ASA 5505 site-to-site VPN tunnel and client VPN sessions

bmiller
Level 1

Hello all,

I have several years of general networking experience, but I have not yet had to set up an ASA from the ground up, so please bear with me.

I have a client who needs to establish a VPN tunnel from his satellite office (Site A) to his corporate office (Site Z).  His satellite office will have a single PC sitting behind the ASA.  In addition, he needs to be able to VPN from his home (Site H) to Site A to access his PC.

The first question I have is about the ASA 5505 and the various licensing options.  I want to ensure that an ASA5505-BUN-K9 will be able to establish the site-to-site tunnel as well as allow him to use either the IPsec or SSL VPN client to connect from Site H to Site A.  Would someone please confirm or deny that for me?

Secondly, I would like to verify that no special routing or configuration would need to take place in order to allow traffic not destined for Site Z (i.e., general web browsing or other traffic to any resource that is not part of the Site Z network) to go out his outside interface without specifically traversing the VPN tunnel (split tunneling?).

Finally, if the client were to establish a VPN session from Site H to Site A, would that allow for him to connect directly into resources at Site Z without any special firewall security rules?  Since the VPN session would come in on the outside interface, and the tunnel back to Site Z goes out on the same interface, would this constitute a split horizon scenario that would call for a more complex config, or will the ASA handle that automatically without issue?

I don't yet have the equipment in-hand, so I can't provide any sample configs for you to look over, but I will certainly do so once I've got it.

Thanks in advance for any assistance provided!

1 Reply

Jennifer Halim
Cisco Employee

First question:

Yes, the 5505 will be able to establish a site-to-site tunnel, and he can use the IPSec VPN client and SSL VPN (it comes with 2 default SSL VPN licenses).

Second question:

Yes, you are right. No special routing is required. All you need to configure is the site-to-site VPN between the Site A and Site Z LANs, and the internet traffic will be routed via Site A's internet, assuming you have all the NAT statements configured for that.

Last question:

This needs to be configured; it won't automatically allow access to Site Z when he VPNs in to Site A.

Here is what needs to be configured:

1) Split tunnel ACL for VPN Client should include both Site Z and Site A LAN subnets.

2) On Site A, configure: same-security-traffic permit intra-interface

3) Crypto ACL for the site-to-site tunnel between Site Z and Site A needs to include the VPN Client pool subnet as follows:

On Site Z:

access-list permit ip

On Site A:

access-list permit ip

4) NAT exemption on Site Z needs to include the VPN client pool subnet as well.

Hope that helps.

Message was edited by: Jennifer Halim
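The four steps in the reply, written out as an added ASA configuration example. This is not configuration from the original post or from Cisco; it uses pre-8.3 ("nat 0" style) syntax and hypothetical addressing: Site A LAN 192.168.10.0/24, Site Z LAN 192.168.20.0/24, VPN client pool 192.168.100.0/24, Site Z peer 198.51.100.10. The ACL, pool, group-policy and tunnel-group names are made up for the example. The base pieces of both VPNs that the reply does not discuss (ISAKMP policy, pre-shared keys, the dynamic crypto map for remote-access clients, AAA) are assumed to already exist and are omitted.

```cisco
! ===== Site A ASA (satellite office) =====
! Hypothetical addressing:
!   Site A LAN       192.168.10.0/24
!   Site Z LAN       192.168.20.0/24
!   VPN client pool  192.168.100.0/24
!   Site Z peer      198.51.100.10

! Step 2: client traffic arrives on outside and leaves on outside via the
! site-to-site tunnel, so hairpinning on one interface must be permitted
same-security-traffic permit intra-interface

! Step 1: split-tunnel ACL pushed to the VPN client lists BOTH LANs, so only
! Site A / Site Z destinations enter the client tunnel; web browsing stays local
access-list SPLIT_TUNNEL standard permit 192.168.10.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.20.0 255.255.255.0

! Step 3: crypto ACL for the site-to-site tunnel covers the client pool too,
! otherwise client -> Site Z packets never match the L2L SA and are dropped
access-list L2L_TO_SITEZ extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list L2L_TO_SITEZ extended permit ip 192.168.100.0 255.255.255.0 192.168.20.0 255.255.255.0

! NAT exemption on Site A: LAN <-> Site Z and LAN <-> client pool are not translated
access-list NO_NAT extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

! Everything else from the LAN is PATed out the outside interface (no tunnel)
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0

! Remote-access pool and the group policy that applies the split-tunnel list
ip local pool VPN_POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
tunnel-group RA_GROUP type remote-access
tunnel-group RA_GROUP general-attributes
 address-pool VPN_POOL
 default-group-policy RA_POLICY

! Static crypto map entry for the Site Z tunnel (ISAKMP/keys assumed configured)
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_TO_SITEZ
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! ===== Site Z ASA (corporate office) =====
! Step 3 (mirror): crypto ACL is the exact mirror of Site A's, pool included
access-list L2L_TO_SITEA extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list L2L_TO_SITEA extended permit ip 192.168.20.0 255.255.255.0 192.168.100.0 255.255.255.0

! Step 4: NAT exemption on Site Z also covers the client pool, so replies to the
! VPN client are not translated before they reach the tunnel
access-list NO_NAT extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.20.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
```

The two things that most often break this setup are the ones the reply calls out: the crypto ACLs on both sides must be exact mirrors (including the pool entry), and the NAT exemption must cover the pool on both ends. A quick check after a client connects is `show crypto ipsec sa peer 198.51.100.10`, where a second SA pair for 192.168.100.0/24 to 192.168.20.0/24 should appear once the client sends traffic to Site Z.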