.  When I connect, I can reach anything at my primary site.

What settings do I need to make, via ASDM, to be able to reach all of my other sites?

I'm able to reach all other sites when I'm in the office.
0
Comment
Question by:emeka57
  • 6
  • 4
  • 4
14 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 39874512
You need two things.

1) All remote sites need a route to the address space you're using for your VPN pool.

2) You need to edit the access list assigned to the VPN policy, so that the subnets of all of your remote sites are included.
0
 

Author Comment

by:emeka57
ID: 39875661
How do I accomplish this via ASDM?
0
 
LVL 28

Expert Comment

by:asavener
ID: 39875714
Configuration >
Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools to see the address pool, then check the router configs at the remote site to make sure there's a route back.


Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > Crypto
Maps.  Check for the remote access crypto map, check the properties for the access list.
0
 

Author Comment

by:emeka57
ID: 39876649
For the 2nd portion, there is no crypto map for the remote access.
0
 
LVL 28

Expert Comment

by:asavener
ID: 39876918
I don't have an ASA right now that I can hop on and look at the config.

There should be a setting that is the split tunnel policy, which should be set to "tunnel network list below" and then a second setting called split tunnel network list, which should be set to an access list.  Edit that access list to include the addresses of the remote sites.

I think those settings are on the group policy for the remote access VPN.
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39883670
If you do not want to change the other side of the VPN tunnel(s) you can NAT your VPN pool to an, unused, IP on the inside so the traffic is tunneled over the VPN using the existing configuration.

To accomplish this you simply make a dynamic NAT rule from the outside to the outside with:

source network: VPN pool network
destination network: subnets on the other side of VPN tunnels

translated source network: unused inside IP
destination network: -- original --
0
 

Author Comment

by:emeka57
ID: 39883691
No, it's a remote access VPN.

My VPN subnet is 192.168.1.0/24.  I have access to my location network 10.100.0.0/22.  I'm trying to get access to the other networks that are connected via MPLS; 10.101.0.0, 10.102.0.0, 10.103.0.0, and 10.104.0.0 all /22.
0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39883707
The easiest way is to make 192.168.1.0/24 known in the MPLS cloud so that the traffic will be flowing trough the ASA.

If that is not a viable solution then you can translate traffic going from 192.168.1.0 to the MPLS networks trough, for example, 10.100.0.1 (an unused IP in the 10.100.0.0/22 range).
0
 
LVL 28

Expert Comment

by:asavener
ID: 39884030
You add a static route on the 10.100.0.0/22 MPLS router, and redistribute it to your routing protocol (Likely to be BPG).

Can you provide the BGP config on your 10.100.0.0/22 MPLS router?
0
 

Author Comment

by:emeka57
ID: 39886188
The MPLS router is managed by my ISP and I have no access to its config.  I'm trying to accomplish this task via my ASA 5510 using ASDM.
0
 
LVL 28

Assisted Solution

by:asavener
asavener earned 166 total points
ID: 39886228
Then you will have to create a remote access IP pool that uses some of the addresses in your main site's address space, instead of using 192.168.1.0/24.

I think you can use a local DHCP server for remote access addresses, or just create a remote access pool on the ASA.

One consideration is that if the ASA hands out the addresses, then you should exclude those addresses in your LAN DHCP server.


You can't edit IP pools once they're created on the ASA.  You will have to create a new IP address pool, assign it to the remote access policy, then remove the original IP pool.
0
 
LVL 12

Accepted Solution

by:
Henk van Achterberg earned 334 total points
ID: 39886590
Then you will have to create a remote access IP pool that uses some of the addresses in your main site's address space, instead of using 192.168.1.0/24.

You are not correct. You can use NAT as I suggested before to allow VPN traffic to go over the MPLS network. This is easy, simple and a clean solution.
0
 
LVL 28

Expert Comment

by:asavener
ID: 39886642
OK.  "Have to" overstates the case, but it's certainly simpler than creating NAT rules for your VPN.

My advice is always keep it simple, keep it supportable.  Outside-to-inside NAT where it isn't absolutely necessary violates that principle.

"easy, simple, clean"

I disagree on every point.
0
 
LVL 12

Assisted Solution

by:Henk van Achterberg
Henk van Achterberg earned 334 total points
ID: 39886694
Well, you are welcome to disagree, it is good to have your own opinion!

In my view I would like to have a separate subnet for my remote VPN users. This way I can make clean ACL's. Also using split vpn tunneling is easier with different subnets. When you place your remote vpn user in the same subnet then the ASA must perform some layer 2 functionality for you while when you are in a different subnet only layer 3 functionality is used.

Both of our suggestions are a solution for the problem of the topic starter. Based on our explanations he can choose the option which suits him best.

Thanks for your suggestions as they are a possible solution.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Every server (virtual or physical) needs a console: and the console can be provided through hardware directly connected, software for remote connections, local connections, through a KVM, etc. This document explains the different types of consol…
If you use NetMotion Mobility on your PC and plan to upgrade to Windows 10, it may not work unless you take these steps.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now