Solved

Cisco ASA device

Posted on 2015-02-13
Last Modified: 2015-02-16
We have a site-to-site VPN between 2 ASA devices from site 1 to site 2 working fine. I have defined a new client VPN tunnel that will allow clients to connect inbound on the site 1 ASA, which is the same device connecting site 1 to site 2. This also works great, allowing inbound VPN traffic to site 1. Is it technically possible to route traffic for folks connecting via inbound VPN to traverse the tunnel from site 1 to site 2 on the same ASA? If this is not technically possible on the same ASA device due to the nature of VPN or a device limitation, I'm thinking about using another VPN device to allow inbound clients to site 1, although they will need to traverse the 2nd VPN connecting site 1 to site 2. Would that be technically possible? If so, I will try to figure out a way, but I need to know if I'm wasting my time where I cannot have clients come in on one VPN and then traverse another VPN to site 2. Any help will be appreciated. Thank You!
Question by:Geo Cullen
7 Comments
 
LVL 9

Expert Comment

by:ffleisma
ID: 40609506
When you say "Have defined a new client VPN tunnel", can you clarify if this is a site-to-site VPN or via a remote VPN client used on a PC?

For now I'll assume you are referring to connecting 3 sites via site-to-site VPN.

[Attached image: Cisco-ASA-device.png]

Also, can you provide details on the following:
1. Why can't the new site have a direct S-2-S VPN towards Site2? (We might be able to provide a better solution if we can understand the restrictions and targets.)
 The reasons I know of could be:
 a. the new site needs to connect to both devices on site1 and site2
 b. the new site cannot establish a VPN towards site2 due to policy (different clients/administration), maybe.

So basically what you are asking, from what I understand, is that you wish to make site1 a hub, with the new site and site2 as spokes. For new site to site 2 communication you would like it to traverse the hub (site1) using a single ASA. If that is an accurate description of your inquiry, the simple answer would be yes, you would be able to configure a hub-and-spoke site-to-site VPN design between these three sites. But do note that you would have inefficiencies: traffic from the new site to site2 will consume bandwidth twice on site1, which is acting as the hub. Hence I've inquired whether you can lift the restrictions and create a meshed design between the 3 sites instead.
LVL 80

Expert Comment

by:arnold
ID: 40609515
Your remote VPN needs to include the IP range from site 2. The site-to-site VPN needs the REMOTE VPN IPs, if different from the site 1 IPs, included in the nonat ACL.

You may need to add syslog or permit VPN traffic on the site 1 ASA.

Is your site-to-site unrestricted, or do you have ACLs defining what types of access are allowed?

Author Comment

by:Geo Cullen
ID: 40609738
Thank you for the reply ffleisma. No, the new client VPN tunnel is a remote client tunnel (from PCs).

Site 1 has most application services locally, then a few remote applications from Site 2. Recently a new broadband internet link has been installed allowing remote client inbound VPN to Site 1. The problem is, once clients connect to the inbound VPN they cannot traverse the site-to-site tunnel to Site 2.

I'm led to believe that, due to the nature of VPN, one cannot traverse 2 VPN tunnels, but I believe that if routes have been established properly it is possible, especially since it's contained on one ASA device.

Author Comment

by:Geo Cullen
ID: 40609745
Thank you arnold, it sounds like it is feasible to traverse 2 VPN tunnels provided IP routing is set up properly. No ACLs involved, traffic is unrestricted.
LVL 80

Expert Comment

by:arnold
ID: 40609774
Does the remote VPN use "secure all", such that when the VPN is established all traffic except local and the VPN server is sent through the tunnel? In this case the remote client should be able to get to site 2 provided same-security-traffic permit intra-interface/inter-interface is set.
There is sysopt connection permit-vpn or ipsec.

Or does the tunnel secure only the following, with the ACL including only the site 1 LAN?
LVL 9

Accepted Solution

by: ffleisma (earned 2000 total points)
ID: 40609788
Hi George,

If that is the case, here is a good example of doing hair-pinning for your requirement. I'm just not sure of your ASA version, but check it out, it might help you. The author already does a pretty good job discussing the configuration; credit goes to him.

http://www.petenetlive.com/KB/Article/0000040.htm
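Pulling together the pieces the thread names (same-security-traffic, the split-tunnel list, the crypto ACL, the nonat exemption and sysopt), here is an added configuration sketch in ASA 8.3-or-later syntax; it is not from the question's author, the commenters, or the linked article. All addresses and the object, ACL, group-policy and crypto-map names are hypothetical placeholders.

```cisco
! --- Site 1 ASA (hub; remote-access clients terminate here) ---
! Hypothetical addressing: Site 1 LAN 10.1.0.0/16, Site 2 LAN 10.2.0.0/16,
! remote-access pool 192.168.50.0/24. Replace with your own ranges.

! 1. Allow traffic that arrives on "outside" to leave on "outside" again (hairpin).
same-security-traffic permit intra-interface

! 2. Address pool for remote clients, plus objects reused by the NAT exemption.
ip local pool RA_POOL 192.168.50.1-192.168.50.254 mask 255.255.255.0
object network RA_POOL_NET
 subnet 192.168.50.0 255.255.255.0
object network SITE2_NET
 subnet 10.2.0.0 255.255.0.0

! 3. Split-tunnel list must include Site 2, otherwise clients never send that
!    traffic into the tunnel (a full-tunnel "secure all" policy needs no list).
access-list RA_SPLIT standard permit 10.1.0.0 255.255.0.0
access-list RA_SPLIT standard permit 10.2.0.0 255.255.0.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_SPLIT

! 4. Site-to-site crypto ACL: the client pool must be "interesting" traffic
!    toward Site 2 in addition to the Site 1 LAN.
access-list S2S_CRYPTO extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list S2S_CRYPTO extended permit ip 192.168.50.0 255.255.255.0 10.2.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address S2S_CRYPTO

! 5. NAT exemption so pool addresses are not translated when hairpinning
!    outside -> outside toward Site 2 (the "nonat" piece from the thread).
nat (outside,outside) source static RA_POOL_NET RA_POOL_NET destination static SITE2_NET SITE2_NET no-proxy-arp route-lookup

! 6. Let decrypted VPN traffic bypass the interface ACLs.
sysopt connection permit-vpn

! --- Site 2 ASA: mirror the crypto ACL and exempt the pool from NAT ---
! (define the same RA_POOL_NET and SITE2_NET objects here as above)
access-list S2S_CRYPTO extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list S2S_CRYPTO extended permit ip 10.2.0.0 255.255.0.0 192.168.50.0 255.255.255.0
nat (inside,outside) source static SITE2_NET SITE2_NET destination static RA_POOL_NET RA_POOL_NET no-proxy-arp route-lookup
```

On ASA releases before 8.3 the NAT exemption is written as a `nat (interface) 0 access-list ...` statement instead of the object-based form shown here; the ACL and crypto-map logic is the same.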

Author Comment

by:Geo Cullen
ID: 40612018
Thank you for the link ffleisma, this should work out well!  Thank you to both of you for answering my question.