VPN Client internet access

Answered Question
May 3rd, 2010

Hi,

I need to make users connected with the VPN client to the central office's LAN go to the internet using the central office's internet connection. I mean without having split-tunnel and without using an internal proxy. I would like to know if it is possible with PIX or ASA. I think it's like telling the firewall to have traffic going in and out using the same outside interface. Thank you very much in advance for your appreciated support.

Best regards

Angelo

Correct Answer by Jennifer Halim about 6 years 9 months ago

Yes, definitely can.

You would need to configure the following:

same-security-traffic permit intra-interface

Plus, assuming that you already have "global (outside) 1 interface", you can configure the following:

nat (outside) 1

For example: if the ip pool subnet for the vpn client is 192.168.100.0/24, then the following:

nat (outside) 1 192.168.100.0 255.255.255.0

Hope that helps.
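Putting the two commands from the answer into context, here is a complete configuration fragment in the pre-8.3 (PIX 7.x / ASA 8.2) NAT syntax the thread is using. This is an added example, not configuration posted by the author or by Cisco. It keeps the 192.168.100.0/24 pool from the thread; the interface name "outside", the inside LAN 10.1.1.0/24, and the names VPNPOOL, VPNPOLICY, VPNGROUP and NONAT are placeholders chosen for the example.

```cisco
! Added example (not from the thread). Pre-8.3 NAT syntax.
! Goal: remote-access VPN clients with no split tunnel reach the internet
! by "hairpinning" out of the same outside interface they came in on.
! Assumed names/values: interface "outside", inside LAN 10.1.1.0/24,
! pool name VPNPOOL, group policy VPNPOLICY, tunnel group VPNGROUP.

! 1. Permit traffic to enter and leave the same interface (the hairpin).
same-security-traffic permit intra-interface

! 2. Address pool handed to VPN clients (the thread's 192.168.100.0/24).
ip local pool VPNPOOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

! 3. Dynamic PAT to the outside interface address (the answer assumes this exists).
global (outside) 1 interface

! 4. Translate the VPN pool when it leaves via the outside interface.
!    Without this line, hairpinned client traffic has no translation and is dropped.
nat (outside) 1 192.168.100.0 255.255.255.0

! 5. Do NOT translate LAN <-> VPN-pool traffic, so clients still reach internal hosts.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 6. Send all client traffic through the tunnel (no split tunnel).
group-policy VPNPOLICY internal
group-policy VPNPOLICY attributes
 split-tunnel-policy tunnelall

! 7. Bind the pool and policy to the tunnel group.
tunnel-group VPNGROUP general-attributes
 address-pool VPNPOOL
 default-group-policy VPNPOLICY
```

To check it after a client connects and browses, `show xlate` should list translations from 192.168.100.x to the outside interface address, and `show nat` should show hits on the `nat (outside) 1` entry. Two caveats worth knowing: on ASA 8.3 and later the NAT syntax changed, and the equivalent of steps 3 and 4 is an `object network` for the pool with `nat (outside,outside) dynamic interface`; and because `sysopt connection permit-vpn` is on by default, decrypted VPN traffic bypasses the outside interface ACL, so if the internet-bound client traffic should be filtered, apply a `vpn-filter` in the group policy or turn that sysopt off so the interface ACL applies.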

ANGELO DE MASI Mon, 05/03/2010 - 04:12

Hi, thanks a lot for your right advice.

Regards

angelo

PS: Does it also mean that I could also make a vpn connection on my firewall starting from the inside? I mean just for testing purpose. Thanks.

Jennifer Halim Mon, 05/03/2010 - 04:17

As far as routing is concerned, if you connect to the ASA inside interface, it would be different from when you are connecting to the outside interface.

When connecting to the outside, the VPN Pool would be routed to the outside interface, and when connecting to the inside interface, now the VPN Pool would be routed to the inside interface, hence the NAT statement will also change to the inside interface instead of outside.

It will not be a true test of when VPN is connected via the outside interface.

ANGELO DE MASI Mon, 05/03/2010 - 04:23

Ok it's all perfectly clear. Thank you very much. So the only way to test VPN connectivity is to have another internet connection.

Regards

angelo
