client-to-site vpn with resource on outside interface

nitass
Level 1

Hi,

I'd like to configure client-to-site ipsec vpn using asa as attachment. I've tested but it seemed that it didn't work. I'm not sure if it's possible or not. Could anyone advise me please?

Thanks in advance,

Nitass

Accepted Solution

Network diagram

Here's what you can do. On the ASA add a static host route for Server, but have it point to the inside interface of Firewall.

route inside 10.0.2.100 255.255.255.255 10.0.1.254

The Firewall knows to go out the e2 interface because it's directly connected.

On the Server you will need to add a static route for the VPN Pool pointing to Firewall.

route add 10.0.3.0 mask 255.255.255.0 10.0.2.254

On the Firewall you will also need to add a route for the VPN Pool.

route inside 10.0.3.0 255.255.255.0 10.0.1.200
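To see why these three routes matter, here is a small added model (not from the thread or from Cisco) that does longest-prefix lookups over each device's routing table and traces the request from the VPN pool toward Server and the reply back; without the routes the two paths diverge, so the stateful Firewall only ever sees one direction. The client address 10.0.3.10 and the collapsed "Internet" hop are assumptions.

```python
import ipaddress

# Constructed model of the thread's diagram: the addresses are the ones quoted
# in the accepted answer; the client IP and the 'Internet' hop are assumptions.
VPN_CLIENT, SERVER = "10.0.3.10", "10.0.2.100"
OWNER = {"10.0.1.254": "Firewall", "10.0.2.254": "Firewall", "10.0.1.200": "ASA",
         SERVER: "Server", VPN_CLIENT: "ASA"}   # which device answers for an IP

def lookup(table, dst):
    """Longest-prefix match over [(network, next_hop)]; next_hop None = connected."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in table if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def trace(tables, start, dst):
    """Return the list of devices a packet from `start` crosses on its way to `dst`."""
    path, dev = [start], start
    for _ in range(8):                       # bounded so a routing loop cannot hang
        hit = lookup(tables[dev], dst)
        if hit is None:
            return path + ["DROP"]
        nxt = OWNER.get(dst if hit[1] is None else hit[1], "Internet")
        path.append(nxt)
        if nxt in ("Internet", OWNER.get(dst)):
            return path
        dev = nxt
    return path + ["LOOP"]

def build_tables(fixed):
    """Routing tables before (fixed=False) and after applying the three static routes."""
    net = ipaddress.ip_network
    asa = [(net("10.0.1.0/24"), None), (net("10.0.3.0/24"), None),
           (net("0.0.0.0/0"), "ISP")]                    # default route out 'outside'
    fw = [(net("10.0.1.0/24"), None), (net("10.0.2.0/24"), None),
          (net("0.0.0.0/0"), "ISP")]                     # e2 (10.0.2.0/24) is connected
    srv = [(net("10.0.2.0/24"), None), (net("0.0.0.0/0"), "10.0.2.254")]
    if fixed:
        asa.append((net("10.0.2.100/32"), "10.0.1.254"))  # route inside 10.0.2.100 255.255.255.255 10.0.1.254
        srv.append((net("10.0.3.0/24"), "10.0.2.254"))    # route add 10.0.3.0 mask 255.255.255.0 10.0.2.254
        fw.append((net("10.0.3.0/24"), "10.0.1.200"))     # route inside 10.0.3.0 255.255.255.0 10.0.1.200
    return {"ASA": asa, "Firewall": fw, "Server": srv}

def check_symmetry(fixed):
    """Request path, reply path, and whether the reply retraces the request."""
    tables = build_tables(fixed)
    fwd = trace(tables, "ASA", SERVER)
    rev = trace(tables, "Server", VPN_CLIENT)
    return fwd, rev, fwd == rev[::-1]
```

Calling `check_symmetry(False)` shows the request leaving the ASA's outside interface while the reply goes Server, Firewall, Internet; `check_symmetry(True)` gives ASA, Firewall, Server in both directions.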


Collin Clark
VIP Alumni

I've always had a hard time getting that scenario to work. You could also route the traffic back out the 'outside' interface or use split tunneling.

Hi,

Thanks for your reply. Anyway, I couldn't catch you. Would you mind explaining it to me a little bit more? I'd like to know if it's possible to route the traffic which is destined to network X thru the inside interface. How can I configure it? Please advise.

Thanks in advance,

Nitass

Let's try it from another angle:

Instead of going through Network Y, is it OK to go out the 'outside' interface on 'Cisco ASA' directly on Network X?

You can also configure routing to go through 'Firewall', but it will be more work. If that is a requirement, it can be done though.

Hi,

Thanks for your prompt reply. ;)

I see. Going out thru the outside interface seems to be simpler. However, this is a requirement from customer. Could you please suggest how to configure it to go out on the inside interface?

Many thanks,

Nitass

I am struggling with the same problem. We currently have a PIX for the firewall and a Cisco 3005 VPN concentrator for IPSec. With that scenario, the connection works as described in the diagram (substitute the VPN for the ASA). The tunneled default route always sends traffic to the server through the INSIDE interface of the VPN (ASA). I'm looking at buying an ASA to replace the VPN and have installed it along with the VPN for testing. However, I can't get the traffic to flow as in the diagram and instead it appears that the ASA sends traffic out its X network interface. The server then responds to its default gateway, which is the firewall rather than the ASA. This happens even though I've got the tunneled default router on the ASA being a router on network Y. To try and figure this out, I see that when I have an IPSec connection with the Cisco client to my VPN concentrator, and I do a "tracert" to any internal IP, I see the VPN concentrator as the first hop. When I try the same thing with an IPSec connection to the ASA, I don't get the ASA as the first hop in a "tracert". I've tried changing static routes on the ASA to make this work, but with no success.

You will need to add a static route (and add it to your cryptos) for that public IP to route through your network and out 'Firewall'. Otherwise it will do exactly what you're seeing. The 'firewall' will not accept that packet in because it was not originated from its inside and has no TCP connection for it.

Attached file is what I did in my lab. As I checked, I think the traffic, i.e. PING traffic from VPN client to server, was routed to the outside interface rather than the inside one, because if I enabled the same-security-traffic permit intra-interface command at ASA and changed the routing (at firewall) of network 10.0.3.0/24 to the inside interface of ASA instead, the VPN client could successfully ping the server.

Anyway, I prefer to route the traffic going out on the inside interface.

Please advise.

david.wolover
Level 1

Thanks for the response, I'll give that a try.

Collin,

You are right. Adding a static host route is the point. ;-)

I also updated the configuration and log as attachment.

Thanks again,

Nitass

I see that you're using Netscreens. Do you know how to view QoS statistics in them?

Collin,

I have never seen any QoS statistic there. I think you may need to get it thru SNMP.

HTH,

Nitass
