VPN Routes (with internal DHCP)

FranciscoRC
Level 1

Hi everyone,

Here is my scenario.

INTERNET          <------->
                             ASA5520 <----> INTERNAL (with DHCP server)
VPN (USER / StS)  <------->


I'm "playing" with an ASA 5520. I've successfully configured the ASA to use the internal DHCP server for client addressing. I configured this so I could register the clients with the DNS server.

When I configured the VPN with a local pool all is great, I can "magically" go everywhere, even though I don’t configure an interface/sub interface on the ASA in the same subnet or set a gateway for the clients.

My problem is in understanding VPN routes and gateways. I can't figure out how VPN traffic/routes work.

How do I send traffic back to the VPN? How do I add a route to it?

Should I configure a sub interface on the outside interface for each VPN subnet?

Should I configure a gateway on the clients?

I'm enjoying the ASA a lot, but this is starting to give me a headache.

Could you please help me sort out how this "magic" happens?

Thanks in advance.

Francisco
2 Replies

How do I send traffic back to the VPN? How do I add a route to it?

This really depends on the type of VPN you configure. In S2S VPN the interesting traffic, i.e. traffic that is to be routed over the VPN, is defined in an ACL. If the traffic matches on both source and destination of the crypto ACL, this tells the ASA to send the traffic over the VPN tunnel. As for remote access VPN, the routes back to the clients are dynamically created as the clients connect to the VPN. This is also a good reason why you should use a unique subnet when allocating IPs to the remote access VPN pool.

Should I configure a sub interface on the outside interface for each VPN subnet?

There is no subinterface, or any interface configuration for that matter, when configuring VPN.

Should I configure a gateway on the clients?

You do not configure any default gateway or route on the client PCs.

--
Please remember to select a correct answer and rate helpful posts
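To make the two cases in the reply above concrete, here is an added configuration example; it is not config from this thread, from the poster's ASA, or from Cisco documentation. It assumes ASA 8.4 or later syntax (the 8.2 commands on an older 5520 differ), an inside network of 10.0.0.0/24, a dedicated remote-access pool 10.99.0.0/24, and a site-to-site peer at 203.0.113.2 whose LAN is 192.168.50.0/24. All addresses, object names and the placeholder pre-shared keys are made up for illustration.

```cisco
! --- Added example, not from the thread. ASA 8.4+ syntax assumed.
! --- inside 10.0.0.0/24, RA pool 10.99.0.0/24, S2S peer 203.0.113.2 / LAN 192.168.50.0/24

! Site-to-site: the crypto ACL is the "route". Traffic whose source AND destination
! match this ACL is sent into the tunnel; no static route or interface is needed for it.
access-list L2L_CRYPTO extended permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <long-random-site-key>

! Remote access: addresses come from a pool on a subnet that is used nowhere else.
! When a client connects, the ASA installs a host (/32) route for it pointing at the
! tunnel, so nothing is routed "to the pool" until a client is actually connected.
ip local pool RA_POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.255.255.0
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool RA_POOL
 default-group-policy RA_POLICY
tunnel-group RA_VPN ipsec-attributes
 ikev1 pre-shared-key <long-random-group-key>
crypto dynamic-map DYN_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP

! NAT exemption: VPN traffic must not be translated on the way out, otherwise the
! return traffic never matches the crypto ACL or the per-client host routes.
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
object network REMOTE_SITE
 subnet 192.168.50.0 255.255.255.0
object network RA_NET
 subnet 10.99.0.0 255.255.255.0
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static REMOTE_SITE REMOTE_SITE no-proxy-arp route-lookup
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static RA_NET RA_NET no-proxy-arp route-lookup
```

After a client connects, `show route` lists its /32 on the outside interface; that entry disappears when the session ends. Two things the ASA config alone does not cover: any internal router or server that does not use the ASA's inside interface as its default gateway needs its own route for the pool subnet (and the remote site's LAN) pointing at the ASA, otherwise replies never come back; and the pre-shared keys should be long random values, not the short strings the wizard examples tend to suggest.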

Thank you so much for your explanations. I'm starting to see some light at the end of the tunnel (group).

Let's hope it's not a train.

I've used the VPN Wizard, and when I connect I do see a route to the client /32. This is how the ASA "guesses" how to get to the client.

My only problem now is how to configure the VPN to use the internal DHCP. As you can see in the attachment, I've set the DHCP servers and scope, but I keep getting the message "no address assignment" on the client. I don't know what else to tick in the ASDM.

Could you please help me out?
Thanks again

Francisco
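The thread does not carry an answer to the last question, so the following is an added example of the CLI equivalent of what the ASDM DHCP settings configure, not config from the thread or a diagnosis of this particular ASA. It assumes ASA 8.4 or later syntax, an internal DHCP server at 10.0.0.5 reachable through the inside interface, a scope 10.99.0.0/24 already created on that server for VPN clients, and the group-policy and tunnel-group names used above; all of these are illustrative.

```cisco
! --- Added example, not from the thread. ASA 8.4+ syntax assumed.
! --- internal DHCP server 10.0.0.5, VPN-client scope 10.99.0.0/24 on that server

! Allow DHCP as an address-assignment method. This is enabled by default;
! it is shown so that the setting is explicit in the running config.
vpn-addr-assign dhcp

group-policy RA_POLICY attributes
 ! Network address the ASA hands to the DHCP server to select the scope
 ! for VPN clients. It must match a scope that exists on the server.
 dhcp-network-scope 10.99.0.0

tunnel-group RA_VPN general-attributes
 ! DHCP server(s) the ASA relays the client's address request to.
 ! With this set, no local address-pool is required for the tunnel-group.
 dhcp-server 10.0.0.5
 default-group-policy RA_POLICY
```

When DHCP assignment still fails, the place to look is the DHCP server itself: its log should show a request coming from the ASA's inside interface address, and the scope named in `dhcp-network-scope` must exist there with free leases. The server also needs a route for that scope's network back to the ASA's inside interface, for the same reason as in the pool example: the ASA only knows the connected client by a /32 route, and internal hosts have to send the pool subnet to the ASA to reach it.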