vpn over ethernet

suthomas1
Level 6

Hi,

I am reposting this thread, sorry for that.

Is it possible to run remote access VPN for users over metro Ethernet, as the users will be logging in to the HQ using remote access VPN over a metro Ethernet link?

This metro ethernet link connects the HQ with the branch office.

We want to test the following scenario for remote access users.

- One main office is hosting servers behind an ASA 5585 firewall

- Another branch office is located within the same city a short distance away, but connected via metro Ethernet link to the main office (no internet link exists in the branch)

- Users from the branch office need to connect to main office servers placed behind the firewall

- Security considerations set by the subsidiary say that the users in the branch office must use a VPN client for authentication to the servers & not directly access the servers

Can we configure remote access VPN on the main office ASA, knowing that there is no internet link in the branch office & the users at the branch will be using the metro Ethernet link between the two offices to connect to the VPN?

Appreciate all help. Thanks in advance


Jouni Forss
VIP Alumni

Hi again,

As long as there is connectivity between the sites I don't see any problem with configuring the HQ ASA interface behind which Branch is located to accept VPN connections.

If the HQ site has a Crypto Map attached to its current external/public interface then you can even attach that Crypto Map to this new interface or create a new Crypto Map for the Branch site ASA interface completely.

Naturally the way this is configured depends completely on your current setup/configurations on the HQ ASA. (Where servers are located on the HQ ASA, where is Branch located on the HQ ASA etc.)

- Jouni

Thanks Jouni.

The connection would look like this;

Servers -> HQ ASA ------------ (Metro Ethernet Link) ------------ Branch Office ------ Users

Only the HQ has an ASA, we'll be employing remote access vpn for users at branch office to remote connect to HQ for accessing the servers.

I was just wondering, because there is only a metro Ethernet link over which users in the branch office would remote in to HQ, will this remote access work as it is over an Ethernet link?

Hi,

I am not sure why it wouldn't.

As long as the users can connect to the IP address of the interface of the HQ ASA (through which the Branch site is found) then you should be able to configure IPsec VPN for that interface and enable them to use VPN to connect to parts of your internal network.

I assume that the Branch network is currently using the Internet connection through the HQ site and traffic to all the internal HQ networks is still blocked. Or perhaps allowed but will be changed to require VPN to access.

- Jouni
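
The setup discussed in this thread, sketched as an ASA configuration (an added example, not posted by any participant): remote access IPsec terminated on the branch-facing interface, with direct access to the servers blocked so the VPN is the only path. The interface name `branch`, every object name, all addresses and the IKE/IPsec parameters are assumptions, and the AAA group and pre-shared key are placeholders.

```cisco
! Added example. Assumed, not from the thread: nameif "branch", all object
! names, and all addresses (10.20.0.0/24 = HQ servers, 10.99.0.0/24 = VPN pool).
! Syntax is ASA 8.4 or later; adjust IKE/IPsec values to what the client supports.
interface GigabitEthernet0/2
 nameif branch
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
! Branch hosts may not reach the servers directly. Decrypted VPN traffic
! bypasses this ACL while "sysopt connection permit-vpn" is at its default.
access-list BRANCH-IN extended deny ip any 10.20.0.0 255.255.255.0
access-list BRANCH-IN extended permit ip any any
access-group BRANCH-IN in interface branch
!
ip local pool BRANCH-RA-POOL 10.99.0.10-10.99.0.200 mask 255.255.255.0
access-list BRANCH-RA-SPLIT standard permit 10.20.0.0 255.255.255.0
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map BRANCH-DYN 65535 set ikev1 transform-set ESP-AES256-SHA
crypto map BRANCH-MAP 65535 ipsec-isakmp dynamic BRANCH-DYN
!
! Terminate the VPN on the metro-Ethernet-facing interface, not "outside".
crypto map BRANCH-MAP interface branch
crypto ikev1 enable branch
!
group-policy BRANCH-RA-GP internal
group-policy BRANCH-RA-GP attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value BRANCH-RA-SPLIT
!
tunnel-group BRANCH-RA type remote-access
tunnel-group BRANCH-RA general-attributes
 address-pool BRANCH-RA-POOL
 authentication-server-group <AAA-GROUP-PLACEHOLDER>
 default-group-policy BRANCH-RA-GP
tunnel-group BRANCH-RA ipsec-attributes
 ikev1 pre-shared-key <GROUP-KEY-PLACEHOLDER>
```

`show crypto isakmp sa` and `show vpn-sessiondb` on the ASA confirm that branch clients are connecting through the tunnel rather than reaching the servers in the clear.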

Thanks again.

That is correct, the branch internet is accessible only via HQ.

If the authentication is two-pronged (first with RADIUS logins & second using token authentication), what attributes from the ASA side need to be configured/placed on the authentication/token server?

Hi,

Sad to say that this is a question that I won't be able to answer really.

We do use separate AAA servers (and RSA SecurID tokens) but they are environments that have been set up by someone else along with some IT people from our company.

- Jouni
