Access many subnets using VPN?

itdaddy (Member, Posts: 2,089)
Hey guys,
we have this remote VPN setup for people at work like me ;)
We have a PCF file I use, and we use our Active Directory as a RADIUS.

I can only remote directly into one subnet? I want to remote into these subnets all from home through the remote VPN setup on the ASA 5505 VPN device. How do I allow direct access to many subnets? These subnets are routed in our network; I just can't type in the server name, say SRV2, because it is on the 192.168.2.x subnet. I can only remote into any machine that is on the 1.x subnet? How do I allow many subnets through our VPN device? Direct access is faster than double remoting off of a server on the 1.x to other servers. I want direct routed access. You know, type in the server name and bam, I am routed to it by server name translated with DNS :)
Do I make a static route??? Or what?

  • docrice (Member, Posts: 1,706)
    Technically, Active Directory doesn't natively speak RADIUS. It does LDAP instead, with a bunch of other protocols for Windows systems (RPC, SMB, Kerberos, etc.), but you use something like IAS or NPS to serve as the RADIUS intermediary between the DC and ASA. You probably have it set up like this already (you might have one of these services installed on the DC itself).

    In any case, VPN gateways allow you to specify which destination networks to tunnel. You define these in a list and indicate in the connection profile on the gateway side that the networks in that list will be tunneled from the client. Since you mentioned a PCF file, I'm assuming you're talking about the older IPsec-based Cisco VPN Client. I only use the ASA for SSL / AnyConnect clients so I don't know the configuration specifics off-hand (because I'm too lazy to look right now), but that's how it's done on the older 3000 series concentrators and all the other VPN gateway devices I've managed over the years. I can't imagine the ASA being any different.

    Are you allowing split-tunneling?
  • itdaddy (Member, Posts: 2,089)
    If you can get Internet access and remote desktop at the same time, then I have split-tunneling, right?

    Where can I get good examples on how to config this? And yep, it is an ASA. Does using a PCF mean it is old? SSL VPN is okay too, but I am sure SSL VPN is easier. It is IPsec/UDP, I believe..
    I guess what I should have said about our AD is that it is used as an authentication server, to be more exact ;)
  • docrice (Member, Posts: 1,706)
    Split-tunneling just means that you configure the client-gateway profile to tunnel only traffic to specific destination networks on (usually) the internal side of the firewall / VPN device via the client's virtual adapter, while everything else goes directly out the physical interface directly to the Internet. If you don't split-tunnel, then Internet-bound traffic has to go down the VPN tunnel, hop through the internal corporate network side, and then to the Internet.

    The latter example allows potential filtering and inspection of Internet-bound traffic to enforce policies, filter some types of payloads, etc. It comes at a performance penalty for both the client and gateway, however. It's the more secure method as a generalization if you're performing that kind of inspection or requiring the use of an internal proxy.

    If you don't know if you're split-tunneling or not, do a traceroute to one of your internal networks that you currently have access to, then a traceroute to a public Internet host. You'll see the difference right off the bat at the first couple of hops if you're supporting split-tunnels.

    How are you managing the ASA? Via ASDM or via CLI? I'm pretty sure Cisco has documentation for this. You just need to define the networks that you want to tunnel and apply it to your IPsec group profile.

    Cisco has been in the process of phasing out the IPsec client for years now. A lot of large organizations still use it, but many have already migrated to the AnyConnect client. Less hassle from not having to deal with protocols 50/51, IKE, etc., and virtually all public locations (such as Wi-Fi hotspots) will allow out TCP 443. AnyConnect requires additional licensing, however, if the number of clients in your environment is particularly large. The 5505 with a base license comes with support for two AnyConnect clients.
  • powerfool (Member, Posts: 1,663)
    The access-list that defines the VPN traffic must have all of those subnets defined. Also, if the IP pool that has your address is not routable (for whatever possible reason), you will need to set up a route to that pool on the router(s) connecting those subnets and point it to the ASA.

    Other than that, access-lists on the internal network could block your traffic.

    That is all I can think of w/o my morning coffee.
  • cisco_trooper (Member, Posts: 1,441)
    Check your "No NAT" policies to make sure you are (no)NATing those subnets correctly, and check the VPN Filter on the tunnel-group you are using to see if traffic is restricted. Finally, make sure those subnets are reachable from the firewall.
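    Putting the three answers above together as an added example (constructed for this thread, not posted by any of the members): an ASA configuration fragment that tunnels several internal subnets to the client, pushes internal DNS, exempts the VPN pool from NAT, and authenticates against the RADIUS group in front of AD. Every name, subnet, pool and server address is a placeholder, and the aaa-server group AD-RADIUS is assumed to exist already.

    ```cisco
    ! Constructed example: all subnets, names and addresses are placeholders.
    ! Internal networks the client should reach directly through the tunnel.
    object-group network VPN-INTERNAL-SUBNETS
     network-object 192.168.1.0 255.255.255.0
     network-object 192.168.2.0 255.255.255.0
     network-object 192.168.3.0 255.255.255.0

    ! Split-tunnel list: only these destinations go down the tunnel;
    ! everything else leaves the client's physical interface directly.
    access-list SPLIT-TUNNEL-ACL standard permit 192.168.1.0 255.255.255.0
    access-list SPLIT-TUNNEL-ACL standard permit 192.168.2.0 255.255.255.0
    access-list SPLIT-TUNNEL-ACL standard permit 192.168.3.0 255.255.255.0

    ! Address pool handed to VPN clients. Internal routers need a route for
    ! 10.10.10.0/24 pointing at the ASA inside interface, or replies never return.
    ip local pool VPN-POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0
    object network VPN-POOL-NET
     subnet 10.10.10.0 255.255.255.0

    ! Group policy: tunnel only the listed networks and push internal DNS so a
    ! short name like SRV2 resolves through the tunnel. No vpn-filter is applied;
    ! if one is, it must permit the same subnets.
    group-policy REMOTE-VPN-GP internal
    group-policy REMOTE-VPN-GP attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value SPLIT-TUNNEL-ACL
     dns-server value 192.168.1.10
     default-domain value corp.example
     vpn-filter none

    ! Tunnel group: RADIUS (NPS/IAS in front of AD) for authentication.
    ! Assumes "aaa-server AD-RADIUS protocol radius" is already configured.
    tunnel-group REMOTE-VPN type remote-access
    tunnel-group REMOTE-VPN general-attributes
     address-pool VPN-POOL
     authentication-server-group AD-RADIUS
     default-group-policy REMOTE-VPN-GP

    ! NAT exemption (8.3+ syntax): traffic between the internal subnets and the
    ! VPN pool must not be translated. On pre-8.3 code the equivalent is
    ! "nat (inside) 0 access-list <acl>" with an ACL matching the same pairs.
    nat (inside,outside) source static VPN-INTERNAL-SUBNETS VPN-INTERNAL-SUBNETS destination static VPN-POOL-NET VPN-POOL-NET no-proxy-arp route-lookup
    ```

    After applying it, the client-side route table should list one route per subnet in SPLIT-TUNNEL-ACL via the virtual adapter, which is the quickest check that the list and group policy are in effect.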
  • itdaddy (Member, Posts: 2,089)
    Wow, thanks guys, wow, great info. Going to check on this stuff, all of it.
    So cool. Thanks for your guys' time and help; you are very appreciated ;)