VPN client, IPSEC and Cloud system

Paolo Fenili, Level 1

Dear All,

Recently we migrated several virtual machines to a Cloud System server.

Our local server is connected to the Cloud through an IPSEC VPN connection, for all hosts within our premises everything is working fine.

The problem occurs when a laptop, connecting through any external network, reaches our local server using the normal Cisco VPN client: it can't connect to the Cloud's virtual machines, while for all the other VMs within our premises everything is working fine as usual.

My suspicion is that whenever an external host attempts to connect to the virtual machine's IP, the installed VPN client routes this traffic to the internet rather than to our local server. Is that possible?

Thank you

Best regards


3 Replies

Hello @Paolo Fenili

I helped someone with a very similar issue last week. Remote VPN clients weren't able to connect to a service on the cloud.

The steps we followed were:

- Validate if the firewall is applying an ACL to the VPN clients (it was not)

- Validate if NAT was in place (it was)

- Validate if the VM was able to reply to the VPN clients.

After changes to the NAT policies and adjustments to the routing, the remote clients were able to access it.

I hope these steps can help you.

 

-If I helped you somehow, please, rate it as useful.-

 

First of all, thank you for your precious advice @Flavio Miranda

I checked all your steps and I found the firewall can't see the VPN VLAN.

I tried both pinging the IP address of a laptop connected through the Cisco VPN client from the firewall, and using packet tracer to check whether the firewall can see the laptop, both attempts without success.

If I ping it from my computer (on the LAN), the laptop answers.

Indeed, although I added the VPN client address pool to the VLANs group that can communicate with the cloud, this didn't work.

Sorry for the silly questions, but to solve this issue I think I can use two ways:

1. The easiest way: I can change the client address pool of the remote laptop to use an IP address pool which is known to be seen by the firewall.

2. I can allow the two "VLANs" to talk to each other: in order to do this, I must work on the core switch, is that right? Out of curiosity, can you please write me how I can be sure that the firewall VLAN can't talk with the remote laptops?

If you are not using NAT for VPN clients, then they will get to the firewall with the IP address they were assigned from the DHCP pool.

You should run a packet tracer with origin IP = VPN client, destination IP = cloud machine and see what happens. Either NAT or routing may be broken.

 

-If I helped you somehow, please, rate it as useful.-
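The checks the accepted answer describes (packet tracer from the VPN pool to the cloud, then NAT and routing), written out as an added example for a Cisco ASA. This is not configuration from the thread; the firewall model, object names and every address below are assumptions.

```cisco
! Constructed sample addressing (assumptions, not from the thread):
!   VPN client pool      10.10.10.0/24   (handed out to remote laptops)
!   Cloud VM subnet      172.16.50.0/24  (behind the site-to-site IPsec tunnel)
!   Cloud peer firewall  203.0.113.10

! 1. Ask the ASA what it would do with a packet from a VPN client to a cloud VM.
!    Decrypted remote-access traffic enters on the outside interface.
!    A DROP in the NAT, ROUTE-LOOKUP or VPN phase shows which piece is broken.
packet-tracer input outside tcp 10.10.10.5 1025 172.16.50.20 443 detailed

! 2. The flow hairpins: it arrives on outside (remote-access VPN) and leaves
!    on outside again (site-to-site VPN), which the ASA blocks by default.
same-security-traffic permit intra-interface

! 3. Objects for the two subnets.
object network NET_VPN_POOL
 subnet 10.10.10.0 255.255.255.0
object network NET_CLOUD
 subnet 172.16.50.0 255.255.255.0

! 4. NAT exemption so the client keeps its pool address toward the cloud,
!    the "not using NAT for VPN clients" case from the accepted answer.
nat (outside,outside) source static NET_VPN_POOL NET_VPN_POOL destination static NET_CLOUD NET_CLOUD no-proxy-arp route-lookup

! 5. The VPN pool must be part of the site-to-site tunnel's interesting
!    traffic; the cloud side has to mirror this entry in its own crypto ACL,
!    otherwise replies never enter the tunnel.
access-list L2L_CLOUD extended permit ip object NET_VPN_POOL object NET_CLOUD

! 6. Confirm the route and that the tunnel actually carries the pool's traffic
!    (an SA for 10.10.10.0/24 <-> 172.16.50.0/24 with non-zero encaps/decaps).
show route 172.16.50.20
show crypto ipsec sa peer 203.0.113.10
```

Re-run the packet-tracer after each change; once it reports ALLOW through the VPN phase, the remaining suspect is the cloud side's crypto ACL and NAT.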