Irksome Cisco ASA behaviour

aa
Level 1

Cisco ASA does not allow an interface to be contacted by hosts attached to another interface. Meaning: if I am on an internal interface, I cannot reach the external interface IP.

This is so irksome, because it means that internal hosts cannot VPN to the external IP.

Anyone else find this painful? Do you have a solution?

2 Replies

owillins
Level 6

Paste your running config and also a brief discussion about your topology.

Thanks for the reply.

I think I've solved the issue by using DNS rewriting.

Consider an internal and external network.

A user with a laptop has a VPN profile that points to vpn.company.com, an external IP.

The user can use the vpn profile when on the Internet to VPN back to the office.

However, the user will be unable to use that profile to create a VPN from the INTERNAL network, because it's not possible to contact the external interface (vpn.company.com address) from the internal network.

The problem can be solved elegantly by having the Cisco do a DNS rewrite of the DNS reply that comes through the firewall. When an internal user queries vpn.company.com, the request passes through the ASA to an external DNS server. When the reply arrives back, the ASA replaces the reply IP address of the DNS query for vpn.company.com with the IP of the internal interface of the ASA.

Internal users are then able to create a VPN from the internal network using the same hostname (vpn.company.com).
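As an added illustration (not part of this thread, and not ASA configuration), the reply rewrite described above in stand-alone Python: it parses a constructed DNS response for vpn.company.com, swaps the public A-record answer for the internal address, and leaves any other name or any unexpected address untouched. The hostname mapping and the addresses 203.0.113.10 (public) and 10.0.0.1 (internal interface) are assumptions made up for the example.

```python
import struct
import ipaddress

# Constructed mapping: name -> (address in the public DNS reply, address internal clients should get)
REWRITES = {"vpn.company.com": ("203.0.113.10", "10.0.0.1")}

def read_name(msg, off):
    """Decode the DNS name at off, following compression pointers; return (name, end_offset)."""
    labels, end = [], None
    while (length := msg[off]) != 0:
        if length & 0xC0 == 0xC0:            # compression pointer: remember where the field ended
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels).lower(), (off + 1 if end is None else end)

def iter_answers(msg):
    """Yield (name, type, class, rdata_offset, rdlen) for each record in the answer section."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):                      # skip the question section
        off = read_name(msg, off)[1] + 4     # QNAME + QTYPE + QCLASS
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield name, rtype, rclass, off, rdlen
        off += rdlen

def a_records(msg):                          # [(name, dotted IPv4)] for every A record in the reply
    return [(n, str(ipaddress.IPv4Address(msg[o:o + 4])))
            for n, t, c, o, l in iter_answers(msg) if (t, c, l) == (1, 1, 4)]

def rewrite_dns_reply(msg, rewrites=REWRITES):
    """Copy of msg with matching A answers swapped to the internal address; everything else is untouched."""
    out = bytearray(msg)
    for name, rtype, rclass, off, rdlen in iter_answers(msg):
        if (rtype, rclass, rdlen) == (1, 1, 4) and name in rewrites:
            public, internal = rewrites[name]
            if msg[off:off + 4] == ipaddress.IPv4Address(public).packed:   # only rewrite the expected answer
                out[off:off + 4] = ipaddress.IPv4Address(internal).packed
    return bytes(out)

def build_reply(name, addr):                 # constructed response: one question, one A answer (name is a pointer)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)        # 12-byte header, QD=1, AN=1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + qname + struct.pack("!HH", 1, 1) + answer
```

The rewrite only fires when both the queried name and the answered address match the mapping, so a reply carrying a different address for vpn.company.com, or the same public address for another name, passes through unchanged.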
