
Remote Access VPN


  • Remote Access VPN

    Hi, Running ASA5505 at the office, where we have 3 Site to Site VPNs running from this device.

    My Site to Sites, say, are called site1, site2 & site3.

    I've now set up remote access VPN for some users to connect into the office from home, using the Cisco client (IPSEC).
    I can connect and access resources on the LAN, however I cannot connect to resources at any of Sites 1, 2 or 3, i.e. the resources connected by the site to site VPN. From the office this is no problem.

    When I look at the IP which the client gets, it does not show a gateway address. I was assuming the new gateway would be the ASA? I only see the gateway of my router at home.

    Any ideas?


    Thanks

  • #2
    Re: Remote Access VPN

    Yep, it would need a different gateway.



    • #3
      Re: Remote Access VPN

      Hi, thanks for the reply.
      Can you advise where I would set this?

      Thanks



      • #4
        Re: Remote Access VPN

        Not for certain - it'd be amongst the settings that are issued to the DHCP client... just unaware myself of where it would be on an ASA.



        • #5
          Re: Remote Access VPN

          Without seeing the actual ASA or L2L peer router configuration, it's hard to tell where the problem is.

          Since the VPN client can access resources on the LAN, I doubt this is a routing issue on the client side. Based on your description, this sounds more like a configuration problem on the ASA and/or the L2L peer router configuration regarding NAT exclusion and/or the secured routes across the tunnels. Chances are the packet is making it to the destination, but does not make it back due to it being NAT'd or not being secured across the tunnel(s).

          I would suggest checking the ASA and the L2L peer router configuration for the following:

          1) NAT Exclusion configuration includes the remote access VPN client address pool to L2L netblocks. Same thing on the L2L peer router VPN configuration. Think reply traffic.

          2) Secured routes from remote access VPN client to L2L netblocks. Same thing on the L2L peer routers. Again, think reply traffic.

          3) The ASA is configured for intra-interface routing, i.e. permit VPN to VPN traffic. By default, the ASA does not permit VPN to VPN traffic.

          Code:
          same-security-traffic permit intra-interface

          A useful command on the ASA is "show crypto ipsec sa". Then look for your security association entry. This will point out whether or not traffic is being secured in both directions across the tunnel(s). Look at the packets encrypted and decrypted fields. From the ASA's perspective, encrypt = encrypt to remote peer, decrypt = decrypt from peer. If you have either encrypt or decrypt incrementing and the other is not incrementing, then items 1 or 2 above need to be checked.

          Code:
          #pkts encaps: 415, #pkts encrypt: 415, #pkts digest: 415
          #pkts decaps: 362, #pkts decrypt: 362, #pkts verify: 362

          Another useful command is "show xlate" to view the translation tables (NAT).

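The counter comparison described in post #5, written out as an added example that is not part of the original thread: it parses two captures of "show crypto ipsec sa" and reports any SA where only one of the encrypt/decrypt counters rose. The networks, the counter values in the second capture and the function names are constructed for illustration, and the sample output is reduced to the ident and counter lines.

```python
import re

# Constructed sample data: one SA block in the layout "show crypto ipsec sa" prints.
SA_BLOCK = """\
      local ident (addr/mask/prot/port): ({loc}/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): ({rem}/255.255.255.0/0/0)
      #pkts encaps: {enc}, #pkts encrypt: {enc}, #pkts digest: {enc}
      #pkts decaps: {dec}, #pkts decrypt: {dec}, #pkts verify: {dec}
"""

def snap(*rows):
    return "".join(SA_BLOCK.format(loc=l, rem=r, enc=e, dec=d) for l, r, e, d in rows)

# Hypothetical networks: 192.168.1.0 = office LAN, 192.168.50.0 = VPN client pool,
# 10.1.1.0 = site1. Two captures taken while a VPN client pings a site1 host.
SNAP_1 = snap(("192.168.1.0", "10.1.1.0", 415, 362), ("192.168.50.0", "10.1.1.0", 0, 0))
SNAP_2 = snap(("192.168.1.0", "10.1.1.0", 480, 421), ("192.168.50.0", "10.1.1.0", 37, 0))

IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
COUNT = re.compile(r"#pkts (encrypt|decrypt): (\d+)")

def parse_sas(text):
    """Map (local_net, remote_net) -> {'encrypt': n, 'decrypt': n}."""
    sas, local, key = {}, None, None
    for line in text.splitlines():
        m = IDENT.search(line)
        if m and m.group(1) == "local":
            local = f"{m.group(2)}/{m.group(3)}"
        elif m:  # the remote ident line completes the SA's key
            key = (local, f"{m.group(2)}/{m.group(3)}")
            sas[key] = {"encrypt": 0, "decrypt": 0}
        elif key:
            for name, value in COUNT.findall(line):
                sas[key][name] = int(value)
    return sas

def one_way_sas(before, after):
    """SAs where only one of encrypt/decrypt rose between the two captures."""
    old, findings = parse_sas(before), []
    for key, now in parse_sas(after).items():
        prev = old.get(key, {"encrypt": 0, "decrypt": 0})
        # A counter lower than before means the SA was rebuilt; count from zero.
        d_enc, d_dec = (now[k] - prev[k] if now[k] >= prev[k] else now[k]
                        for k in ("encrypt", "decrypt"))
        if (d_enc > 0) != (d_dec > 0):
            findings.append((key, d_enc, d_dec))
    return findings
```

With the constructed captures, only the SA from the VPN client pool to site1 is reported (encrypt +37, decrypt +0), which is the pattern that points back to items 1 and 2 in the post.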


          • #6
            Re: Remote Access VPN

            Originally posted by macka001
            Hi, Running ASA5505 at the office, where we have 3 Site to Site VPNs running from this device.

            My Site to Sites, say, are called site1, site2 & site3.

            I've now set up remote access VPN for some users to connect into the office from home, using the Cisco client (IPSEC).
            I can connect and access resources on the LAN, however I cannot connect to resources at any of Sites 1, 2 or 3, i.e. the resources connected by the site to site VPN. From the office this is no problem.

            When I look at the IP which the client gets, it does not show a gateway address. I was assuming the new gateway would be the ASA? I only see the gateway of my router at home.

            Any ideas?


            Thanks

            If the VPN connects, but you cannot access devices, it may be a nonat issue. Verify if your remote access VPN configuration has a nonat access-list that it uses to get to the other networks.

