Cisco Support Community
New Member

ASA - how to allow global NAT and AnyConnect VPN through border and external interfaces?

ISP provided redundant links that route our public IP space through a border network.  The 2 ISP handoffs go into a pair of 3750 switches, layer 2, and the switches uplink to an active/standby ASA pair.
The ASA outside interface, Gi 0/0, has an IP address in the border network.  The ASA inside interface, Gi 0/1, has an IP address in our public IP block.  Our internal private networks are subinterfaces, Gi 0/1.1 and Gi 0/1.2.  ISP routes our public IP space to the IP assigned to Gi 0/1.  The default route out the ASA points to the ISP border gateway VIP.  We have verified internet traffic is routing properly.
But what I am having trouble with is getting both a global NAT to allow all private nodes access to the internet, and AnyConnect VPN to respond on Gi0/1.  Your typical configuration examples have a public IP address on the outside, and private IP on the inside.  In our case we also have the "border" network to deal with.  Can anyone point me in the right direction?
For example:
Gi 0/0 - 10.0.0.1 255.255.255.248 (border network - this is really a public IP but using private for example) security level 0

Gi 0/1 - 192.168.0.1 255.255.255.0 (our public IP block - again, this is really a public IP) security level 1

Gi 0/1.1 - 172.16.0.1 255.255.255.0 (internal private network) security level 100
ISP border VIP is 10.0.0.2 255.255.255.248 - ASA default route is to 10.0.0.2.

ISP routes 192.168.0.0/24 to 10.0.0.1.

When setting up AnyConnect to listen on 192.168.0.1, it does not respond to requests over the internet.

I can put a system on 192.168.0.2 255.255.255.0 on an internal switch behind the firewall, open firewall ports, and access it over the internet, confirming the routing is working properly.
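The following is an added illustration of the topology described in the post, written by the editor in ASA 8.3+ object-NAT syntax; it is not the poster's configuration and the original thread contains no answer. The interface addresses, masks, security levels and default route are the example values given above; the VLAN id, the AnyConnect image filename and the VPN address pool are assumed placeholders. The example terminates AnyConnect on Gi0/0 (the interface on which Internet traffic actually arrives) rather than on Gi0/1, because an ASA does not accept connections to one of its own interface addresses when the packets arrive on a different interface; the host test at 192.168.0.2 works because that traffic is forwarded through the ASA rather than terminated on it.

```cisco
! Gi0/0: border network toward the ISP (example addressing from the post)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.0.0.1 255.255.255.248
!
! Gi0/1 physical interface: untagged traffic, our routed public block
interface GigabitEthernet0/1
 nameif public
 security-level 1
 ip address 192.168.0.1 255.255.255.0
!
! Gi0/1.1: tagged subinterface for the internal private network
! (VLAN id 10 is assumed; the post does not give one)
interface GigabitEthernet0/1.1
 vlan 10
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.255.0
!
! Default route to the ISP border VIP
route outside 0.0.0.0 0.0.0.0 10.0.0.2
!
! Global PAT for the private network: translate to the outside
! interface address (10.0.0.1) when leaving toward the ISP.
object network INSIDE_NET
 subnet 172.16.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! AnyConnect address pool (assumed range, not from the post)
ip local pool VPN_POOL 172.16.99.1-172.16.99.254 mask 255.255.255.0
!
! NAT exemption so VPN client traffic to the inside network is not
! translated (twice NAT, evaluated before the object NAT rule above)
object network VPN_POOL_NET
 subnet 172.16.99.0 255.255.255.0
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL_NET VPN_POOL_NET no-proxy-arp route-lookup
!
! AnyConnect is enabled on the interface that receives Internet traffic.
! Enabling it only on "public" (Gi0/1) would not answer clients that
! arrive via the border network on Gi0/0.
webvpn
 enable outside
 anyconnect image disk0:/ANYCONNECT-IMAGE-PLACEHOLDER.pkg 1
 anyconnect enable
!
group-policy VPN_POLICY internal
group-policy VPN_POLICY attributes
 vpn-tunnel-protocol ssl-client
!
tunnel-group VPN_USERS type remote-access
tunnel-group VPN_USERS general-attributes
 address-pool VPN_POOL
 default-group-policy VPN_POLICY
```

Clients would connect to 10.0.0.1 (or a name resolving to it); if a PAT address inside 192.168.0.0/24 is preferred over the interface address, replace `dynamic interface` with a network object holding an unused address from that block, which the ISP already routes to 10.0.0.1. Verification from the ASA: `show nat` should report hits on the INSIDE_NET rule for Internet-bound traffic, and `show run webvpn` should list `enable outside`.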
