NAC Appliance with ASA (for remote user VPN)

I have a pair of Cisco ASA 5520 firewalls which are used as a VPN gateway (for remote user VPN) and as the perimeter Internet firewall (to provide outbound Internet connectivity).

We are enabling NAC for remote VPN users. It will be deployed in Layer 3 in-band mode.

The problem with this design is how to ensure that outgoing Internet traffic does not pass through the CAS.

I have heard about a couple of options:

- ACL (to send only the remote VPN users' IP subnet through the CAS)

- ASA version 8.x feature (Restrict Access to VLAN under Group Policy).

I intend to do it with the ASA firewall, where I can set up a new subinterface on the ASA (with a new VLAN tag) and, under the group policy for remote user VPN, select the option "Restrict Access to VLAN" for the new VLAN.

My question is: does this still work (even if the firewall has a route to the internal network via the 'inside' interface and NOT via the new NAC interface)? If this does not work, please let me know what the other options are for this type of deployment.

Thanks in advance.

Hello

It should work. Please see the attached PDF for more clarity on this topic: https://supportforums.cisco.com/docs/DOC-9102

HTH,

Faisal

Tags: Cisco Security

Similar Questions

  • How to use ACS 5.2 to create a static IP address user for remote access VPN

    Hi all,

    I have a problem. Please help me.

    Initially I used ACS 4.2 to create the static IP address for a VPN remote access user. It's easy: simply configure User > Client IP Address Assignment > assign a static IP address. But with ACS 5.2 I don't know how to do it.

    I tried to add the IPv4 address attribute to the user after reading "How to use ACS 5.2", which says this:

    Step 1: Add a static IP address attribute to the internal user attribute dictionary:

    Step 2: Select System Administration > Configuration > Dictionaries > Identity > Internal Users.

    Step 3: Click Create.

    Step 4: Add the Static IP attribute.

    Step 5: Select Users and Identity Stores > Internal Identity Stores > Users.

    Step 6: Click Create.

    Step 7: Edit the Static IP attribute of the user.

    I just did that, but it doesn't work. When I use the Easy VPN client to connect to the ASA 5520, the user authenticates successfully but does not get the static IP I set up on the internal user, so the tunnel setup fails. When I configure an IP pool on the ASA for ACS users to get their IP from and connect with the Easy VPN client, everything is OK and the user authenticates successfully. But when I remove the IP pool configuration and use the "add a static IP address to the user" configuration, EzVPN fails.

    So, what should I do? If anybody knows how to use ACS 5.2 to create a user with a static IP address for remote access VPN, please tell me.

    Waiting for your answer; whether the question is right or not, please answer. Thank you.

    There are a few extra steps to ensure that the static address defined for the user is returned in the Access-Accept. See the instructions in the two slides attached.

  • DAP option for registry checks on remote access VPN AnyConnect 3.0+ users

    Hi all,

    I'm trying to assign DAP attributes to VPN users (AnyConnect 3.0+) who fulfil certain registry conditions. When setting up the DAP policy and selecting the registry condition, it errors with "Cisco Secure Desktop (CSD) is not enabled. CSD should be enabled to configure the registry endpoint attribute." But as I perceived it, the "Host Scan" module integrated in AnyConnect 3.0 would take care of checking the registry attribute. So why is it asking me to enable CSD? Is CSD really necessary to verify the registry attribute even if we use AnyConnect 3.0+? Any pointers?

    It must be enabled on the ASA end, in addition to the AnyConnect-based bits.

    Note that elsewhere in the link you quoted, it says "Host Scan automatically identifies the operating systems and service packs on any remote device establishing a Cisco clientless SSL VPN or AnyConnect client session, when Host Scan/CSD is enabled on the ASA." (emphasis added).

    FYI, Cisco is deprecating these features over time in favor of posture scanning on ISE in conjunction with the new AnyConnect 4.0 posture module.

  • ASA remote access VPN with a dynamic external IP

    Hi forum,

    I was wondering if it is possible to set up an ASA to provide remote access VPN connections (IPsec or WebVPN/SSL) from the outside world if the external IP address is dynamic (i.e. obtained through DHCP)? I understand how to use Dynamic DNS to provide a hostname for the VPN clients; I'm simply asking if the ASA can be configured to allow VPN connections on a DHCP-addressed interface. I understand there are problems with site-to-site VPN when both sides are addressed dynamically, but it seems that remote access VPN should work. Just hoping to confirm this before I go and work on a config.

    Thanks in advance...

    The same configuration applies.

    In my view, the only difference with the external IP being dynamic is:

    interface e0/0
     ip address dhcp setroute
    crypto map

    The only other difference is that the VPN clients (the PCF file) should have the VPN connection configured with a hostname (rather than an IP address), and that name must resolve to the ASA's IP.

    I'll try to find you an example configuration if you don't have one.

    Federico.

  • How can I assign a fixed static IP to remote access VPN users

    Hi team,

    I have a requirement to assign fixed static IPs to remote access VPN users on the ASA. Please help me with how I can achieve this.

    Thanks in advance
    Mikael

    username user1 attributes
     vpn-framed-ip-address 10.200.115.78 255.255.0.0

  • ASA 5505 - remote access VPN to access various internal networks

    Hi all,

    A customer has an ASA 5505 with a remote access VPN. They are moving their internal network to a new scheme and would like users who come in on the VPN to access both the existing and the new networks. Currently they can only access the existing one. When users connect to the remote access VPN, the ASA gives them an address of 192.168.199.x. The current internal network is 200.190.1.x and they would like to reach their new network of 10.120.110.x.

    Here is the config:

    :
    ASA Version 8.2(5)
    !
    hostname ciscoasa
    enable password xxx encrypted
    passwd xxx encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 200.190.1.15 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address xxxxxxx 255.255.255.0
    !
    banner exec UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED
    banner login UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED
    banner asdm UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED
    ftp mode passive
    access-list inside_access_in extended permit ip 200.190.1.0 255.255.255.0 any
    access-list outside_access_in extended permit icmp any interface outside
    access-list outside_access_in extended permit ip 192.168.199.0 255.255.255.192 host 10.120.110.0
    access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit 200.190.1.0 255.255.255.0
    access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit host 10.120.110.0
    access-list inside_nat0_outbound extended permit ip 200.190.1.0 255.255.255.0 192.168.199.0 255.255.255.192
    access-list inside_nat0_outbound extended permit ip host 10.120.110.0 192.168.199.0 255.255.255.192
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool Remote_IPSEC_VPN_Pool 192.168.199.10-192.168.199.50 mask 255.255.255.0
    ip verify reverse-path interface outside
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 200.190.1.0 255.255.255.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 190.213.43.1 1
    route inside 10.120.110.0 255.255.255.0 200.190.1.50 1
    route inside 192.168.50.0 255.255.255.0 200.190.1.56 1
    route inside 192.168.60.0 255.255.255.0 200.190.1.56 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable 10443
    http server idle-timeout 5
    http server session-timeout 30
    http 200.190.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
     crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
     certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
      (omitted)
      quit
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp nat-traversal 3600
    telnet timeout 5
    ssh 200.190.1.0 255.255.255.0 inside
    ssh timeout 5
    ssh version 2
    console timeout 5
    dhcpd auto_config outside
    !
    threat-detection basic-threat
    threat-detection scanning-threat shun
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable outside
    group-policy MD_SSL_Gp_Pol internal
    group-policy MD_SSL_Gp_Pol attributes
     vpn-tunnel-protocol webvpn
     webvpn
      url-list none
      port-forward disable
      hidden-shares none
      file-entry disable
      file-browsing disable
      url-entry disable
    group-policy MD_IPSEC_Tun_Gp internal
    group-policy MD_IPSEC_Tun_Gp attributes
     banner value Welcome to Remote VPN
     vpn-simultaneous-logins 1
     vpn-idle-timeout 5
     vpn-tunnel-protocol IPSec webvpn
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value MD_IPSEC_Tun_Gp_splitTunnelAcl
     address-pools value Remote_IPSEC_VPN_Pool
     webvpn
      url-list value RDP
    username (omitted) attributes
     vpn-group-policy MD_IPSEC_Tun_Gp
     service-type remote-access
    tunnel-group MD_SSL_Profile type remote-access
    tunnel-group MD_SSL_Profile general-attributes
     default-group-policy MD_SSL_Gp_Pol
    tunnel-group MD_IPSEC_Tun_Gp type remote-access
    tunnel-group MD_IPSEC_Tun_Gp general-attributes
     address-pool Remote_IPSEC_VPN_Pool
     default-group-policy MD_IPSEC_Tun_Gp
    tunnel-group MD_IPSEC_Tun_Gp ipsec-attributes
     pre-shared-key *
    !
    !
    prompt hostname context
    : end

    The following split-tunnel ACL and NAT exemption ACL lines are incorrect:

    access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit host 10.120.110.0
    access-list inside_nat0_outbound extended permit ip host 10.120.110.0 192.168.199.0 255.255.255.192

    They should have been:

    access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit 10.120.110.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.120.110.0 255.255.255.0 192.168.199.0 255.255.255.192

    Then 'clear xlate' and reconnect with the VPN Client.

    Hope that helps.

  • Remote user IPsec VPN does not work

    Hello,

    I'm trying to configure a remote user IPsec VPN on a Cisco 1921 router but it doesn't work, for some reason I don't understand. Does anyone have an idea? Did I forget something?

    Thank you in advance for your help!

    This is part of my configuration:

    aaa new-model
    !
    aaa authentication login AuthentVPN local
    aaa authorization network AuthorizVPN local
    !
    aaa session-id common
    !
    username xxxxxx password 0 xxxxx
    !
    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 5
     lifetime 3600
    !
    crypto isakmp client configuration group vpnclient
     key XXXXXXXXXXXXXXXXXXXXXXXX
     dns 192.168.0.254
     domain GVA.INTRA
     pool IPPoolVPN
     acl 100
    !
    !
    crypto ipsec transform-set T1 esp-aes esp-sha-hmac
     mode tunnel
    !
    crypto dynamic-map DynMap 10
     set transform-set T1
    !
    crypto map myMap client authentication list AuthentVPN
    crypto map myMap isakmp authorization list AuthorizVPN
    crypto map myMap client configuration address respond
    crypto map myMap 100 ipsec-isakmp dynamic DynMap
    !
    interface Dialer1
     mtu 1492
     ip address negotiated
     ip access-group RESTRICT_ENTRY_INTERNET in
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication pap callin
     ppp chap hostname xxxxxxxxx
     ppp chap password 0 xxxxxxxxx
     ppp pap sent-username xxxxxxxxxxxx password 0 xxxxxxxxxxxxxx
     crypto map myMap
    !
    ip local pool IPPoolVPN 192.168.10.0 192.168.10.253
    !
    ip nat inside source list 110 interface Dialer1 overload
    !
    access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
    access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255

    That conflict will break things and should be avoided. It might work if you disable split tunneling and route everything via the VPN client...

    Ideally business networks should not use 192.168.0.0/24, nor 192.168.1.0/24 or 192.168.2.0/24, since they are common in home routers... you could also have them change their home network easily.

    Patrick
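As an added example (not code from either thread), the following Python script mechanically checks for the two kinds of mistake discussed in the ASA 5505 thread above and in this one: a `host` keyword applied to a network address in the split-tunnel or NAT-exemption ACL (together with a split-tunnel network that has no NAT 0 exemption toward the VPN pool), and a protected LAN that collides with the common home-router subnets Patrick lists. The sample config lines are constructed from those posts; the ACL and pool names are the ones the posters used, and the list of home-router subnets is an assumption.

```python
import ipaddress

# Constructed sample input: the split-tunnel and NAT-exemption ACLs and the address
# pool from the ASA 5505 thread, plus the corrected form given in the reply.
BROKEN_ASA = """
access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit 200.190.1.0 255.255.255.0
access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit host 10.120.110.0
access-list inside_nat0_outbound extended permit ip 200.190.1.0 255.255.255.0 192.168.199.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip host 10.120.110.0 192.168.199.0 255.255.255.192
ip local pool Remote_IPSEC_VPN_Pool 192.168.199.10-192.168.199.50 mask 255.255.255.0
"""
FIXED_ASA = BROKEN_ASA.replace("host 10.120.110.0", "10.120.110.0 255.255.255.0")
# Constructed sample input: the split-tunnel ACL from the 1921 router thread.
IOS_SPLIT = "access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255\n"
# Assumed default prefixes of consumer routers; a LAN on one of these collides with the user's home LAN.
COMMON_HOME_SUBNETS = [ipaddress.ip_network(n) for n in
                       ("192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24")]

def parse_address(tokens, i):
    """Parse the ACL address at tokens[i]; return (network, host_keyword_used, next_index).
    Accepts 'any', 'host A.B.C.D' and 'A.B.C.D MASK' (ASA netmask or IOS wildcard: ipaddress
    reads a second operand that is not a valid netmask as a hostmask)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), False, i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), True, i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), False, i + 2

def parse_config(text):
    """Return (acls, pools): acls maps ACL name -> [(src, dst_or_None, [host_flags])] for permit
    entries (ASA standard/extended and IOS 'permit ip' only); pools is [(first, last)] addresses."""
    acls, pools = {}, []
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and "permit" in t:
            p = t.index("permit")
            if t[p + 1] == "ip":                     # extended: permit ip SRC DST
                src, h1, j = parse_address(t, p + 2)
                dst, h2, _ = parse_address(t, j)
                entry = (src, dst, [h1, h2])
            else:                                    # standard: permit SRC
                src, h, _ = parse_address(t, p + 1)
                entry = (src, None, [h])
            acls.setdefault(t[1], []).append(entry)
        elif t[:3] == ["ip", "local", "pool"]:       # ASA 'lo-hi mask M' or IOS 'lo hi'
            lo, _, hi = t[4].partition("-") if "-" in t[4] else (t[4], None, t[5])
            pools.append((ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    return acls, pools

def host_with_network_address(acls):
    """Finding 1: 'host' applied to an address ending in .0 (a forgotten subnet mask)."""
    out = []
    for name, entries in acls.items():
        for src, dst, flags in entries:
            for net, used_host in zip((src, dst), flags):
                if used_host and str(net.network_address).endswith(".0"):
                    out.append((name, str(net.network_address)))
    return out

def split_without_exemption(acls, split_name, nat0_name, pool):
    """Finding 2: split-tunnel networks with no NAT 0 exemption covering them toward the pool."""
    lo, hi = pool
    exempt = [src for src, dst, _ in acls.get(nat0_name, []) if dst is not None
              and dst.network_address <= lo and hi <= dst.broadcast_address]
    return [str(src) for src, _, _ in acls.get(split_name, [])
            if not any(src.subnet_of(e) for e in exempt)]

def home_subnet_collisions(networks):
    """Finding 3: protected networks that are also common home-router subnets."""
    return [str(n) for n in networks if any(n.overlaps(h) for h in COMMON_HOME_SUBNETS)]

def lint(text, split_name="MD_IPSEC_Tun_Gp_splitTunnelAcl", nat0_name="inside_nat0_outbound"):
    """Run the three checks over a config fragment and return a list of finding strings."""
    acls, pools = parse_config(text)
    findings = [f"host keyword on network address {a} in ACL {n}"
                for n, a in host_with_network_address(acls)]
    if nat0_name:
        for pool in pools:
            findings += [f"split-tunnel network {s} has no nat 0 exemption toward the pool"
                         for s in split_without_exemption(acls, split_name, nat0_name, pool)]
    findings += [f"protected network {n} is a common home-router subnet"
                 for n in home_subnet_collisions([s for s, _, _ in acls.get(split_name, [])])]
    return findings
```

`lint(BROKEN_ASA)` reports the two `host 10.120.110.0` entries, `lint(FIXED_ASA)` reports nothing, and `lint(IOS_SPLIT, split_name="100", nat0_name=None)` flags the 192.168.0.0/24 corporate LAN from the router thread.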

  • Why does Firefox 3.0.19 crash with a segfault for regular users while for a sudo user it does not?

    Why does Firefox 3.0.19 segfault when used by a regular user, when a sudo user does not get it?

    ID of the Crash

    13233

    User Agent

    Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.4; .NET CLR 1.1.4322; .NET CLR 2.0.50727;. InfoPath.2 CLR 3.0.04506.648 .NET; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

    Do you use Linux?
    If so, then what distribution?
    You posted with an IE 8 user agent.

    If you're on Linux, using a version of Firefox for your Linux distribution or the normal version of Firefox from the Mozilla site?

    Have you checked that your configuration meets the requirements of Firefox?
    http://www.mozilla.com/firefox/system-requirements-v3.html - Firefox 3 system requirements

    See also http://kb.mozillazine.org/Installing_Firefox

  • Using PowerCLI to set Virtual Machine Console Options for remote users

    I really miss Onyx... Such a wonderful tool. I'm looking for a script to change the Virtual Machine Console Options for remote users, as shown here:

    VSphere Documentation Centre

    Someone has any idea how to set these variables?

    Thank you

    J

    The relevant virtual machine configuration settings are RemoteDisplay.maxConnections and tools.guest.desktop.autolock.

    You can change these settings with the (Get|New|Set|Remove)-AdvancedSetting cmdlets. For example, run:

    Get-VM MyVM1 | New-AdvancedSetting -Name "RemoteDisplay.maxConnections" -Value 3 -Confirm:$false -Force

    Get-VM MyVM1 | New-AdvancedSetting -Name 'tools.guest.desktop.autolock' -Value 'true' -Confirm:$false -Force

  • Disable XAuth for remote access VPN

    Hi guys,

    I would like to know if I can skip XAuth for remote access VPN on a router.

    Here's my config; everything is working beautifully, but I don't want to see any username & password window after clicking on the VPN profile.

    aaa authentication login VPNUSERSAUTH local
    aaa authorization network VPNUSERS local
    username ra-user privilege 0 secret 1cannotTELu

    crypto isakmp policy 7
     encr aes
     hash sha
     authentication pre-share
     group 2

    crypto isakmp client configuration group VPNUSERS
     key theKEYallneedt0
     pool VPN-POOL
     acl ACL-SPLIT-VPN

    crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map VPNDYNMAP 1
     set transform-set ESP-AES128-SHA
     reverse-route

    crypto map map-OUTSIDE client authentication list VPNUSERSAUTH
    crypto map map-OUTSIDE isakmp authorization list VPNUSERS
    crypto map map-OUTSIDE client configuration address respond
    crypto map map-OUTSIDE 6500 ipsec-isakmp dynamic VPNDYNMAP

    ip local pool VPN-POOL 10.1.24.1 10.1.24.25
    ip access-list extended ACL-SPLIT-VPN
     permit ip 192.168.11.0 0.0.0.255 10.1.24.0 0.0.0.255
     
    Thank you very much!

    Hi Florin,

    In the case of remote access VPN, the user must be authenticated by username and password or by certificates.
    You can deploy certificate-based authentication as follows:
    http://www.Cisco.com/c/en/us/support/docs/security-VPN/IPSec-negotiation-IKE-protocols/22520-unityclient-iOS.html#router-config

    This will use the certificate for user authentication and not require a username and password.

    Kind regards,
    Dinesh Moudgil

    PS: Please rate helpful messages.

  • Deny remote VPN users from a partner site access to PCs at our site

    Hi Experts,

    Setup:

    We have configured an IPsec site-to-site VPN between a Cisco ASA 5510 and a SonicWall.

    The tunnel is up and working well; we are able to access the remote partner workstations and vice versa.

    Requirement: We want to deny the remote VPN users, who are our partners, access to the workstation.

    Example:

    Remote IP address range: 192.168.200.x/24

    Local IP address range: 192.168.10.x/24

    Deny traffic from 192.168.200.x/24 to 192.168.10.x/24

    Thanks in advance

    Kiran Kumar CH

    Hi Kiran,

    You want to deny certain IP addresses of the remote LAN (of the L2L tunnel) from connecting to your workstation?

    So, if the remote network is 192.168.200.0/24, you want to deny some of those machines from connecting to 192.168.10.x?

    If this is the case, you can create VPN ACLs (VPN filters) on the ASA to restrict traffic through the tunnel from those IPs.

    Please clarify if I have misunderstood.

    Federico.

  • Disable printer redirection for remote users only

    Hi, we have a customer requirement that when users connect to the View 5.2 platform internally (via PCoIP) they are able to get both the printers mapped by the location-based printing GPO and all locally connected USB printers. However, when a user is working from outside the LAN we must disable printer redirection entirely: they don't want sensitive documents printing outside of the office.

    What is the best way to achieve this?

    In case anyone is interested, I managed to solve this problem using a VBS script, executed using the View agent RunOnConnect GPO. It queries the volatile environment variables for the name of the View Connection Server used for external access, and if it matches then checks membership of a group. If the user is not a member of the remote-printing-allowed group it disables the ThinPrint services.

    Dim objGroupList   ' group cache, filled lazily by IsMember
    strComputer = "."
    Set objNetwork = WScript.CreateObject("WScript.Network")
    Set objSysInfo = CreateObject("ADSystemInfo")
    strUserDN = objSysInfo.UserName
    Set objUser = GetObject("LDAP://" & strUserDN)
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set objShell = CreateObject("WScript.Shell")

    '--------------------------------------------------------
    ' IsMember Function
    '--------------------------------------------------------
    Function IsMember(strGroup)
        ' Function to test one user for group membership.
        ' objUser is the user object with global scope.
        ' strGroup is the NT name of the group to test.
        ' objGroupList is a dictionary object with global scope.
        ' Returns True if the user is a member of the group.
        Dim objGroup
        If IsEmpty(objGroupList) Then
            Set objGroupList = CreateObject("Scripting.Dictionary")
            objGroupList.CompareMode = vbTextCompare
            For Each objGroup In objUser.Groups
                objGroupList(objGroup.sAMAccountName) = True
            Next
        End If
        IsMember = objGroupList.Exists(strGroup)
    End Function

    '--------------------------------------------------------
    ' Check whether the client logged in through the external View Connection Servers
    ' and disable printing if the user is not a member of the AD group remote-printing-allowed
    '--------------------------------------------------------
    strBroker = objShell.ExpandEnvironmentStrings("%ViewClient_Broker_DNS_Name%")
    If strBroker = "GR1VCSV01.domain.net" Or strBroker = "GR1VCSV02.domain.net" Then
        If IsMember("remote-printing-allowed") Then
            WScript.Echo "Virtual Printing Enabled"
        Else
            ' Stop and disable the ThinPrint services
            Set colServiceList = objWMIService.ExecQuery _
                ("Select * from Win32_Service where Name = 'TPAutoConnSvc' OR Name = 'TPVCGateway'")
            For Each objService In colServiceList
                If objService.State = "Running" Then
                    objService.StopService()
                    WScript.Sleep 5000
                End If
                errReturnCode = objService.ChangeStartMode("Disabled")
            Next
        End If
    End If
    
  • No Internet connectivity with ASA 5505 remote access VPN

    Hello,

    I configured an ASA 5505 for remote access VPN to allow remote users to connect to the remote office LAN. The VPN works well; users can access office LAN resources such as shares etc., but once they have connected to the VPN they are unable to browse the Internet.

    Internet browsing stops working as soon as their VPN client connects with the ASA 5505, and once they are disconnected from the VPN they can browse the Internet again.

    Is the ASA 5505 blocking Internet browsing for VPN users? Is there anything else that I need to configure to ensure that VPN users can browse the Internet?

    Do I have to configure split tunneling, NAT or routing for VPN users? Or something else?

    Thank you very much for your help.

    Regards

    Salman

    Salman

    What you are running into is a default behavior of the ASA in which it will not route traffic back out the same interface on which it arrived. So if the VPN traffic arrived on the outside interface, the ASA does not want to send it back out the outside interface for Internet access.

    You have at least 2 options:

    - You can configure split tunneling, as you mention, and this would allow Internet browsing to continue while using the VPN.

    - You can set an option on the ASA to allow traffic back out the same interface (this is sometimes called hairpinning). Use the command

    same-security-traffic permit intra-interface

    HTH

    Rick

  • How can I send pre-configured VPN client settings to a remote user

    Dear all,

    I have an ASA 5510 using IPsec VPN for remote users. I want to send all the pre-configured settings for the VPN client.

    How can I save the configuration file and send it to a remote user?

    Regards

    Configure the VPN profile in your VPN client, and then send them the .pcf file located in the directory Program Files/Cisco Systems/VPN Client/Profiles. Then all they have to do is import it into their client.

  • Reverse Route Injection for remote VPN clients

    Hello all,

    I need to confirm whether Reverse Route Injection is used only for site-to-site VPN?

    Also, say that we have two sites using site-to-site VPN:

    Site A                Site B
    Private IP            Private IP
    172.16.x.x            172.20.x.x

    Now, as we have site-to-site VPN, we can enable the NAT-T option, which will allow the 172.16 IPs to reach site B as 172.16 only.

    The IP address is not changed.

    Option 2

    If we don't enable NAT-T and we enable Reverse Route Injection, and we use, say, OSPF on the ASAs in sites A and B:

    In this case, do we enable RRI so that we can advertise the private 172.16 route over the Internet to site B?

    Regards

    Mahesh

    Hello Mahesh,

    "Reverse Route Injection (RRI) is used to populate the routing table of an internal router that runs Open Shortest Path First (OSPF) protocol or Routing Information Protocol (RIP) for remote VPN clients or LAN-to-LAN sessions."

    Source: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107596-asa-reverseroute.html

    As a result, RRI allows the ASA to learn routing information for connected peers and advertise it via RIP or OSPF.

    NAT-T is automatically detected and used when the local or the remote peer is behind NAT.

    To answer your question:

    If NAT-T is required and enabled, then it will automatically be used by the VPN peers. Then, with RRI in place, the remote networks will be added to the routing table as static routes, so they can be advertised by OSPF.

    HTH.

    Please rate all useful messages.
