I am stumped and need some advice. I have an ASA working for remote users using public IPs on both inside and outside. The users are able to VPN in and access inside & outside resources set in the ACL for their group... great.
BUT, I am at my wits' end trying to allow users to surf out as they can now, but using the inside public IP. It is working with the outside IP, where users are NAT'd to a private address and go out on the external IP. I need them to go back out with the internal public IP.
Anyone? What are the steps? I am still struggling with ASA configs.
Sorry for the confusion, what I want is to leave internal users alone as they will not use the VPN. The VPN sits behind a firewall.
What I want is for remote users to surf etc. with an internal interface public IP... I believe I was confusing terminology and need to set up PAT for this, is this right? If so, how do I accomplish setting this up so VPN users attach to the outside interface, then grab a private address (NAT) internal to the ASA, then surf out the inside interface? Is this the wrong approach?
We did implement a similar setup, except VPN users are terminated in the DMZ2 segment. Split tunneling is disabled, so all of them (VPN users) must use the corporate proxy & link to go out to the internet.
But this isn't much different if it's terminated on the inside interface. Check the Cisco SAFE Blueprint recommendation.
Basically, all VPN users will get an IP from a dedicated IP block (configured as DHCP) that sits on the internal/inside segment. On your firewall (or if you haven't configured any), you need to NAT out the DHCP address block or range to be translated out to access the internet. And (optional) if you have an ACL, make sure they are also allowed to go out accordingly.
Internet segment: 10.1.1.0/24
VPN user DHCP range: 10.1.3.0/24
global (outside) 2 xx.xx.xx.10 --> public IP
nat (inside) 2 10.1.3.0 255.255.255.0
The above configuration will allow VPN users that are assigned any IP in the 10.1.3.x range to go out to the internet via the xx.xx.xx.10 public IP. Otherwise, they can only access internal resources.
And of course (optional), check the VPN configuration for the proxy server to be used and how you allow them to go to the internet, either enabling/disabling split tunneling.
*enable=need to use corporate network to access internet
*disable=can access internet & corporate network simultaneously
I don't think the NAT will happen here. Even though the VPN users pick up an IP from the internal range, they are considered to be on the outside interface by the ASA. If you do "show conn detail", you can see the VPN users are on outside. So "nat (inside) 2 ...." may not happen.
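Added example, not posted by anyone in this thread: the hairpin (outside-to-outside) NAT that the previous reply points to, written in ASA 8.3+ object NAT syntax. Because remote-access VPN traffic is decrypted on the outside interface, a rule that matches the pool on "inside" is never consulted; the translation has to be permitted as intra-interface traffic and applied on the outside interface. The pool 10.1.3.0/24 is taken from the earlier reply; the object name VPN-POOL and the use of the outside interface address for PAT (instead of the xx.xx.xx.10 address the reply used) are assumptions for this example.

```cisco
! Allow decrypted VPN traffic to turn around and leave the same interface.
! Without this the ASA drops outside-to-outside (hairpin) flows.
same-security-traffic permit intra-interface

! The remote-access address pool (10.1.3.0/24 from the reply above).
object network VPN-POOL
 subnet 10.1.3.0 255.255.255.0
 ! Translate the pool to the outside interface IP as it exits outside.
 ! Both interfaces are "outside" because the VPN peers sit on outside.
 nat (outside,outside) dynamic interface

! Pre-8.3 equivalent of the same hairpin rule (the "outside" keyword
! is what makes the nat statement apply to traffic arriving on outside):
!   global (outside) 2 interface
!   nat (outside) 2 10.1.3.0 255.255.255.0 outside
```

To confirm the rule is being hit, check "show nat detail" for translate_hits on the VPN-POOL rule and "show xlate" for 10.1.3.x entries while a VPN user browses; "show conn detail" will still list the user on outside, which is expected. Note that with full tunneling all of a remote user's internet traffic is now egressing from the ASA's public address, so any outbound ACL or proxy policy applied to the pool must be in place before enabling this, or the VPN becomes an unfiltered internet exit.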