
I have asked a similar question, but didn't get any answers, so I am going to try and rephrase.

I have 4 locations: corporate and 3 remotes.

When you are at the corporate location, you have full access to all networks: 192.168.3.x, 192.168.2.x, 192.168.1.x, 192.168.0.x.

All locations are connected via site-to-site VPN with the corporate location. If you are at a remote location, you have access to that location and the corporate location.

The corporate location handles all VPN traffic.

However, when you VPN into the corporate location, you cannot see outside the corporate location.

Can anyone provide some information or a link explaining how to allow the VPN users to see all locations?

Thanks.

Static route configuration:

Gateway of last resort is 207.255.x.1 to network 0.0.0.0

C    207.255.x.0 255.255.255.0 is directly connected, outside
S    10.0.1.6 255.255.255.255 [1/0] via 207.255.x.1, outside
S    10.0.1.5 255.255.255.255 [1/0] via 207.255.x.1, outside
S    192.168.0.0 255.255.255.0 [1/0] via 192.168.0.1, inside
C    192.168.1.0 255.255.255.0 is directly connected, inside
S    192.168.2.0 255.255.255.0 [1/0] via 192.168.2.1, inside
S    192.168.3.0 255.255.255.0 [1/0] via 192.168.3.1, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 207.255.x.1, outside
                     [1/0] via 192.168.1.1, outside

Jeff

2 Answers


If you're sitting your VPN users in the same network as your office, you need to add static routing to the other locations in your VPN client settings explicitly, unless you're also using your VPN as your default gateway.

My preferred solution, though, is to create a new network just for VPN remote users; this gives you a better view of who they are and what they do. From there on you can either choose to configure static routes on your clients or just activate the VPN as the default gateway for the user.

I'm not a fan of having the VPN as default gateway for the remote user traffic, so I recommend adding static routes to the configuration instead.

lynxman
  • Thanks for pointing me in the right direction. By adding static routes to the other locations, do you mean the connection gateways under remote access VPN? Do I need to configure these similar to the tunnel groups & crypto maps on the site-to-site VPN configuration? Sorry, I don't know a lot about ASA configurations; this was all set up before my time, and no one left here really has an understanding of it. Interested in learning though. – Jeff Jan 29 '11 at 18:25
  • The connection gateways under remote access VPN. By default your VPN client will only know of the local network to which it's assigned; by adding static routes in the client it should all work as a bliss – lynxman Jan 30 '11 at 16:42
  • I see. This might be a stupid question, but I'm not sure of it. So I would have my local network already there, then add the outside IP network with incremental metric values (1 local, 2 network2, etc.)? – Jeff Jan 31 '11 at 14:13
  • No need for incremental metrics, but you're on the right track. Let's say that your office network is XX.XX.1.X and you get assigned an IP there; to add a route to network XX.XX.2.X you would just add a route through the endpoint of your VPN connection – lynxman Jan 31 '11 at 14:16
  • OK, I understand what you mean. Appreciate your help with this, thanks again. – Jeff Jan 31 '11 at 14:17
  • @lynxman, just to make sure I have this correct. If my gateway at my main location is x.x.27.1 for my outside IP, and the remote network that I want to access is 192.168.2.x, the static route should be as follows? route 192.168.2.0 255.255.255.0 x.x.27.1 – Jeff Jan 31 '11 at 14:52
  • Almost there! The gateway needs to be the /internal/ endpoint of your VPN connection on your network side; if you don't know it, try adding the route making the endpoint your tunneling device from the client side – lynxman Jan 31 '11 at 15:03
  • @lynx the endpoint on the VPN client's network? – Jeff Jan 31 '11 at 15:15
  • Yes, the endpoint on your client; you just need to tell your client computer to send the traffic through the VPN tunnel somehow – lynxman Jan 31 '11 at 15:17
  • So... say I had 5 VPN users on the network; I would need to set up a static route for each one of their endpoints in the static route table? – Jeff Jan 31 '11 at 15:24
  • The other way around: just add a static route per network you want to arrive at in the VPN client config. Nothing you need to do on your end for that; it is all on the client-side VPN config – lynxman Jan 31 '11 at 15:27
  • @lynx OK, I understand now. Thanks again for your help; I'm going to go do some research etc. and see what I come up with. Thanks for taking the time to explain this :P – Jeff Jan 31 '11 at 15:33
  • Happy to help! :) – lynxman Jan 31 '11 at 15:49

A couple of suggestions here. You may want to set up tunnels between the remote sites instead of routing via the main site; it saves bandwidth etc. ASA site-to-site VPN is fairly limited and the routing is fairly tricky to troubleshoot; a much nicer setup would be to use DMVPN and a routing protocol (such as EIGRP or OSPF). DMVPN can do next-hop resolution, whereby the spokes automatically set up tunnels between themselves instead of routing everything via the hub.

If you still wish to enable access between remote sites via your central site, you should look into the command:

same-security-traffic permit intra-interface

This allows the ASA to route traffic out on the same interface it came in on.

HampusLi
  • I am not familiar enough with ASAs to want to change the configuration around, yet at least. The setup has been this way since before I got here, and there are 4 remote locations that depend heavily on the site-to-site VPN for a centralized database; if I'm going to break that connection I have to be able to bring it back up, and quick, or it could be my ass. I appreciate your response though; I'm going to look into the same-security-traffic permit intra-interface command. Thanks – Jeff Jan 31 '11 at 15:15
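The following is an added ASA configuration example, not taken from the question or either answer, that puts both suggestions together: a dedicated address pool for remote-access users and routes for the remote LANs pushed to the client (lynxman's answer; with the Cisco VPN client the per-network routes are normally installed on the client from the split-tunnel list the ASA pushes, so the ASA side is shown), plus the same-security-traffic command that lets traffic which arrives on the outside interface from a remote-access user leave the outside interface again through a site-to-site tunnel (HampusLi's answer). The 192.168.0.0/24 to 192.168.3.0/24 networks are the ones from the question; the pool 192.168.10.0/24 and the names RA-POOL, RA-SPLIT, RA-POLICY, RA-USERS and S2S-SITE2 are assumptions chosen for the example.

```cisco
! Added example (ASA 8.x syntax). Pool 192.168.10.0/24 and all object names
! are assumptions; the 192.168.x.0/24 LANs are the ones from the question.

! 1. Allow a flow to enter and leave the same interface. Remote-access
!    traffic arrives on "outside" and must go back out "outside" into the
!    site-to-site tunnels; the ASA drops that by default.
same-security-traffic permit intra-interface

! 2. Separate address pool for remote-access users, so their traffic is
!    distinguishable from the office LAN in logs, ACLs and crypto maps.
ip local pool RA-POOL 192.168.10.1-192.168.10.254 mask 255.255.255.0

! 3. Split-tunnel list. Every network listed here is pushed to the client
!    as a route through the tunnel. A list that names only the corporate
!    LAN is one common cause of "VPN users see corporate but not the
!    remote sites".
access-list RA-SPLIT standard permit 192.168.1.0 255.255.255.0
access-list RA-SPLIT standard permit 192.168.0.0 255.255.255.0
access-list RA-SPLIT standard permit 192.168.2.0 255.255.255.0
access-list RA-SPLIT standard permit 192.168.3.0 255.255.255.0

group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA-SPLIT

tunnel-group RA-USERS general-attributes
 address-pool RA-POOL
 default-group-policy RA-POLICY

! 4. The site-to-site crypto ACL for each remote site must also match
!    pool -> remote LAN, and the remote ASA's mirror ACL must match
!    remote LAN -> pool, or the hairpinned packets never enter the tunnel.
!    Shown for the 192.168.2.0/24 site only.
access-list S2S-SITE2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list S2S-SITE2 extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
```

Two things the fragment deliberately leaves out. NAT exemption for pool-to-remote-LAN traffic is needed on both ASAs as well, and its syntax changed between 8.2 (nat 0 with an ACL) and 8.3 and later (twice NAT), so check the running version before adding it. And if the group policy uses tunnelall instead of tunnelspecified, the client already sends everything into the tunnel and step 3 is not the fix; in that case concentrate on steps 1 and 4 and on the NAT exemption. Because the OP's comment above notes that four sites depend on the existing tunnels, apply the crypto ACL changes in a maintenance window and keep the previous ACL lines until the new ones are confirmed with "show crypto ipsec sa".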