Cisco ASA VPN using ASDM

Hi -

I'm using a Cisco ASA 5510 ASA version 9.1(4), ASDM version 7.1(5)100.  I currently have a remote access VPN setup for myself.  When I connect, I can reach anything at my primary site.

What settings do I need to make, via ASDM, to be able to reach all of my other sites?

I'm able to reach all other sites when I'm in the office.
emeka57 asked:

asavener commented:
You need two things.

1) All remote sites need a route to the address space you're using for your VPN pool.

2) You need to edit the access list assigned to the VPN policy, so that the subnets of all of your remote sites are included.

emeka57 (author) commented:
How do I accomplish this via ASDM?

asavener commented:
Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools to see the address pool, then check the router configs at the remote site to make sure there's a route back.

Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > Crypto Maps.  Check for the remote access crypto map, check the properties for the access list.
emeka57 (author) commented:
For the 2nd portion, there is no crypto map for the remote access.

asavener commented:
I don't have an ASA right now that I can hop on and look at the config.

There should be a setting that is the split tunnel policy, which should be set to "tunnel network list below" and then a second setting called split tunnel network list, which should be set to an access list.  Edit that access list to include the addresses of the remote sites.

I think those settings are on the group policy for the remote access VPN.

Henk van Achterberg (Sr. Technical Consultant) commented:
If you do not want to change the other side of the VPN tunnel(s) you can NAT your VPN pool to an unused IP on the inside so the traffic is tunneled over the VPN using the existing configuration.

To accomplish this you simply make a dynamic NAT rule from the outside to the outside with:

source network: VPN pool network
destination network: subnets on the other side of VPN tunnels

translated source network: unused inside IP
destination network: -- original --

emeka57 (author) commented:
No, it's a remote access VPN.

My VPN subnet is 192.168.1.0/24.  I have access to my location network 10.100.0.0/22.  I'm trying to get access to the other networks that are connected via MPLS; 10.101.0.0, 10.102.0.0, 10.103.0.0, and 10.104.0.0 all /22.
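The split-tunnel change asavener describes above, written out as ASA CLI for the addresses the asker just gave. This is an added example, not configuration from the thread: the ACL name SPLIT_TUNNEL, the group-policy name GP_RA and the MPLS CE router address 10.100.0.2 on the inside LAN are assumptions, and the ASDM paths in the comments are where the same settings live in ASDM 7.1.

```cisco
! Added example (not from the thread). Assumed names: SPLIT_TUNNEL, GP_RA; assumed MPLS CE
! router at 10.100.0.2 on the inside LAN. Subnets are the ones the asker lists.
!
! 1) Split-tunnel network list: only these destinations are sent into the tunnel.
!    ASDM: Configuration > Remote Access VPN > Network (Client) Access > Group Policies >
!          Edit > Advanced > Split Tunneling
access-list SPLIT_TUNNEL standard permit 10.100.0.0 255.255.252.0
access-list SPLIT_TUNNEL standard permit 10.101.0.0 255.255.252.0
access-list SPLIT_TUNNEL standard permit 10.102.0.0 255.255.252.0
access-list SPLIT_TUNNEL standard permit 10.103.0.0 255.255.252.0
access-list SPLIT_TUNNEL standard permit 10.104.0.0 255.255.252.0
!
! 2) Attach the list to the remote-access group policy ("tunnel network list below" in ASDM).
group-policy GP_RA attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! 3) The ASA must be able to reach the MPLS subnets itself. Its default route points outside,
!    so each remote site needs a static route toward the CE router on the inside.
route inside 10.101.0.0 255.255.252.0 10.100.0.2
route inside 10.102.0.0 255.255.252.0 10.100.0.2
route inside 10.103.0.0 255.255.252.0 10.100.0.2
route inside 10.104.0.0 255.255.252.0 10.100.0.2
!
! 4) Return path (outside the ASA): the MPLS cloud must route 192.168.1.0/24 back to this
!    ASA's inside address, or replies from the remote sites never come back. Check what the
!    ASA ended up with:
show route
show run group-policy GP_RA
```

The new split-tunnel list is pushed to a client at connect time, so existing VPN sessions have to reconnect before the extra subnets are routed into the tunnel. Step 4 is the part ASDM cannot do for you: if the provider-managed MPLS router has no route for 192.168.1.0/24, the packets reach the remote sites but the replies are dropped there, which is the symptom to test for from a remote-site host (a traceroute to a connected client's address).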
Henk van Achterberg (Sr. Technical Consultant) commented:
The easiest way is to make 192.168.1.0/24 known in the MPLS cloud so that the traffic will be flowing through the ASA.

If that is not a viable solution then you can translate traffic going from 192.168.1.0 to the MPLS networks through, for example, 10.100.0.1 (an unused IP in the 10.100.0.0/22 range).

asavener commented:
You add a static route on the 10.100.0.0/22 MPLS router, and redistribute it to your routing protocol (likely to be BGP).

Can you provide the BGP config on your 10.100.0.0/22 MPLS router?

emeka57 (author) commented:
The MPLS router is managed by my ISP and I have no access to its config.  I'm trying to accomplish this task via my ASA 5510 using ASDM.

asavener commented:
Then you will have to create a remote access IP pool that uses some of the addresses in your main site's address space, instead of using 192.168.1.0/24.

I think you can use a local DHCP server for remote access addresses, or just create a remote access pool on the ASA.

One consideration is that if the ASA hands out the addresses, then you should exclude those addresses in your LAN DHCP server.


You can't edit IP pools once they're created on the ASA.  You will have to create a new IP address pool, assign it to the remote access policy, then remove the original IP pool.
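What asavener's pool-in-the-LAN suggestion looks like on the CLI, as an added example rather than anything posted in the thread. It assumes the ASA's inside interface sits in 10.100.0.0/22, that 10.100.3.1 through 10.100.3.254 are free and excluded from the LAN DHCP scope, and the names RA_POOL, OLD_POOL and RA_TUNNEL.

```cisco
! Added example (not from the thread). Assumed: inside interface in 10.100.0.0/22, the range
! 10.100.3.1-10.100.3.254 excluded from the LAN DHCP scope, names RA_POOL, OLD_POOL, RA_TUNNEL.
!
! New pool carved out of the main site's address space, with the LAN mask so clients get the
! right subnet.
! ASDM: Configuration > Remote Access VPN > Network (Client) Access > Address Assignment >
!       Address Pools
ip local pool RA_POOL 10.100.3.1-10.100.3.254 mask 255.255.252.0
!
! Attach it to the connection profile first, then drop the old pool (pools are not edited in
! place; a new one is created and the old one removed).
tunnel-group RA_TUNNEL general-attributes
 address-pool RA_POOL
no ip local pool OLD_POOL
!
! Clients now look like 10.100.0.0/22 hosts, so the MPLS cloud already routes replies to this
! site; on the LAN the ASA answers ARP for the addresses of connected clients. The split-tunnel
! list in the group policy must still include the 10.101-10.104 subnets, or the client never
! sends that traffic into the tunnel.
!
! Check the addresses handed out after clients reconnect:
show vpn-sessiondb
```

The DHCP exclusion is the step that bites later: if the LAN scope still covers 10.100.3.x, a LAN host and a VPN client will eventually hold the same address and the ASA's ARP replies will fight the host's. Reserve the range in the DHCP server before attaching the pool, not after.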
Henk van Achterberg (Sr. Technical Consultant) commented:
"Then you will have to create a remote access IP pool that uses some of the addresses in your main site's address space, instead of using 192.168.1.0/24."

You are not correct. You can use NAT as I suggested before to allow VPN traffic to go over the MPLS network. This is easy, simple and a clean solution.
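Henk's NAT approach in the twice-NAT syntax the ASA 9.1 in the question uses, as an added example that is not from the thread. Because the other sites are reached through the MPLS router on the main-site LAN, the rule here is written between the outside and inside interfaces. It assumes the MPLS CE router is at 10.100.0.2 on the inside, that 10.100.0.1 (the address Henk proposes) is unused on the LAN and excluded from DHCP, and the object names VPN_POOL, VPN_POOL_HIDE and MPLS_SITES. In ASDM the same rule is a Manual NAT rule under Configuration > Firewall > NAT Rules.

```cisco
! Added example (not from the thread). Assumed: MPLS CE router on the inside at 10.100.0.2,
! 10.100.0.1 unused on the LAN and excluded from DHCP, object names below.
object network VPN_POOL
 subnet 192.168.1.0 255.255.255.0
object network VPN_POOL_HIDE
 host 10.100.0.1
object-group network MPLS_SITES
 network-object 10.101.0.0 255.255.252.0
 network-object 10.102.0.0 255.255.252.0
 network-object 10.103.0.0 255.255.252.0
 network-object 10.104.0.0 255.255.252.0
!
! Twice NAT (ASDM: Firewall > NAT Rules > Add "NAT Rule Before Network Object NAT Rules").
! Decrypted traffic from the pool bound for the MPLS sites leaves the inside interface sourced
! from 10.100.0.1; a single-host mapped object makes this dynamic PAT. Position 1 puts it ahead
! of any broader identity (no-NAT) rule for VPN traffic, which would otherwise match first.
nat (outside,inside) 1 source dynamic VPN_POOL VPN_POOL_HIDE destination static MPLS_SITES MPLS_SITES
!
! Traffic to the local LAN 10.100.0.0/22 is not in MPLS_SITES, so it keeps its 192.168.1.x
! source and the existing rules and ACLs for it are unchanged.
!
! Still needed: routes to the MPLS subnets on the ASA and a split-tunnel list that covers them.
! NAT only removes the requirement for a return route to 192.168.1.0/24 in the MPLS cloud.
route inside 10.101.0.0 255.255.252.0 10.100.0.2
route inside 10.102.0.0 255.255.252.0 10.100.0.2
route inside 10.103.0.0 255.255.252.0 10.100.0.2
route inside 10.104.0.0 255.255.252.0 10.100.0.2
!
! Verify hit counts on the rule and the live translations:
show nat detail
show xlate
```

Two things to keep in mind with this option. The ASA answers ARP on the inside for the mapped address, which is why 10.100.0.1 must be unused rather than merely unassigned in DHCP. And every VPN user reaches the remote sites as 10.100.0.1, so remote-site ACLs and logs cannot tell users apart; per-user attribution then exists only in the ASA's translation table and its syslog (messages 305011/305012 for translations built and torn down), which is the trade-off behind the preference for a distinct VPN subnet voiced later in the thread.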

asavener commented:
OK.  "Have to" overstates the case, but it's certainly simpler than creating NAT rules for your VPN.

My advice is always keep it simple, keep it supportable.  Outside-to-inside NAT where it isn't absolutely necessary violates that principle.

"easy, simple, clean"

I disagree on every point.

Henk van Achterberg (Sr. Technical Consultant) commented:
Well, you are welcome to disagree, it is good to have your own opinion!

In my view I would like to have a separate subnet for my remote VPN users. This way I can make clean ACLs. Also, using split VPN tunneling is easier with different subnets. When you place your remote VPN users in the same subnet then the ASA must perform some layer 2 functionality for you, while when you are in a different subnet only layer 3 functionality is used.

Both of our suggestions are a solution for the problem of the topic starter. Based on our explanations he can choose the option which suits him best.

Thanks for your suggestions as they are a possible solution.
Question has a verified solution.