Solved: Cisco ASA device

Posted on 2015-02-13
Last Modified: 2015-02-16
We have a site-to-site VPN between 2 ASA devices from site 1 to site 2 working fine.  I have defined a new client VPN tunnel that allows clients to connect inbound on the site 1 ASA, which is the same device connecting site 1 to site 2.  This also works great, allowing inbound VPN traffic to site 1.  Is it technically possible to route traffic for folks connecting inbound via VPN so that it traverses the tunnel from site 1 to site 2 on the same ASA?  If this is not technically possible on the same ASA device due to the nature of VPN or a device limitation, I'm thinking about using another VPN device to allow inbound clients into site 1, although they will still need to traverse the 2nd VPN connecting site 1 to site 2.  Would that be technically possible? If so, I will try to figure out a way, but I need to know whether I'm wasting my time where I cannot have clients come in on one VPN and then traverse another VPN to site 2.  Any help will be appreciated.  Thank You!
Question by:Geo Cullen
7 Comments
 
LVL 9

Expert Comment

by:ffleisma
ID: 40609506
When you say "Have defined a new client VPN tunnel", can you clarify whether this is a site-to-site VPN or a remote VPN client used on a PC?

For now I'll assume you are referring to connecting 3 sites via site-to-site VPN.

[attached image: 28616768---Cisco-ASA-device.png]
Also, can you provide details on the following:
1. Why can't the new site have a direct S-2-S VPN towards Site 2? (We might be able to provide a better solution if we can understand the restrictions and targets.)
 The reasons I can think of could be:
 a. the new site needs to connect to both devices on site 1 and site 2
 b. the new site cannot establish a VPN towards site 2 due to policy (different clients/administration), maybe.

So basically what you are asking, from what I understand, is that you wish to make site 1 a hub, while the new site and site 2 are spokes. For new site to site 2 communication you would like it to traverse the hub (site 1) using a single ASA. If that is an accurate description of your inquiry, the simple answer would be yes, you would be able to configure a hub-and-spoke site-to-site VPN design between these three sites. But do note that you would have inefficiencies: traffic from the new site to site 2 will consume bandwidth twice on site 1, which is acting as the hub. Hence I've inquired whether you can lift the restrictions on creating a meshed design between the 3 sites instead.
 
LVL 76

Expert Comment

by:arnold
ID: 40609515
Your remote VPN needs to include the IP range from site 2. The site-to-site VPN needs the REMOTE VPN IPs, if different from the site 1 IPs, included in the nonat ACL.

You may need to add syslog or permit VPN traffic on the site 1 ASA.

Is your site-to-site unrestricted, or do you have ACLs defining what types of access are allowed?
 

Author Comment

by:Geo Cullen
ID: 40609738
Thank you for the reply ffleisma. No, the new client VPN tunnel is a remote client tunnel (from PCs).

Site 1 has most application services locally, then a few remote applications from Site 2.  Recently a new broadband internet link has been installed allowing remote client inbound VPN to Site 1.  The problem is, once clients connect to the inbound VPN they cannot traverse the site-to-site tunnel to Site 2.

I'm led to believe that, due to the nature of VPN, one cannot traverse 2 VPN tunnels, and I believe that if routes have been established properly it is possible, especially since it's contained on one ASA device.

Author Comment

by:Geo Cullen
ID: 40609745
Thank you arnold, it sounds like it is feasible to traverse 2 VPN tunnels providing IP routing is set up properly.  No ACLs involved, traffic is unrestricted.
 
LVL 76

Expert Comment

by:arnold
ID: 40609774
Is the remote VPN using secure-all, such that when the VPN is established all traffic except local and the VPN server is sent through the tunnel?  In this case the remote client should be able to get to site 2 provided same-security-traffic permit intra-interface/inter-interface is set.
There is sysopt connection permit-VPN or ipsec.

Or you have the tunnel secure the following, and the ACL includes only the site 1 LAN.
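The configuration below is an added example written for this thread; it is not from the thread, from the linked article, or from Cisco documentation. It sketches the hairpin arnold describes on the Site 1 ASA: the u-turn on the outside interface, the remote-access pool added to the site-to-site crypto ACL, a NAT exemption for the pool-to-Site-2 flow, and a split-tunnel list that includes Site 2. All addresses, interface, object and ACL names are assumptions constructed for the example (Site 1 LAN 10.1.0.0/16, Site 2 LAN 10.2.0.0/16, remote-access pool 192.168.100.0/24, outside interface named "outside"); the NAT lines use 8.3+ syntax and the pre-8.3 equivalent is given as a comment.

```cisco
! --- Site 1 ASA: let remote-access clients reach Site 2 through the existing L2L tunnel ---
! Assumed addressing (constructed for this example, not from the thread):
!   Site 1 LAN          10.1.0.0/16
!   Site 2 LAN          10.2.0.0/16
!   Remote-access pool  192.168.100.0/24
!   Outside interface   "outside"

! 1. Allow a flow to enter and leave the same interface (u-turn / hairpin).
!    Without this, decrypted client traffic bound back out "outside" is dropped.
same-security-traffic permit intra-interface

! 2. Let decrypted VPN traffic bypass the outside interface ACL (the default; made explicit here).
sysopt connection permit-vpn

! 3. Address pool and network objects.
ip local pool RAVPN_POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
object network SITE1_LAN
 subnet 10.1.0.0 255.255.0.0
object network SITE2_LAN
 subnet 10.2.0.0 255.255.0.0
object network RAVPN_NET
 subnet 192.168.100.0 255.255.255.0

! 4. NAT exemption for pool -> Site 2. The flow enters and exits "outside", so the
!    identity rule is written (outside,outside); real addresses must survive so the
!    packet matches the crypto ACL in step 5. (8.3+ twice NAT; keywords assumed 8.4(2)+.)
nat (outside,outside) source static RAVPN_NET RAVPN_NET destination static SITE2_LAN SITE2_LAN no-proxy-arp route-lookup
!    Pre-8.3 equivalent (assumed syntax for older code):
!    access-list OUTSIDE_NONAT extended permit ip 192.168.100.0 255.255.255.0 10.2.0.0 255.255.0.0
!    nat (outside) 0 access-list OUTSIDE_NONAT

! 5. Site-to-site crypto ACL: keep the existing LAN -> LAN line and add the pool -> Site 2 line.
access-list L2L_SITE2 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list L2L_SITE2 extended permit ip 192.168.100.0 255.255.255.0 10.2.0.0 255.255.0.0

! 6. Split tunnel: clients send only Site 1 and Site 2 prefixes into the tunnel.
!    (With a tunnel-all policy instead, steps 1, 4 and 5 are still required.)
access-list RAVPN_SPLIT standard permit 10.1.0.0 255.255.0.0
access-list RAVPN_SPLIT standard permit 10.2.0.0 255.255.0.0
group-policy RAVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RAVPN_SPLIT
```

The Site 2 ASA needs the mirror image: its crypto ACL for this peer must permit 10.2.0.0/16 to 192.168.100.0/24, and its NAT exemption must cover that pair as well, or the return traffic will be NATed and fail the proxy-ID match. To confirm the path without a client, `packet-tracer input outside tcp 192.168.100.10 1025 10.2.0.10 445` on Site 1 should show the NAT exemption and the VPN encrypt phase being hit, and `show crypto ipsec sa` should show a second SA whose local/remote selectors are the pool and Site 2. Note that the split list and the crypto ACL together define what remote users can reach; keeping both limited to the specific networks required, rather than whole RFC 1918 ranges, is what keeps the hairpin from quietly widening remote users' access.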
 
LVL 9

Accepted Solution

by: ffleisma (earned 500 total points)
ID: 40609788
Hi George,

If that is the case, here is a good example of doing hair-pinning for your requirement. I'm just not sure of your ASA version, but check it out, it might help you. The author already does a pretty good job of discussing the configuration; credit goes to him.

http://www.petenetlive.com/KB/Article/0000040.htm
 

Author Comment

by:Geo Cullen
ID: 40612018
Thank you for the link ffleisma, this should work out well!  Thank you to both of you for answering my question.