06-29-2009 09:26 AM
Here is the setup. I am working on trying to use ASAs as "jump servers" for remote access to network devices. The idea would be to connect to the ASA via a clientless VPN connection and then connect to the network devices.
My question is this. For working remotely, we connect to the corporate network using the Cisco VPN client. Once connected with the client, would it be possible to create another VPN connection to an ASA internally?
Also, if I were to set up multiple ASA jump servers at different locations (say one in a data center and another in the corporate office), would I be able to connect to both ASAs at the same time if I needed to access devices in both locations?
Thanks.
06-29-2009 12:24 PM
Hi Jason,
As far as I know, you will only be able to use the Cisco VPN client to connect to one remote access VPN at a time. You could set up multiple site-to-site VPNs, but this would limit you on mobility and require hardware at the user's end of the connection where the site-to-site tunnels could be terminated.
Hope that helps.
-Mike
06-29-2009 12:36 PM
I think the only way to do this without requiring hardware at your client sites, as the other gentleman pointed out, is to set up your VPN servers in a hub-and-spoke configuration, i.e. they would all have a site-to-site VPN connection back to the hub; you, as a client, could then connect to any of the ASAs (VPN servers) and have access to any of the other remote sites.
Although I'm sure there is a way to run multiple VPN profiles on a single computer, I'm just unaware of it :)
If I were to design it, I would either hub and spoke, or mesh my ASAs in a site-to-site VPN connection, but this only works if you have static IPs at each location. At a minimum you need 1 static IP to act as a hub; if the other ASAs don't have static IP addresses, that severely limits your connections, as the spokes would always have to initiate the connection to the hub.
Craig
06-29-2009 12:47 PM
Let me see if I can clear this up. I'm not sure if I explained it all correctly.
I want to set up and use an ASA internally as a jumping off point to connect to our internal network devices. We would connect to the ASA via WebVPN.
The only problem with this is that we don't want to make the ASA accessible from the Internet.
Currently, we use the Cisco VPN client to connect to our corporate network from outside through a concentrator.
Now, would I be able to first connect to our concentrator with the client, and then create kind of a tunnel-within-a-tunnel and create a connection to the ASA with WebVPN?
Thanks.