Remote VPN connection from a LAN

sandman42
Level 1

Hi,

I have one LAN connected to the internet via an ASA 5505 (called LocalASA) and a router without NAT (we have 8 public IP).

I'd need to allow clients inside the LAN to connect to a remote VPN via software client, i.e. without having to set a site-to-site VPN on my ASA.

I've set up a rule that allows udp/500 to the remote firewall endpoint, but no luck: the rule gets no hits.

How can I set up this connection?

Thanks a lot.

Ciao

2 Replies

andrew.prince
Level 10

Francesco,

Are you blocking any traffic on the "inside" interface of LocalASA?

From the local LAN, can you ping the remote VPN gateway IP address?

sandman42
Level 1

Yes, I do block.

I allow only the traffic I want.

My question is: which port shall I enable in order to make it work?

I've also tried with an inside -> outside "allow ip" and an outside -> inside "allow ip", but the rule doesn't trigger, i.e. I have no entry in the log.

I'm a little bit confused....

About the ping: the remote doesn't respond to pings, but I've tried a remote host which does respond, by adding these rules:

access-list inside_access_in extended permit icmp inside_network 255.255.255.0 host REMOTE-THAT-RESPONDS

access-list outside_access_in extended permit icmp host REMOTE-THAT-RESPONDS inside_network 255.255.255.0

The error I have is:

Deny icmp src outside:REMOTE-THAT-RESPONDS dst inside:OUTSIDE-VLAN-IP (type 0, code 0) by access-group "outside_access_in" [0x0, 0x0]

Where OUTSIDE-VLAN-IP is defined in:

interface Vlan2
 nameif outside
 security-level 0
 ip address OUTSIDE-VLAN-IP OUTSIDE-VLAN-NETMASK

It works if I change the rules to:

access-list inside_access_in extended permit icmp any host REMOTE-THAT-RESPONDS

access-list outside_access_in extended permit icmp host REMOTE-THAT-RESPONDS any

but it seems to me that using the "any" keyword is too wide. Am I correct?

Thanks

Ciao
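The deny message quoted in the reply above already explains why the narrow outside_access_in entry never matches: the logged destination is the ASA's own outside interface address (OUTSIDE-VLAN-IP), not an address inside inside_network, so an ACE whose destination is inside_network cannot match that packet while "any" can. The following is an added illustration, not code from the thread or from Cisco: a small first-match evaluator for ASA-style extended ACEs that parses the quoted log line and checks it against three variants of the outside rule. The addresses 10.0.0.0/24, 203.0.113.5 and 198.51.100.10 are constructed stand-ins for inside_network, REMOTE-THAT-RESPONDS and OUTSIDE-VLAN-IP, which the thread redacts; the reason the reply is addressed to the outside interface is presumably that inside hosts are translated to that address on the way out, but the thread does not show the nat configuration, so that is an assumption.

```python
"""Evaluate Cisco ASA-style extended ACEs against the packet an ASA
'Deny ... by access-group' log line reports.  Added illustration only;
not code from the forum thread or from Cisco."""
import ipaddress
import re

# Constructed placeholder values; the thread redacts the real addresses.
INSIDE_NETWORK = "10.0.0.0 255.255.255.0"   # stands in for "inside_network 255.255.255.0"
REMOTE = "203.0.113.5"                       # stands in for REMOTE-THAT-RESPONDS
OUTSIDE_VLAN_IP = "198.51.100.10"            # stands in for OUTSIDE-VLAN-IP

# The deny message quoted in the thread, with the placeholders substituted in.
DENY_LOG = (f"Deny icmp src outside:{REMOTE} dst inside:{OUTSIDE_VLAN_IP} "
            '(type 0, code 0) by access-group "outside_access_in" [0x0, 0x0]')


def _parse_addr(tokens):
    """Consume one address spec from the token list: any | host A | NET MASK."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)                       # dotted netmask, as in ASA syntax
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST'."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError("unsupported ACE: " + line)
    rest = tokens[5:]
    src = _parse_addr(rest)                    # source is consumed first
    dst = _parse_addr(rest)
    return {"acl": tokens[1], "action": tokens[3], "proto": tokens[4],
            "src": src, "dst": dst}


def parse_deny_log(line):
    """Pull protocol, addresses and ACL name out of an ASA access-group deny line."""
    m = re.search(r'Deny (\w+) src \w+:(\S+) dst \w+:(\S+).*?by access-group "([^"]+)"', line)
    if not m:
        raise ValueError("not an ASA access-group deny line")
    return {"proto": m.group(1), "src": m.group(2), "dst": m.group(3), "acl": m.group(4)}


def evaluate(acl_lines, acl, proto, src, dst):
    """First matching ACE in the named ACL wins; an ASA ACL ends in an implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in map(parse_ace, acl_lines):
        if ace["acl"] != acl or ace["proto"] not in (proto, "ip"):
            continue
        if src_ip in ace["src"] and dst_ip in ace["dst"]:
            return ace["action"]
    return "deny (implicit)"


def compare_variants(log_line=DENY_LOG):
    """Check the logged packet against the two rules from the thread and a tighter alternative."""
    pkt = parse_deny_log(log_line)
    variants = {
        "inside_network as destination": [
            f"access-list outside_access_in extended permit icmp host {REMOTE} {INSIDE_NETWORK}"],
        "any as destination": [
            f"access-list outside_access_in extended permit icmp host {REMOTE} any"],
        "outside interface address as destination": [
            f"access-list outside_access_in extended permit icmp host {REMOTE} host {OUTSIDE_VLAN_IP}"],
    }
    return {name: evaluate(lines, pkt["acl"], pkt["proto"], pkt["src"], pkt["dst"])
            for name, lines in variants.items()}


if __name__ == "__main__":
    for name, verdict in compare_variants().items():
        print(f"{name:45s} -> {verdict}")
```

Run as a script it prints the verdict for each variant: the inside_network rule falls through to the implicit deny, while both "any" and the host entry for the outside interface address permit the reply, so the third form is the narrower replacement for "any" in this situation. As a general ASA caveat that the thread itself does not verify: the ASA is stateful, and with ICMP inspection enabled (inspect icmp in the policy map) echo replies to pings started from inside are admitted without any outside_access_in entry at all; the evaluator only models the ACL match that the quoted log line reports.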