
New Member

VPN from networks on multiple physical ATA interfaces.

Hello to all, and thank you in advance for any advice you can provide.

I have an ASA 5220 set up with 3 networks. I have one outside network, one inside network, and a "DSL" network. Everything works great, except I'm trying to clean up the way we connect with the VPN client.

At the moment, if we are outside of our network, we use the outside IP address of the router (x.x.A.1). When we are on the DSL subnet, we are unable to VPN to the outside IP address, so we are forced to use a completely separate set of credentials and to connect to the IP address of the DSL subnet (x.x.B.1).

Is there any way to set up the VPN in such a way that we would be able to use the same credentials to connect to either interface? I can use selective DNS to ensure that the requests are being sent to the proper IP address ... but as it stands, it won't accept one set of credentials on each interface.

Any assistance would be appreciated.

1 ACCEPTED SOLUTION
Cisco Employee

Re: VPN from networks on multiple physical ATA interfaces.

Question:

Did you try configuring a separate crypto map entry for the DSL interface?

Let's say you have a crypto map entry like this:

crypto dynamic-map dynmap 65534 set transform-set myset

crypto map outside_map 65536 ipsec-isakmp dynamic dynmap

crypto map outside_map interface outside

Can you try creating another crypto map entry with a different name for the DSL interface?

Let me know.

Cheers

Gilbert

4 REPLIES
Cisco Employee

Re: VPN from networks on multiple physical ATA interfaces.

Questions to clarify:

When you say credentials, what do you mean by that? Is it the VPN group settings on the Client?

Your second paragraph is a bit confusing.

"When we are on the DSL subnet, we are unable to VPN to the outside IP address, so we are forced to use a completely separate set of credentials and to connect to the IP address of the DSL subnet"

Maybe the following output will clear my thoughts on your statement.

Can you please send me the output of the following:

a. Are the interfaces in different subnets?

b. The security level of the three interfaces.

c. sh run | in crypto

Thanks

Gilbert

New Member

Re: VPN from networks on multiple physical ATA interfaces.

Gilbert,

Thank you very much. I cannot supply the crypto includes, as I have since removed the configuration to attempt to do it another way. However, I believe I can clarify sufficiently:

(0) outside interface: 71.71.71.1/30

(100) inside interface: 10.0.16.1/22

(0) DSL interface: 81.81.81.1/30

(four class C's routed to DSL)

In a traditional VPN scenario, when an employee is traveling and needs access to the inside network, I would have them VPN to 71.71.71.1 with their group name and shared secret, and their username and password. We have employees that do this, and it works great.

Now, imagine those same employees go home, and are now connected via their DSL, which resides off of the DSL interface on the firewall. When they try to VPN to 71.71.71.1, it no longer works. So, in my head, I figured I would set up another VPN group policy and set of usernames for them to connect to the DSL interface at 81.81.81.1 during those times. People obviously don't like the idea of maintaining multiple usernames and passwords for access to the same internal network however.

At this point, I can use selective DNS to make sure that if someone uses vpn.company.com to connect from the DSL subnet, they will be directed to the 81.81.81.1 IP, or anywhere else they will be directed to the 71.71.71.1 IP ... but how would I configure the group policies, etc to accept their group name, shared secret, username, and password on either interface?

Thank you again.

New Member

Re: VPN from networks on multiple physical ATA interfaces.

Sir, this worked wonderfully. Thank you very much for your assistance.

I simply added the additional interface to the crypto map, and enabled isakmp on the interface ... and it accepted connections without trouble.

Thanks again.
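As an added example (not the thread's own configuration, and not Cisco's), this is what the accepted solution looks like written out in full on an ASA: one dynamic crypto map applied to both the outside and DSL interfaces, ISAKMP enabled on both, and a single tunnel-group so the same group name, shared secret and user accounts are accepted whichever address the client reaches. The names outside_map, dynmap, myset, outside and DSL come from the posts; the ISAKMP policy values, the tunnel-group vpngroup, the group-policy, the address pool vpnpool and its range, and the user account are assumptions, written in ASA 8.x syntax.

```cisco
! Added example, not from the thread. outside_map, dynmap, myset, outside
! and DSL are taken from the posts; everything else below is assumed.

! Phase 1 (IKE) policy - assumed values, use whatever the VPN client supports
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

! Phase 2 transform set referenced by the dynamic map in the thread
crypto ipsec transform-set myset esp-aes esp-sha-hmac

! One dynamic map for remote-access clients, bound into one crypto map
crypto dynamic-map dynmap 65534 set transform-set myset
crypto map outside_map 65536 ipsec-isakmp dynamic dynmap

! The fix from the accepted answer: the same crypto map is applied to both
! interfaces and ISAKMP is enabled on both, so clients can terminate on
! either 71.71.71.1 (outside) or 81.81.81.1 (DSL).
crypto map outside_map interface outside
crypto map outside_map interface DSL
crypto isakmp enable outside
crypto isakmp enable DSL

! Address pool handed to connected clients (assumed range)
ip local pool vpnpool 10.0.20.1-10.0.20.100 mask 255.255.255.0

! Group policy for the remote-access clients (assumed name)
group-policy vpngroup-policy internal
group-policy vpngroup-policy attributes
 vpn-tunnel-protocol ipsec

! A tunnel-group is global to the ASA, not tied to an interface, so the
! group name and pre-shared key are the same on both interfaces.
! Replace the placeholder with a real key.
tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
 address-pool vpnpool
 default-group-policy vpngroup-policy
tunnel-group vpngroup ipsec-attributes
 pre-shared-key <shared-secret-placeholder>

! Local user accounts are likewise global, so one username/password works
! from either network (assumed example account and placeholder password)
username jdoe password <password-placeholder>
```

After a client connects on each interface, `show crypto isakmp sa` and `show crypto ipsec sa` show the peer and the interface it landed on, and the `sh run | in crypto` that Gilbert asked for confirms both `crypto map outside_map interface ...` bindings are present. Note that enabling ISAKMP on DSL means the ASA now answers IKE (UDP 500, and UDP 4500 when NAT traversal is negotiated) on 81.81.81.1, so that interface is now a VPN termination point and should be watched like the outside one.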
