Cisco Support Community

Impossible to redirect traffic from Outside to Intranet

Hi,

I use AnyConnect to permit connection of remote clients to the Inside network.

Pool for remote clients: 192.168.10.1-100
Internal network: 192.6.0.0

AnyConnect works fine to access the internal network, but now the customer would like the remote clients with an IP address in 192.168.10.x to be able to access equipment on the distant site (subnet 172.16.10.0) directly through the Intranet interface (no VPN on the Intranet interface, which is connected to MPLS).

The Intranet interface has an IP address in 192.168.1.0.

Here is the path for the traffic:

AnyConnect clients 192.168.10.1-100 --> Outside 'FW' Intranet --> Distant network 172.16.10.0

Security levels on the ASA 5510 cluster at release 8.4.7:

Inside 100
Outside 0
Intranet 50

Since we don't have the same security level for Intranet and Outside, I first proposed to create an access-list which permits ip from 192.168.10.1-100 to 172.16.10.0, applied outbound on the Intranet interface, but it doesn't work.

Then I tried to apply the same access-list inbound on the Outside interface, but same issue.

I would like to know if there is something special to do.

We don't apply NAT on the Intranet interface; the remote ASA firewall has been configured to see the AnyConnect IP addresses 192.168.10.1-100 as the source IP.

Best regards.

A-Even
1 REPLY

Hello,

First of all, traffic from the clients going to the Distant network will not need any sort of FW Access-List due to the sysopt connection permit-vpn.

What you will need to do is:

- If using any sort of split-tunneling, make sure you allow the traffic to the distant network.

- Make sure the devices behind the MPLS network know that in order to reach that VPN AnyConnect pool of addresses they need to send the traffic to the ASA.

- Make sure the NoNAT rule on the ASA includes traffic from the distant interface to the VPN AnyConnect pool.

- If there is any ACL on the Intranet interface, allow the traffic that will be generated from the distant network.

Does it make sense?


Jcarvaja,

Remember to rate all of the helpful posts!!!!

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
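As an added, constructed example (not configuration from either post), here is how the four items in the reply map onto ASA 8.4.x CLI. The object names, the group-policy name ANYCONNECT-GP, the use of the whole 192.168.10.0/24 for the pool object, and the Intranet next hop 192.168.1.254 are assumptions; substitute the real values.

```cisco
! --- Constructed example for ASA 8.4.x; names and next hop are placeholders ---

! Objects for the AnyConnect pool (192.168.10.1-100 lives inside this /24) and the distant site
object network VPN-POOL
 subnet 192.168.10.0 255.255.255.0
object network DISTANT-NET
 subnet 172.16.10.0 255.255.255.0

! 1) Split tunnel: the distant network must be in the list or the client never sends it into the tunnel
access-list SPLIT-TUNNEL standard permit 192.6.0.0 255.255.0.0
access-list SPLIT-TUNNEL standard permit 172.16.10.0 255.255.255.0
group-policy ANYCONNECT-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! 2) Routing: the ASA must know the distant site sits behind the Intranet (MPLS) interface.
!    The MPLS side must likewise route 192.168.10.0/24 back to this ASA's Intranet address (192.168.1.x).
route Intranet 172.16.10.0 255.255.255.0 192.168.1.254

! 3) NoNAT (identity twice NAT) between the distant network on Intranet and the VPN pool on Outside.
!    Twice NAT is bidirectional, so this one line also covers pool -> distant site traffic.
nat (Intranet,Outside) source static DISTANT-NET DISTANT-NET destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup

! 4) Only needed if an ACL is already applied inbound on Intranet: permit the distant site to the pool.
!    No ACL is needed for the VPN -> distant direction because sysopt connection permit-vpn (the default) bypasses interface ACLs for decrypted traffic.
access-list INTRANET-IN extended permit ip 172.16.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-group INTRANET-IN in interface Intranet
```

To confirm the ASA will forward a pool address toward the Intranet interface without translating it, use `packet-tracer input Outside icmp 192.168.10.5 8 0 172.16.10.1` and check that the NAT phase shows the identity rule and the output interface is Intranet.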