Cisco Support Community

swb
New Member

ASA 5505 SSL VPN -- VPN sessions connecting to outside network

When SSL VPN sessions are established, they can access the internal network (behind the ASA) without any problem. I had to create a NAT exception rule for this (as per Document ID 99756).

But I cannot get access to the outside network. Do I need a NAT rule or an access rule? ASDM logging doesn't show any access errors.

Split tunneling isn't an option as the purpose of this is to gain access to Internet-based resources from prohibited networks.

2 ACCEPTED SOLUTIONS

Accepted Solutions
Green

Re: ASA 5505 SSL VPN -- VPN sessions connecting to outside netwo

same-security-traffic permit intra-interface

global (outside) 1 interface

nat (outside)

That should do it...

Green

Re: ASA 5505 SSL VPN -- VPN sessions connecting to outside netwo

Sorry for the delay, try...

webserver inside ip = x.x.x.x

webserver external ip = y.y.y.y

inside host subnet = z.z.z.z/24

same-security-traffic permit intra-interface

static (inside,inside) y.y.y.y x.x.x.x netmask 255.255.255.255

global (inside) 1 interface

9 REPLIES
New Member

Re: ASA 5505 SSL VPN -- VPN sessions connecting to outside netwo

Hi Shawn,

Where exactly can you not reach the outside?

What about the configuration?

Green

Re: ASA 5505 SSL VPN -- VPN sessions connecting to outside netwo

same-security-traffic permit intra-interface
global (outside) 1 interface
nat (outside) 1 <vpn-pool-network> <vpn-pool-mask>
! the VPN address pool was not given in the thread; replace the placeholders with your "ip local pool" network and mask

That should do it...

swb
New Member

Re: ASA 5505 SSL VPN -- VPN sessions connecting to outside netwo

Perfect. I picked that up from another thread (that I think you even answered). IMHO Cisco should add this in as an optional step in the SSL VPN examples.

Do you know if it's possible to access statically NATted hosts from the inside via their external IPs?

I.e., host1 is statically NATted, hosts 2-10 are not, and they resolve host1's HTTP URLs to the external IP (name resolution happens internally and does not pass through the firewall), but they cannot hairpin through the firewall to connect via the external IP.

Green

Re: ASA 5505 SSL VPN -- VPN sessions connecting to outside netwo

So if I understand correctly, a host on the inside tries to access yourdomain.com, which resolves to an external ip. This external ip is translated in your firewall to an internal ip. To get this to work, the setup would be something like this...

webserver inside ip = x.x.x.x
webserver external ip = y.y.y.y
inside host subnet = z.z.z.z/24

same-security-traffic permit intra-interface
static (inside,inside) y.y.y.y x.x.x.x netmask 255.255.255.255
global (inside) 10 interface
nat (inside) 10 z.z.z.z 255.255.255.0

That should do the trick.

swb
New Member

Re: ASA 5505 SSL VPN -- VPN sessions connecting to outside netwo

That worked like halfway.

It allowed me to access the inside host via its external address, but then I couldn't get to anything else and the log reported:

3 Feb 21 2008 19:42:27 305006 71.5.102.254 portmap translation creation failed for tcp src inside:192.168.1.44/1221 dst outside:71.5.102.254/1234

Green

Re: ASA 5505 SSL VPN -- VPN sessions connecting to outside netwo

Could you post your config?

swb
New Member

Re: ASA 5505 SSL VPN -- VPN sessions connecting to outside netwo

Sure. I added the output of "show tech support".

Green

Re: ASA 5505 SSL VPN -- VPN sessions connecting to outside netwo

Sorry for the delay, try...

webserver inside ip = x.x.x.x
webserver external ip = y.y.y.y
inside host subnet = z.z.z.z/24

same-security-traffic permit intra-interface
static (inside,inside) y.y.y.y x.x.x.x netmask 255.255.255.255
global (inside) 1 interface
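Putting the two accepted answers together, as an added example that is not from the thread or from Cisco: a constructed pre-8.3 ASA 5505 configuration covering both the VPN-to-Internet hairpin on the outside interface and the inside-to-inside static for the web server, with every dynamic translation under a single NAT id. The interface names, the 192.168.1.0/24 inside subnet (taken from the syslog line earlier in the thread), the documentation-range public address 203.0.113.10, the VPN pool 192.168.50.0/24 and the ACL names are assumptions for illustration; x.x.x.x, y.y.y.y and z.z.z.z from the post above map to 192.168.1.10, 203.0.113.10 and 192.168.1.0/24.

```cisco
! Constructed example, not the original poster's config.
! Assumed addressing:
!   inside subnet (z.z.z.z/24)   192.168.1.0/24
!   webserver inside (x.x.x.x)   192.168.1.10
!   webserver external (y.y.y.y) 203.0.113.10
!   SSL VPN address pool         192.168.50.0/24
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Let a packet leave through the interface it arrived on. Both hairpins in
! this thread (VPN client -> Internet, inside host -> inside host via the
! public address) need this.
same-security-traffic permit intra-interface
!
ip local pool SSLVPN-POOL 192.168.50.1-192.168.50.254 mask 255.255.255.0
!
! NAT exemption so VPN clients reach the inside network untranslated
! (the "NAT exception rule" the original poster already has).
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! One NAT id for all dynamic PAT. Each "nat" id needs a matching "global"
! on every interface the traffic can exit; keeping a single id avoids the
! 305006 "portmap translation creation failed" seen earlier in the thread.
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.50.0 255.255.255.0
global (outside) 1 interface
global (inside) 1 interface
!
! Publish the web server on the outside, and map the same public address on
! the inside so inside hosts that resolve the public name hairpin through
! the ASA instead of sending the connection toward the Internet.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
static (inside,inside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
!
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.10 eq www
access-group OUTSIDE-IN in interface outside
```

The reason the earlier attempt only half worked is visible in the syslog the poster quoted: the 305006 message with src inside and dst outside is what the ASA logs when a "nat" statement matches a packet but no "global" with the same id exists on the egress interface. "nat (inside) 10 z.z.z.z 255.255.255.0" also matched the inside hosts for ordinary outbound traffic, and the only id-10 global was on the inside interface, so nothing could be built toward outside. Reusing id 1, which already had a global on outside, is why the final answer works. This syntax applies to ASA 8.2 and earlier; 8.3 replaced nat/global/static with object NAT, so it should not be pasted into a newer release.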

swb
New Member

Re: ASA 5505 SSL VPN -- VPN sessions connecting to outside netwo

You're a genius, that seems to work perfectly.

I swear I look at these NAT rules and they make sense and then I try to do something and I'm lost.
