VPN from networks on multiple physical ATA interfaces.
Hello to all, and thank you in advance for any advice you can provide.
I have an ASA 5220 set up with 3 networks. I have one outside network, one inside network, and a "DSL" network. Everything works great, except I'm trying to clean up the way we connect with the VPN client.
At the moment, if we are outside of our network, we use the outside IP address of the router (x.x.A.1). When we are on the DSL subnet, we are unable to VPN to the outside IP address, so we are forced to use a completely separate set of credentials and to connect to the IP address of the DSL subnet (x.x.B.1).
Is there any way to set up the VPN in such a way that we would be able to use the same credentials to connect to either interface? I can use selective DNS to ensure that the requests are being sent to the proper IP address ... but as it stands, it won't accept one set of credentials on each interface.
Re: VPN from networks on multiple physical ATA interfaces.
Thank you very much. I cannot supply the crypto includes, as I have since removed the configuration to attempt to do it another way. However, I believe I can clarify sufficiently:
(0) outside interface: 188.8.131.52/30
(100) inside interface: 10.0.16.1/22
(0) DSL interface: 184.108.40.206/30
(four class C's routed to DSL)
In a traditional VPN scenario, when an employee is traveling and needs access to the inside network, I would have them VPN to 220.127.116.11 with their group name and shared secret, and their username and password. We have employees that do this, and it works great.
Now, imagine those same employees go home, and are now connected via their DSL, which resides off of the DSL interface on the firewall. When they try to VPN to 18.104.22.168, it no longer works. So, in my head, I figured I would set up another VPN group policy and set of usernames for them to connect to the DSL interface at 22.214.171.124 during those times. People obviously don't like the idea of maintaining multiple usernames and passwords for access to the same internal network, however.
At this point, I can use selective DNS to make sure that if someone uses vpn.company.com to connect from the DSL subnet, they will be directed to the 126.96.36.199 IP, or anywhere else they will be directed to the 188.8.131.52 IP ... but how would I configure the group policies, etc., to accept their group name, shared secret, username, and password on either interface?