09-04-2007 07:41 AM - edited 03-11-2019 04:06 AM
How do I permit my remote VPN client to access my router that is situated on the outside interface?
I have this setup:
lan--firewall--router--internet
I was able to let the remote VPN client access resources on my DMZ. Now I also need to allow it to access my router on one of its outside interfaces.
Below is a sample config:
interface Ethernet0/0
nameif outside_bayantel
security-level 0
ip address 121.97.xx.xx 255.255.255.248
!
interface Ethernet0/1
nameif inside_lan_data
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ_to_Voice
security-level 50
ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0/3
nameif outside_PLDT
security-level 0
ip address 192.168.50.2 255.255.255.0
!
access-list inside_lan_data_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.100.168 255.255.255.248
access-list outside_PLDT_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.100.168 255.255.255.248
access-list DMZ_to_Voice_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.100.168 255.255.255.248
access-list ccbslan_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list ccbslan_splitTunnelAcl standard permit host 192.168.200.2
access-list ccbslan_splitTunnelAcl standard permit host 192.168.50.1
ip local pool ccbslan_pool 192.168.100.170-192.168.100.175
global (outside_bayantel) 101 interface
global (outside_PLDT) 101 interface
nat (inside_lan_data) 0 access-list inside_lan_data_nat0_outbound
nat (inside_lan_data) 101 192.168.100.0 255.255.255.0
nat (DMZ_to_Voice) 0 access-list DMZ_to_Voice_nat0_outbound
nat (DMZ_to_Voice) 101 192.168.200.0 255.255.255.0
nat (outside_PLDT) 0 access-list outside_PLDT_nat0_outbound outside
static (DMZ_to_Voice,outside_bayantel) 121.97.xx.xx 192.168.200.2 netmask 255.255.255.255
static (inside_lan_data,DMZ_to_Voice) 192.168.100.2 192.168.100.2 netmask 255.255.255.255
static (inside_lan_data,DMZ_to_Voice) 192.168.100.99 192.168.100.99 netmask 255.255.255.255
static (inside_lan_data,DMZ_to_Voice) 192.168.100.13 192.168.100.13 netmask 255.255.255.255
access-group outside_bayantel_access_in in interface outside_bayantel
access-group outside_PLDT_access_in in interface outside_PLDT
route outside_bayantel 0.0.0.0 0.0.0.0 121.97.79.25 1 track 1
route outside_PLDT 0.0.0.0 0.0.0.0 192.168.50.1 254
group-policy ccbslan internal
group-policy ccbslan attributes
dns-server value 192.168.100.3 4.2.2.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ccbslan_splitTunnelAcl
How do I allow the remote VPN client to access my router at 192.168.50.1?
09-04-2007 07:50 AM
You may have to allow same security level interfaces to communicate.
same-security-traffic permit inter-interface
09-04-2007 09:58 AM
I've done that, but I still cannot communicate with my router at Ethernet0/3.
access-list outside_PLDT_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.100.168 255.255.255.248
nat (outside_PLDT) 0 access-list outside_PLDT_nat0_outbound outside
Is this NAT exempt configuration correct?
09-04-2007 11:22 AM
Not sure if you need the outside keyword on the end, but other than that it looks okay.
Does this router have a route to the vpn client subnet?
09-04-2007 12:21 PM
No, the router does not have any route to the VPN client subnet. Do I need to add one?
09-04-2007 12:22 PM
The router would need to know how to get to the 192.168.100.168 255.255.255.248 network unless, of course, its default route is the ASA.
09-04-2007 02:25 PM
Thanks bro... finally I'm able to connect to the router from my remote VPN client.
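As an added example (not part of this thread), a small Python checker that parses an ASA config excerpt and tests the two ASA-side conditions the replies identify for a VPN client reaching a host behind another interface: inter-interface traffic between same-security-level interfaces, and a nat 0 exemption that covers the whole VPN pool on the destination interface. The config excerpt is constructed from the posted config, with the public address 192.0.2.2 as a placeholder and the same-security-traffic line added; the router's own return route, the final fix in the thread, is not visible in the ASA config and so is not checked.

```python
from ipaddress import ip_address, ip_network, summarize_address_range
# Constructed excerpt of the thread's ASA config (public IP is a placeholder), plus the
# same-security-traffic line suggested in the replies, so the checker can see the fix.
ASA_CONFIG = """
 nameif outside_bayantel
 security-level 0
 ip address 192.0.2.2 255.255.255.248
 nameif outside_PLDT
 security-level 0
 ip address 192.168.50.2 255.255.255.0
same-security-traffic permit inter-interface
access-list outside_PLDT_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.100.168 255.255.255.248
ip local pool ccbslan_pool 192.168.100.170-192.168.100.175
nat (outside_PLDT) 0 access-list outside_PLDT_nat0_outbound outside
"""
net = lambda addr, mask: ip_network(f"{addr}/{mask}", strict=False)

def parse_asa(cfg):  # -> interfaces, extended ACLs, nat 0 bindings, VPN pool blocks, same-security flag
    ifaces, acls, nat0, pools, same_sec, cur = {}, {}, {}, [], False, {}
    for t in (l.split() for l in cfg.splitlines() if l.strip()):
        if t[0] == "nameif":  # nameif precedes security-level / ip address in an interface block
            cur = ifaces[t[1]] = {}
        elif t[0] == "security-level":
            cur["level"] = int(t[1])
        elif t[:2] == ["ip", "address"]:
            cur["net"] = net(t[2], t[3])
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            acls.setdefault(t[1], []).append((net(t[5], t[6]), net(t[7], t[8])))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            nat0[t[1].strip("()")] = t[4]
        elif t[:3] == ["ip", "local", "pool"]:
            pools += summarize_address_range(*map(ip_address, t[4].split("-")))
        elif t[:3] == ["same-security-traffic", "permit", "inter-interface"]:
            same_sec = True
    return ifaces, acls, nat0, pools, same_sec

def vpn_reach_issues(cfg, vpn_iface, target):  # ASA-side gaps only; the router's return route is not visible here
    ifaces, acls, nat0, pools, same_sec = parse_asa(cfg)
    target = ip_address(target)
    dst = next((n for n, i in ifaces.items() if target in i["net"]), None)
    if dst is None:
        return [f"no interface subnet contains {target}"]
    issues = []
    if ifaces[dst]["level"] == ifaces[vpn_iface]["level"] and not same_sec:
        issues.append("same-security-traffic permit inter-interface is missing")
    rules = acls.get(nat0.get(dst, ""), [])
    for pool in pools:  # every pool block needs a nat 0 exemption on the destination interface
        if not any(target in s and pool.subnet_of(d) for s, d in rules):
            issues.append(f"no nat 0 exemption on {dst} for {target} -> {pool}")
    return issues
```

With the excerpt as written, `vpn_reach_issues(ASA_CONFIG, "outside_bayantel", "192.168.50.1")` returns an empty list; removing the same-security-traffic line or the nat 0 binding makes the corresponding gap show up.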