05-12-2009 09:57 AM - edited 03-11-2019 08:31 AM
Hi,
To my understanding ASA 5505 can be configured as a VPN client. (Authenticating with a username/password from authenticating VPN Server)
When you put a device (a PC for example), behind the ASA5505(VPN Client), these devices are able to access resources on the head end of the VPN server.
My question is, are the devices behind the VPN server (head end) able to access devices behind the ClientASA5505, such as a PC?
My assumption is no, because I believe the ASA5505 is PAT'ing, and it's not a 1:1 relationship between devices behind the firewall.
Can anyone confirm or validate this?
Is there any documentation to explain this?
TIA,
-Fred
05-12-2009 10:44 AM
Fred,
Traffic that's local will stay local. The client (ASA) is configured for network extension mode (NEM), and it will allow your inside network to be visible on the other side of the vpn tunnel. But computers that are on "this side" of the tunnel are still able to use their printers, see their other local computers, etc.
I'm not sure where PAT comes into play on this one ;-) The ASA brings the connection up on interesting traffic, and then depending on your interesting traffic acl, traffic that matches the acl will traverse the vpn tunnel.
HTH,
John
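For reference, the two Easy VPN hardware-client modes this thread turns on, as an added ASA configuration sketch that is not from any poster here. The server address, group name, credentials and group-policy name are placeholders.

```text
! --- ASA 5505 as Easy VPN hardware client (remote site) ---
! 192.0.2.1, EZVPN-GROUP, the key and the XAUTH user are placeholders.
vpnclient server 192.0.2.1
vpnclient vpngroup EZVPN-GROUP password <group-key>
vpnclient username <xauth-user> password <xauth-password>
!
! Client (PAT) mode: inside host addresses are hidden from the headend
! network, so hosts behind the headend cannot address PC456 directly.
! vpnclient mode client-mode
!
! Network extension mode: the 5505 inside subnet is routable across the
! tunnel un-translated, so SERVER123 and PC456 can each open connections
! to the other, subject to the access rules on both ASAs.
vpnclient mode network-extension-mode
vpnclient enable

! --- ASA 5510 headend: NEM has to be permitted for the group ---
group-policy EZVPN-POLICY attributes
 nem enable
```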
05-12-2009 12:04 PM
All interesting traffic should not be PATTED, so don't worry :)
05-12-2009 03:34 PM
Thanks for your replies,
I just wanted to ensure I explained this properly.
__________VPNClient(XAUTH)__________VPN-Server
PC456-------ASA5505---INTERNET---ASA5510--SERVER123
The ASA is connecting as a vpn client (ASA5505) to the VPN Server (ASA5510)
Can SERVER123 connect to PC456 and PC456 connect to SERVER123?
Or is it a one way connection from PC456 to SERVER123?
Thanks,
Fred