Having a problem with remote vpn client

reginoletellis
Level 1

Hello all;

I am having a bit of a problem with our Cisco VPN client. I originally set it up successfully, and users that connect to it have been able to function perfectly on our previous single network. NOW, however, we have added a second location about 8 miles away. Same domain, but a different LAN....connected successfully by site-to-site VPN with two ASA 5505s.....the problem of course now is that I can't figure out how to get my VPN clients to see my other network...or I lack the knowledge of how to do it....can anybody help?

2 Replies

Jouni Forss
VIP Alumni

Hi,

Can you confirm that the following are true:

  • You have a central location with an ASA5505
  • The central location has the VPN Client configuration
  • You have added a remote location with an ASA5505 that connects to the central site
  • You want VPN Clients to be able to reach the remote site through their VPN Client connection to the central site ASA5505
  • If all the above are true, are you using Full Tunnel VPN Client or Split Tunnel?

Naturally, if you can share your configuration (except for any sensitive information) it would be easy to go through the settings.

But here are some things to consider regarding the configurations.

  • As your remote users' connections enter through the "outside" of the central ASA5505, you have to notice that they also leave/head out from the same "outside" interface, as the remote site LAN is located behind that interface through the L2L VPN connection
    • You should probably add the following configurations (unless already present, of course)
      • same-security-traffic permit inter-interface
      • same-security-traffic permit intra-interface
    • These make it possible for the traffic to enter and leave the same interface, and also make it possible for two interfaces with identical security levels to communicate with each other

  • You will need a NAT configuration to make it possible for your VPN Client users to communicate with the LAN behind the L2L VPN connection

  • You will need to add the VPN Client Pool in the ACL that defines the networks belonging to the L2L VPN connection so that the central site ASA knows to forward the traffic from the VPN Client to the L2L VPN

  • IF you are using Split Tunnel VPN you will need to add the Remote Site LAN to the Split Tunnel ACL

Those are some things that come to mind. But as I said, the easiest way to get these things working is usually when we have the configurations of the firewall to work with. Otherwise we can just point out the things I mentioned above without any specific information or configurations.

Hopefully the above was helpful

- Jouni

reginoletellis
Level 1

Hello Jouni;

My apologies for the late reply! Thank you for responding. To answer your questions:

1. Yes; the central location is an ASA 5505. In fact, the remote location is also an ASA 5505 that is connected by a site-to-site VPN.

2. The central location is the one with the VPN Client configuration.

3. I do want the clients connecting to the central location client vpn to be able to connect to the remote site LAN as well.

4. The existing client vpn config is a split level VPN.

My current config is set up as follows:

Central LAN: 192.168.xxx.0 255.255.255.0
External GW: 209.xxx.xx.x
VPN client issues virtual IPs of: 192.168.5.x

going to remote location of:

50.xx.xx.0 external GW
192.168.212.0 Internal LAN

I am not sure I understand ANY of the suggestions you listed here (I am really NOT a firewall guy....I just know enough to be dangerous I guess) maybe you can explain it as you would to a 5 year old...lol...but I will definitely take a look and try to find what you mentioned and go from there...

Thanks!!!
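As an added illustration (not configuration from the thread, from Jouni, or from the poster), here is how Jouni's four points map onto ASA commands using the addresses given above, assuming ASA 8.3+ NAT syntax; the object and ACL names and the central LAN 192.168.100.0/24 are placeholders, while the client pool 192.168.5.0/24 and remote LAN 192.168.212.0/24 are the thread's values.

```cisco
! Added example, not the thread's configuration. Assumes ASA 8.3+ NAT syntax.
! CENTRAL-LAN 192.168.100.0/24 is a placeholder for the poster's 192.168.xxx.0/24.

! 1. VPN Client traffic arrives on "outside" and must leave via "outside" again
!    (hairpin), because the remote LAN sits behind that same interface.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network CENTRAL-LAN
 subnet 192.168.100.0 255.255.255.0
object network VPN-POOL
 subnet 192.168.5.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.212.0 255.255.255.0

! 2. NAT exemption (identity NAT) so client <-> remote-LAN traffic keeps its
!    real addresses and matches the L2L crypto ACL on both ends.
nat (outside,outside) source static VPN-POOL VPN-POOL destination static REMOTE-LAN REMOTE-LAN

! 3. The L2L crypto ACL must also cover the client pool, or the central ASA
!    never sends client traffic into the site-to-site tunnel.
access-list L2L-CRYPTO-ACL extended permit ip object CENTRAL-LAN object REMOTE-LAN
access-list L2L-CRYPTO-ACL extended permit ip object VPN-POOL object REMOTE-LAN

! 4. Split tunnel: the client only routes listed networks through the VPN, so
!    the remote LAN must be in the split-tunnel ACL next to the central LAN.
access-list SPLIT-TUNNEL-ACL standard permit 192.168.100.0 255.255.255.0
access-list SPLIT-TUNNEL-ACL standard permit 192.168.212.0 255.255.255.0
group-policy VPN-CLIENT-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-ACL

! The remote ASA needs the mirror image: a crypto ACL entry for
! 192.168.212.0/24 -> 192.168.5.0/24 and a matching NAT exemption.
```

Checks after applying this: `show crypto ipsec sa` on the central ASA should show an SA whose local/remote identities include 192.168.5.0/24 and 192.168.212.0/24, and a connected client's route table should list 192.168.212.0/24 via the VPN adapter.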
