0

I have a lab subnet (10.10.25.1 from the outside; its inside is 172.16.2.0/24) in the corporate network that's accessible via OpenVPN while people are in the office. (Their OpenVPN client would connect to 10.10.25.1.)

I'm asked to make this lab subnet more easily accessible while people are outside of the office.

The frontend VPN infrastructure for the office is Cisco ASA Anyconnect.

People use Anyconnect to connect to the corporate network from outside (coffee shops, home, etc.). The ASA has a public outside interface with a public IP.

But when people use Anyconnect and then OpenVPN on top of it to access the lab subnet, their computers crash. I assume it's due to double NAT-ing and the computer not being able to handle double VPN network adapters.

Is there a way to make this lab subnet more easily accessible? Or shall I have VNC/RDP desktops in the corporate network that can access the lab subnet on the users' behalf?

Or is setting up a NAT between another public IP and the OpenVPN address more viable?

  • Why do you need `OpenVPN` in addition to `Anyconnect` (or the reverse)? – krisFR Apr 08 '15 at 22:30
  • Anyconnect is to connect to the Cisco ASA to get into the corporate network from outside of the office. The ASA's outside interface has a public IP. But there is a pfSense in the corporate network that currently only has an internal private IP on its outside interface. The pfSense serves as the router/FW for the lab devices behind it. So in other words, you have to use Anyconnect first to get into the corporate network, then access the OpenVPN server using its private IP, since Anyconnect gets you into the corporate network. –  Apr 08 '15 at 22:35
  • Not everyone has the openVPN credentials to VPN into the pfSense. We don't want everyone to have access to lab devices. –  Apr 08 '15 at 22:39
  • What do you mean? –  Apr 08 '15 at 22:41

2 Answers

0

I have experienced a similar situation when the office was using Cisco Virtual Office (CVO).

The R&D dept had its own ASA/FW to host a lab subnet.

We solved the problem by using a hardware VPN.

Issue an ASA or router to build a site-to-site or DMVPN tunnel with the HQ router.

Then the hosts connecting from behind the hardware VPN only have to use OpenVPN (in your case) to connect to the lab subnet. From the computer's point of view, it only has one virtual adapter because the hardware VPN connects to HQ.

An alternative solution is slightly riskier: set up an "ip nat" (assuming a Cisco router for PAT) between a public IP and the pfSense's gateway.
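As an added illustration of that second option (not the answerer's configuration), this is the narrowest Cisco IOS form of the "ip nat" idea: a port-specific static PAT that forwards only OpenVPN's UDP port to the pfSense outside address 10.10.25.1 from the question. The interface names and the public address 203.0.113.10 are assumptions.

```cisco
! Assumed: Gi0/0 faces the Internet with the assumed public address, Gi0/1 faces the corporate LAN.
interface GigabitEthernet0/0
 description Internet
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/1
 description Corporate LAN toward the pfSense outside interface (10.10.25.1)
 ip nat inside
!
! Translate only UDP 1194 (OpenVPN's default port) toward the pfSense.
! Inbound traffic to other ports on 203.0.113.10 is not forwarded to the pfSense at all.
ip nat inside source static udp 10.10.25.1 1194 203.0.113.10 1194 extendable
```

Prefer this port-specific entry over a 1:1 `ip nat inside source static 10.10.25.1 203.0.113.10`, which would expose every service listening on the pfSense outside interface, not just OpenVPN.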

0

As an alternative, can you make the OpenVPN server public? Eliminate the dual VPNs, and just have people connect directly to the lab.

Jim G.