Using ASA only as a VPN appliance behind a different router/firewall

jmbrewer9x
Level 1

I'm trying to set this up using only the Outside interface (nothing attached to inside at all). I've got the VPN set up and I can connect to it from the outside, but I go nowhere after connecting. I can ping the inside address of the ASA, but nothing else on the inside network. So I'm curious what I may need to enter as far as routes.

For the setup I currently have, the 5508's outside interface is connected to a switch that connects to my router/firewall's inside interface. Let's assume my network is 192.168.1.0 255.255.255.0. I have the outside interface on my ASA at the address 192.168.1.100. I set up the VPN to hand out addresses in the pool of 192.168.1.200-192.168.1.220. Are there any routes or firewall rules I would need to set up to pull this off?

6 Replies

Well, there will only be one route, as everything is going through the outside interface:

route outside 0.0.0.0 0.0.0.0  192.168.1.100

What is the IP address of the outside interface of the 5508?

I was just thinking about the NAT and how you subnet your 192.168.1.0:

object network inside

subnet 192.168.1.0 255.255.255.128

Let's make the VPN client pool 192.168.1.192/28:

object network CISCO-VPN-CLIENT

subnet 192.168.1.192 255.255.255.240

nat (outside,outside) source static CISCO-VPN-CLIENT CISCO-VPN-CLIENT destination static inside inside no-proxy-arp route-lookup

I apologize, Richard, I incorrectly said I could ping the inside interface of the ASA; I should have said outside. The outside interface is 192.168.1.100. So would the above still be good?

Also, I don't have anything set on the inside interface. Currently no interface is configured as inside. Should I set one up?

Oh, OK... sorry, I see what you're saying now. I'm creating the "inside" with that first command. Sorry, it's too early and the caffeine hasn't kicked in yet. :) I'll give this a try.

Just to clarify, your network looks like this:

PC> Internet----< outside interface Firewall /Router  inside interface>--192.168.1.0/24----< outside interface 5508 VPN termination>

So what are the IP addresses of the inside interface of the firewall/router and the outside interface of the 5508?

Yes, correct, that is how the network is set up.

Instead of the route statement you have, I already had one in place pointing to my gateway on the LAN (192.168.1.1; this is the IP of the router/firewall). The outside interface of the 5508 is 192.168.1.100.

Also, see above: I ended up changing the VPN pool to a totally different subnet when I retried everything.

OK, so I gave this a try, but it didn't seem to work. I also tried just putting the VPN pool into a totally separate subnet. Below is what I did.

I did the first command as you suggested.

object network inside

subnet 192.168.1.0 255.255.255.0

(I just went ahead and made it the whole subnet because I changed the VPN-POOL to be on a different one.)

object network VPN-POOL

subnet 192.168.50.0 255.255.255.0

nat (outside,outside) source static VPN-POOL VPN-POOL destination static inside inside no-proxy-arp route-lookup

I still was unable to get to anything on the 192.168.1.0 network.
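For reference, here is an added example configuration (not posted by anyone in this thread) that pulls together the pieces for this "VPN on the outside interface" design, using the addresses given above (ASA outside 192.168.1.100, LAN gateway 192.168.1.1, client pool 192.168.50.0/24). The pool name VPN-POOL and the packet-tracer addresses are assumptions for illustration.

```text
! Hairpin: VPN traffic enters on outside and must leave on outside again
! to reach the LAN, so same-interface forwarding has to be permitted.
same-security-traffic permit intra-interface

! Client address pool on a subnet separate from the LAN.
! (Assumes this pool is already assigned to the tunnel-group / group-policy.)
ip local pool VPN-POOL 192.168.50.1-192.168.50.254 mask 255.255.255.0

! Objects for the LAN and the client pool
object network inside
 subnet 192.168.1.0 255.255.255.0
object network VPN-POOL
 subnet 192.168.50.0 255.255.255.0

! Identity (NAT-exempt) twice NAT so client <-> LAN traffic keeps its real
! addresses; route-lookup picks the egress interface from the routing table.
nat (outside,outside) source static VPN-POOL VPN-POOL destination static inside inside no-proxy-arp route-lookup

! Default route points at the router/firewall's inside address,
! not at the ASA's own outside IP.
route outside 0.0.0.0 0.0.0.0 192.168.1.1

! Verification: simulate a ping from a VPN client to a LAN host
! (both host addresses are constructed for this example).
packet-tracer input outside icmp 192.168.50.10 8 0 192.168.1.50
```

Because the pool lives on a subnet the LAN does not know, the router/firewall at 192.168.1.1 also needs a static route for 192.168.50.0/24 via 192.168.1.100; otherwise LAN hosts send their replies to the default gateway and the return traffic never reaches the ASA.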