Solved

Cisco ASA device

Posted on 2015-02-13
Last Modified: 2015-02-16
We have a site-to-site VPN between 2 ASA devices from site 1 to site 2 working fine. Have defined a new client VPN tunnel that will allow clients to connect inbound on the site 1 ASA, which is the same device connecting site 1 to site 2. This also works great, allowing inbound VPN traffic to site 1. Is it technically possible to route traffic for folks connecting inbound via VPN to traverse the tunnel from site 1 to site 2 on the same ASA? If this is not technically possible on the same ASA device due to the nature of VPN or a device limitation, I'm thinking about using another VPN device to allow inbound clients to site 1, although they will need to traverse the 2nd VPN connecting site 1 to site 2. Would that be technically possible? If so, I will try to figure out a way, but I need to know if I'm wasting my time where I cannot have clients come in on one VPN and then traverse another VPN to site 2. Any help will be appreciated. Thank You!
Question by: Geo Cullen
7 Comments
 
LVL 9

Expert Comment

by:ffleisma
ID: 40609506
When you say "Have defined a new client VPN tunnel", can you clarify if this is a site-to-site VPN or a remote VPN client used on a PC?

For now I'll assume you are referring to connecting 3 sites via site-to-site VPN.

[Attached diagram: 28616768---Cisco-ASA-device.png]

Also, can you provide details on the following:
1. Why can't the new site have a direct S-2-S VPN towards Site 2? (We might be able to provide a better solution if we can understand the restrictions and targets.) The following reasons I know could be:
 a. the new site needs to connect to both devices on site 1 and site 2
 b. the new site cannot establish a VPN towards site 2 due to policy (different clients/administration), maybe.

So basically, what you are asking from what I understand is that you wish to make site 1 a hub, with the new site and site 2 as spokes. For new site to site 2 communication you would like it to traverse the hub (site 1) using a single ASA. If that is an accurate description of your inquiry, the simple answer would be yes, you would be able to configure a hub-and-spoke site-to-site VPN design between these three sites. But do note that you would have inefficiencies: traffic from the new site to site 2 will consume bandwidth twice on site 1, which is acting as the hub. Hence I've inquired whether you can lift the restrictions and create a meshed design between the 3 sites instead.
 
LVL 79

Expert Comment

by:arnold
ID: 40609515
Your remote VPN needs to include the IP range from site 2. The site-to-site VPN needs the remote VPN IPs, if different from the site 1 IPs, included in the no-NAT ACL.

You may need to add syslog or permit VPN traffic on the site 1 ASA.

Is your site-to-site unrestricted, or do you have ACLs defining what types of access are allowed?
 

Author Comment

by:Geo Cullen
ID: 40609738
Thank you for the reply ffleisma. No, the new client VPN tunnel is a remote client tunnel (from PCs).

Site 1 has most application services locally, then a few remote applications from Site 2. Recently a new broadband internet link has been installed allowing remote client inbound VPN to Site 1. The problem is, once clients connect to the inbound VPN they cannot traverse the site-to-site tunnel to Site 2.

I'm led to believe that due to the nature of VPN, one cannot traverse 2 VPN tunnels, and I believe if routes have been established properly it is possible, especially since it's contained on one ASA device.

Author Comment

by:Geo Cullen
ID: 40609745
Thank you arnold, it sounds like it is feasible to traverse 2 VPN tunnels providing IP routing is set up properly. No ACLs involved; traffic is unrestricted.
 
LVL 79

Expert Comment

by:arnold
ID: 40609774
Does the remote VPN use secure-all, such that when the VPN is established all traffic except local and the VPN server is sent through the tunnel? In this case the remote client should be able to get to site 2, provided the same-security-traffic permit intra-interface/inter-interface is set.
There is sysopt connection permit-vpn or permit-ipsec.

Or you have the tunnel secure only the following, and the ACL includes only the site 1 LAN.
 
LVL 9

Accepted Solution

by: ffleisma (earned 2000 total points)
ID: 40609788
Hi George,

If that is the case, here is a good example of doing hair-pinning for your requirement. I'm just not sure of your ASA version, but check it out, it might help you. The author already does a pretty good job discussing the configuration; credit goes to him.

http://www.petenetlive.com/KB/Article/0000040.htm
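The pieces the two answers above touch on (the no-NAT/NAT-exempt ACL and the VPN pool being covered by the site-to-site crypto ACL, same-security-traffic permit intra-interface, sysopt connection permit-vpn, and the split-tunnel list including site 2) fit together as below. This is an added configuration example, not from the original thread or from the linked article, written in ASA 8.4(2)+/9.x syntax; the interface names (inside/outside), object names, ACL names, the site 2 peer address and all subnets (site 1 LAN 10.1.0.0/24, site 2 LAN 10.2.0.0/24, remote-access pool 10.99.0.0/24) are assumptions for illustration and must be replaced with the real values. The existing crypto map, IKE policy and tunnel-groups are assumed to be in place already.

```cisco
! ===== Site 1 ASA (the hub: terminates both the RA VPN and the L2L tunnel) =====
! Hairpinned traffic enters the outside interface from the RA client and leaves
! the same outside interface inside the L2L tunnel. Without this the ASA drops it.
same-security-traffic permit intra-interface

! Constructed addressing (assumed for this example)
object network SITE1-LAN
 subnet 10.1.0.0 255.255.255.0
object network SITE2-LAN
 subnet 10.2.0.0 255.255.255.0
object network RA-VPN-POOL
 subnet 10.99.0.0 255.255.255.0
ip local pool RA-POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0

! 1. Crypto ACL for the site-to-site tunnel: the VPN pool must be an "interesting"
!    source towards site 2, not only the site 1 LAN. Bound to the existing crypto map.
access-list L2L-SITE2 extended permit ip object SITE1-LAN object SITE2-LAN
access-list L2L-SITE2 extended permit ip object RA-VPN-POOL object SITE2-LAN
crypto map OUTSIDE-MAP 10 match address L2L-SITE2

! 2. Split-tunnel list pushed to the remote clients must include site 2's subnet,
!    otherwise the client never sends that traffic into its own tunnel.
!    (With tunnelall / "secure all" this list is not needed.)
access-list RA-SPLIT standard permit 10.1.0.0 255.255.255.0
access-list RA-SPLIT standard permit 10.2.0.0 255.255.255.0
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA-SPLIT

! 3. NAT exemption (identity NAT) for every VPN-to-VPN flow. The pool -> site 2 flow
!    is (outside,outside) because it enters and leaves on the outside interface.
nat (inside,outside) source static SITE1-LAN SITE1-LAN destination static SITE2-LAN SITE2-LAN no-proxy-arp route-lookup
nat (inside,outside) source static SITE1-LAN SITE1-LAN destination static RA-VPN-POOL RA-VPN-POOL no-proxy-arp route-lookup
nat (outside,outside) source static RA-VPN-POOL RA-VPN-POOL destination static SITE2-LAN SITE2-LAN no-proxy-arp route-lookup

! 4. Decrypted VPN traffic bypasses interface ACLs (the ASA default; shown for clarity).
sysopt connection permit-vpn

! ===== Site 2 ASA (the spoke) =====
! Mirror image: the RA pool must be interesting traffic and must be NAT-exempt here too,
! or site 2 will never encrypt the return traffic back to the clients.
object network SITE1-LAN
 subnet 10.1.0.0 255.255.255.0
object network SITE2-LAN
 subnet 10.2.0.0 255.255.255.0
object network RA-VPN-POOL
 subnet 10.99.0.0 255.255.255.0
access-list L2L-SITE1 extended permit ip object SITE2-LAN object SITE1-LAN
access-list L2L-SITE1 extended permit ip object SITE2-LAN object RA-VPN-POOL
crypto map OUTSIDE-MAP 10 match address L2L-SITE1
nat (inside,outside) source static SITE2-LAN SITE2-LAN destination static SITE1-LAN SITE1-LAN no-proxy-arp route-lookup
nat (inside,outside) source static SITE2-LAN SITE2-LAN destination static RA-VPN-POOL RA-VPN-POOL no-proxy-arp route-lookup
```

To check the result before involving a real client, run packet-tracer on the site 1 ASA with a source address from the pool, e.g. `packet-tracer input outside icmp 10.99.0.10 8 0 10.2.0.10`: every phase (including NAT and VPN encrypt) should show ALLOW, and a failure at the NAT phase almost always means the (outside,outside) exemption is missing or ordered after a translating rule. Once a client sends traffic, `show crypto ipsec sa peer <site 2 address>` should list a second SA pair for 10.99.0.0/24 <-> 10.2.0.0/24 beside the LAN-to-LAN pair. Note that on ASA 8.2 and earlier the same design is expressed with `nat 0 access-list` plus a no-NAT ACL instead of the object NAT lines above.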
 

Author Comment

by:Geo Cullen
ID: 40612018
Thank you for the link ffleisma, this should work out well!  Thank you to both of you for answering my question.