Community Member

permit VPN client to access outside interface

How do I permit my remote VPN client to access my router that is situated on the outside interface?

I have this setup:

lan--firewall--router--internet

I was able to let the remote VPN client access resources on my DMZ. Now I also need to allow it to access my router on one of its outside interfaces.

Below is a sample config:

interface Ethernet0/0
 nameif outside_bayantel
 security-level 0
 ip address 121.97.xx.xx 255.255.255.248
!
interface Ethernet0/1
 nameif inside_lan_data
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ_to_Voice
 security-level 50
 ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0/3
 nameif outside_PLDT
 security-level 0
 ip address 192.168.50.2 255.255.255.0
!
access-list inside_lan_data_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.100.168 255.255.255.248
access-list outside_PLDT_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.100.168 255.255.255.248
access-list DMZ_to_Voice_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.100.168 255.255.255.248
access-list ccbslan_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list ccbslan_splitTunnelAcl standard permit host 192.168.200.2
access-list ccbslan_splitTunnelAcl standard permit host 192.168.50.1
ip local pool ccbslan_pool 192.168.100.170-192.168.100.175
global (outside_bayantel) 101 interface
global (outside_PLDT) 101 interface
nat (inside_lan_data) 0 access-list inside_lan_data_nat0_outbound
nat (inside_lan_data) 101 192.168.100.0 255.255.255.0
nat (DMZ_to_Voice) 0 access-list DMZ_to_Voice_nat0_outbound
nat (DMZ_to_Voice) 101 192.168.200.0 255.255.255.0
nat (outside_PLDT) 0 access-list outside_PLDT_nat0_outbound outside
static (DMZ_to_Voice,outside_bayantel) 121.97.xx.xx 192.168.200.2 netmask 255.255.255.255
static (inside_lan_data,DMZ_to_Voice) 192.168.100.2 192.168.100.2 netmask 255.255.255.255
static (inside_lan_data,DMZ_to_Voice) 192.168.100.99 192.168.100.99 netmask 255.255.255.255
static (inside_lan_data,DMZ_to_Voice) 192.168.100.13 192.168.100.13 netmask 255.255.255.255
access-group outside_bayantel_access_in in interface outside_bayantel
access-group outside_PLDT_access_in in interface outside_PLDT
route outside_bayantel 0.0.0.0 0.0.0.0 121.97.79.25 1 track 1
route outside_PLDT 0.0.0.0 0.0.0.0 192.168.50.1 254
group-policy ccbslan internal
group-policy ccbslan attributes
 dns-server value 192.168.100.3 4.2.2.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ccbslan_splitTunnelAcl

How do I allow the remote VPN client to access my router at 192.168.50.1?

6 REPLIES
Green

Re: permit VPN client to access outside interface

You may have to allow same security level interfaces to communicate.

same-security-traffic permit inter-interface

Community Member

Re: permit VPN client to access outside interface

I've done that, but I still cannot communicate with my router at Ethernet0/3.

access-list outside_PLDT_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.100.168 255.255.255.248
nat (outside_PLDT) 0 access-list outside_PLDT_nat0_outbound outside

Is this NAT exempt configuration correct?

Green

Re: permit VPN client to access outside interface

Not sure if you need the outside keyword on the end, but other than that it looks okay.

Does this router have a route to the vpn client subnet?

Community Member

Re: permit VPN client to access outside interface

No, the router does not have any route to the VPN client subnet. Do I need to add one?

Green

Re: permit VPN client to access outside interface

The router would need to know how to get to the 192.168.100.168 255.255.255.248 network, unless of course its default route is the ASA.
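The thread ends up with three conditions that have to hold for a VPN client in the pool to reach the router behind outside_PLDT: inter-interface traffic between the two security-level 0 interfaces is permitted, the nat 0 ACL on outside_PLDT exempts router-to-pool traffic from translation, and the router has a route back to the pool via the ASA. The following script is an added example, not part of the thread, that lints an ASA 8.2-style config excerpt for those conditions; the excerpt is constructed from the config posted above. It assumes the router speaks IOS-style `ip route` syntax and that the ASA's outside_PLDT address 192.168.50.2 is the router's next hop for the pool; neither assumption is stated in the thread.

```python
"""Lint an ASA 8.2-style config excerpt for the three things the thread settles on."""
import ipaddress
import re

# Constructed excerpt of the configuration posted in the thread.
SAMPLE_CONFIG = """
interface Ethernet0/3
 nameif outside_PLDT
 security-level 0
 ip address 192.168.50.2 255.255.255.0
access-list outside_PLDT_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.100.168 255.255.255.248
access-list ccbslan_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list ccbslan_splitTunnelAcl standard permit host 192.168.200.2
access-list ccbslan_splitTunnelAcl standard permit host 192.168.50.1
ip local pool ccbslan_pool 192.168.100.170-192.168.100.175
nat (outside_PLDT) 0 access-list outside_PLDT_nat0_outbound outside
same-security-traffic permit inter-interface
group-policy ccbslan attributes
 split-tunnel-network-list value ccbslan_splitTunnelAcl
"""


def _net(addr, mask):
    """Build a network from ASA 'address mask' notation."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_pool(config, name):
    """Return (first, last) address of an 'ip local pool'."""
    m = re.search(rf"^ip local pool {re.escape(name)} (\S+)-(\S+)", config, re.M)
    if not m:
        raise ValueError(f"pool {name} not found")
    return ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))


def covering_network(first, last):
    """Smallest prefix that contains the whole pool range (what the router must route)."""
    net = ipaddress.IPv4Network(f"{first}/32")
    while last not in net:
        net = net.supernet()
    return net


def parse_extended_acl(config, name):
    """(src, dst) network pairs for the 'permit ip' lines of an extended ACL."""
    pat = rf"^access-list {re.escape(name)} extended permit ip (\S+) (\S+) (\S+) (\S+)"
    return [(_net(a, b), _net(c, d)) for a, b, c, d in re.findall(pat, config, re.M)]


def parse_standard_acl(config, name):
    """Networks permitted by a standard ACL ('host X' or 'X mask')."""
    nets = []
    for rest in re.findall(rf"^access-list {re.escape(name)} standard permit (.+)$", config, re.M):
        parts = rest.split()
        if parts[0] == "host":
            nets.append(ipaddress.IPv4Network(f"{parts[1]}/32"))
        else:
            nets.append(_net(parts[0], parts[1]))
    return nets


def nat0_exempts(config, interface, router, pool_net):
    """True if the nat 0 ACL bound to `interface` exempts router -> pool traffic."""
    m = re.search(rf"^nat \({re.escape(interface)}\) 0 access-list (\S+)", config, re.M)
    if not m:
        return False
    return any(router in src and pool_net.subnet_of(dst)
               for src, dst in parse_extended_acl(config, m.group(1)))


def split_tunnel_includes(config, host):
    """True if the group policy's split-tunnel ACL sends traffic for `host` into the tunnel."""
    m = re.search(r"^\s*split-tunnel-network-list value (\S+)", config, re.M)
    if not m:
        return False
    return any(host in net for net in parse_standard_acl(config, m.group(1)))


def inter_interface_permitted(config):
    """True if traffic between equal-security interfaces is allowed."""
    return re.search(r"^same-security-traffic permit inter-interface", config, re.M) is not None


def router_return_route(pool_net, asa_ip):
    """IOS-style static route (assumed syntax) the router needs to reach the pool via the ASA."""
    return f"ip route {pool_net.network_address} {pool_net.netmask} {asa_ip}"


def check(config, interface="outside_PLDT", pool="ccbslan_pool",
          router="192.168.50.1", asa_ip="192.168.50.2"):
    """Evaluate the three conditions and emit the router's missing route."""
    router_ip = ipaddress.IPv4Address(router)
    pool_net = covering_network(*parse_pool(config, pool))
    return {
        "inter_interface": inter_interface_permitted(config),
        "nat0_exempt": nat0_exempts(config, interface, router_ip, pool_net),
        "split_tunnel": split_tunnel_includes(config, router_ip),
        "router_route": router_return_route(pool_net, asa_ip),
    }


if __name__ == "__main__":
    for key, value in check(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

The script reports on the ASA side only; the router route it prints is the one piece the ASA config cannot contain, and it is exactly the gap the thread identified. Dropping the `same-security-traffic` or `nat (outside_PLDT) 0` lines from the excerpt flips the corresponding check to false.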

Community Member

Re: permit VPN client to access outside interface

Thanks bro... finally I'm able to connect to the router from my remote VPN client.
