VPN from networks on multiple physical ASA interfaces.

ktackett
Level 1

Hello to all, and thank you in advance for any advice you can provide.

I have an ASA 5220 set up with 3 networks. I have one outside network, one inside network, and a "DSL" network. Everything works great, except I'm trying to clean up the way we connect with the VPN client.

At the moment, if we are outside of our network, we use the outside IP address of the router (x.x.A.1). When we are on the DSL subnet, we are unable to VPN to the outside IP address, so we are forced to use a completely separate set of credentials and to connect to the IP address of the DSL subnet (x.x.B.1).

Is there any way to set up the VPN in such a way that we would be able to use the same credentials to connect to either interface? I can use selective DNS to ensure that the requests are being sent to the proper IP address ... but as it stands, it won't accept one set of credentials on each interface.

Any assistance would be appreciated.

Accepted Solution

Question:

Did you try configuring a separate crypto map entry for the DSL interface?

Let's say you have a crypto map entry like this:

crypto dynamic-map dynmap 65534 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside

Can you try creating another crypto map entry with a different name for the DSL interface?

Let me know.

Cheers

Gilbert

ggilbert
Cisco Employee

Questions to clarify:

When you say credentials, what do you mean by that? Is it the VPN group settings on the Client?

Your second paragraph is a bit confusing.

"When we are on the DSL subnet, we are unable to VPN to the outside IP address, so we are forced to use a completely separate set of credentials and to connect to the IP address of the DSL subnet"

Maybe the following output will clear my thoughts on your statement.

Can you please send me the output of the following:

a. Are the interfaces in a different subnet?

b. The security level of the three interfaces.

c. sh run | in crypto

Thanks

Gilbert

Gilbert,

Thank you very much. I cannot supply the crypto includes, as I have since removed the configuration to attempt to do it another way. However, I believe I can clarify sufficiently:

(0) outside interface: 71.71.71.1/30

(100) inside interface: 10.0.16.1/22

(0) DSL interface: 81.81.81.1/30

(four class C's routed to DSL)

In a traditional VPN scenario, when an employee is traveling and needs access to the inside network, I would have them VPN to 71.71.71.1 with their group name and shared secret, and their username and password. We have employees that do this, and it works great.

Now, imagine those same employees go home, and are now connected via their DSL, which resides off of the DSL interface on the firewall. When they try to VPN to 71.71.71.1, it no longer works. So, in my head, I figured I would set up another VPN group policy and set of usernames for them to connect to the DSL interface at 81.81.81.1 during those times. People obviously don't like the idea of maintaining multiple usernames and passwords for access to the same internal network however.

At this point, I can use selective DNS to make sure that if someone uses vpn.company.com to connect from the DSL subnet, they will be directed to the 81.81.81.1 IP, or anywhere else they will be directed to the 71.71.71.1 IP ... but how would I configure the group policies, etc. to accept their group name, shared secret, username, and password on either interface?

Thank you again.


ktackett
Level 1

Sir, this worked wonderfully. Thank you very much for your assistance.

I simply added the additional interface to the crypto map, and enabled isakmp on the interface ... and it accepted connections without trouble.

Thanks again.
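The configuration ktackett describes, written out as an added example (not config posted in this thread and not a Cisco reference config): a single IKEv1 remote-access IPsec setup in which the one crypto map is bound to both public-facing interfaces and ISAKMP is enabled on both, so one tunnel-group, one pre-shared key and one user database serve clients whether they arrive at 71.71.71.1 or 81.81.81.1. The names myset, dynmap and outside_map are Gilbert's; the interface nameif "DSL", the tunnel-group and group-policy name "vpnusers", the pool "vpnpool", the access-list names, the pool range 10.0.20.0/24 and the ISAKMP policy values are assumptions, and the pre-shared key is a placeholder. The syntax is the pre-8.4 form the thread uses (plain `transform-set` and `nat (inside) 0`); on 8.4 and later the equivalent commands carry the `ikev1` keyword and use object NAT.

```cisco
! Added example, not from the thread. Assumed names: nameif DSL,
! tunnel-group/group-policy vpnusers, pool vpnpool, ACLs inside_nets/nonat.

! Phase 1: one ISAKMP policy, and ISAKMP enabled on BOTH interfaces.
! Without "crypto isakmp enable DSL" a client hitting 81.81.81.1 gets no reply.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto isakmp enable DSL

! Phase 2: the transform set and dynamic map already shown in the thread.
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 65534 set transform-set myset

! One crypto map, bound to both interfaces. The sequence number must be
! 1-65535; the dynamic entry sits at the highest number so static
! site-to-site entries (if any) are matched first.
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
crypto map outside_map interface DSL

! Addresses handed to clients (assumed range, not on the page).
ip local pool vpnpool 10.0.20.1-10.0.20.254 mask 255.255.255.0

! Group policy: IPsec only, and split-tunnel just the inside /22 the poster gave.
access-list inside_nets standard permit 10.0.16.0 255.255.252.0
group-policy vpnusers internal
group-policy vpnusers attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value inside_nets

! The tunnel-group is what the client's "group name" matches. It is not
! tied to an interface, so the same group name, shared secret and
! username/password (LOCAL users or an AAA server) work on either one.
tunnel-group vpnusers type remote-access
tunnel-group vpnusers general-attributes
 address-pool vpnpool
 default-group-policy vpnusers
tunnel-group vpnusers ipsec-attributes
 pre-shared-key CHANGE-ME-SHARED-SECRET

! Exempt inside<->pool traffic from NAT (8.2 syntax) so tunnelled
! packets reach the 10.0.16.0/22 hosts with their real addresses.
access-list nonat extended permit ip 10.0.16.0 255.255.252.0 10.0.20.0 255.255.255.0
nat (inside) 0 access-list nonat
```

After a client connects from each side, `show crypto isakmp sa` and `show vpn-sessiondb remote` show the Phase 1 peer and the public interface the session terminated on, which is the quickest way to confirm the DSL-side clients really are landing on 81.81.81.1 rather than being routed out through the outside interface.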
