To access the remote network of Site to Site VPN using Remote VPN client

Unanswered Question
Apr 13th, 2010

Hi,

Can somebody guide me on how to access the network behind the other end of a site-to-site VPN while a VPN client connects to the ASA?


Presently a site-to-site VPN is running between two ASAs.

A remote VPN has also been created and is able to access the network behind this ASA, i.e. the local network.


I somehow want to use this remote VPN pool as interesting traffic to access the remote network.


Any pointer?



Reg,

Sushil

Federico Coto F... Tue, 04/13/2010 - 12:22

Hi,


I've done this and all you need is to have the L2L and the remote VPN clients working and terminating on the ASA.

Then, include the pool in the interesting traffic for the L2L and the remote L2L subnet in the allowed VPN traffic for the VPN clients.


Enable the U-turn feature on the ASA.


This link will help you:


http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/ike.html


Federico.
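Putting the three points above into ASA configuration, as an added example that is not Federico's own config; the syntax follows the ASA 8.2 guide he links, and every interface name, ACL/policy name and address below is constructed for illustration:

```text
! Added example (not from the thread); ASA 8.2 syntax. Constructed addresses:
!   inside LAN behind this ASA    : 10.1.1.0/24
!   remote LAN behind peer ASA    : 10.2.2.0/24   (peer public IP 203.0.113.2)
!   remote-access VPN client pool : 192.168.50.0/24
!
! Step 1 - U-turn (hairpin): let client traffic that arrives on "outside"
! leave again through "outside" toward the L2L peer.
same-security-traffic permit intra-interface
!
! Step 2 - L2L interesting traffic: the VPN pool must be a source toward the
! remote LAN, not just the inside LAN. The peer ASA needs the mirror image
! (remote LAN -> 192.168.50.0/24) in its own crypto ACL and NAT exemption.
access-list L2L_TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list L2L_TRAFFIC extended permit ip 192.168.50.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
! Step 3 - client side: the remote LAN joins the inside LAN in the
! split-tunnel list so the clients send 10.2.2.0/24 into their tunnel.
access-list SPLIT_TUNNEL standard permit 10.1.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.2.2.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! Step 4 - NAT exemption so neither the inside flows nor the hairpinned
! pool -> remote LAN flow is translated before encryption.
access-list INSIDE_NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list INSIDE_NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list OUTSIDE_NONAT extended permit ip 192.168.50.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NONAT
nat (outside) 0 access-list OUTSIDE_NONAT
!
! Verification (the commands discussed further down this thread):
!   show crypto isakmp sa  -> one IKE SA per connected client plus one for the peer
!   show crypto ipsec sa   -> the 192.168.50.0/24 <-> 10.2.2.0/24 SA shows
!                             #pkts encaps/decaps climbing while a client
!                             talks to the remote LAN
```

If the crypto ACL on the peer ASA is not updated to mirror the pool entry, phase 2 for the pool-to-remote-LAN proxy identities fails and the client can still reach only the local network.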

dianewalker Wed, 04/14/2010 - 07:57

Federico,


I want to set up the same. I am unable to open the link. Is it possible to send the file in PDF format?


Thanks.

dianewalker Wed, 04/14/2010 - 10:35

Federico,


Thanks very much for your prompt response and assistance. I was able to get the PDF file.


One question: in your previous reply, you said "I've done this and all you need is to have the L2L and the remote VPN clients working and terminating on the ASA". How can I tell if it is terminating on the ASA? Thanks.


Diane.

Federico Coto F... Wed, 04/14/2010 - 10:38

To make sure the VPN tunnel is terminating on the ASA, check the tunnel with the command:


sh cry isa sa


Federico.

dianewalker Wed, 04/14/2010 - 10:51

Federico,


Thanks for your prompt response. You are too fast!!! I typed that command and got the response "There are no isakmp sas". Does it mean the VPN tunnel is terminated at the ASA?

What are the reasons not to terminate the VPN tunnel at the ASA? Thanks.


Diane

Federico Coto F... Wed, 04/14/2010 - 11:06

Are the VPN sites pointing to the public IP belonging to the ASA?


If so, when they try to establish the tunnel (by sending traffic), the tunnel should come up and you should see the tunnel active with the command "sh cry isa sa".


If there are no isakmp sas, there are two possibilities:


1. If the tunnel is up, it means the tunnels are terminating on another device (not the ASA). You will need to see if there's another VPN device.

2. The tunnel is not establishing at all.


Federico.

dianewalker Wed, 04/14/2010 - 11:17

Federico,


I apologize for confusing you. Please ignore my previous question. I have not set up Site-to-Site VPN. I am running the remote VPN client (IPSEC VPN client). What command can I use to see if the VPN tunnel is terminating at the ASA?


Thanks.


Diane

Federico Coto F... Wed, 04/14/2010 - 11:19

Actually it is the same command. And apply the same concept that I told you before.


Federico.

dianewalker Wed, 04/14/2010 - 13:03

Federico,


Thanks for your prompt response, again. I just logged in to the VPN client. Then I typed "sh cry isa sa" at the ASA and the following is displayed.


Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 66.127.7.10
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE


Does it mean the VPN tunnel is terminated at the ASA? What would I see if the VPN tunnel is not terminated at the ASA? Thanks.


Diane

Federico Coto F... Wed, 04/14/2010 - 13:10

This means the tunnel is in fact being terminated on the ASA.


If you want to check the traffic passing through the ASA, you do "sh cry ips sa".

You should see packets encap/decap.


If the tunnel were not terminating on the ASA, you would not get any output from "sh cry isa sa".


Federico.

dianewalker Wed, 04/14/2010 - 13:17

Federico,


Thank you very much for your prompt response and information. Yes, I do see traffic with the command "sh cry ips sa". Do most people set up to terminate at the ASA? Can you think of any reasons not to set up to terminate at the ASA?


Thanks.

Federico Coto F... Wed, 04/14/2010 - 13:20

The ASA is the recommended termination point for VPN connections.


The only reasons not to terminate the VPN on the ASA are that you need the connection to terminate on a different IP on a different device, for admin purposes for example, or routing issues. It all depends on your topology. But in short, if you can terminate the VPNs on the ASA and access the resources via the ASA, there's no reason not to terminate the VPNs on the ASA.


Federico.

dianewalker Wed, 04/14/2010 - 13:37

Thanks very much for taking time to respond to my questions promptly, Federico. I greatly appreciate your assistance.


Diane
