irksome cisco asa behaviour

Cisco ASA does not allow an interface to be contacted by hosts attached to another interface. Meaning: if I am on an internal interface, I cannot reach the external interface IP.

This is so irksome. Because it means that internal hosts cannot VPN to the external IP.

Anyone else find this painful? Do you have a solution?

owillins Fri, 06/20/2008 - 06:26

Paste your running config and also a brief discussion about your topology.

Thanks for the reply.

I think I've solved the issue by using DNS rewriting.

Consider an internal and external network.

A user with a laptop has a vpn profile that points to an external ip.

The user can use the vpn profile when on the Internet to VPN back to the office.

However, the user will be unable to use that profile to create a VPN from the INTERNAL network, because it's not possible to contact the external interface ( address) from the internal network.

The problem can be solved elegantly by having the Cisco do a DNS rewrite of the DNS reply that comes through the firewall. When an internal user queries, the request passes through the ASA to an external DNS server. When the reply arrives back, the ASA replaces the reply IP address of the DNS query for with the IP of the internal interface of the ASA.

Internal users are then able to create a VPN from the internal network using the same hostname (
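The rewrite described in the post, as an added illustration that is not code from the thread or from Cisco: a small Python routine that does to an A-record reply what the ASA's DNS inspection does, walking the records and swapping the outside address for the inside one while leaving every other record untouched. The hostname, the two addresses (RFC 5737 documentation ranges) and the reply itself are constructed here for the example and are not from the original post.

```python
import struct
from ipaddress import IPv4Address

# Assumed values for the example: the name in the VPN profile, the address
# the public DNS server returns for it (outside interface) and the address
# internal clients should use instead (inside interface).
VPN_NAME = "vpn.example.com"
OUTSIDE_IP = "203.0.113.1"
INSIDE_IP = "192.0.2.1"


def _encode_name(name):
    """Encode a dotted hostname as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past the name at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def build_response(name, answers, txid=0x1234):
    """Build a minimal DNS response. answers is a list of (rtype, rdata bytes);
    every answer's owner name is a pointer back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)  # A, IN
    body = b""
    for rtype, rdata in answers:
        body += b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + question + body


def doctor_dns_reply(msg, mapped_ip, real_ip):
    """Rewrite every A record carrying mapped_ip to real_ip, as an inspecting
    firewall would. Returns (new message, number of records rewritten)."""
    _txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:
        return msg, 0                       # a query, not a response: leave it alone
    buf = bytearray(msg)
    off = 12
    for _ in range(qd):                     # skip the question section
        off = _skip_name(buf, off) + 4
    count = 0
    for _ in range(an + ns + ar):           # walk every resource record
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            if IPv4Address(bytes(buf[off:off + 4])) == IPv4Address(mapped_ip):
                buf[off:off + 4] = IPv4Address(real_ip).packed
                count += 1
        off += rdlen                        # CNAME, AAAA, etc. are passed through unchanged
    return bytes(buf), count


def answer_addresses(msg):
    """List the A-record addresses in a response, in order."""
    _txid, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(IPv4Address(bytes(msg[off:off + 4]))))
        off += rdlen
    return addrs


def demo():
    """Constructed reply: a CNAME followed by the A record a public resolver would return."""
    reply = build_response(VPN_NAME, [
        (5, _encode_name("gw.example.com")),
        (1, IPv4Address(OUTSIDE_IP).packed),
    ])
    doctored, count = doctor_dns_reply(reply, OUTSIDE_IP, INSIDE_IP)
    return answer_addresses(reply), answer_addresses(doctored), count


if __name__ == "__main__":
    print(demo())
```

The check a practitioner wants is the last one: a reply for some other host that happens to resolve to a different address must come back byte-for-byte unchanged, which is why the rewrite matches on the address rather than on the name.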
