EasyVPN server-client, server-side-initiated traffic won't work
I've configured an ASA5510 as a central Easy VPN server. A home office user has an ASA5505 that is configured as a VPN client (the vpnclient commands). The tunnel works great, but there is an application that initiates TCP sessions from the hub LAN destined for the computer at home, behind the ASA5505 VPN client, and this traffic won't work. Now I am uncertain: should this work or not?
Topology: Central net: 172.17.1.0/24 and a few other 172.17.x.y nets
Home net: 172.18.8.0/28 (central ASA config prepared for more future home networks in the 172.18.8.0/24 range)
Relevant server-side configuration:
access-list Inside_nat0_outbound extended permit ip object-group Internal-network 172.17.8.0 255.255.255.0
access-list VPN5005_split_tunnel extended permit ip object-group Internal-network 172.17.8.0 255.255.255.0
So, a user behind the 5505 has IP 172.17.8.10. The computer has full connectivity to all central servers on the 172.17.1.0 net. However, a server needs to initiate a TCP session to 172.17.8.10 and it won't work. Should it work? Or do we need a solution with a LAN-to-LAN tunnel and a static IP at home to get this working?