VPN from networks on multiple physical ATA interfaces.

Answered Question

Hello to all, and thank you in advance for any advice you can provide.

I have an ASA 5220 set up with 3 networks. I have one outside network, one inside network, and a "DSL" network. Everything works great, except I'm trying to clean up the way we connect with the VPN client.

At the moment, if we are outside of our network, we use the outside IP address of the router (x.x.A.1). When we are on the DSL subnet, we are unable to VPN to the outside IP address, so we are forced to use a completely separate set of credentials and to connect to the IP address of the DSL subnet (x.x.B.1).

Is there any way to set up the VPN in such a way that we would be able to use the same credentials to connect to either interface? I can use selective DNS to ensure that the requests are being sent to the proper IP address ... but as it stands, it won't accept one set of credentials on each interface.

Any assistance would be appreciated.

Correct Answer by ggilbert about 9 years 8 months ago

Question:

Did you try configuring a separate crypto map entry for the DSL interface?

Let's say you have a crypto map entry like this:

crypto dynamic-map dynmap 65534 set transform-set myset

cry map outside_map 65535 ipsec-isakmp dynamic dynmap

cry map outside_map interface outside

Can you try creating another crypto map entry with a different name for the DSL interface?

Let me know.

Cheers

Gilbert

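The following is an added illustration of Gilbert's suggestion, not configuration from this thread: one dynamic map is referenced from two crypto maps, each bound to its own interface, while a single tunnel group, group policy and local user database serve both. The interface name "DSL", the group name "vpngroup", the pool addresses, the user account and the pre-shared key are assumptions; the interface addresses are the ones the poster gave.

```cisco
! Added example (not from the thread). Names marked below are assumptions.
! Outside interface is 71.71.71.1/30, DSL interface is 81.81.81.1/30 (from the post).
!
! One transform set and one dynamic map, shared by both interfaces
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 65534 set transform-set myset
!
! Crypto map for the outside interface
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
!
! Second crypto map, different name, bound to the DSL interface (interface name assumed)
crypto map dsl_map 65535 ipsec-isakmp dynamic dynmap
crypto map dsl_map interface DSL
!
! IKE has to listen on both interfaces, otherwise clients on the DSL side
! cannot negotiate at all
crypto isakmp enable outside
crypto isakmp enable DSL
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! One address pool, one group policy and one tunnel group serve both interfaces,
! so the same group name, pre-shared key and user accounts work no matter which
! interface the client reaches (pool, policy, group and user names assumed)
ip local pool vpn_pool 10.0.20.1-10.0.20.254
group-policy vpn_policy internal
group-policy vpn_policy attributes
 vpn-tunnel-protocol IPSec
username jdoe password REPLACE-WITH-USER-PASSWORD
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
 address-pool vpn_pool
 default-group-policy vpn_policy
tunnel-group vpngroup ipsec-attributes
 pre-shared-key REPLACE-WITH-GROUP-KEY
```

After applying this, `show running-config crypto map` should list both maps, each bound to its own interface, and the poster's split DNS can then hand out 81.81.81.1 on the DSL subnet and 71.71.71.1 elsewhere with no change to the client's group or user credentials.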
ggilbert Thu, 02/01/2007 - 12:13

Questions to clarify:

When you say credentials, what do you mean by that? Is it the VPN group settings on the Client?

Your second paragraph is a bit confusing.

"When we are on the DSL subnet, we are unable to VPN to the outside IP address, so we are forced to use a completely separate set of credentials and to connect to the IP address of the DSL subnet"

Maybe the following output will clear my thoughts on your statement.

Can you please send me the output of the following.

a. Are the interfaces in a different subnet?

b. The security level of the three interfaces.

c. sh run | in crypto

Thanks

Gilbert

Gilbert,

Thank you very much. I cannot supply the crypto includes, as I have since removed the configuration to attempt to do it another way. However, I believe I can clarify sufficiently:

(0) outside interface: 71.71.71.1/30

(100) inside interface: 10.0.16.1/22

(0) DSL interface: 81.81.81.1/30

(four class C's routed to DSL)

In a traditional VPN scenario, when an employee is traveling and needs access to the inside network, I would have them VPN to 71.71.71.1 with their group name and shared secret, and their username and password. We have employees that do this, and it works great.

Now, imagine those same employees go home, and are now connected via their DSL, which resides off of the DSL interface on the firewall. When they try to VPN to 71.71.71.1, it no longer works. So, in my head, I figured I would set up another VPN group policy and set of usernames for them to connect to the DSL interface at 81.81.81.1 during those times. People obviously don't like the idea of maintaining multiple usernames and passwords for access to the same internal network however.

At this point, I can use selective DNS to make sure that if someone uses vpn.company.com to connect from the DSL subnet, they will be directed to the 81.81.81.1 IP, or anywhere else they will be directed to the 71.71.71.1 IP ... but how would I configure the group policies, etc to accept their group name, shared secret, username, and password on either interface?

Thank you again.

