Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
335
Views
0
Helpful
1
Replies

Impossible to redirect traffic from Outside to Intranet

andre even
Level 1
Level 1

‎03-26-2014 07:07 AM - edited ‎03-11-2019 08:59 PM

Hi,

I use Annyconnect to permit connection of remote clients

to Inside network.

Pool for remote clients 192.168.10.1-100

internal network 192.6.0.0

Anyconnect works fine to access the internal network but now the customer would like that the remote clients

with an IP address in 192.168.10.x could access directly equipements

on the distant site (Subnet 172.16.10.0)  through the Intranet interface (no VPN on Intranet interface, connected to MPLS)

Intranet interface has an IP address in 192.168.1.0.

Here is the path for the traffic:

Annyconnect clients 192.168.10.1-100 --> Outside  'FW'   Intranet -->  Distant network 172.16.10.0

# Security-levels on the ASA 5510 cluster at rel 8.4.7

Inside 100

Outside 0

Intranet 50

Since we don't have the same security level for Intranet and Outside

i have first proposed to create an access-list which permit ip from 192.168.10.1-100 to 172.16.10.0

applied Outbound on the Intranet interface  but it doesn't work

Then i have tried to apply the same access-list Inbound on the outside interface but same issue.

I would like if there is something special to do.

We don't apply NAT on Intranet interface, the remote ASA firewall has been configured to see as Source IP

the anyconnect IP address 192.168.10.1-100

 

Best regards.

A-Even

 

 

 

 

 

 

Labels:
0 Helpful
1 Reply 1

Julio Carvajal
VIP Alumni
VIP Alumni

‎03-26-2014 07:04 PM

Hello,

First of all traffic from the clients going to the Distant network will not need any sort of FW Access-List due to the sysopt connection permit-vpn.

 

What you will need to do is:

-If using any sort of split-tunneling make sure you allow the traffic to the distant network.

-Make sure the devices behind the MPLS network know that in order for reach that VPN Anyconnect Pool of addresses they need to send the traffic to the ASA.

-Make sure the NoNat Rule on the ASA includes traffic from the distant Interface to the VPN Anyconnect Pool.

-If any ACL on the Intranet interface, allow the traffic that will be generated from the distant network.

 

Does it make sense?

 

Jcarvaja,

Remember to rate all of the helpful posts!!!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card