I'm wondering if this is possible: I seem to remember reading somewhere that it is, but do you think I can find the article?
(please see attached NET01.JPG file)
I have an ASA5510 with a few servers sitting behind it and some users that authenticate locally to the ASA to access those servers sitting on the 3560, all on the 10.255.255.0/24 network. Nothing too complicated there.
I've recently purchased a CSS11501 and have it configured to load balance between two WWW servers on a 10.0.120.0/24 network using a virtual IP address back on the 10.255.255.0/24 network (10.255.255.51).
When I attach myself to the 3560 and use http://10.255.255.51 I see the expected results, HTTP requests from server 1, sometimes from server 2. The CSS is working just fine.
However, now I need to get my remote clients access to the two servers behind the CSS and I'm finding it a little more tricky than I initially thought. I'm sure I read somewhere that I can simply add a "route inside 10.0.120.0 255.255.255.0 10.255.255.10" to my ASA, adding a route to the CSS, and then that handles the routing from that point forward. Of course, I need to ensure that the VPN client split tunnel group my VPN clients are using includes both 10.0.120.10 and 10.0.120.11, and then I should be OK to move forward. However, in testing this doesn't work.
Re: VPN Client access to servers behind ASA and CSS
Based on the first half of your description, I understand the 2 servers being accessed using the VIP of 10.255.255.51 from the LAN works fine.
Now when using the VPN client, are you going to be accessing the servers using their original IPs (10.0.120.10 and 10.0.120.11) or using the VIP (10.255.255.51)?
If it's going to use the original IPs then what you have mentioned is correct about the split tunnel access-lists. Also, ensure that the internal switch is able to route packets to the VPN pool of IP addresses to the ASA.
If it's going to use the VIP, then you will need to add the VIP to the split ACL (10.255.255.51). Please share a sanitized configuration and also the above details for a clearer problem description.
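Putting the reply's points into configuration form, as an added example that is not from the thread: the ASA route to the CSS, a split-tunnel ACL covering the real-server IPs and the VIP, and a return route on the 3560 for the VPN pool. The ACL and group-policy names, the VPN pool 192.0.2.0/24 and the ASA inside address 10.255.255.1 are assumed placeholders; the thread does not give them.

```cisco
! Added example, not from the thread. Assumed names: split ACL "SPLIT-CSS",
! group policy "CSS-VPN-GP", VPN pool 192.0.2.0/24 (placeholder) and
! ASA inside address 10.255.255.1 (placeholder).

! --- ASA: route the real-server subnet to the CSS (the route from the post) ---
route inside 10.0.120.0 255.255.255.0 10.255.255.10

! --- ASA: split-tunnel ACL. Only these destinations enter the tunnel;
! everything else leaves the client outside it, so keep the list minimal.
! Real-server IPs, if clients connect to the servers directly ...
access-list SPLIT-CSS standard permit host 10.0.120.10
access-list SPLIT-CSS standard permit host 10.0.120.11
! ... and/or the VIP, if clients connect to the load-balanced address.
access-list SPLIT-CSS standard permit host 10.255.255.51

group-policy CSS-VPN-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-CSS

! --- 3560: return path for the VPN pool. Without this, the servers' replies
! are routed by the switch's default path instead of back to the ASA.
! (The CSS, as the servers' next hop, needs an equivalent route to the pool.)
ip route 192.0.2.0 255.255.255.0 10.255.255.1

! --- ASA checks after a client connects ---
show route
show vpn-sessiondb remote
```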