VPN S2S to Remote Access

edgar.deharo
Level 1

Hello all,

I have a problem with two VPNs on a Cisco ASA 5545.

We have one VPN (Remote access), but it is a dynamic VPN because the clients have dynamic IPs (the clients use TheGreenBow). This VPN shares some networks. As an example, these networks can be 1.1.0.0/16 as a remote network and 2.2.2.0/24, and also 1.1.0.0/16.

On the other hand, we have a Remote Access VPN (we use a VPN Client). If I assign an IP to the client in the range 1.1.0.0/16, I can't ping any host on the 1.1.0.0/16 network and also can't reach 2.2.2.0/24 (I include these networks in the split tunneling).

I have tried different combinations of NAT (in the first position), I have revised the ACLs... and I can't find a way to reach networks 1.1.0.0/16 and 2.2.2.0/24 from the Remote Access VPN.

Is it possible? Or am I trying something that is not possible?

Thanks

4 Replies

Sebastian Velez
Level 1

Hi edgar.deharo,

I am quite confused by the description of your problem. Please let me know if this is what you are trying to say:

You have a site-to-site tunnel between two 5545s. One of the ASAs has the local networks 1.1.0.0/16 and 2.2.2.0/24.

The other ASA handles remote VPN clients and you want them to access the 1.1.0.0/16 and the 2.2.2.0/24 through the site-to-site tunnel.

Hello Sebastian.

Thanks for responding. I will try to explain better.

I have only one Cisco ASA 5545. On this ASA I connect a lot of clients via a Site-to-Site tunnel with an IPsec client (TheGreenBow). The name of this Site-to-Site tunnel is 2.2.2.2 (because it's a Dynamic Site-to-Site) and the remote network is 10.15.0.0/16 (forget the networks that I mentioned in the first post).

Now I'm interested in creating a new Remote Access VPN to connect with the Cisco VPN Client, but I wish to use the same remote network as in the Site-to-Site (I wish my remote VPN clients to have an IP in 10.15.0.0/16).

My test is this: I create the site-to-site with another remote network (for example 10.16.0.0/16) and the remote VPN clients work OK on the network 10.15.0.0/16 (I can ping my local network). But when I change the site-to-site to a 10.15.0.0/16 remote network, my VPN clients stop receiving responses from the local network, but the site-to-site clients (TheGreenBow) work OK (I can ping my local network).

My question is: is it possible to have site-to-site and remote access with the same remote network?

Thanks!

Hi edgar.deharo

I am afraid that you can't have multiple VPN tunnels (Site-to-Site, Dynamic to Static or VPN clients) on the same range. This will cause an overlap, and the ASA will only send it to the one with the lower sequence number. Dynamic connections are usually applied at the end of your crypto map list with a sequence number of 65535, so they will be the last ones the firewall checks.

Hello Edgar,

Adding to what my peer just advised, which is right, there are 2 ways to have this resolved: a simple one, which I recommend, and a more difficult one that you can use if needed:

1. Simple one: Assign a different IP local pool or DHCP scope with different IP addresses to the VPN clients.

2. Or the difficult one: you may NAT through the VPN tunnel, but in that case you will need to change the IP addresses defined in the interesting traffic, which will be more work, but it is still an option. In this case a Twice NAT will be required.

Let me know if you have further questions, please rate the helpful posts and mark it as correct if your question is answered!

Regards,

David Castro,
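As an added check that is not from the thread or from Cisco, here is a small Python model of the rule Sebastian and David describe: when two tunnel definitions claim the same remote range, traffic to that range follows the crypto map entry with the lowest sequence number and the other tunnel is shadowed, and the fix is a client pool that does not overlap. Tunnel names and sequence numbers are constructed; the thread only says dynamic entries normally sit at 65535.

```python
"""Pre-change check for overlapping remote ranges across tunnel definitions.
Models the behaviour described in the thread, not the ASA's implementation."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelEntry:
    name: str           # constructed label for the tunnel
    seq: int            # crypto map sequence number (constructed values)
    remote_nets: tuple  # remote networks as ipaddress.IPv4Network objects


def make_entry(name, seq, *cidrs):
    return TunnelEntry(name, seq, tuple(ipaddress.ip_network(c) for c in cidrs))


def select_entry(entries, dst_ip):
    """Entry the firewall would use for dst_ip: lowest seq among matches, or None."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [e for e in entries if any(dst in n for n in e.remote_nets)]
    return min(matches, key=lambda e: e.seq) if matches else None


def find_shadowed(entries):
    """Return (winner, shadowed, overlapping_cidr) for every overlapping pair.
    Two overlapping networks always nest, so the longer prefix is the overlap."""
    problems = []
    ordered = sorted(entries, key=lambda e: e.seq)
    for i, winner in enumerate(ordered):
        for loser in ordered[i + 1:]:
            for a in winner.remote_nets:
                for b in loser.remote_nets:
                    if a.overlaps(b):
                        overlap = a if a.prefixlen >= b.prefixlen else b
                        problems.append((winner.name, loser.name, str(overlap)))
    return problems


# Constructed scenario from the thread: dynamic S2S (TheGreenBow) remote
# network next to the Cisco VPN Client address pool, before and after the fix.
S2S_BROKEN = make_entry("s2s-greenbow", 10, "10.15.0.0/16")
S2S_FIXED = make_entry("s2s-greenbow", 10, "10.16.0.0/16")
RA_POOL = make_entry("ra-vpnclient", 65535, "10.15.0.0/16")

if __name__ == "__main__":
    for label, cfg in (("broken", [S2S_BROKEN, RA_POOL]), ("fixed", [S2S_FIXED, RA_POOL])):
        print(label, "shadowed:", find_shadowed(cfg),
              "10.15.3.4 ->", select_entry(cfg, "10.15.3.4").name)
```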