ASA 5505 SSL VPN -- VPN sessions connecting to outside network


When SSL VPN sessions are established, they can access the internal network (behind the ASA) without any problem. I had to create a NAT exception rule for this (as per Document ID 99756).


But I cannot get access to the outside network. Do I need a NAT rule or an access rule? ASDM logging doesn't show any access errors.


Split tunneling isn't an option as the purpose of this is to gain access to Internet-based resources from prohibited networks.



dongdongliu Mon, 02/18/2008 - 18:54

Hi Shawn,

Where can you not access outside?

What is the configuration?



Correct Answer
acomiskey Tue, 02/19/2008 - 06:51

same-security-traffic permit intra-interface

global (outside) 1 interface

nat (outside)


That should do it...

Perfect. I picked that up from another thread (that I think you even answered). IMHO Cisco should add this in as an optional step in the SSL VPN examples.


Do you know if it's possible to access statically NATted hosts from the inside via their external IPs?


I.e., host1 is statically NATted, hosts 2-10 are not, and they resolve host1's HTTP URLs to the external IP (name resolution is happening internally and not passing through the firewall), but they cannot hairpin through the firewall to connect via the external IP.

acomiskey Tue, 02/19/2008 - 08:38

So if I understand correctly, a host on the inside tries to access yourdomain.com, which resolves to an external IP. This external IP is translated in your firewall to an internal IP. To get this to work, the setup would be something like this...


webserver inside ip = x.x.x.x

webserver external ip = y.y.y.y

inside host subnet = z.z.z.z/24


same-security-traffic permit intra-interface

static (inside,inside) y.y.y.y x.x.x.x netmask 255.255.255.255

global (inside) 10 interface

nat (inside) 10 z.z.z.z 255.255.255.0


That should do the trick.
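Both configurations in this thread (VPN clients hairpinning back out the outside interface, and inside hosts reaching a server by its public address through an inside-to-inside static) depend on the same small set of pre-8.3 ASA statements being present and on the nat/global ids lining up. The following audit script is an added example, not code from the thread or from Cisco: it parses a constructed pre-8.3 configuration and reports which of those pieces are missing for each scenario. The sample config, the addresses in it (RFC 5737 and private placeholders standing in for x.x.x.x, y.y.y.y and z.z.z.z), and the completed `nat (outside) 1 10.10.10.0 255.255.255.0` line for a VPN address pool are all assumptions; the thread's own `nat (outside)` line is truncated.

```python
import re

# Constructed sample configuration in pre-8.3 ASA syntax (not from the thread).
# 10.0.0.10 = web server inside IP, 198.51.100.10 = its public IP,
# 10.0.0.0/24 = inside host subnet, 10.10.10.0/24 = assumed SSL VPN pool.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
same-security-traffic permit intra-interface
static (inside,inside) 198.51.100.10 10.0.0.10 netmask 255.255.255.255
global (outside) 1 interface
nat (outside) 1 10.10.10.0 255.255.255.0
global (inside) 10 interface
nat (inside) 10 10.0.0.0 255.255.255.0
"""

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")


def parse_asa(config):
    """Strip indentation, blank lines and '!' comment lines."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]


def nat_ids(lines, interface):
    """NAT ids declared by 'nat (<interface>) <id> <net> <mask>' statements."""
    return {m.group(2) for ln in lines
            if (m := NAT_RE.match(ln)) and m.group(1) == interface}


def global_ids(lines, interface):
    """NAT ids that have a 'global (<interface>) <id> ...' pool or interface PAT."""
    return {m.group(2) for ln in lines
            if (m := GLOBAL_RE.match(ln)) and m.group(1) == interface}


def check_vpn_to_internet(lines):
    """Full-tunnel VPN clients enter and leave on 'outside': the ASA must permit
    intra-interface traffic and PAT the VPN pool on the outside interface."""
    problems = []
    if "same-security-traffic permit intra-interface" not in lines:
        problems.append("missing 'same-security-traffic permit intra-interface'")
    ids = nat_ids(lines, "outside")
    if not ids:
        problems.append("no 'nat (outside) <id> <pool> <mask>' entry for the VPN pool")
    elif not ids & global_ids(lines, "outside"):
        problems.append("no 'global (outside) <id> interface' matching the nat (outside) id")
    return problems


def check_inside_to_public_ip(lines, public_ip):
    """Inside hosts reaching an inside server by its public address need an
    inside-to-inside static for that address plus inside-to-inside PAT, so the
    server's reply comes back through the ASA instead of going direct."""
    problems = []
    if "same-security-traffic permit intra-interface" not in lines:
        problems.append("missing 'same-security-traffic permit intra-interface'")
    statics = [m for ln in lines if (m := STATIC_RE.match(ln))]
    if not any(m.group(1) == m.group(2) == "inside" and m.group(3) == public_ip
               for m in statics):
        problems.append(f"no 'static (inside,inside) {public_ip} <real-ip>' entry")
    ids = nat_ids(lines, "inside")
    if not ids:
        problems.append("no 'nat (inside) <id> <subnet> <mask>' entry for the inside hosts")
    elif not ids & global_ids(lines, "inside"):
        problems.append("no 'global (inside) <id> interface' matching the nat (inside) id")
    return problems


def audit(config, public_ip):
    """Run both hairpin checks; an empty list means that scenario is complete."""
    lines = parse_asa(config)
    return {"vpn_to_internet": check_vpn_to_internet(lines),
            "inside_to_public_ip": check_inside_to_public_ip(lines, public_ip)}


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_CONFIG, "198.51.100.10").items():
        print(name, "OK" if not problems else problems)
```

Running it against a real `show running-config` is a quick way to see which of the four pieces is absent before touching the box; the script only reads the configuration and deliberately ignores access lists, so a deny on the outside interface would still need to be checked separately.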

acomiskey Fri, 02/22/2008 - 07:21

Could you post your config?

Correct Answer
acomiskey Mon, 02/25/2008 - 07:20

Sorry for the delay, try...


webserver inside ip = x.x.x.x

webserver external ip = y.y.y.y

inside host subnet = z.z.z.z/24


same-security-traffic permit intra-interface

static (inside,inside) y.y.y.y x.x.x.x netmask 255.255.255.255

global (inside) 1 interface

