Michael Jackson asked:
Remote VPN user needs to access RDP through site-to-site VPN

I have two sites (Site A and Site B) connected by a Cisco ASA 5506 site-to-site VPN. Internally, routing appears to work fine. Devices in Site A can access devices in Site B and vice versa.

Site A has all servers and DNS. DUO authentication is set up to do 2FA for remote users that connect to Site A. At Site B, there are no servers, no DNS, no DUO Auth. All users must use the Site A VPN to connect to the corporate network. I have users that must VPN to Site A and use RDP to access workstations in Site B.

However, these users can access Site A devices only. They cannot ping nor otherwise RDP to the devices in Site B while connected to the VPN at Site A. I am sure the devices in Site B do not know how to get back to the remote VPN subnet.

Interestingly, the ASAs cannot ping the devices at the other site either. If I try to ping the server at Site A from the ASA in Site B, it does not reply. I feel this is an internal routing issue in the ASAs' configuration.

Tags: VPN, Cisco, AnyConnect, Routers

Michael Jackson (asker):

[image attachment posted by the asker, not reproduced here]
kenfcamp:

"I feel this is an internal routing issue in the ASAs' configuration."

I would have to agree, or firewall / routing policies haven't been set up correctly.

By the looks of it (and correct me if I'm wrong) you have a P2P VPN tunnel connecting Site A to Site B.

Depending on how policies are set up, Site A should be able to access resources on Site B and vice versa without the need for users to VPN into the opposite site while at the other.

Connecting to a device on Site B through the same tunnel via an external VPN connection would require additional policies and/or rules.
Michael Jackson (asker):
Correct: Site A and B are connected by P2P VPN.

Correct: anyone at either site can access anything at the other site through the VPN.

Correct: remote/home/field users that VPN into Site A can only access Site A devices. But I need them to access all devices at either site. This is what I need resolved.

kenfcamp:

Your remote user can access Site A devices but not Site B, likely because the IP range being used in the connection is allowed by (A) but not (B).

I'm using different hardware but the premise should be the same.

(SSL VPN user connects to Site A to use resources on Site A as well as Site B and C, which are connected to each other via VPN tunnels.)

To do this I needed to make a few modifications:

1) The SSL VPN routes and user routes had to be altered to add the VLAN for the portion of the network allowed through the VPN tunnel.

2) I had to add the SSL VPN IP range into an address object in the firewall for Site B and create a policy allowing it to access the desired VLAN(s).

Since your remote user can access Site A devices I don't think you'll need to worry about (1).

I think your issue is within (2).
Michael Jackson (asker):

Working on setting up the Hairpin.  I will report back.
Craig Beck:

This!...
"2) I had to add the SSL VPN IP range into an address object in the firewall for Site B and create a policy allowing it to access the desired VLAN(s)."

You'll need to allow 10.10.10.0/24 through the tunnel between SiteA and SiteB, otherwise the ASA at each end will try to route traffic to/from 10.10.10.0/24 to/from 192.168.200.0/24 via the internet.
Michael Jackson (asker):

Thank you, Craig, for the additional info. I have not had success as yet, but will revisit with your comment in mind.
Craig Beck:

No probs.

I think we're all pretty much saying the same thing, in that you need to add the subnet for the remote users to the IPsec tunnel (it'll be a source subnet at SiteA and a destination subnet at SiteB).
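An added configuration sketch of what the replies above converge on (a remote-access hairpin over the site-to-site tunnel), written by the editor and not posted by any participant. It uses ASA 9.x syntax and assumes 10.10.10.0/24 is the AnyConnect pool, 192.168.200.0/24 is the Site B LAN, 192.168.100.0/24 is the Site A LAN, interfaces are named inside/outside, and all object, ACL and group-policy names are placeholders.

```cisco
! ===== Site A ASA (AnyConnect headend) =====
! Assumed addressing: 10.10.10.0/24 = RA pool, 192.168.100.0/24 = Site A LAN,
! 192.168.200.0/24 = Site B LAN. Object and ACL names are placeholders.
object network RA_VPN_POOL
 subnet 10.10.10.0 255.255.255.0
object network SITEA_LAN
 subnet 192.168.100.0 255.255.255.0
object network SITEB_LAN
 subnet 192.168.200.0 255.255.255.0
!
! 1) Hairpin: RA traffic arrives on outside and leaves on outside again
same-security-traffic permit intra-interface
!
! 2) Crypto map ACL (the one referenced by "match address"): the RA pool
!    must be a source subnet alongside the Site A LAN
access-list L2L_SITEB extended permit ip object SITEA_LAN object SITEB_LAN
access-list L2L_SITEB extended permit ip object RA_VPN_POOL object SITEB_LAN
!
! 3) NAT exemption for the hairpinned flow (outside -> outside)
nat (outside,outside) source static RA_VPN_POOL RA_VPN_POOL destination static SITEB_LAN SITEB_LAN no-proxy-arp route-lookup
!
! 4) With split tunnelling, the client must also be given Site B's route
access-list SPLIT_TUNNEL standard permit 192.168.100.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.200.0 255.255.255.0
group-policy RA_GROUP_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! Verify the policy decision without a client connected (constructed
! sample hosts): every phase should report ALLOW and the VPN phase should fire
! packet-tracer input outside icmp 10.10.10.5 8 0 192.168.200.10

! ===== Site B ASA (mirror image) =====
object network RA_VPN_POOL
 subnet 10.10.10.0 255.255.255.0
object network SITEA_LAN
 subnet 192.168.100.0 255.255.255.0
object network SITEB_LAN
 subnet 192.168.200.0 255.255.255.0
! Crypto ACL mirrors Site A line for line, source/destination swapped
access-list L2L_SITEA extended permit ip object SITEB_LAN object SITEA_LAN
access-list L2L_SITEA extended permit ip object SITEB_LAN object RA_VPN_POOL
! NAT exemption so replies from Site B hosts to the pool are not translated
nat (inside,outside) source static SITEB_LAN SITEB_LAN destination static RA_VPN_POOL RA_VPN_POOL no-proxy-arp route-lookup
```

If either end's crypto ACL lacks the pool entry, the ASA will treat pool-to-Site-B traffic as clear-text internet traffic, which is the symptom Craig describes.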
Pete Long:

How's it going?

Accepted solution by Michael Jackson (asker):

[solution text not available in this copy of the page]