Remote Access VPN with Multiple Endpoints

Jon Eyes
Level 1

I'm not sure what it is called, but here's the scenario.

We have multiple offices (let's use 3 offices for simplicity) across US and APAC. Remote users VPN into the site where their required resources live. Say a user needs a file in each site: he needs to VPN into site1 to get file1, VPN into site2 to get file2, and so on.

We are looking for a solution wherein the users only need to log in to a single endpoint, then that endpoint routes or decides how these users will be able to reach those files.

Please refer to the attachment, hope it helps. 

Central VPN Termination.png

Accepted Solution

There is no way of doing this. The traffic needs to U-turn from the VPN end, which is the ASA. You can have direct client to site without passing through the headend.

3 Replies

Why not have a single pair of ASAs to terminate the VPN and then, based on the username (or you can use DAP), you can grant the user access to the specific site? This is doable.

Hi Mohammed,

Thanks for the reply.

You mean use the ASA pair as a hop-off to reach the other sites? Yeah, that would work, I thought about that as well. Our concern in that setup is the effective latency and speed of data transfer, since the data will traverse two tunnels. At least that's how I understand it.

We're looking for a DMVPN-ish solution, but instead of an appliance as the spoke, the AnyConnect/VPN client acts as the spoke.
