https://community.cisco.com/t5/network-security/permit-vpn-client-to-access-outside-interface/m-p/793524#M970072 <HTML><HEAD></HEAD><BODY><P>Not sure if you need the outside keyword on the end, but other than that it looks okay.</P><P></P><P>Does this router have a route to the vpn client subnet?</P></BODY></HTML> Tue, 04 Sep 2007 18:22:45 GMT acomiskey 2007-09-04T18:22:45Z https://community.cisco.com/t5/network-security/permit-vpn-client-to-access-outside-interface/m-p/793521#M970069 <P>how do i permit my remote vpn client to access my router that is situated on the outside interface.</P><P></P><P>i have this setup:</P><P>lan--firewall--router--internet</P><P></P><P>i was able to let the remote vpn client access resource on my DMZ. Now, i also need to allow it to access my router on one of its outside interface.</P><P></P><P>below is a sample config:</P><P></P><P>interface Ethernet0/0</P><P> nameif outside_bayantel</P><P> security-level 0</P><P> ip address 121.97.xx.xx 255.255.255.248 </P><P>!</P><P>interface Ethernet0/1</P><P> nameif inside_lan_data</P><P> security-level 100</P><P> ip address 192.168.100.1 255.255.255.0 </P><P>!</P><P>interface Ethernet0/2</P><P> nameif DMZ_to_Voice</P><P> security-level 50</P><P> ip address 192.168.200.1 255.255.255.0 </P><P>!</P><P>interface Ethernet0/3</P><P> nameif outside_PLDT</P><P> security-level 0</P><P> ip address 192.168.50.2 255.255.255.0 </P><P>!</P><P>access-list inside_lan_data_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.100.168 255.255.255.248 </P><P>access-list outside_PLDT_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.100.168 255.255.255.248 </P><P>access-list DMZ_to_Voice_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.100.168 255.255.255.248 </P><P>access-list ccbslan_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0 </P><P>access-list ccbslan_splitTunnelAcl standard permit host 192.168.200.2 </P><P>access-list ccbslan_splitTunnelAcl standard permit host 192.168.50.1 </P><P></P><P>ip local pool ccbslan_pool 192.168.100.170-192.168.100.175</P><P>global (outside_bayantel) 101 interface</P><P>global (outside_PLDT) 101 interface</P><P>nat (inside_lan_data) 0 access-list inside_lan_data_nat0_outbound</P><P>nat (inside_lan_data) 101 192.168.100.0 255.255.255.0</P><P>nat (DMZ_to_Voice) 0 access-list DMZ_to_Voice_nat0_outbound</P><P>nat (DMZ_to_Voice) 101 192.168.200.0 255.255.255.0</P><P>nat (outside_PLDT) 0 access-list outside_PLDT_nat0_outbound outside</P><P>static (DMZ_to_Voice,outside_bayantel) 121.97.xx.xx 192.168.200.2 netmask 255.255.255.255 </P><P>static (inside_lan_data,DMZ_to_Voice) 192.168.100.2 192.168.100.2 netmask 255.255.255.255 </P><P>static (inside_lan_data,DMZ_to_Voice) 192.168.100.99 192.168.100.99 netmask 255.255.255.255 </P><P>static (inside_lan_data,DMZ_to_Voice) 192.168.100.13 192.168.100.13 netmask 255.255.255.255 </P><P>access-group outside_bayantel_access_in in interface outside_bayantel</P><P>access-group outside_PLDT_access_in in interface outside_PLDT</P><P>route outside_bayantel 0.0.0.0 0.0.0.0 121.97.79.25 1 track 1</P><P>route outside_PLDT 0.0.0.0 0.0.0.0 192.168.50.1 254</P><P>group-policy ccbslan internal</P><P>group-policy ccbslan attributes</P><P> dns-server value 192.168.100.3 4.2.2.2</P><P> vpn-tunnel-protocol IPSec </P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value ccbslan_splitTunnelAcl</P><P></P><P>how do i allow the remote vpn client to access my router at 192.168.50.1?</P><P></P> Mon, 11 Mar 2019 11:06:25 GMT https://community.cisco.com/t5/network-security/permit-vpn-client-to-access-outside-interface/m-p/793521#M970069 brianbono 2019-03-11T11:06:25Z https://community.cisco.com/t5/network-security/permit-vpn-client-to-access-outside-interface/m-p/793522#M970070 <HTML><HEAD></HEAD><BODY><P>You may have to allow same security level interfaces to communicate.</P><P></P><P>same-security-traffic permit inter-interface</P></BODY></HTML> Tue, 04 Sep 2007 14:50:27 GMT https://community.cisco.com/t5/network-security/permit-vpn-client-to-access-outside-interface/m-p/793522#M970070 acomiskey 2007-09-04T14:50:27Z https://community.cisco.com/t5/network-security/permit-vpn-client-to-access-outside-interface/m-p/793523#M970071 <HTML><HEAD></HEAD><BODY><P>i've done that but still i cannot communicate to my router at Ethernet0/3.</P><P></P><P>access-list outside_PLDT_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.100.168 255.255.255.248 </P><P>nat (outside_PLDT) 0 access-list outside_PLDT_nat0_outbound outside</P><P></P><P>are this NAT exempt configuration correct?</P><P></P><P></P></BODY></HTML> Tue, 04 Sep 2007 16:58:31 GMT https://community.cisco.com/t5/network-security/permit-vpn-client-to-access-outside-interface/m-p/793523#M970071 brianbono 2007-09-04T16:58:31Z https://community.cisco.com/t5/network-security/permit-vpn-client-to-access-outside-interface/m-p/793524#M970072 <HTML><HEAD></HEAD><BODY><P>Not sure if you need the outside keyword on the end, but other than that it looks okay.</P><P></P><P>Does this router have a route to the vpn client subnet?</P></BODY></HTML> Tue, 04 Sep 2007 18:22:45 GMT https://community.cisco.com/t5/network-security/permit-vpn-client-to-access-outside-interface/m-p/793524#M970072 acomiskey 2007-09-04T18:22:45Z https://community.cisco.com/t5/network-security/permit-vpn-client-to-access-outside-interface/m-p/793525#M970074 <HTML><HEAD></HEAD><BODY><P>no, the router does not have any route to the vpn client subnet. do i need to add?</P><P></P></BODY></HTML> Tue, 04 Sep 2007 19:21:04 GMT https://community.cisco.com/t5/network-security/permit-vpn-client-to-access-outside-interface/m-p/793525#M970074 brianbono 2007-09-04T19:21:04Z https://community.cisco.com/t5/network-security/permit-vpn-client-to-access-outside-interface/m-p/793526#M970076 <HTML><HEAD></HEAD><BODY><P>The router would need to know how to get to the 192.168.100.168 255.255.255.248 network unless of course it's default route is the ASA.</P></BODY></HTML> Tue, 04 Sep 2007 19:22:51 GMT https://community.cisco.com/t5/network-security/permit-vpn-client-to-access-outside-interface/m-p/793526#M970076 acomiskey 2007-09-04T19:22:51Z https://community.cisco.com/t5/network-security/permit-vpn-client-to-access-outside-interface/m-p/793527#M970077 <HTML><HEAD></HEAD><BODY><P>thanks bro... finally I'm able to connect to the router from my remote vpn client.</P></BODY></HTML> Tue, 04 Sep 2007 21:25:21 GMT https://community.cisco.com/t5/network-security/permit-vpn-client-to-access-outside-interface/m-p/793527#M970077 brianbono 2007-09-04T21:25:21Z