Cisco Support Community
aa
New Member

irksome cisco asa behaviour

Cisco ASA does not allow an interface to be contacted by hosts attached to another interface. Meaning: if I am on an internal interface, I cannot reach the external interface IP.

This is so irksome. Because it means that internal hosts cannot VPN to the external IP.

Anyone else find this painful? Do you have a solution?

2 REPLIES
Silver

Re: irksome cisco asa behaviour

Paste your running config and also a brief description of your topology.

aa
New Member

Re: irksome cisco asa behaviour

Thanks for the reply.

I think I've solved the issue by using DNS rewriting.

Consider an internal and external network.

A user with a laptop has a VPN profile that points to vpn.company.com, an external IP.

The user can use the vpn profile when on the Internet to VPN back to the office.

However, the user will be unable to use that profile to create a VPN from the INTERNAL network, because it's not possible to contact the external interface (vpn.company.com address) from the internal network.

The problem can be solved elegantly by having the Cisco do a DNS rewrite of the DNS reply that comes through the firewall. When an internal user queries vpn.company.com, the request passes through the ASA to an external DNS server. When the reply arrives back, the ASA replaces the reply IP address of the DNS query for vpn.company.com with the IP of the internal interface of the ASA.

Internal users are then able to create a VPN from the internal network using the same hostname (vpn.company.com).
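
The rewrite step described in the post above, shown as an added illustration rather than anything from the thread or from Cisco: a small Python model of what a firewall's DNS rewrite ("doctoring") does to a reply passing through it. It parses a DNS response, walks the answer records, and swaps the A-record address when it matches a NAT table entry. The hostname comes from the post; the addresses (203.0.113.10 as the public VPN address, 192.168.1.1 as the inside address) and the `NAT_TABLE` name are constructed placeholders.

```python
import struct
import ipaddress

# Constructed NAT table (not from the thread): the public address that
# vpn.company.com resolves to, mapped to the address inside clients should use.
NAT_TABLE = {"203.0.113.10": "192.168.1.1"}


def _skip_name(pkt, off):
    """Return the offset just past the domain name that starts at off.
    Handles plain labels and RFC 1035 compression pointers (0xC0xx)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def _answer_records(pkt):
    """Yield (rtype, rclass, rdata_offset, rdlen) for every answer RR."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if not flags & 0x8000:             # QR bit clear: a query, nothing to doctor
        return
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen


def doctor_dns_response(pkt, nat_table):
    """Return a copy of the response with A-record RDATA rewritten per nat_table.
    Only IN A records whose address is a key of nat_table are touched."""
    pkt = bytearray(pkt)
    for rtype, rclass, off, rdlen in _answer_records(pkt):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addr = str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))
            if addr in nat_table:
                pkt[off:off + 4] = ipaddress.IPv4Address(nat_table[addr]).packed
    return bytes(pkt)


def answer_addresses(pkt):
    """List the IPv4 addresses carried in a response's A records."""
    return [str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))
            for rtype, rclass, off, rdlen in _answer_records(pkt)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def _encode_name(name):
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_response(name, addr, txid=0x1234):
    """Construct a minimal DNS response: one question, one A answer (TTL 300).
    The answer name is a compression pointer to the question at offset 12."""
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
              + ipaddress.IPv4Address(addr).packed)
    return header + question + answer


if __name__ == "__main__":
    reply = build_response("vpn.company.com", "203.0.113.10")
    print("from external DNS:", answer_addresses(reply))
    print("after rewrite:    ", answer_addresses(doctor_dns_response(reply, NAT_TABLE)))
```

The model keeps the packet length unchanged, which is why a firewall can do this on the fly without touching anything but the A-record payload; replies for names that do not map to an entry in the table pass through untouched.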
