Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
527
Views
0
Helpful
3
Replies

Cisco ASA, mobile devices and same subnet

Marco Serato
Level 1
Level 1

‎05-16-2021 02:04 PM - edited ‎05-16-2021 02:06 PM

Hello
We use Cisco ASA as site-to-site VPN gateway.
Now one customer want to connect some mobile devices with site-to-site VPN to our ASA.

All these devices should be placed in the same subnet (remote network).
How can I connect different mobile devices which connect separately via site-to-site VPN to our ASA and all devices are placed in the same subnet (remote network from ASA view).

Is there a feature or known procedure for this requirement?

 

Many thanks.

Marco

Labels:
0 Helpful
3 Replies 3

Marco Serato
Level 1
Level 1

‎05-20-2021 12:47 PM - edited ‎05-20-2021 12:47 PM

Has nobody an idea or is this not possible?

A picture for a better understanding is attached.

Preview file
36 KB
0 Helpful

Sheraz.Salim
VIP
VIP
In response to Marco Serato

‎05-20-2021 02:29 PM

you can change the nat rule of the remote network to a different ip.
Example
!
object network Mobile-Site1-Real
host 192.168.0.10
!
object network Mobile-Site1-Mapped
host 172.16.0.10
!
object network ASA-Host-Device
host 10.10.10.1
nat (inside,outside) source static ASA-Host-Device ASA-Host-Device destin static Mobile-Site1-Mapped Mobile-Site1-Real no-proxy-arp route-lookup
!

 

to give you an idea here is a cisco document https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/211275-Configuration-Example-of-ASA-VPN-with-Ov.html

please do not forget to rate.
0 Helpful

Marco Serato
Level 1
Level 1
In response to Sheraz.Salim

‎05-26-2021 06:14 AM

Hello

Itried to understand the whole thing based on the Cisco documentation. But it don't really succeed.

As additional information, there are around 50 mobile devices.

Is it correct that every mobile device (remote) can connect to IPsec Site-2-Site-VPN and its remote local IP is mapped to an IP of a NAT subnet on the central ASA?

In your example, the remote local IP 192.168.0.10 is mapped to the local ASA NAT IP 10.10.10.1?

This would then have to be done 50 times?

Is it possible to specify an IP via FQDN names during the authentication process of the site-2-site tunnel?

Someone told me this feature is called Road Warrior.


I am confused.


Thanks.

 

0 Helpful
Customers Also Viewed These Support Documents