15417 Views | 0 Helpful | 3 Replies

VPN Client - Multiple Connection Capability?

alistair.cowan
Level 1

Hi Folks,

My basic question is, does Cisco VPN Client allow two simultaneous VPN connections at once?

I want to set up the following:

User Client (Remote Access VPN via Internet) --> Head Office ASA 5520 A/S Pair --> (Remote Access VPN via Internet) --> Branch Office ASA 5510S+ A/S Pair

So, in order to access the branch office system, the user must:

1. Connect to Head Office ASA peer via Cisco VPN Client (user/password authentication)

Head Office ASA peer gives a private 172.16.1.x IP, and is configured to route all requests to Branch Office's public ASA IP via its own public IP address.

2. Once Head Office VPN established, user establishes a SECOND VPN tunnel from Cisco VPN client (user/password and cert-based auth)

I.e. Branch office sees the VPN connection attempt originating from the head office public IP, and therefore permits the VPN traffic through the ACLs and allows the VPN negotiations to continue as normal.  Client is given another private IP address, 192.168.10.x.

Basically, I need to limit Branch Office remote-access VPN so that it is only accessible from the Head Office public IP address, not the user's home public IP address (and therefore the entire internet).


I know this is an unusual setup, and many would argue about the security sensibility of allowing two concurrent VPN connections. These are both trusted networks, strict ACLs would be in play and there is a long background story behind this requirement...

Many thanks in advance!

1 Accepted Solution

raga.fusionet
Level 4

Alistair,

You could limit the access of VPN connections to the branch office by blocking connections on ports UDP 500, UDP 4500 and ESP and allowing it only from your head office. That way, only the explicitly allowed public IP Address from your head office would be able to connect to your branch office using an IPSec tunnel.

Now, about the second tunnel, I don't think that's possible. As far as I'm aware you can't have two VPN client connections at the same time from the same client. The VPN will not let you do that; that's basically because when you have a VPN Client session the VPN adapter comes up and you can only have one VPN virtual adapter.

Since I don't think this is feasible I would advise trying something like this:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

That would provide you with the connectivity you are looking for without the need of a second VPN tunnel from the client side.

I hope this helps.

Raga

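The source restriction Raga describes, written out as an added example ASA ACL (this is not configuration from the thread or from the Cisco document linked above). The addresses 203.0.113.10 (head office public IP) and 198.51.100.20 (branch ASA outside interface) are placeholders, and the control-plane form of the access-group is an assumption that the branch ASA runs a release supporting that keyword; on an older release the same filter belongs on the upstream router instead.

```cisco
! Added example, not from the thread. Addresses are placeholders:
!   203.0.113.10  = head office public IP (the only permitted IPsec peer)
!   198.51.100.20 = branch ASA outside interface
! Permit IKE (UDP 500), NAT-T (UDP 4500) and ESP only from head office
access-list OUTSIDE_IN extended permit udp host 203.0.113.10 host 198.51.100.20 eq isakmp
access-list OUTSIDE_IN extended permit udp host 203.0.113.10 host 198.51.100.20 eq 4500
access-list OUTSIDE_IN extended permit esp host 203.0.113.10 host 198.51.100.20
! Explicit logged denies so IKE attempts from anywhere else show up in syslog
access-list OUTSIDE_IN extended deny udp any host 198.51.100.20 eq isakmp log
access-list OUTSIDE_IN extended deny udp any host 198.51.100.20 eq 4500 log
access-list OUTSIDE_IN extended deny esp any host 198.51.100.20 log
! Traffic terminating on the ASA itself is not checked by an ordinary interface ACL,
! so the list is applied to the control plane (assumed to be supported on this release)
access-group OUTSIDE_IN in interface outside control-plane
```

The implicit deny at the end of the list will also drop any other to-the-box traffic arriving on outside, so add permits for anything else that must still reach the ASA there (management access, ICMP) before applying it.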

3 Replies

Raga,

Thanks very much for your response - I haven't come across this configuration before and it seems that it should satisfy our requirements so I'll give it a go.

Good to have confirmation on the Cisco VPN Client too, I hadn't considered it in terms of the virtual network adaptor before.

Thanks again,

Alistair

Sure, anytime.