Remote VPN connection from a LAN

Unanswered Question
May 20th, 2008
Hi,


I have one LAN connected to the internet via an ASA 5505 (called LocalASA) and a router without NAT (we have 8 public IPs).


I'd need to allow clients inside the LAN to connect to a remote VPN via a software client, i.e. without having to set up a site-to-site VPN on my ASA.


I've set up a rule that allows udp/500 to the remote firewall endpoint, but no luck: the rule gets no hits.


How can I set up this connection?


Thanks a lot.


Ciao

sandman42 Wed, 05/21/2008 - 08:17
Yes I do block.


I allow only the traffic I want.


My question is: which port shall I enable in order to make it work?


I've also tried with an inside -> outside "allow ip" and an outside -> inside "allow ip", but the rule doesn't trigger, i.e. I have no entry in the log.


I'm a little bit confused...


About the ping, the remote doesn't respond to pings, but I've tried a remote host which responds, by adding these rules:


access-list inside_access_in extended permit icmp inside_network 255.255.255.0 host REMOTE-THAT-RESPONDS

access-list outside_access_in extended permit icmp host REMOTE-THAT-RESPONDS inside_network 255.255.255.0


The error I have is:


Deny icmp src outside:REMOTE-THAT-RESPONDS dst inside:OUTSIDE-VLAN-IP (type 0, code 0) by access-group "outside_access_in" [0x0, 0x0]


Where OUTSIDE-VLAN-IP is defined in


interface Vlan2

nameif outside

security-level 0

ip address OUTSIDE-VLAN-IP OUTSIDE-VLAN-NETMASK


It works if I change the rules to:


access-list inside_access_in extended permit icmp any host REMOTE-THAT-RESPONDS

access-list outside_access_in extended permit icmp host REMOTE-THAT-RESPONDS any


but it seems to me it's too wide using "any" keyword. Am I correct?


Thanks


Ciao
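As an added illustration (not code from this thread), here is a small Python model of how an ASA extended ACL is evaluated, using constructed documentation-range addresses in place of the post's placeholders (inside_network = 192.168.1.0/24, OUTSIDE-VLAN-IP = 198.51.100.2, REMOTE-THAT-RESPONDS = 203.0.113.10, and an assumed remote VPN endpoint 203.0.113.20 that the post does not name). It shows why a rule whose destination is inside_network never matches the logged echo-reply: the log line records the reply's destination as OUTSIDE-VLAN-IP, the outside interface (PAT) address, and the outside ACL is matched against that address, so a tighter alternative to `any` is `host OUTSIDE-VLAN-IP`. It also evaluates the outbound traffic an IPsec software client normally needs (udp/500 ISAKMP, udp/4500 NAT-T and ESP, IP protocol 50); that port list is standard IPsec knowledge added here, not something the thread states.

```python
"""Toy evaluator for Cisco ASA 'access-list ... extended' lines (IPv4 only).

Added example, not code from the thread. Addresses are constructed from
documentation ranges and stand in for the post's placeholders; the remote
VPN endpoint 203.0.113.20 is assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names accepted after 'eq' that this toy understands.
PORT_NAMES = {"isakmp": 500}


@dataclass
class Packet:
    proto: str                 # ip | icmp | udp | tcp | esp
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Ace:
    acl: str                   # access-list name, e.g. outside_access_in
    action: str                # permit | deny
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None
    text: str = ""             # original line, returned on match


def _take_addr(tokens: list) -> ipaddress.IPv4Network:
    """Consume one ASA address spec: 'any' | 'host A.B.C.D' | 'NET MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if t[:1] != ["access-list"] or t[2] != "extended":
        raise ValueError(f"unsupported line: {line}")
    rest = t[5:]
    src, dst = _take_addr(rest), _take_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
    return Ace(t[1], t[3], t[4], src, dst, dport, line)


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return (ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst)


def evaluate(acl: list, pkt: Packet) -> tuple:
    """First match wins; the ASA's implicit deny applies if nothing matches.

    Returns (action, matched_line_or_None)."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action, ace.text
    return "deny", None


# The echo-reply the post's log line shows being dropped. The outside ACL
# sees the PAT address (OUTSIDE-VLAN-IP) as destination, not an inside host.
ECHO_REPLY = Packet("icmp", "203.0.113.10", "198.51.100.2")

# The post's three outside_access_in variants: narrow (fails), wide, tight.
NARROW = [parse_ace("access-list outside_access_in extended permit icmp "
                    "host 203.0.113.10 192.168.1.0 255.255.255.0")]
WIDE = [parse_ace("access-list outside_access_in extended permit icmp "
                  "host 203.0.113.10 any")]
TIGHT = [parse_ace("access-list outside_access_in extended permit icmp "
                   "host 203.0.113.10 host 198.51.100.2")]

# Outbound rules an IPsec software client usually needs (assumption: standard
# IPsec ports, ISAKMP udp/500, NAT-T udp/4500, ESP). Endpoint is assumed.
VPN_CLIENT_OUT = [parse_ace(l) for l in (
    "access-list inside_access_in extended permit udp "
    "192.168.1.0 255.255.255.0 host 203.0.113.20 eq isakmp",
    "access-list inside_access_in extended permit udp "
    "192.168.1.0 255.255.255.0 host 203.0.113.20 eq 4500",
    "access-list inside_access_in extended permit esp "
    "192.168.1.0 255.255.255.0 host 203.0.113.20",
)]
IKE = Packet("udp", "192.168.1.50", "203.0.113.20", 500)
NAT_T = Packet("udp", "192.168.1.50", "203.0.113.20", 4500)
ESP = Packet("esp", "192.168.1.50", "203.0.113.20")

if __name__ == "__main__":
    for label, acl in (("narrow", NARROW), ("wide", WIDE), ("tight", TIGHT)):
        print(f"{label:6s} echo-reply -> {evaluate(acl, ECHO_REPLY)[0]}")
    for pkt in (IKE, NAT_T, ESP):
        print(f"{pkt.proto}/{pkt.dport} -> {evaluate(VPN_CLIENT_OUT, pkt)[0]}")
```

Two caveats that follow from the model: ESP carries no ports, so when inside hosts sit behind PAT the client must negotiate NAT-T (udp/4500) or the ESP stream cannot be translated; and the destination the outside ACL matches is whatever the ASA logs in the "dst inside:" field, so check the log line before widening a rule to `any`.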

