I am doing VPN proof of concept testing on my ASA 5505 in preparation for migration to two other 5510s. I have set up two VPN groups; one that allows for split tunneling, but grants user access in the internal NAT'ed network and one that does hairpinning, forcing the user back out on the same interface using a viable IP address range.
The former is working just fine, but I am having problems getting the latter to work.
I can connect to any server on the internal network but cannot route back to the Internet. I am using an internal DNS server in the internal network and it can resolve IP addresses no problem.
I suspect I am missing something relatively minor. Can someone take a look at my 5505 config and let me know what is happening?
I have this set up within my work network, 192.168.252.0/24. The outside IP of the firewall is 192.168.252.76 (DHCP assigned) and the internal network behind the firewall is 192.168.1.0/24. The VPN IP address range is 192.168.2.0/26. I have a Linux test server sitting behind the firewall using 192.168.1.2, which I can access just fine using the split tunneling and the hairpin method. But after connecting to the firewall using hairpinning and NO split tunneling, all my other outside connections drop.
Thanks in advance.
The VPN clients are considered to be sourced from whichever interface the VPN is terminating on. In your case, that is the outside interface. If you want to PAT the VPN clients on the outside interface to the 64.xx.xx.96 address:

! Pool of outside addresses used for the translation (NAT id 2)
global (outside) 2 64.xx.xx.96 255.255.255.224
! Source range to translate: must match the VPN address pool (the question states it as 192.168.2.0/26)
nat (outside) 2 192.168.2.64 255.255.255.192
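A fuller version of the hairpin configuration, as an added example that is not part of the original post or answer. It uses the same pre-8.3 global/nat syntax as the answer and the addresses from the question (VPN pool 192.168.2.0/26, outside interface address assigned by DHCP). The policy name HAIRPIN and the choice to PAT to the interface address instead of a dedicated pool are assumptions for the lab setup; the `same-security-traffic` line is what allows a packet to leave the ASA on the same interface it arrived on, which the hairpin case requires and which the answer's two lines alone do not enable.

```cisco
! Required for hairpinning: permit traffic to enter and exit the same interface
same-security-traffic permit intra-interface

! Address pool handed to the hairpin VPN clients (192.168.2.0/26 from the question)
ip local pool HAIRPIN-POOL 192.168.2.1-192.168.2.62 mask 255.255.255.192

! No split tunneling for this group: all client traffic, including Internet, comes through the tunnel
group-policy HAIRPIN internal
group-policy HAIRPIN attributes
 split-tunnel-policy tunnelall
 address-pools value HAIRPIN-POOL

! VPN clients are sourced from the outside interface, so the translation is nat (outside).
! Assumption: PAT to the DHCP-assigned outside address rather than to a separate global pool.
global (outside) 2 interface
nat (outside) 2 192.168.2.0 255.255.255.192

! Leave the existing inside translation (NAT id 1 assumed) alone; it still serves 192.168.1.0/24
```

After applying it, reconnect a hairpin client and check that `show xlate` shows translations for a 192.168.2.x source leaving via the outside interface; if none appear, the nat (outside) range does not match the client's assigned address.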