04-13-2010 11:28 AM
Hi,
Can somebody guide me on how to access the network behind the other end of a site-to-site VPN when a VPN client connects to the ASA?
Presently a site-to-site VPN is running between two ASAs.
A remote VPN has also been created and is able to access the network behind this ASA, i.e. the local network.
I somehow want to use this remote VPN pool to act as interesting traffic to access the remote network.
Any pointers?
Regards,
Sushil
04-13-2010 12:22 PM
Hi,
I've done this, and all you need is to have the L2L and the remote VPN clients working and terminating on the ASA.
Then include the pool in the interesting traffic for the L2L, and the remote L2L subnet in the allowed VPN traffic for the VPN clients.
Enable the U-turn feature on the ASA.
This link will help you:
http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/ike.html
Federico.
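The three steps Federico lists (pool in the L2L crypto ACL, remote subnet in the client split-tunnel list, U-turn enabled) look like this on an ASA running 8.2-era syntax. This is an added example, not configuration posted by anyone in the thread; the addresses, peer IP, object names and transform set are constructed for illustration, and the IKE/ISAKMP policy and pre-shared keys are left out.

```cisco
! ASA-A: terminates both the L2L tunnel to ASA-B and the remote-access clients
! Constructed addressing for this example (not from the thread):
!   local LAN   192.168.1.0/24  behind ASA-A
!   remote LAN  192.168.2.0/24  behind ASA-B (peer 203.0.113.2)
!   client pool 10.10.10.0/24
!
! 1. U-turn: let traffic that arrives decrypted on outside go back out on outside
same-security-traffic permit intra-interface
!
! 2. L2L interesting traffic: the client pool must be in the crypto ACL, not just the LAN
access-list L2L_TO_B extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list L2L_TO_B extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_TO_B
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
! 3. NAT exemption (pre-8.3 syntax). Hairpinned pool->remote LAN traffic enters on
!    outside, so it needs its own exemption on that interface
access-list NONAT_INSIDE extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT_INSIDE extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list NONAT_OUTSIDE extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE
nat (outside) 0 access-list NONAT_OUTSIDE
!
! 4. Client "allowed VPN traffic": the remote LAN goes into the split-tunnel list too
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.2.0 255.255.255.0
ip local pool RA_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
group-policy RA_GP internal
group-policy RA_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
tunnel-group RA_TG type remote-access
tunnel-group RA_TG general-attributes
 address-pool RA_POOL
 default-group-policy RA_GP
!
! ASA-B (the other end of the L2L) must mirror the change, otherwise the pool
! traffic is not matched by its crypto ACL and the hairpin fails silently:
!   access-list L2L_TO_A extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!   access-list L2L_TO_A extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
!   access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!   access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
!   nat (inside) 0 access-list NONAT
```

Once a client is connected, pinging a host in 192.168.2.0/24 should bring up (or reuse) the L2L tunnel and the pool-to-remote-LAN SA should show rising encap/decap counters in "sh cry ips sa". If only the LAN-to-LAN SA appears, the pool entry is missing from one side's crypto ACL or NAT exemption.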
04-14-2010 07:57 AM
Federico,
I want to set up the same. I am unable to open the link. Is it possible to send the file in PDF format?
Thanks.
04-14-2010 08:52 AM
See if you can access the link:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/asa82cfg.pdf
If not, you can tell us which are the networks on all sides and the VPN client, so we can guide you with the commands.
Federico.
04-14-2010 10:35 AM
Federico,
Thanks very much for your prompt response and assistance. I was able to get the PDF file.
One question: in your previous reply, you said "I've done this and all you need is to have the L2L and the remote VPN clients working and terminating on the ASA". How can I tell if it is terminating on the ASA? Thanks.
Diane.
04-14-2010 10:38 AM
To make sure the VPN tunnel is terminating on the ASA, check the tunnel with the command:
sh cry isa sa
Federico.
04-14-2010 10:51 AM
Federico,
Thanks for your prompt response. You are too fast!!! I typed that command and got the response "There are no isakmp sas". Does it mean the VPN tunnel is terminated at the ASA?
What are the reasons not to terminate the VPN tunnel at the ASA? Thanks.
Diane
04-14-2010 11:06 AM
Are the VPN sites pointing to the public IP belonging to the ASA?
If so, when they try to establish the tunnel (by sending traffic), the tunnel should come up and you should see the tunnel active with the command
"sh cry isa sa"
If there are no isakmp sas, there are two possibilities:
1. If the tunnel is up, it means the tunnels are terminating on another device (not the ASA). You will need to see if there's another VPN device.
2. The tunnel is not establishing at all.
Federico.
04-14-2010 11:17 AM
Federico,
I apologize for confusing you. Please ignore my previous question. I have not set up a site-to-site VPN. I am running the remote VPN client (IPsec VPN client). What command can I use to see if the VPN tunnel is terminating at the ASA?
Thanks.
Diane
04-14-2010 11:19 AM
Actually, it is the same command. And apply the same concept I told you before.
Federico.
04-14-2010 01:03 PM
Federico,
Thanks for your prompt response, again. I just logged in to VPN client. Then, I type "sh cry isa sa" at the ASA and the following is displayed.
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 66.127.7.10
Type : user Role : responder
Rekey : no State : AM_ACTIVE
Does it mean the VPN tunnel is terminated at the ASA? What would I see if the VPN tunnel is not terminated at the ASA? Thanks.
Diane
04-14-2010 01:10 PM
This means the tunnel is in fact being terminated on the ASA.
If you want to check the traffic passing through the ASA, do "sh cry ips sa".
You should see packets encap/decap.
If the tunnel were not terminating on the ASA, you would not get any output from "sh cry isa sa".
Federico.
04-14-2010 01:17 PM
Federico,
Thank you very much for your prompt response and information. Yes, I do see traffic with the command "sh cry ips sa". Do most people set up to terminate at the ASA? Can you think of any reasons not to set up to terminate at the ASA?
Thanks.
04-14-2010 01:20 PM
The ASA is the recommended termination point for VPN connections.
The only reasons not to terminate the VPN on the ASA are that you need the connection to terminate on a different IP on a different device, for admin purposes for example, or because of routing issues. It all depends on your topology. But in short, if you can terminate the VPNs on the ASA and access the resources via the ASA, there's no reason not to terminate the VPNs on the ASA.
Federico.
04-14-2010 01:37 PM
Thanks very much for taking time to respond to my questions promptly, Federico. I greatly appreciate your assistance.
Diane