02-15-2008 02:44 PM
When SSL VPN sessions are established, they can access the internal network (behind the ASA) without any problem. I had to create a NAT exception rule for this (as per Document ID 99756).
But I cannot get access to the outside network. Do I need a NAT rule or an access rule? ASDM logging doesn't show any access errors.
Split tunneling isn't an option as the purpose of this is to gain access to Internet-based resources from prohibited networks.
02-18-2008 06:54 PM
Hi Shawn,
Where can you not access the outside?
What is the configuration?
02-19-2008 06:51 AM
same-security-traffic permit intra-interface
! lets a flow enter and leave the ASA on the same interface (hairpin)
global (outside) 1 interface
! PAT flows leaving outside under NAT ID 1 to the outside interface address
nat (outside) 1 <vpn-address-pool> <netmask>
! NAT ID 1 for the SSL VPN pool arriving on outside (pool not given in the post)
That should do it...
02-19-2008 07:23 AM
Perfect. I picked that up from another thread (that I think you even answered). IMHO Cisco should add this in as an optional step in the SSL VPN examples.
Do you know if it's possible to access statically NATed hosts from the inside via their external IPs?
I.e., host1 is statically NATed, hosts 2-10 are not, and they resolve host1's HTTP URLs to the external IP (name resolution is happening internally and not passing through the firewall), but they cannot hairpin through the firewall to connect via the external IP.
02-19-2008 08:38 AM
So if I understand correctly, a host on the inside tries to access yourdomain.com, which resolves to an external IP. This external IP is translated in your firewall to an internal IP. To get this to work, the setup would be something like this...
webserver inside ip = x.x.x.x
webserver external ip = y.y.y.y
inside host subnet = z.z.z.z/24
same-security-traffic permit intra-interface
! permit inside hosts' traffic to re-enter and exit on the inside interface
static (inside,inside) y.y.y.y x.x.x.x netmask 255.255.255.255
! inside hosts that send to y.y.y.y have it untranslated to the real server x.x.x.x
global (inside) 10 interface
nat (inside) 10 z.z.z.z 255.255.255.0
! hairpinned connections from z.z.z.z/24 are PATed to the inside interface address under NAT ID 10
That should do the trick.
02-21-2008 05:47 PM
That worked about halfway.
It allowed me to access the inside host via its external address, but then I couldn't get to anything else and the log reported:
3 Feb 21 2008 19:42:27 305006 71.5.102.254 portmap translation creation failed for tcp src inside:192.168.1.44/1221 dst outside:71.5.102.254/1234
02-22-2008 07:21 AM
Could you post your config?
02-23-2008 06:22 AM
02-25-2008 07:20 AM
Sorry for the delay, try...
webserver inside ip = x.x.x.x
webserver external ip = y.y.y.y
inside host subnet = z.z.z.z/24
same-security-traffic permit intra-interface
static (inside,inside) y.y.y.y x.x.x.x netmask 255.255.255.255
! maps the external address back to the real server for inside-to-inside traffic
global (inside) 1 interface
! uses NAT ID 1, so whatever nat (inside) 1 entry already covers the inside
! hosts also PATs them on this interface; no separate nat (inside) 10 is needed
02-29-2008 06:23 AM
You're a genius, that seems to work perfectly.
I swear I look at these NAT rules and they make sense and then I try to do something and I'm lost.
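As an added example (not code from the thread or from Cisco), the following Python model walks through why the 02-19 08:38 configuration broke outbound access while the 02-25 one works. It reduces pre-8.3 ASA NAT to the pieces the thread uses: same-security-traffic permit intra-interface, a bidirectional static (real,mapped) entry, and dynamic PAT chosen by the most specific nat network on the ingress interface followed by a global with the same NAT ID on the egress interface. A matching nat entry with no matching global is reported the way the 02-21 log did (305006, portmap translation creation failed). Everything but 192.168.1.44 and 71.5.102.254 is assumed: the web server's real and external addresses stand in for x.x.x.x and y.y.y.y, 192.168.50.0/24 is the SSL VPN pool the first answer's nat (outside) line needs, and a pre-existing nat (inside) 1 0.0.0.0 0.0.0.0 is assumed for the LAN. The lookup order is a simplification of the ASA's real NAT order and the syntax is pre-8.3 only (8.3 replaced nat/global with object NAT).

```python
"""Simplified pre-8.3 ASA NAT lookup for the hairpin cases in this thread.

Assumed model: statics first (both directions); then the most specific
'nat' entry on the ingress interface picks a NAT ID; the egress interface
must have a 'global' with that ID or the flow fails (305006 in the thread);
no matching 'nat' at all means the flow passes untranslated (nat-control off).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Asa:
    ifaddr: dict                                  # interface -> its IPv4 address
    intra_interface: bool = False                 # same-security-traffic permit intra-interface
    statics: list = field(default_factory=list)   # (real_ifc, mapped_ifc, mapped_ip, real_ip)
    nats: list = field(default_factory=list)      # (ifc, nat_id, IPv4Network)
    globals_: list = field(default_factory=list)  # (ifc, nat_id) = 'global (ifc) id interface'

    def static(self, real_ifc, mapped_ifc, mapped_ip, real_ip):
        self.statics.append((real_ifc, mapped_ifc, mapped_ip, real_ip))

    def nat(self, ifc, nat_id, network):
        self.nats.append((ifc, nat_id, ipaddress.ip_network(network)))

    def global_interface(self, ifc, nat_id):
        self.globals_.append((ifc, nat_id))

    def translate(self, ingress, egress, src, dst):
        """Translation decision for one new connection: ok, src, dst, reason."""
        if ingress == egress and not self.intra_interface:
            return {"ok": False, "src": src, "dst": dst,
                    "reason": "same-interface traffic not permitted"}
        for real_ifc, mapped_ifc, mapped_ip, real_ip in self.statics:
            # mapped-side host sending to the mapped address reaches the real one
            if mapped_ifc == ingress and dst == mapped_ip:
                dst = real_ip
            # the real host leaving towards the mapped side takes its mapped address
            if real_ifc == ingress and mapped_ifc == egress and src == real_ip:
                return {"ok": True, "src": mapped_ip, "dst": dst, "reason": "static"}
        matches = [(net.prefixlen, nat_id) for ifc, nat_id, net in self.nats
                   if ifc == ingress and ipaddress.ip_address(src) in net]
        if not matches:
            return {"ok": True, "src": src, "dst": dst,
                    "reason": "no nat entry; passed untranslated"}
        _, nat_id = max(matches)                  # longest prefix wins
        if (egress, nat_id) not in self.globals_:
            return {"ok": False, "src": src, "dst": dst,
                    "reason": f"305006: no global with NAT ID {nat_id} on {egress}"}
        return {"ok": True, "src": self.ifaddr[egress], "dst": dst,
                "reason": f"PAT via NAT ID {nat_id} to the {egress} interface"}


# Assumed addresses (only 192.168.1.44 and 71.5.102.254 come from the thread).
WEB_REAL, WEB_MAPPED = "192.168.1.10", "203.0.113.10"      # x.x.x.x, y.y.y.y
VPN_POOL, INSIDE_HOST, INTERNET_HOST = "192.168.50.0/24", "192.168.1.44", "71.5.102.254"


def base_config():
    """First answer: hairpin the SSL VPN pool back out of the outside interface."""
    asa = Asa(ifaddr={"inside": "192.168.1.1", "outside": "203.0.113.1"})
    asa.intra_interface = True             # same-security-traffic permit intra-interface
    asa.nat("inside", 1, "0.0.0.0/0")      # nat (inside) 1 0.0.0.0 0.0.0.0   (assumed existing)
    asa.global_interface("outside", 1)     # global (outside) 1 interface
    asa.nat("outside", 1, VPN_POOL)        # nat (outside) 1 <vpn pool>       (pool assumed)
    return asa


def intermediate_config():
    """The 02-19 08:38 suggestion: a separate NAT ID 10 for the hairpin."""
    asa = base_config()
    asa.static("inside", "inside", WEB_MAPPED, WEB_REAL)   # static (inside,inside) y x
    asa.global_interface("inside", 10)                     # global (inside) 10 interface
    asa.nat("inside", 10, "192.168.1.0/24")                # nat (inside) 10 z.z.z.z/24
    return asa


def final_config():
    """The 02-25 fix: reuse NAT ID 1 so the LAN's nat entry has a global on both egress interfaces."""
    asa = base_config()
    asa.static("inside", "inside", WEB_MAPPED, WEB_REAL)
    asa.global_interface("inside", 1)                      # global (inside) 1 interface
    return asa


def run_cases(asa):
    """The three connections the thread discusses, keyed by name."""
    return {
        "vpn_to_internet": asa.translate("outside", "outside", "192.168.50.10", INTERNET_HOST),
        "lan_to_web_by_external_ip": asa.translate("inside", "inside", INSIDE_HOST, WEB_MAPPED),
        "lan_to_internet": asa.translate("inside", "outside", INSIDE_HOST, INTERNET_HOST),
    }


if __name__ == "__main__":
    for name, cfg in (("intermediate", intermediate_config), ("final", final_config)):
        for case, result in run_cases(cfg()).items():
            print(f"{name:12} {case:26} {'OK  ' if result['ok'] else 'FAIL'} {result['reason']}")
```

Running it shows the intermediate configuration handing inside hosts to NAT ID 10 (the /24 beats the assumed 0.0.0.0/0 entry) and then finding no global (outside) 10, which is the failure the 02-21 log reported, while the final configuration keeps every inside flow on NAT ID 1 and PATs it to whichever interface it leaves by. Two practitioner caveats the model leaves out: hairpinned flows are still filtered by the access-list applied to the ingress interface, and the intra-interface permit applies to the whole box, so check which other same-interface flows it opens up.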