05-27-2014 04:52 AM
Hi everyone,
Here is my scenario.
INTERNET <------->
ASA5520 <----> INTERNAL (with DHCP Server)
VPN (USER / StS) <------->
I'm "playing" with an ASA 5520. I've successfully configured the ASA to use the internal DHCP server for client addressing. I configured this so I could register the clients with the DNS server.
When I configured the VPN with a local pool all is great, I can "magically" go everywhere, even though I don't configure an interface/sub-interface on the ASA in the same subnet or set a gateway for the clients.
My problem is in understanding VPN routes and gateways. I can't figure out how VPN traffic/routes work …
How do I send traffic back to the VPN? How do I add a route to it?
Should I configure a sub interface on the outside interface for each VPN subnet?
Should I configure a gateway on the clients?
I'm enjoying the ASA a lot but this is starting to give me a headache.
Could you please help me sort out how this "magic" happens?
Thanks in advance.
Francisco
05-27-2014 06:22 AM
How do I send traffic back to the VPN? How do I add a route to it?
This really depends on the type of VPN you configure. In S2S VPN the interesting traffic, i.e. traffic that is to be routed over the VPN, is defined in an ACL. If the traffic matches on both source and destination of the crypto ACL, this tells the ASA to send the traffic over the VPN tunnel. As for remote access VPN, the routes back to the clients are dynamically created as the clients connect to the VPN. This is also a good reason why you should use a unique subnet when allocating IPs to the remote access VPN pool.
Should I configure a sub interface on the outside interface for each VPN subnet?
There is no subinterface, or any interface configuration for that matter, when configuring VPN.
Should I configure a gateway on the clients?
You do not configure any default gateway or route on the client PCs.
--
Please remember to select a correct answer and rate
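To make the answer above concrete, here is an added configuration illustration (not posted by either participant, and not taken from the original thread). It shows the two cases the answer describes: a site-to-site tunnel whose traffic is selected by a crypto ACL, and a remote-access pool on its own subnet whose host routes the ASA installs by itself. Every address, ACL name, crypto map name, tunnel-group name and the DHCP server address are assumed placeholders.

```text
! Added illustration, not from the thread. All names and addresses are assumed.

! --- Site-to-site: "interesting traffic" is selected by the crypto ACL.
! A packet must match BOTH source and destination of this ACL to be sent
! into the tunnel; no static route toward the remote LAN is configured.
access-list S2S_TO_BRANCH extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address S2S_TO_BRANCH
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! --- Remote access: the pool lives on a subnet used nowhere else.
ip local pool RA_POOL 10.50.0.1-10.50.0.254 mask 255.255.255.0
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool RA_POOL
! Alternative to the local pool: have the ASA request addresses from the
! internal DHCP server instead (server address assumed); in that case the
! address-pool line above is not used.
! dhcp-server 192.168.10.5

! Verification while a client is connected: the ASA shows a /32 route it
! installed itself ("V" = VPN). Nothing is configured for it and the client
! needs no gateway setting.
! asa# show route | include 10.50.0.
! V        10.50.0.7 255.255.255.255 connected by VPN (advertised), outside
```

One thing the dynamic /32 does not cover: devices on the internal LAN that do not use the ASA as their default gateway still need a route for the whole pool subnet (10.50.0.0/24 in this illustration) pointing at the ASA's inside interface, otherwise their replies to VPN clients never reach the ASA. Keeping the pool on a dedicated subnet, as the answer recommends, is what makes that single summary route possible.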
05-27-2014 10:24 AM
Thank you so much for your explanations. I'm starting to see some light at the end of the tunnel (group).
Let's hope it's not a train.
I've used the VPN Wizard and when I connect I do see a route to the client/32. This is how the ASA "guesses" how to get to the client.
My only problem now is how to configure the VPN to use the internal DHCP. As you can see attached, I've set the DHCP servers and scope but I keep getting the message on the client "no address assignment". I don't know what else to tick in the ASDM.
Could you please help me out?
Thanks again
Francisco