Is the vpn pool proxied

v-naughton
Level 1

Quick question. I am configuring VPN clients on an ASA box and for the vpn pool I would like to know does the ASA box use its own address on behalf of the clients for communication with internal networks or do I need to add a route to the vpn pool on an internal router (ASA box is not the default gateway)

Thanks,

Vincent

4 Replies

jackko
Level 7

remote pc encrypts the packet destined for the lan behind the asa. asa receives the packet, decrypts it and tries to determine the next hop. so as long as asa has a route to the destination/lan, the remote vpn access will work.

e.g. remote pc <--> vpn <--> asa <--> net1 <--> rt <--> net2

for remote pc to access net1 via vpn, no route is required as net1 is directly connected to asa. alternatively, for remote pc to access net2 via vpn, a route pointing to rt for net2 is required on asa.

Jack thanks for that.

So what you are saying is that the internal networks only need a route to my ASA (and my ASA needs static routes to all my internal networks).

This is the case; I can ping anything on the internal network from the ASA.

My vpn client config is exactly the same as above except that I have a Checkpoint Firewall in front of the ASA. The ASA has a private IP network address off a specific Interface of the Checkpoint. The Checkpoint has an external IP address published for the ASA.

I can connect (even authenticate to Cisco ACS, which in turn is pointing to AD) but that's it... Not sure if it's a problem with all the NAT gateways... I have NAT-T switched on also... any thoughts appreciated...

Thanks,

Vincent

just a quick thought.

if there is an internal router connected to other subnets, the router would need a route pointing to asa for the vpn client pool subnet, unless the router has the asa as its default gateway.

e.g. remote pc <--> vpn <--> asa <--> net1 <--> rt <--> net2

on the rt, either it's got:

ip route 0.0.0.0 0.0.0.0 ; or

ip route

also verify whether the checkpoint inbound access rule is permitting the following for the asa:

udp 500

udp 4500

ip 50 (i.e. esp)
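An added example (not from this thread or from Cisco) that models Jack's routing point: decrypted client traffic leaves the ASA with the pool address as its source, so the reply from net2 is only delivered if rt has a route for the pool via the ASA (or its default gateway is the ASA). The topology, device names and addresses are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Route entry: (prefix, next hop). Next hop is a device name, or "connected"
# for a directly attached network. The VPN pool counts as connected on the
# ASA, since decrypted client traffic terminates there.
RouteTable = List[Tuple[str, str]]

# Constructed topology: remote pc <--> vpn <--> asa <--> net1 <--> rt <--> net2
POOL, NET1, NET2 = "10.99.0.0/24", "10.1.0.0/24", "10.2.0.0/24"
BASE: Dict[str, RouteTable] = {
    "asa": [(POOL, "connected"), (NET1, "connected"), (NET2, "rt")],
    # rt's default gateway is another device, so it knows nothing about the pool
    "rt": [(NET1, "connected"), (NET2, "connected"), ("0.0.0.0/0", "inet-gw")],
    "inet-gw": [],  # assumed to have no route back into the pool
}

def lookup(table: RouteTable, dst: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match; returns the next hop, or None when there is no route."""
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def trace(topology: Dict[str, RouteTable], start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow routing decisions hop by hop; the last element states how it ended."""
    path, hop, addr = [start], start, ipaddress.ip_address(dst)
    for _ in range(max_hops):
        next_hop = lookup(topology.get(hop, []), addr)
        if next_hop is None:
            return path + ["DROP (no route)"]
        if next_hop == "connected":
            return path + ["delivered"]
        path.append(next_hop)
        hop = next_hop
    return path + ["LOOP"]

def vpn_round_trip(topology: Dict[str, RouteTable], client: str, server: str):
    """Forward path from the ASA (after decryption) and return path from the server's gateway."""
    return trace(topology, "asa", server), trace(topology, "rt", client)

if __name__ == "__main__":
    print("without pool route:", *vpn_round_trip(BASE, "10.99.0.7", "10.2.0.50"))
    fixed = {**BASE, "rt": [(POOL, "asa")] + BASE["rt"]}  # ip route <pool> via asa
    print("with pool route:   ", *vpn_round_trip(fixed, "10.99.0.7", "10.2.0.50"))
```

The forward trace succeeds in both cases; only the return trace changes once rt learns the pool prefix, which is why a client can authenticate and yet see no traffic flow.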