Cisco ASA and client VPN

Marko Rodic
Level 1

Hello guys,

A client of ours is using an old ASA (version 8.2(2)), and they have old VPN clients connecting to their network. Everything is working fine, clients are connecting from different places, up until they try to connect a second VPN client from the same location (I'm presuming that location is behind some router or firewall and has the same IP as the first connection). If they do that, the second VPN client connects, the first one stays connected and working fine, but the second one has no traffic coming through.

In other words, if they try to connect with two VPN clients from the same public IP (private IPs are different, ofc :D), they both connect, but only the first one that connects has traffic going through the VPN.

I am sorry I don't have any precise information. My question is, does the ASA have some sort of restriction towards VPN clients connecting with the same public IP? Maybe they need different types of licenses or something?

3 Replies

Hi

How can you make sure the traffic is actually leaving the remote location?

There's no limitation as far as I know on the ASA side; however, given the presented scenario, the other end can be the problem.

Try to run some show commands and check whether traffic is being encrypted but not decrypted.

Show crypto ? must help you.

 

-If I helped you somehow, please, rate it as useful.-
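As an added example (not part of the thread or Cisco's tooling), a small Python helper that parses `show crypto ipsec sa` output for the "encrypted but not decrypted" pattern the reply above describes, and groups SAs by public peer address so clients sharing one NAT IP stand out. The sample output is constructed, not captured from a real ASA, and the regexes assume the ASA's `#pkts encaps` / `#pkts decaps` counter lines and `current_peer:` field.

```python
import re

# Constructed sample of "show crypto ipsec sa" output (not captured from a real ASA).
# Two clients share the public peer 203.0.113.7; the second SA has encaps but zero decaps.
SAMPLE_OUTPUT = """\
      remote ident (addr/mask/prot/port): (10.10.10.5/255.255.255.255/0/0)
      current_peer: 203.0.113.7
      #pkts encaps: 1542, #pkts encrypt: 1542, #pkts digest: 1542
      #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498
      remote ident (addr/mask/prot/port): (10.10.10.6/255.255.255.255/0/0)
      current_peer: 203.0.113.7
      #pkts encaps: 87, #pkts encrypt: 87, #pkts digest: 87
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

REMOTE_RE = re.compile(r"remote ident .*?: \((\d+\.\d+\.\d+\.\d+)/")
PEER_RE = re.compile(r"current_peer: (\d+\.\d+\.\d+\.\d+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")

def parse_ipsec_sas(text):
    """One record per SA: assigned client IP, public peer IP, encaps/decaps counters."""
    sas, cur = [], {}
    for line in text.splitlines():
        if m := REMOTE_RE.search(line):
            cur = {"client_ip": m.group(1)}   # a new SA block starts here
        elif m := PEER_RE.search(line):
            cur["peer"] = m.group(1)
        elif m := ENCAPS_RE.search(line):
            cur["encaps"] = int(m.group(1))
        elif m := DECAPS_RE.search(line):
            cur["decaps"] = int(m.group(1))   # decaps is the last counter line we need
            sas.append(cur)
            cur = {}
    return sas

def one_way_sas(sas):
    """SAs the ASA encrypts toward but never decrypts from: the symptom in the reply above."""
    return [sa for sa in sas if sa["encaps"] > 0 and sa["decaps"] == 0]

def shared_public_ips(sas):
    """Public peer IP -> client IPs, only for peers carrying more than one SA (clients behind one NAT)."""
    by_peer = {}
    for sa in sas:
        by_peer.setdefault(sa["peer"], []).append(sa["client_ip"])
    return {peer: clients for peer, clients in by_peer.items() if len(clients) > 1}

if __name__ == "__main__":
    sas = parse_ipsec_sas(SAMPLE_OUTPUT)
    for sa in one_way_sas(sas):
        print(f"one-way SA: client {sa['client_ip']} via {sa['peer']} ({sa['encaps']} out / {sa['decaps']} in)")
    for peer, clients in shared_public_ips(sas).items():
        print(f"{peer} carries {len(clients)} SAs: {', '.join(clients)}")
```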

 

Ajay Saini
Level 7

Hello,

Assuming that this is about the IPsec remote access VPN, it should not work, since all the connections are coming to the ASA using the NATed IP address and there is no way for the ASA to figure out if the connection is coming from multiple internal IP addresses or just one public IP.

For the ASA, all traffic comes from a single client since this is a remote access VPN. Even if the second connection is built, the traffic shall always work on the first connection.

HTH

AJ

syrehan
Level 1

Hello!

I encountered the same problem once when I was working with pfSense back in the day. What I did was subnet the existing set of public IPs I had for the WAN connection into a smaller pool and create an outbound rule: for any user in the internal network with a private IP who wishes to use a VPN of known types like "pptp, l2tp, Ipsec etc", I created an alias for their known ports and associated them with the NAT outbound rule, which allowed them to get the VPN access going.

I found another way: all of the above can be done via 1:1 NAT by assigning the user wishing to use the VPN a different public IP, other than the one used by the WAN connection, from the available pool of public IPs.

Hope that gives you a few things to try on your end.
