07-01-2010 08:47 AM
I just about have my VPN set up exactly like I need it. Users can connect to the VPN and get a 172.16.17.0/24 IP address. These users can then access machines hidden behind the ASA on the private 172.16.16.1/24 interface. Users on the 172.16.16.1 interface can also access any machine not on the private interface through the router using NAT. What I cannot figure out how to do is to allow the VPN users to also access any machine not on the private interface through NAT on the router as well. Help would be appreciated.
ciscoasa# show route
Gateway of last resort is a.b.c.1 to network 0.0.0.0
C 172.16.16.0 255.255.254.0 is directly connected, igbprivate
S 172.16.17.20 255.255.255.255 [1/0] via a.b.c.189, igbpublic
C a.b.c.0 255.255.252.0 is directly connected, igbpublic
C 192.168.1.0 255.255.255.0 is directly connected, management
S* 0.0.0.0 0.0.0.0 [1/0] via a.b.c.1, igbpublic
access list
access-list 101 line 1 extended permit ip 172.16.16.0 255.255.255.0 172.16.17.0 255.255.255.0
nat statements in running-config
global (igbpublic) 1 interface
nat (igbprivate) 0 access-list 101
nat (igbprivate) 1 0.0.0.0 0.0.0.0
07-01-2010 11:05 AM
I think what you are saying you want is for one VPN user to be able to access another VPN user. If that is the case then you would want to look into hairpinning. I believe this will work for you, but seeing as I am struggling with getting it to work myself I cannot help you. If you google it you may find something that will lead you in the right direction.
07-01-2010 11:09 AM
Nope, not that. I have other machines that sit on the public side of this ASA, and I would like the 172.16.17.0/24 addresses of the VPN clients to be able to access these through NAT.
07-01-2010 11:13 AM
Are they physically on the other side of the ASA or are you just trying to access the Public names of machines actually located on the internal network?
07-01-2010 11:24 AM
I physically have machines on the public side of the ASA, and the VPN users need to be able to send and receive traffic to/from them. I don't want to run a second cable to them for the private network.
Dan
07-01-2010 11:30 AM
If your VPN users are connecting to the public side of the ASA then I still think that hairpinning is what you should look into. It is very similar to my issue in which I want VPN users to access the internet through the VPN. The packets from the VPN users have to come in the public interface and go directly back out. Hopefully I am understanding this correctly.
07-01-2010 12:18 PM
This comment along with:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml
was enough to get me going. Essentially I needed the two commands:
same-security-traffic permit intra-interface
nat (igbpublic) 1 172.16.17.0 255.255.255.0
then it roared to life. Thanks for the help.
Dan
07-01-2010 12:28 PM
No problem, glad I could help.
07-01-2010 01:16 PM
I thought you would like to know between your commands and the link you posted I was finally able to wrap my head around what was supposed to happen. Then with a little more fiddling I was able to adapt that to 8.3. Thanks for posting a detailed resolution.
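Pulling the thread's resolution together as an added example (not posted by anyone in the thread): the two pre-8.3 commands Dan ended up with, next to an assumed ASA 8.3+ object-NAT equivalent (the last reply says the fix was adapted to 8.3 but does not show how), plus a packet-tracer check. Interface names and the 172.16.17.0/24 pool come from the thread; the object name VPN-POOL and the addresses in the check are assumptions.

```cisco
! Added example, not configuration from the thread. Interface names and
! the VPN pool are from the posts; VPN-POOL and the test addresses are
! assumptions.

! --- Both versions: VPN clients terminate on igbpublic and their traffic
! to the public-side hosts has to leave via igbpublic again. Without this
! the ASA drops any flow that enters and exits the same interface.
same-security-traffic permit intra-interface

! --- Pre-8.3 (what the thread arrived at): add the VPN pool to NAT
! group 1 on igbpublic so hairpinned client traffic is PATed to the
! outside interface address, like the inside hosts already are.
global (igbpublic) 1 interface
nat (igbpublic) 1 172.16.17.0 255.255.255.0

! --- 8.3 and later (assumed equivalent, object NAT): same pool, same
! interface in and out, dynamic PAT to the interface address.
object network VPN-POOL
 subnet 172.16.17.0 255.255.255.0
 nat (igbpublic,igbpublic) dynamic interface

! --- Verify from the ASA CLI: walk one VPN-client packet through the
! box and confirm the intra-interface permit and the NAT rule are hit.
! 172.16.17.20 is a pool address; a.b.c.50 stands for a public-side host.
! packet-tracer input igbpublic tcp 172.16.17.20 40000 a.b.c.50 443
! show nat
```

Keep in mind that `same-security-traffic permit intra-interface` applies to every interface on the ASA, not only to the VPN pool, so limit what hairpinned VPN clients may reach with a vpn-filter ACL in the group policy rather than relying on the NAT rule alone.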