Ssl vpn, only one interface acting as outside/inside

Malette40
Level 1

Hi all,

I'm trying to set up an SSL VPN (not clientless) with a Cisco ASA 5510, but I am a little blocked since, for tests, the VPN will be in the same subnet as the destination to reach and therefore there will be only one interface connected to the network, which would deal with internal and external traffic. I enclosed a diagram of what I am trying to do and my ASA configuration; I hope that will be helpful.

The entire network is, for historical reasons, on routed public IP addresses. There are ACLs in order to block the traffic from the Internet to the workstations on our network, which is 8.8.36.0/24.

Since I am not in charge of the management of this network, I would like to perform VPN tests in several steps.

1) First step is to test this VPN from the inside to the inside

2) Second step would be to test this VPN from outside the Internet to the inside network

3) And the last step would be to put this VPN into a separate VLAN

For the first step, I tried to connect to the VPN server with the AnyConnect client; no problem with the VPN establishment, and I am correctly obtaining an IP from the pool (for example 8.8.36.181), but I cannot contact internal workstations on the 8.8.36.0/24 network.

I'm sure I am missing something in the configuration; would it be possible to help me?

Thanks in advance,

Accepted Solution

Yudong Wu
Level 7

1. Please use a different subnet as the VPN client pool, other than your internal network 8.8.36/24.

2. Since the traffic will make a U-turn on the ASA, you need the following command:

same-security-traffic permit intra-interface

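The two points of the accepted answer written out as an ASA configuration fragment for the single-interface U-turn case. This is an added illustration, not the poster's configuration (which is not on the page); it assumes pre-8.3 NAT syntax (consistent with the `svc` keyword used in the thread), that the one physical interface is named `outside`, that the AnyConnect image is already loaded, a constructed pool 10.10.10.0/24, and hypothetical object and group names.

```cisco
! Hypothetical ASA 8.0-8.2 style configuration, constructed for illustration.
! The 8.8.36.0/24 inside network comes from the thread; the interface name,
! pool subnet, ACL and group names are assumptions.

! 1. Client pool in its own subnet, NOT inside 8.8.36.0/24, so the ASA routes
!    replies from inside hosts back through the tunnel instead of ARPing locally.
ip local pool ANYCONNECT-POOL 10.10.10.10-10.10.10.100 mask 255.255.255.0

! 2. Traffic enters and leaves through the same interface: permit the hairpin.
same-security-traffic permit intra-interface

! Exempt pool <-> inside traffic from NAT so inside hosts see the pool address unchanged.
access-list NONAT extended permit ip 8.8.36.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (outside) 0 access-list NONAT

! Only send the inside prefix through the tunnel; everything else stays local.
access-list SPLIT-TUNNEL standard permit 8.8.36.0 255.255.255.0

webvpn
 enable outside
 svc enable

group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy ANYCONNECT-GP

! After a client connects, confirm the assigned address and the tunnel state with:
! show vpn-sessiondb svc
```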

4 Replies


Thanks for your fast answer. I tried to change the client VPN pool and the intra-interface traffic command, but I still cannot contact internal workstations. Perhaps this could be a split-tunneling issue, because I already have an IP address in the internal network?

Sorry, I might misunderstand what you are trying to test.

Is your SSL VPN client connecting to the ASA from the outside interface?

If yes, after the SSL VPN is up, your client could not talk to a host behind the ASA?

Could you please provide the full configuration file?

After your SSL VPN is up, can you initiate some traffic to the inside host and then capture the output of the following command?

show vpn-sessiondb svc

Thanks for your answer.

After some thought, what I was trying seems to be impossible. In fact, I was trying to bind the inside and outside "logical" interfaces to the same physical interface with the same network, which involves routing problems.

I rewrote my configuration; I will only do a classical VPN setup with one inside and one outside interface and with different logical network addressing.

Many thanks for your help.
