Hello. I am trying to implement the following scenario on an ASA5520 firewall. The firewall serves two purposes... It is used as a firewall and DHCP server for internal clients, as well as a VPN concentrator to access the internal network via the AnyConnect VPN client. I would like to make it transparent for external and internal clients who are connected to one of the inside interfaces to access the Internet, so they can use one public IP address to VPN in. Something like in the picture above. So far I can VPN from outside and inside, but I cannot use the outside public IP address when trying to VPN in from inside. Is there any mechanism to do a U-turn on the outside interface so the traffic can come back to the same interface? I use a global pool of public IP addresses. All internal clients on the "Internet" VLAN reside on the subnet PATed using one public IP address, and another public IP address is used for WebVPN.
The response I'm about to provide may definitely not solve your problem, but I'm hoping it will point you in the right direction.
We had a similar requirement (Anyconnect VPN users connecting and then having to hairpin or U-turn back out for internets) and wrestled with it for a long time. Here are the primary configurations we made:
same-security-traffic permit intra-interface
*and* here was the final solution: we had to place the NAT on the outside interface. Our remote access users IP Pool was, say, 192.168.1.0 255.255.255.0 so we natted that by:
nat (outside) 1 192.168.1.0 255.255.255.0
After we made those two configurations changes, it worked.
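As an added illustration of the two changes in the reply above, here is the same idea assembled into one pre-8.3 ASA configuration fragment. This is not the poster's configuration and not code from the thread; the pool name, the pool range and the choice of PAT to the outside interface address are assumptions made here for the example. In ASA 8.3 and later the nat/global syntax was replaced by object NAT, so these exact lines are not accepted there.

```cisco
! Added example, not the original poster's or answerer's config.
! Assumed: AnyConnect pool 192.168.1.0/24, interface named "outside",
! and hairpinned client traffic PATed to the outside interface address.

! Allow traffic that enters on an interface to leave on the same interface
! (decrypted VPN traffic arrives on "outside" and must go back out "outside").
same-security-traffic permit intra-interface

! Address pool handed to AnyConnect clients (name and range are assumptions).
ip local pool ANYCONNECT-POOL 192.168.1.1-192.168.1.254 mask 255.255.255.0

! NAT the VPN pool on the OUTSIDE interface, since that is where the decrypted
! AnyConnect traffic enters the ASA. The nat ID (1) must match a global
! statement on the egress interface; here the clients are PATed to the
! outside interface address when they U-turn to the Internet.
nat (outside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
```

To check the result after a client connects and browses, `show running-config same-security-traffic` should list the intra-interface permit, and `show xlate` should show translations whose local address is in 192.168.1.0/24 and whose global address is the outside interface address; if no xlate appears for the pool, the nat ID and the global statement are on different interfaces or do not match.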
Hi. Thank you for the reply. This is my current network layout, which allows me to do hairpinning on the firewall outside interface. My plan is to move DHCP/DNS services to the firewall itself, but once it's done the U-turn simply stops working. The whole point is to get rid of the old 2651 router. Maybe I am trying to squeeze too many services/functions into one box.