Cisco ASA: Connect AnyConnect client from within inside IPsec tunnel

I have a Cisco ASA on a dynamic WAN IP with an IPsec site-to-site tunnel to a remote Linux host in a datacenter with a static WAN IP. All non-local traffic is tunneled and the datacenter end is the default gateway for internet traffic. Essentially, the datacenter is the WAN for this location. This meets our requirements; however, this has broken AnyConnect remote access to this ASA's inside network.

I'm already looking for options to forward traffic from the datacenter WAN to a host behind the ASA's DMZ interface and proxy it back at the ASA, since inter-interface traffic seems not to be possible. I'm also considering replacing the field's AnyConnect clients with OpenVPN and using the datacenter host as the destination for VPN connections.

That being said, both are more complex than I would like to deal with, so I'm hoping I'm missing an option in the ASA that will allow me to NAT traffic from a remote client to the outside interface's dynamic IP while remaining inside the tunnel. I'm aware of the overhead, but since the location is served by a 3G modem, this datacenter tunnel is my way around the dynamic IP.

Here's a diagram of the connection:

{10.0.0.0/24}INSIDE------|___LOCAL___OUTSIDE(dynamic)=======/
{10.254.254.0/24}DMZ-----|

/=========(static)WAN___REMOTE___|---LAN{172.16.2.0/24}

The ASA's metric 1 route is the datacenter's static IP using the 3G modem as the gateway. The metric 2 route is the default (0.0.0.0/0) using 172.16.2.1 as the gateway.

The ASA VPN side is set to make the DMZ network available in the tunnel, and the datacenter side is set to make 0.0.0.0/0 available. However, even a TCPing to the DMZ interface of the ASA from the datacenter reports port 443 closed on 10.254.254.1, even though VPN access is turned on.

Thank you for any help working with the ASA's features or confirmation I'll have to look at options beyond the ASA if I want to retain remote access inside.
