Configuring routing between two VPNs on ASA 5505
  • Configuring routing between two VPNs on ASA 5505

    Hello!

    I'm a total newb as far as Cisco is concerned.

    We have an ASA 5505 which was set up by our ex outsourced system maintenance guys. Now we've run into some problems with VPN settings.

    We have two VPN configurations: one for users with laptops, who use the CISCO VPN Client to connect; and the other is a site2site VPN, which is set up between our network and a GPRS APN. Both use RADIUS authentication.

    We have routing problems with the latter. I tested it and I can ping devices in the GPRS APN from our local network, but not vice versa. There's no problem with TCP communication initiated from devices in the local network to devices in the GPRS APN.

    I also noticed that I can't access devices in the GPRS APN if I am connected to the network via the client-site VPN (with the Cisco VPN Client).

    Obviously there is something wrong with routing. Can you help me and what additional info do you need?

    TNX a bunch!

  • #2
    Re: Configuring routing between two VPNs on ASA 5505

    We have routing problems with the latter. I tested it and I can ping devices in GPRS APN from our local network, but not vice versa. There's no problem with TCP communication initiated from devices in local network with devices in GPRS APN.
    It could be that the original admin of this device designed the rules (security policy) for one-way "established" communications across the site2site tunnel. If you need to change this, then check the ACLs that define the "interesting traffic" across the site2site tunnel. Without seeing the actual configuration, ACLs will probably need to be modified at both ends of the site2site tunnel.

    I also noticed that I can't access devices in GPRS APN if I am connected to network via client-site VPN (with cisco VPN client).
    The default security policy of the ASA does NOT permit vpn 2 vpn traffic. This can be overridden, but make sure you understand the impact of this "global" change. You would be allowing one vpn client PC to connect to another vpn client PC (like the president of your company).

    FWIW: I enabled this feature, but only because I have many many many home office users with VoIP phones at the other end of the tunnels. To allow a home office user to phone another home office user, I needed to enable this feature, but I also designed ACLs that only permitted IP phone 2 IP phone traffic between tunnels to meet the established security policies of our company.

    If you feel like you understand the impact of enabling this feature, then check out the following command:
    Code:
    same-security-traffic permit intra-interface

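    To make the two points in reply #2 concrete (a symmetric interesting-traffic ACL for the site2site tunnel, and enabling VPN-to-VPN traffic while still constraining it), here is an added ASA configuration sketch. It is not taken from the thread or from the poster's device: every network, ACL name, crypto map name and group-policy name is a placeholder, the NAT-exemption syntax is the pre-8.3 form that an ASA 5505 of that era would run, and the `!` lines are annotations to strip before pasting.

```cisco
! Added example, not the original poster's configuration. Placeholders:
!   192.168.10.0/24  = local LAN behind the ASA (inside)
!   10.20.0.0/16     = networks on the GPRS APN side of the site2site tunnel
!   192.168.50.0/24  = address pool handed to Cisco VPN Client users
!   OUTSIDE_MAP / L2L_GPRS / NONAT / RA_FILTER / RA_POLICY = invented names

! 1. Interesting traffic for the site2site tunnel. "permit ip" between the two
!    networks covers both directions, so sessions may also be initiated from
!    the APN side. The APN peer needs the mirror image of this ACL, or its
!    initiated traffic will not match a security association there.
access-list L2L_GPRS extended permit ip 192.168.10.0 255.255.255.0 10.20.0.0 255.255.0.0
! Remote-access clients that should reach the APN must also be part of the
! tunnel definition (again mirrored on the APN peer).
access-list L2L_GPRS extended permit ip 192.168.50.0 255.255.255.0 10.20.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address L2L_GPRS

! 2. Keep tunnelled traffic out of NAT (ASA 8.2 and earlier syntax).
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 10.20.0.0 255.255.0.0
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 3. The global change reply #2 warns about: let traffic that arrives on the
!    outside interface (from one tunnel) leave through the same interface
!    (into the other tunnel). Without this the ASA silently drops VPN-to-VPN
!    flows.
same-security-traffic permit intra-interface

! 4. Because step 3 is global, narrow what a hairpinned VPN client may reach
!    with a per-group vpn-filter. Per Cisco's documented convention the
!    vpn-filter ACE is written with the VPN client address as the source and
!    the protected network as the destination; the filter itself is applied to
!    traffic in both directions. Here clients get the local LAN and one APN
!    subnet only, so client-to-client reachability is not opened up.
access-list RA_FILTER extended permit ip 192.168.50.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list RA_FILTER extended permit ip 192.168.50.0 255.255.255.0 10.20.5.0 255.255.255.0
group-policy RA_POLICY attributes
 vpn-filter value RA_FILTER
```

    After applying this, `show crypto ipsec sa` on the ASA should list a security association for each source/destination pair in `L2L_GPRS`, and a missing pair (for example the client pool to the APN) usually means the peer's ACL was not mirrored. The `vpn-filter` is what keeps `same-security-traffic permit intra-interface` from turning into blanket client-to-client access.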


    • #3
      Re: Configuring routing between two VPNs on ASA 5505

      You might review this to compare some of your config:
      http://www.compedia4us.com/2008/10/c...nel-using.html

      PS. thread moved to Cisco security.
      Marcel
      Technical Consultant
      Netherlands
      http://www.phetios.com
      http://blog.nessus.nl

      MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
      "No matter how secure, there is always the human factor."

      "Enjoy life today, tomorrow may never come."
      "If you're going through hell, keep going. ~Winston Churchill"
