I'd like to see if somebody here can help me with an in-principle answer on which direction to take.
We have an office LAN (192.168.100.0/24) connected to a production data centre (10.100.0.0/16) via a VPN. The office firewall is an ASA 5505. In addition, we have people connecting to the office firewall from home via IPSec client access.
      Home            Production
        |                 |
        |                 |
        --------|----------
                |
                | outside
         ------------
         | ASA 5505 |
         ------------
                | inside
                |
                | Office LAN
Our problem is that when connecting from home, it's not possible to connect to the production network at all, i.e. I can't ping from 192.168.1.2 (my home PC) to 10.100.34.3.
I understand that there may be some restrictions here because both the home endpoint and the production endpoint go into the "outer" interfaces.
My questions are:
- Is it possible to even set up this topology using a Cisco ASA 5505? If so, what do you do to make traffic flow from one VPN connection to another?
- If not possible, how do you make it possible? Put a L3 switch behind the ASA and put routing logic in place there?
This is bugging us a lot because we keep having to go through jump hosts and SSH forwarding in the office when working outside, which is really time consuming and doesn't work for everything.
Best Answer
Yes, this configuration is possible using a Cisco 5505. It's referred to as a VPN hairpin because traffic from the outside interface is coming inbound and then routing back outbound through the same outside interface.
There are three key components to this configuration.
1) Allow communication in/out of the same interface
2) Add the RAS VPN pool IP space to the interesting traffic for the site to site VPN.
3) Add a no-nat entry for the relevant traffic from outside to outside
This is assuming you're on a post 8.3 code.
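The three steps above as an ASA 8.3+ configuration fragment, added here as an illustration rather than taken from the answer. The office and production subnets are the ones from the question; the RAS pool (192.168.200.0/24), the object, ACL and crypto-map names, and the crypto-map sequence number are assumed, and the split-tunnel list at the end goes one step beyond the answer because a client that only tunnels the office LAN would never send production traffic into the VPN in the first place.

```cisco
! Step 1: let traffic that arrives on outside leave again via outside (hairpin)
same-security-traffic permit intra-interface

! Address objects (subnets from the question; RAS pool is an assumed value)
object network OFFICE-LAN
 subnet 192.168.100.0 255.255.255.0
object network PROD-DC
 subnet 10.100.0.0 255.255.0.0
object network RAS-POOL
 subnet 192.168.200.0 255.255.255.0
ip local pool RAS-POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0

! Step 2: interesting traffic for the site-to-site tunnel must include the RAS pool.
! The data-centre peer's crypto ACL has to mirror this with source/destination swapped,
! otherwise the DC end will drop the proposal for the extra subnet.
access-list L2L-TO-PROD extended permit ip object OFFICE-LAN object PROD-DC
access-list L2L-TO-PROD extended permit ip object RAS-POOL object PROD-DC
! assumed existing crypto map entry for the site-to-site tunnel
crypto map OUTSIDE-MAP 10 match address L2L-TO-PROD

! Step 3: identity (no-NAT) twice-NAT rule for RAS pool <-> production, outside to outside,
! so the pool addresses are preserved and match the crypto ACL on both ends
nat (outside,outside) source static RAS-POOL RAS-POOL destination static PROD-DC PROD-DC

! Beyond the answer's three steps: if the RAS clients use split tunnelling, the
! split list pushed to them must also include the production network
access-list RAS-SPLIT standard permit 192.168.100.0 255.255.255.0
access-list RAS-SPLIT standard permit 10.100.0.0 255.255.0.0
group-policy RAS-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RAS-SPLIT
```

To check the result, `show crypto ipsec sa` on the office ASA should show an SA for 192.168.200.0/24 to 10.100.0.0/16 once a home client sends traffic towards production, and `packet-tracer input outside icmp 192.168.200.10 8 0 10.100.34.3` should end in ALLOW with the (outside,outside) NAT rule in the trace.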