Greetings. Like many people, we connect to our customers via either permanent VPN connectivity or by locking down management access to our external company IP address.
Is it possible to configure the ASA 5510 so that I can connect to it using the Cisco VPN client from any location and then connect to customer networks which are in turn locked down to only permit connections from our external network?
At present I am having to connect to one of our internal servers and use it as a jump-off point to connect to customer networks when I'm off site.
Thank you for your reply. I have tried adding said networks to the split tunnel list but am unable to connect to the customer networks via their outside management address.
Yes, it's possible. I have already set this up here, but I want to know which FW is being used by the customer because I had made it on an ASA which was installed at another location. Cheers
I am using an ASA 5510 with 8.0.3(19) code; customer sites use a mix of ASAs, 2800s, 3800s etc. for edge connectivity.
We'd have to see the config. Make sure you have something like...
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (outside) 1
Cheers. I currently have the same-security-traffic permit intra-interface statement in place; please find the relevant config below.
ip address ***.***.***.*** 255.255.255.240
no ip address
ip address 172.27.255.1 255.255.255.0
ip address 172.30.255.1 255.255.255.0
ip address 172.29.255.1 255.255.255.0
ip address 172.28.255.1 255.255.255.0
ip address 192.168.255.1 255.255.255.0
same-security-traffic permit inter-interface
access-list ITTelco_SpliTunnel remark ****** Split Tunnel Encrypted Traffic ******
access-list ITTelco_SpliTunnel standard permit 172.29.255.0 255.255.255.0
access-list exempt_nat0_outbound extended permit ip 172.24.0.0 255.248.0.0 172.24.0.0 255.248.0.0
mtu outside 1500
mtu demo 1500
mtu guest 1500
mtu access 1500
mtu voice 1500
mtu management 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-60360.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 guestoutbound
nat (demo) 0 access-list exempt_nat0_outbound
nat (guest) 2 172.30.255.0 255.255.255.0
nat (access) 0 access-list exempt_nat0_outbound
nat (access) 1 172.29.255.0 255.255.255.0
nat (voice) 0 access-list exempt_nat0_outbound
nat (voice) 1 172.28.255.0 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ***.***.***.*** 1
route demo 172.26.255.0 255.255.255.0 172.27.255.2 1
policy-map type inspect im im_Block
match protocol msn-im yahoo-im
inspect h323 h225
inspect h323 ras
inspect icmp error
inspect im im_Block
service-policy global_policy global
prompt hostname context
access-list ITTelco_SpliTunnel standard permit 172.24.0.0 255.248.0.0
no access-list ITTelco_SpliTunnel standard permit 172.29.255.0 255.255.255.0
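Pulling together the three statements from the earlier reply (same-security-traffic, global, nat) with the split-tunnel change above, here is what a complete hairpin setup looks like on 8.0-era code. This is an added example, not config posted by anyone in the thread: the pool 10.99.99.0/24, the customer management network 203.0.113.0/24, and the group-policy/tunnel-group names ITTelco_GP and ITTelco are assumptions. Two points worth checking against the extract above: hairpinning needs the intra-interface form of same-security-traffic (the extract shows only inter-interface), and the VPN pool needs its own nat (outside) entry, otherwise decrypted client traffic leaves the outside interface with its pool address as the source and the customer's lockdown rejects it.

```cisco
! Hypothetical ASA 8.0 hairpin configuration (added example; addresses and names are assumptions).
!
! 1. Let traffic that arrives on outside (decrypted VPN client packets) leave via outside again.
same-security-traffic permit intra-interface
!
! 2. Address pool handed out to Cisco VPN clients.
ip local pool ITTelco_VPN_Pool 10.99.99.10-10.99.99.100 mask 255.255.255.0
!
! 3. Split-tunnel list: internal networks plus the customer's management address block.
!    Anything not listed here never enters the tunnel; the client sends it straight out
!    its local ISP and the customer sees the client's home/hotel address, not ours.
access-list ITTelco_SpliTunnel standard permit 172.24.0.0 255.248.0.0
access-list ITTelco_SpliTunnel standard permit 203.0.113.0 255.255.255.0
!
! 4. Hairpinned traffic (outside -> outside) from the pool is PATed to the outside
!    interface address, so the customer's ACL sees the company's public IP.
global (outside) 1 interface
nat (outside) 1 10.99.99.0 255.255.255.0
!
! 5. Keep pool -> internal traffic untranslated (the existing exemption only
!    covers 172.24.0.0/13 to itself, so the pool must be added explicitly).
access-list exempt_nat0_outbound extended permit ip 172.24.0.0 255.248.0.0 10.99.99.0 255.255.255.0
nat (access) 0 access-list exempt_nat0_outbound
!
! 6. Group policy and tunnel group for the Cisco VPN client.
group-policy ITTelco_GP internal
group-policy ITTelco_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ITTelco_SpliTunnel
tunnel-group ITTelco type remote-access
tunnel-group ITTelco general-attributes
 address-pool ITTelco_VPN_Pool
 default-group-policy ITTelco_GP
tunnel-group ITTelco ipsec-attributes
 pre-shared-key *****
!
! Checks from the ASA CLI once a client is connected (the source port is arbitrary):
!   packet-tracer input outside tcp 10.99.99.10 1025 203.0.113.10 22
!     - should end in ALLOW with the NAT phase translating the source to the outside address
!   show xlate | include 10.99.99
!     - should list a PAT entry for the pool address on the outside interface
```

On the client side, confirm with the VPN client's route details that 203.0.113.0/24 is a secured route; if it is not listed, the split-tunnel ACL change has not been pushed to the group the client lands in. Note that the nat/global syntax above is the pre-8.3 form the thread is using; 8.3 and later rewrite the same idea with object NAT.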
Did anyone figure out how to do this? I am having the same problem (I need to be able to VPN in to the office and then make connections out to the internet via the IP space of the remote office, for security reasons).
I am using a PIX 501.