Buy or Renew
Buy or Renew
NOTICE: The community will be in READ-ONLY Sept. 6 – 9 to add Umbrella release notes and announcements. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
719
Views
0
Helpful
3
Replies

VPN from internal campus network to DC network.

Heino Human
Level 1
Level 1

‎09-23-2020 11:36 PM

Hi legends, 

 

I have just completed setting up RAVPN with MFA, one with Yubikey and one with Microsoft Azure NPS. The MS option is for general staff and the yubikey is for IT support staff. This is what the customer requested. 

 

Now, they would like VPN on the campus network, though only for IT staff. This is only to reach DC networks. We have multiple VRFs and each has a few IT staff that is required to reach the DC networks and this has to be over AnyConnect VPN. 

 

Our current solution is Palo Alto and setting that up was a piece of cake as you use the same loopback public facing IPs with DNS. 

 

Has anyone else had to set something up like this and if so, how do you get multiple VRFs VPN on the internal network? 

 

Any ideas, will be greatly appreciated! 

 

Thank you

Heino 

Labels:
0 Helpful
3 Replies 3

Rob Ingram
VIP
VIP

‎09-23-2020 11:53 PM

Hi @Heino Human 

Use sub-interfaces on the ASA/FTD, the sub-interface on the switch would be defined in the correct VRF. You'd have to assign a different IP address pool to the IT Staff to reach the DC networks.

You aren't using ISE for aaa, so you cannot authorise access based on username.

HTH

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎09-24-2020 12:11 AM

As per my understanding as below :

 

 you IT staff connect to VPN to your office - then that staff needs to access DC using the same VPN. ( Hope you already have VPN between Corporate and DC network? do you ?

 

You have had different VPN profile can get a different IP address for the IT Staff required to access to DC,.

make access rule on your VPN to have that IP address can reach DC, is that works?

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Heino Human
Level 1
Level 1
In response to balaji.bandi

‎09-24-2020 03:40 AM

hi guys, 

 

Firstly, we have internet firewalls, FTDs, and DC firewalls Palo Altos. The DC firewall also has internet access, though for DC services only. The campus network, use the internet firewalls for internet. Think east west, or north south to separate DC and internet. 

 

So we have all our users connecting from home to the campus network via anyconnect VPN, which is great and working. 

 

Now, they want IT staff, who are onsite on campus, to also use the VPN to access data center services, like databases etc that has sensitive information on it. For the the rest of general staff, they will access normal services on premises without VPN. 

 

 

When you setup AnyConnect, you connect to the outside interface and have an egress interface like inside. Now, we have to setup VPN via the inside interface. I should have mentioned, our internet firewall is like a router on a stick for all the VRFs. So from the inside Staff network, you traverse the internet firewall to get to the data center, or general services like CCTV or research network etc. 

 

So my end result would be connecting from onsite campus staff VRF network (for database admin staff) and say, IT Admin VRF network to the DC VRF via VPN. 

 

I hope this make a bit more sense. 

 

On a side note, yes, we use sub interfaces and have 9 VRFs to a switch with VLAN interfaces. We use BGP for routing between the firewall and switch to have the separate VRFs. 

0 Helpful
Customers Also Viewed These Support Documents