Solved

Cisco ASA device

Posted on 2015-02-13
97 Views
Last Modified: 2015-02-16
We have a site-to-site VPN between 2 ASA devices from site 1 to site 2 working fine.  Have defined a new client VPN tunnel that will allow clients to connect inbound on the site 1 ASA, which is the same device connecting site 1 to site 2.  This also works great, allowing inbound VPN traffic to site 1.  Is it technically possible to route traffic for folks connecting via inbound VPN to traverse the tunnel from site 1 to site 2 on the same ASA?  If this is not technically possible on the same ASA device due to the nature of VPN or a device limitation, I'm thinking about using another VPN device to allow inbound clients to site 1, although they will still need to traverse the 2nd VPN connecting site 1 to site 2.  Would that be technically possible? If so, I will try to figure out a way, but I need to know if I'm wasting my time where I cannot have clients come in on one VPN and then traverse another VPN to site 2.  Any help will be appreciated.  Thank You!
Question by:Geo Cullen
7 Comments
 
LVL 9

Expert Comment

by:ffleisma
ID: 40609506
when you say "Have defined a new client VPN tunnel", can you clarify if this is a site-to-site VPN or via remote VPN client used on PC?

for now I'll assume you are referring to connecting 3 sites via site-to-site VPN.

[attached image: 28616768---Cisco-ASA-device.png]
also, can you provide details on the following:
1. why can't the new site have a direct S-2-S VPN towards Site2? (We might be able to provide a better solution if we can understand the restrictions and targets.)
 the reasons I know of could be:
 a. new site needs to connect to both devices on site1 and site2
 b. new site cannot establish VPN towards site2 due to policy (different clients/administration) maybe.

So basically what you are asking, from what I understand, is that you wish to make site1 a hub, with the new site and site2 as spokes. For new site to site 2 communication you would like it to traverse the hub (site1) using a single ASA. If that is an accurate description of your inquiry, the simple answer would be yes, you would be able to configure a hub and spoke site-to-site VPN design between these three sites. But do note that you would have inefficiencies: traffic from the new site to site2 will consume bandwidth twice on site1, which is acting as the hub. Hence I've inquired whether you can lift the restrictions and create a meshed design between the 3 sites instead.
 
LVL 78

Expert Comment

by:arnold
ID: 40609515
Your remote VPN needs to include the IP range from site 2. The site-to-site VPN needs the REMOTE VPN IPs, if different from the site 1 IPs, included in the nonat ACL.

You may need to add syslog or permit VPN traffic on the site 1 ASA.

Is your site-to-site unrestricted, or do you have ACLs defining what types of access are allowed?
 

Author Comment

by:Geo Cullen
ID: 40609738
Thank you for the reply ffleisma, no, the new client VPN tunnel is a remote client tunnel (from PCs).

Site 1 has most application services locally, then a few remote applications from Site 2.  Recently a new broadband internet link has been installed allowing remote client inbound VPN to Site 1.  Problem is, once clients connect to the inbound VPN they cannot traverse the site-to-site tunnel to Site 2.

I'm led to believe that due to the nature of VPN one cannot traverse 2 VPN tunnels, and I believe that if routes have been established properly it is possible, especially since it's contained on one ASA device.

Author Comment

by:Geo Cullen
ID: 40609745
Thank you arnold, it sounds like it is feasible to traverse 2 VPN tunnels providing IP routing is set up properly.  No ACLs involved, traffic is unrestricted.
 
LVL 78

Expert Comment

by:arnold
ID: 40609774
Does the remote VPN use secure all, such that when the VPN is established all the traffic except local and the VPN server is sent through the tunnel?  In this case the remote client should be able to get to site 2 provided same-security-traffic permit intra-interface/inter-interface is set.
There is sysopt connection permit-vpn or permit-ipsec.

Or the tunnel secures only the following, and the ACL includes only the site 1 LAN.
 
LVL 9

Accepted Solution

by:
ffleisma earned 500 total points
ID: 40609788
Hi George,

If that is the case, here is a good example of doing hair-pinning for your requirement. I'm just not sure of your ASA version, but check it out, it might help you. The author already does a pretty good job discussing the configuration; credit goes to him.

http://www.petenetlive.com/KB/Article/0000040.htm
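The configuration arnold's two comments describe and the accepted answer links to, written out as an added example. It is not from the thread or the linked article: every address, object name and interface name is assumed (Site 1 LAN 192.168.1.0/24, Site 2 LAN 192.168.2.0/24, remote-access pool 10.10.10.0/24, Site 2 peer 203.0.113.2, interfaces "inside" and "outside"), the syntax is ASA 8.4(2)+/9.x object NAT, and only the lines that change for the hairpin are shown; the existing crypto map entry, transform set and tunnel-group configuration are assumed to be in place already.

```text
! Added example (assumed names/addresses, ASA 8.4(2)+ / 9.x syntax).
!----- Site 1 ASA: terminates both the remote-access VPN and the site-to-site VPN

! Decrypted client traffic arrives on "outside" and must leave on "outside"
! again inside the site-to-site tunnel. By default the ASA drops that.
same-security-traffic permit intra-interface

! Let traffic arriving through a VPN bypass the outside interface ACL
! (older releases spell this "sysopt connection permit-ipsec").
sysopt connection permit-vpn

object network SITE1-LAN
 subnet 192.168.1.0 255.255.255.0
object network SITE2-LAN
 subnet 192.168.2.0 255.255.255.0
object network RA-POOL
 subnet 10.10.10.0 255.255.255.0
ip local pool RA-ADDRESSES 10.10.10.1-10.10.10.254 mask 255.255.255.0

! Split-tunnel list for the clients. Site 2 must be listed, or the client
! never sends that traffic into its tunnel in the first place.
access-list RA-SPLIT standard permit 192.168.1.0 255.255.255.0
access-list RA-SPLIT standard permit 192.168.2.0 255.255.255.0
group-policy RA-GP internal
group-policy RA-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA-SPLIT
 address-pools value RA-ADDRESSES

! Site-to-site crypto ACL: the client pool becomes a second "interesting" source.
access-list L2L-SITE2 extended permit ip object SITE1-LAN object SITE2-LAN
access-list L2L-SITE2 extended permit ip object RA-POOL object SITE2-LAN
crypto map OUTSIDE-MAP 10 match address L2L-SITE2
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2

! NAT exemption (identity NAT). Client-to-Site-2 traffic enters and leaves
! on "outside", so its exemption is (outside,outside), not (inside,outside).
nat (inside,outside) source static SITE1-LAN SITE1-LAN destination static SITE2-LAN SITE2-LAN no-proxy-arp route-lookup
nat (inside,outside) source static SITE1-LAN SITE1-LAN destination static RA-POOL RA-POOL no-proxy-arp route-lookup
nat (outside,outside) source static RA-POOL RA-POOL destination static SITE2-LAN SITE2-LAN no-proxy-arp route-lookup

!----- Site 2 ASA: mirror the client pool, or phase 2 for that pair of
!----- subnets will not negotiate and the traffic is silently dropped.
object network SITE1-LAN
 subnet 192.168.1.0 255.255.255.0
object network SITE2-LAN
 subnet 192.168.2.0 255.255.255.0
object network RA-POOL
 subnet 10.10.10.0 255.255.255.0
access-list L2L-SITE1 extended permit ip object SITE2-LAN object SITE1-LAN
access-list L2L-SITE1 extended permit ip object SITE2-LAN object RA-POOL
crypto map OUTSIDE-MAP 10 match address L2L-SITE1
nat (inside,outside) source static SITE2-LAN SITE2-LAN destination static SITE1-LAN SITE1-LAN no-proxy-arp route-lookup
nat (inside,outside) source static SITE2-LAN SITE2-LAN destination static RA-POOL RA-POOL no-proxy-arp route-lookup
```

Two checks and one caveat. After a client connects and tries to reach Site 2, `show crypto ipsec sa peer 203.0.113.2` on the Site 1 ASA should list a second SA whose local identity is 10.10.10.0/24 and remote identity 192.168.2.0/24; if only the 192.168.1.0/24 pair appears, the client's traffic is not matching the crypto ACL, and `packet-tracer input outside tcp 10.10.10.5 12345 192.168.2.10 80` will show which phase (NAT, intra-interface, or VPN) drops it. The pool must not overlap either LAN, since identity NAT and the crypto ACL both rely on the ranges being distinct. The caveat is that `sysopt connection permit-vpn` exempts every VPN client from the outside ACL, so once hairpinning works the clients have the same unrestricted reach into Site 2 as the Site 1 LAN does; if that is not intended, attach a `vpn-filter` ACL to the RA-GP group policy to limit what the pool may reach.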
 

Author Comment

by:Geo Cullen
ID: 40612018
Thank you for the link ffleisma, this should work out well!  Thank you to both of you for answering my question.