ASA5505 VPN Client Feature Question

May 12th, 2009


To my understanding ASA 5505 can be configured as a VPN client. (Authenticating with a username/password from authenticating VPN Server)

When you put a device (a PC for example), behind the ASA5505(VPN Client), these devices are able to access resources on the head end of the VPN server.

My question is, are the devices behind the VPN server (head end) able to access devices behind the ClientASA5505, such as a PC?

My assumption is no, because I believe the ASA5505 is PAT'ing, and it's not a 1:1 relationship between devices behind the firewall.

Can anyone confirm or validate this?

Is there any documentation to explain this?



John Blakley Tue, 05/12/2009 - 10:44


Traffic that's local will stay local. The client (ASA) is configured for network extension mode (NEM), and it will allow your inside network to be visible on the other side of the vpn tunnel. But computers that are on "this side" of the tunnel are still able to use their printers, see their other local computers, etc.

I'm not sure where PAT comes into play on this one ;-) The ASA brings the connection up on interesting traffic, and then depending on your interesting traffic acl, traffic that matches the acl will traverse the vpn tunnel.
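The two Easy VPN Remote modes on the 5505, as an added configuration sketch that is not from any poster in this thread. The peer address, group and policy names, user name and secrets are placeholders.

```cisco
! --- ASA 5505 (Easy VPN Remote / hardware client) ---
! Constructed example: 192.0.2.1, BRANCH-GROUP and branchuser are placeholders.
vpnclient server 192.0.2.1
vpnclient vpngroup BRANCH-GROUP password <group-preshared-key>
vpnclient username branchuser password <xauth-password>
!
! Client mode: hosts behind the 5505 are hidden behind PAT, so only
! they can initiate connections toward the head end.
! vpnclient mode client-mode
!
! Network extension mode: inside addresses cross the tunnel untranslated
! and are routable from the head end, so either side can initiate.
vpnclient mode network-extension-mode
vpnclient enable
!
! --- ASA 5510 (Easy VPN Server / head end) ---
! The group policy applied to the remote must permit NEM.
! BRANCH-POLICY is a placeholder name.
group-policy BRANCH-POLICY attributes
 nem enable
```

In network extension mode the inside subnet of each remote must be unique across the VPN, and the access rules on both ASAs still decide which flows are actually permitted.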



nomair_83 Tue, 05/12/2009 - 12:04

All interesting traffic should not be PATTED, so don't worry :)

fredj1234 Tue, 05/12/2009 - 15:34

Thanks for your replies,

I just wanted to ensure I explained this properly.



The ASA is connecting as a vpn client (ASA5505) to the VPN Server (ASA5510)

Can SERVER123 connect to PC456 and PC456 connect to SERVER123?

Or is it a one way connection from PC456 to SERVER123?



