Recommended VPN Server configuration

fbeye (Level 4)

Hello

I was wondering what would be considered the correct/current VPN setup to use.

My situation is residential and I am simply wanting to use my iOS devices (iPhone/iPad) to access specific IP addresses on my LAN to read/write documents and multimedia via VPN.

I know iPhone/iPad has VPN support but would prefer to use the Cisco AnyConnect client software.

Was just looking for a direction to take in regards to which configuration format and security to use so I know where to research.

Thank you

You can ignore that bit, that is the ISE/RADIUS configuration. It's irrelevant if you are using local authentication. It sounds like you've got the basic VPN setup and working on the windows PC? It's just the split-tunnel configuration that is now required?

Good Morning

That is correct... I can connect and authenticate but cannot access anything on the internet or LAN, which is where the split-tunnel comes in and I will do when I get home. My only confusion is that I set the outside interface as the VPN access but then set the NAS interface as the internal, as opposed to "inside", but inside isn't the network I use.

Ok. Just ensure you have a no-nat rule, to ensure traffic between the RA VPN Pool network and the NAS network (and any other network if required) is not natted.

HTH

I recall "excluding" the VPN from NAT and also in general on my ASA that 1/8 NAS interface has no NAT at all, but looking at my running-config I see:
nat (NAS,outside) source static any any destination static

Looks like you already have this:

nat (NAS,outside) source static any any destination static NETWORK_OBJ_10.0.3.96_28 NETWORK_OBJ_10.0.3.96_28 no-proxy-arp route-lookup

which would no-nat traffic from the NAS interface to outside; you may want to tweak "any" to the object relating to the NAS network.

If you wish to provide RAVPN access to other networks, you'd need to create another similar rule, just change the "NAS" nameif to the other interface name and the source network.

HTH

Ok, I am getting somewhere... I added the lines of code as you suggested and I now have, through the VPN, Internet access using my hotspot, not the VPN. But the VPN is connected and here are its routes:

Non-Secured Routes (IPv4)
0.0.0.0/0
Secured Routes (IPv4)
10.0.2.0/24
8.8.8.8/32

Now the subnet pool I have used is 10.0.3.101-10.0.3.105 and my PC has connected as 10.0.3.101.

At this point I am unable to ping or connect to 10.0.2.111 (my NAS), which is reached through GigabitInterface 1/8 with an IP of 10.0.2.115, which gets its IP from a separate router with 10.0.2.1 as gateway.

Would I need to create an ACL or some sort of route to 10.0.2.111 through 10.0.2.115, which goes to 10.0.2.1?

If I understand you correctly the default gateway of the NAS is not the ASA, in which case I would imagine the NAS would not have a route to your RAVPN network 10.0.3.0/24. So therefore, yes you would need to define a static route on the NAS for that network and route it via the ASA.

HTH
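Pulling the three pieces from this thread together (split tunnel, NAT exemption scoped to the NAS network rather than "any any", and the return route on the NAS), here is an added ASA configuration example. It is not configuration posted by anyone in the thread and not Cisco's own documentation; the addresses and the "NAS"/"outside" nameifs come from the thread, while the names RAVPN_POOL, RAVPN_POOL_NET, NAS_NET, SPLIT_TUNNEL, RAVPN_GP and RAVPN, and the /28 pool mask, are assumptions chosen to match the auto-generated NETWORK_OBJ_10.0.3.96_28 object shown above:

```cisco
! Added example, not from the thread. Names below are assumed; addresses are the thread's.

! 1. Address pool handed to AnyConnect clients (10.0.3.101-.105 sits inside 10.0.3.96/28)
ip local pool RAVPN_POOL 10.0.3.101-10.0.3.105 mask 255.255.255.240

! 2. Objects for the pool block and the NAS LAN behind GigabitEthernet1/8 (nameif NAS)
object network RAVPN_POOL_NET
 subnet 10.0.3.96 255.255.255.240
object network NAS_NET
 subnet 10.0.2.0 255.255.255.0

! 3. Split tunnel: only the NAS LAN is sent through the tunnel; Internet stays local.
!    This is what produces "Secured Routes 10.0.2.0/24" on the client. A group-policy
!    DNS server is typically also pushed as a secured host route (the 8.8.8.8/32 above).
access-list SPLIT_TUNNEL standard permit 10.0.2.0 255.255.255.0

group-policy RAVPN_GP internal
group-policy RAVPN_GP attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 8.8.8.8
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
 address-pool RAVPN_POOL
 default-group-policy RAVPN_GP

! 4. NAT exemption (identity twice NAT) between the NAS LAN and the VPN pool, scoped to
!    the two objects instead of "any any". route-lookup keeps the ASA choosing the
!    egress interface from the routing table; no-proxy-arp stops the ASA answering ARP
!    for the mapped addresses on the NAS segment.
nat (NAS,outside) source static NAS_NET NAS_NET destination static RAVPN_POOL_NET RAVPN_POOL_NET no-proxy-arp route-lookup
```

Because the NAS's default gateway is the separate router (10.0.2.1) and not the ASA's NAS-side address (10.0.2.115), the NAS still needs a route back to the pool, exactly as the reply above says: 10.0.3.96/28 via 10.0.2.115 (either on the NAS itself or on the 10.0.2.1 router). To confirm the ASA side before touching the NAS, `show nat detail` should show the exemption rule with a non-zero translate_hits once a client has tried to reach the NAS, and `packet-tracer input NAS icmp 10.0.2.111 8 0 10.0.3.101` should end with an ALLOW result whose NAT phase is the identity rule rather than a dynamic PAT to the outside address.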

Ahhh, that was my final issue.

Well my friend, you were an awesome teacher. I have it working the way I want it to. On my laptop I connected to my cell phone hotspot to verify I was completely off my home network and connected to the VPN. I then mounted my NAS drive and it mounted without issue.

Thank you.
