02-23-2012 02:21 AM
Hi All,
I have been endlessly searching around online, and trying things on the firewall, and can't seem to find an answer to this problem. It's probably something really simple right under my nose!
I am using an ASA 5510, which currently has a few separate site-to-site VPN connections configured, which connect to other Cisco devices on clients' networks.
I work from home, so I also connect to our network using Remote Access VPN (AnyConnect) to connect to the network at the datacentre.
Just to be clear, here is my amazingly drawn network diagram;
[[my house]]-------------- <anyconnect VPN>------------[[ASA 5510 / Datacentre]]-----------<site-to-site>-----------------[[Client network]]
The problem I am having is that I cannot connect directly from my house to the client network; I need to RDP into some server in the datacentre, then from there I can see the client's network.
Is there routing to be set up somewhere between the VPNs? I've looked into the routing options on the firewall and can't seem to find anything that works.
I've searched for this and can't find answers, with even some sources saying it's impossible. Surely not?
02-23-2012 06:49 AM
Yes, it is possible; you are just missing the no-NAT on the outside interface.
Please post your config and I will advise where the no-NAT must go.
thanks
Rizwan Rafeek
02-23-2012 07:54 AM
You will need to include the client network in your tunnel list, and configure 'same-security-traffic permit intra-interface'. Also, you will need to modify the site to site tunnel between the client network and the data center so that the addresses handed out to AnyConnect users are included in the encryption domain.
Matt
02-23-2012 12:46 PM
Thanks, it's good to know it is possible after all.
I'll have to look at the 'same-security-traffic permit intra-interface' command.
The addresses handed out to the Anyconnect clients are in the same subnet / range as the datacentre private network (as there are only about 10 devices there all on static private addresses), so if the client network already has our private network as part of the encryption domain, and the anyconnect clients are on the same addresses, nothing is required in that respect?
02-23-2012 12:33 PM
Hi Rizwan, I have attached the config to my first post, thanks.
02-23-2012 12:52 PM
name 10.0.21.0 Gower-Private
name 10.0.20.105 MAIL_APP_DNS
object-group network DM_INLINE_NETWORK_4
network-object host MAIL_APP_DNS
network-object host 10.0.20.110
object-group network DM_INLINE_NETWORK_3
network-object 10.151.30.0 255.255.255.248
network-object 212.9.3.72 255.255.255.248
access-list outside_1_cryptomap extended permit ip 10.0.20.0 255.255.255.0 212.9.20.240 255.255.255.248
access-list outside_2_cryptomap_1 extended permit ip 10.0.20.0 255.255.255.0 Gower-Private 255.255.255.0
access-list outside_3_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3
Which is your remote LAN network segment, the one you are having the issue with and cannot connect to while on the remote VPN client?
02-23-2012 01:10 PM
I put all your remote LAN segments into an object-group.
object-group network REMOTE-LANS
network-object 10.151.30.0 255.255.255.248
network-object 212.9.3.72 255.255.255.248
network-object 10.0.21.0 255.255.255.0
network-object 212.9.20.240 255.255.255.248
access-list outside_nat0 extended permit ip 10.0.20.0 255.255.255.0 object-group REMOTE-LANS
access-list outside_nat0 extended permit ip object-group REMOTE-LANS 10.0.20.0 255.255.255.0
same-security-traffic permit intra-interface
nat (outside) 0 access-list outside_nat0
Let me know the result.
thanks
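The three pieces the replies above ask for (permit intra-interface traffic on the outside interface, exempt the AnyConnect pool to remote LAN traffic from NAT with a nat 0 ACL, and have a crypto map ACL whose encryption domain covers the pool) are easy to get one of wrong. The script below is an added example, not code from this thread or from Cisco: it parses a pre-8.3-style ASA config (the `nat (outside) 0 access-list` syntax used in the thread) and reports which of the three pieces is missing for a given pool and remote LAN. The embedded config is constructed from the addresses posted in the thread; the pool name and range (ANYCONNECT-POOL, 10.0.20.200-210, inside the 10.0.20.0/24 datacentre range as the original poster described) and the crypto map name outside_map are assumptions.

```python
"""Check an ASA (pre-8.3 NAT syntax) config for the pieces AnyConnect -> site-to-site hairpinning needs."""
import ipaddress

# Constructed sample config using the thread's addresses. The pool and crypto map
# lines are assumptions made for this example, not lines from the poster's config.
SAMPLE_CONFIG = """\
name 10.0.21.0 Gower-Private
name 10.0.20.105 MAIL_APP_DNS
object-group network REMOTE-LANS
 network-object 10.151.30.0 255.255.255.248
 network-object 212.9.3.72 255.255.255.248
 network-object 10.0.21.0 255.255.255.0
 network-object 212.9.20.240 255.255.255.248
access-list outside_2_cryptomap_1 extended permit ip 10.0.20.0 255.255.255.0 Gower-Private 255.255.255.0
access-list outside_nat0 extended permit ip 10.0.20.0 255.255.255.0 object-group REMOTE-LANS
access-list outside_nat0 extended permit ip object-group REMOTE-LANS 10.0.20.0 255.255.255.0
same-security-traffic permit intra-interface
nat (outside) 0 access-list outside_nat0
ip local pool ANYCONNECT-POOL 10.0.20.200-10.0.20.210 mask 255.255.255.0
crypto map outside_map 2 match address outside_2_cryptomap_1
"""


def _net(tokens, names):
    """'A MASK' or 'host A' -> IPv4Network, resolving 'name' aliases."""
    if tokens[0] == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1]))
    return ipaddress.ip_network(f"{names.get(tokens[0], tokens[0])}/{tokens[1]}", strict=False)


def _addr(t, i, cfg):
    """Consume one ACL address term starting at t[i]; return (networks, next index)."""
    if t[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t[i] == "object-group":
        return list(cfg["groups"][t[i + 1]]), i + 2
    return [_net(t[i:i + 2], cfg["names"])], i + 2  # 'host A' or 'A MASK'


def parse_config(text):
    """Pull out names, network object-groups, permit-ip ACL entries, nat 0, pools, crypto ACLs."""
    cfg = {"names": {}, "groups": {}, "acls": {}, "nat0": {}, "crypto_acls": set(),
           "pools": {}, "intra": False}
    group = None  # network-object lines belong to the most recent object-group
    for raw in text.splitlines():
        line = raw.strip()
        t = line.split()
        if not t:
            continue
        if t[0] == "name":
            cfg["names"][t[2]] = t[1]
        elif t[:2] == ["object-group", "network"]:
            group = cfg["groups"].setdefault(t[2], [])
        elif t[0] == "network-object" and group is not None:
            group.append(_net(t[1:], cfg["names"]))
        elif t[0] == "access-list" and t[2:4] == ["extended", "permit"] and t[4] == "ip":
            src, i = _addr(t, 5, cfg)
            dst, _ = _addr(t, i, cfg)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif line == "same-security-traffic permit intra-interface":
            cfg["intra"] = True
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"][t[1].strip("()")] = t[4]
        elif t[:2] == ["crypto", "map"] and "match" in t:
            cfg["crypto_acls"].add(t[t.index("address") + 1])
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
    return cfg


def _covers_range(nets, lo, hi):
    """True if a single network in nets contains the whole pool range lo..hi."""
    return any(lo in n and hi in n for n in nets)


def _covers_net(nets, target):
    return any(target.subnet_of(n) for n in nets)


def check_hairpin(config_text, pool_name, remote_lan, vpn_if="outside"):
    """Return the list of missing pieces for pool -> remote_lan traffic; empty means all present."""
    cfg = parse_config(config_text)
    remote = ipaddress.ip_network(remote_lan)
    lo, hi = cfg["pools"][pool_name]
    problems = []
    if not cfg["intra"]:
        problems.append("same-security-traffic permit intra-interface is missing")
    acl = cfg["nat0"].get(vpn_if)
    if acl is None:
        problems.append(f"no 'nat ({vpn_if}) 0 access-list' on the VPN interface")
    elif not any(_covers_range(s, lo, hi) and _covers_net(d, remote) for s, d in cfg["acls"].get(acl, [])):
        problems.append(f"nat0 ACL {acl} does not exempt the pool -> {remote}")
    domains = [e for a in cfg["crypto_acls"] for e in cfg["acls"].get(a, [])]
    if not any(_covers_range(s, lo, hi) and _covers_net(d, remote) for s, d in domains):
        problems.append(f"no crypto map ACL puts the pool -> {remote} in an encryption domain")
    return problems


if __name__ == "__main__":
    print(check_hairpin(SAMPLE_CONFIG, "ANYCONNECT-POOL", "10.0.21.0/24"))
```

Run it against the output of `show running-config` with your own pool name and the remote LAN you are trying to reach; an empty list means the three pieces are present for that pair. Note that the checker only understands the pre-8.3 `nat (interface) 0 access-list` form shown in the thread; on ASA 8.3 and later the exemption is written as a twice-NAT rule with `nat (outside,outside) source static ... destination static ...` instead, and the crypto ACL and intra-interface requirements are unchanged.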
03-01-2012 04:04 AM
Thank you very much!!! This worked a treat.