07-20-2008 02:49 PM - last edited on 03-25-2019 05:40 PM by ciscomoderator
Greetings. Like many people, we connect to our customers via either permanent VPN connectivity or by locking down management access to our external company IP address.
Is it possible to configure the ASA 5510 so that I can connect to it using the Cisco VPN client from any location and then connect to customer networks, which are in turn locked down to only permit connections from our external network?
At present I am having to connect to one of our internal servers and use it as a jump-off point to connect to customer networks when I'm off site.
Regards
07-20-2008 10:37 PM
Include all needed networks in the split-tunneling ACL.
07-21-2008 02:55 PM
Thank you for your reply. I have tried adding said networks to the split-tunnel list but am unable to connect to the customer networks via their outside management address.
Regards
07-21-2008 02:59 PM
Yes, it's possible. I have already set this up here, but I want to know which firewall the customer is using, because I did it on an ASA which was installed at another location. Cheers
07-21-2008 03:04 PM
I am using an ASA 5510 with 8.0.3(19) code; customer sites use a mix of ASAs, 2800s, 3800s etc. for edge connectivity.
07-21-2008 03:00 PM
We'd have to see the config. Make sure you have something like...
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (outside) 1
07-21-2008 03:09 PM
Cheers, I currently have the same-security-traffic permit intra-interface statement in place; please find the relevant config below.
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address ***.***.***.*** 255.255.255.240
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.997
vlan 997
nameif demo
security-level 100
ip address 172.27.255.1 255.255.255.0
!
interface Ethernet0/1.998
vlan 998
nameif guest
security-level 25
ip address 172.30.255.1 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif access
security-level 100
ip address 172.29.255.1 255.255.255.0
!
interface Ethernet0/3
speed 100
duplex full
nameif voice
security-level 100
ip address 172.28.255.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.255.1 255.255.255.0
management-only
!
same-security-traffic permit inter-interface
access-list ITTelco_SpliTunnel remark ****** Split Tunnel Encrypted Traffic ******
access-list ITTelco_SpliTunnel standard permit 172.29.255.0 255.255.255.0
access-list exempt_nat0_outbound extended permit ip 172.24.0.0 255.248.0.0 172.24.0.0 255.248.0.0
mtu outside 1500
mtu demo 1500
mtu guest 1500
mtu access 1500
mtu voice 1500
mtu management 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-60360.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 2 guestoutbound
nat (demo) 0 access-list exempt_nat0_outbound
nat (guest) 2 172.30.255.0 255.255.255.0
nat (access) 0 access-list exempt_nat0_outbound
nat (access) 1 172.29.255.0 255.255.255.0
nat (voice) 0 access-list exempt_nat0_outbound
nat (voice) 1 172.28.255.0 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ***.***.***.*** 1
route demo 172.26.255.0 255.255.255.0 172.27.255.2 1
!
policy-map type inspect im im_Block
parameters
match protocol msn-im yahoo-im
drop-connection log
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
inspect icmp
inspect icmp error
inspect pptp
inspect ipsec-pass-thru
inspect im im_Block
policy-map serv-pol-outbound
class csc-scan-class
csc fail-open
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
it-fw-5510#
07-21-2008 10:45 PM
access-list ITTelco_SpliTunnel standard permit 172.24.0.0 255.248.0.0
no access-list ITTelco_SpliTunnel standard permit 172.29.255.0 255.255.255.0
07-22-2008 02:17 PM
07-22-2008 03:57 PM
See my previous post. You have no "nat (outside)" command.
07-23-2008 03:35 PM
Ah, apologies, I shall give that a go in the morning.
Thank you for your help so far
07-22-2008 11:22 PM
Do as Adam Comiskey said,
and in this case you should disable split tunneling.
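To tie the three pieces of advice in this thread together (the split-tunnel ACL, the missing "nat (outside)" statement, and the alternative of tunnelling everything), here is a complete ASA 8.0-style fragment for hairpinning VPN clients back out the outside interface. This is an added example, not configuration posted by anyone in the thread: the pool VPN_POOL (172.31.255.0/24, chosen so it falls inside the existing 172.24.0.0/13 nat 0 exemption), the group policy and tunnel-group names, and the customer management address 203.0.113.10 are all assumptions.

```cisco
! Added example (assumed names and addresses), not from the original thread.
! Allow traffic to enter and leave on the same interface (needed for hairpinning).
same-security-traffic permit intra-interface
!
! Assumed VPN client pool; it sits inside 172.24.0.0/13, which the existing
! nat (access) 0 / nat (voice) 0 / nat (demo) 0 exemption ACL already covers.
ip local pool VPN_POOL 172.31.255.1-172.31.255.254 mask 255.255.255.0
!
! Option A: split tunneling. Every customer management address the client must
! reach through the ASA has to be listed, otherwise the client sends it direct.
access-list ITTelco_SpliTunnel standard permit 172.24.0.0 255.248.0.0
access-list ITTelco_SpliTunnel standard permit 203.0.113.10 255.255.255.255
!
group-policy ITTelco_GP internal
group-policy ITTelco_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ITTelco_SpliTunnel
!
! Option B: no split tunneling, as the last reply suggests. All client traffic,
! including Internet traffic, then rides the tunnel and exits via the ASA.
! group-policy ITTelco_GP attributes
!  split-tunnel-policy tunnelall
!
! Decrypted client traffic that turns around on the outside interface must be
! PATed to the outside address; this is the "nat (outside)" the thread asks for.
! The customer's ACL only permits the company's public IP, so this is what makes
! the hairpinned session appear to come from the external company address.
global (outside) 1 interface
nat (outside) 1 172.31.255.0 255.255.255.0
!
tunnel-group ITTelco type remote-access
tunnel-group ITTelco general-attributes
 address-pool VPN_POOL
 default-group-policy ITTelco_GP
```

With nat-control enabled as in the posted config, a client address without a matching nat statement on the outside interface is dropped rather than forwarded, which matches the symptom described. To confirm the path before testing from a client, trace a packet as if it had just been decrypted from the pool: "packet-tracer input outside tcp 172.31.255.10 1025 203.0.113.10 22 detailed" should show the NAT phase translating the source to the outside interface address and an ALLOW result, and "show xlate" should then list the pool address mapped to the outside interface once a real connection is made.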
09-16-2008 12:46 PM
Did anyone figure out how to do this? I am having the same problem (need to be able to VPN in to the office and then make connections out to the Internet via the IP space of the remote office, for security reasons).
I am using a PIX 501.
09-16-2008 02:18 PM
Can't be done with a PIX 501 or any PIX running version 6 code.