VPN from within the network I need to connect to

Unanswered Question
Feb 5th, 2009

I have a local office here that I have deployed a Cisco ASA 5505 device. To enable remote access for employees, I have enabled VPN access using an AAA server that authenticates requests from the Cisco VPN clients on the router. The remote employees have laptops that are not members of the domain, so to gain domain access they utilize the VPN connection that authenticates their account against Active Directory. The problem I'm having is that when these remote employees are actually in the office using the network they have to connect to when working remotely, they have to use VPN to authenticate them to the local servers. Do I have to make an adjustment to the outbound security policies on the router to allow VPN connections to connect to the outside interface from within the same network?

Ivan Martinon Thu, 02/05/2009 - 15:53

Correct me if I am wrong: when they are at the Corporate Office, do they still need to authenticate to the Domain to gain access to these servers? Is this with a computer that does not belong to the domain as well?

westernmotor Thu, 02/05/2009 - 16:44

That is correct. The partners in this business primarily work out of their homes in different cities. Their laptops are not members of the domain since they are rarely here. They authenticate to the domain for file sharing and email by tunneling in through VPN. On the rare occasion that they are actually in town and working from the office, they need to have the ability to establish a tunnel from within the network to authenticate them to the domain. So, what happens is the tunnel request needs to go outside of the network and then come back in to reach the outside interface and establish a VPN tunnel on the ASA. As it is now, if they attempt a connection from within the network, they get an error that the server is not responding. I'm assuming it's due to a missing ACL on the router. Hopefully this makes sense.

Ivan Martinon Fri, 02/06/2009 - 07:28

OK, understood. With your current setup, having the VPN configured on the outside, this won't work. You will need to apply the same crypto map that you have applied to the outside to the inside interface, as well as enable ISAKMP on the inside interface too, but that does not end there: you need to enable the command "same-security" to permit intra-interface.
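The three steps in the answer above, written out as an added ASA configuration example (it is not from the original thread or from Cisco documentation). The interface names `inside`/`outside`, the crypto map name `outside_map`, the dynamic map `dyn_map` and the transform set `ESP-3DES-SHA` are assumed placeholders; substitute the names already present in your running config. The `crypto isakmp enable` syntax is the ASA 7.x/8.0-8.2 form that matches a 2009-era 5505; on ASA 8.4 and later the equivalent command is `crypto ikev1 enable`.

```cisco
! Added example, not part of the original thread. Interface, crypto map,
! dynamic map and transform set names are assumed placeholders.

! Step 3 from the answer: permit traffic to enter and leave through the same
! interface. A tunnel that terminates on 'inside' decrypts the client's
! packets on 'inside' and must forward them back out of 'inside' to reach
! the domain controllers; without this command the ASA drops that traffic.
same-security-traffic permit intra-interface

! Existing remote-access crypto map, assumed to be the one already bound to
! the outside interface for the home-office users.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dyn_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic dyn_map
crypto map outside_map interface outside

! Step 1: bind the same crypto map to the inside interface.
crypto map outside_map interface inside

! Step 2: listen for ISAKMP (IKE phase 1) on the inside interface as well,
! so a laptop on the LAN can bring up its tunnel against the inside address.
crypto isakmp enable inside
```

With this in place, the on-site users need a second connection entry in the Cisco VPN Client whose host is the ASA's inside interface address rather than the public one; the request then never has to leave the network and return through the outside interface. After a test connection, `show crypto isakmp sa` should list a peer on the inside interface and `show crypto ipsec sa` should show encaps/decaps counters increasing for that peer. Keep in mind that `same-security-traffic permit intra-interface` is a global setting: it also allows any other inside-to-inside forwarding through the ASA, so review the inside interface ACL afterwards to confirm nothing beyond the VPN pool is newly reachable.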
