09-04-2007 07:41 AM - edited 03-11-2019 04:06 AM
How do I permit my remote VPN client to access my router, which is situated on the outside interface?
I have this setup:
lan--firewall--router--internet
I was able to let the remote VPN client access resources on my DMZ. Now I also need to allow it to access my router on one of its outside interfaces.
Below is a sample config:
interface Ethernet0/0
nameif outside_bayantel
security-level 0
ip address 121.97.xx.xx 255.255.255.248
!
interface Ethernet0/1
nameif inside_lan_data
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ_to_Voice
security-level 50
ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0/3
nameif outside_PLDT
security-level 0
ip address 192.168.50.2 255.255.255.0
!
access-list inside_lan_data_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.100.168 255.255.255.248
access-list outside_PLDT_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.100.168 255.255.255.248
access-list DMZ_to_Voice_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.100.168 255.255.255.248
access-list ccbslan_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list ccbslan_splitTunnelAcl standard permit host 192.168.200.2
access-list ccbslan_splitTunnelAcl standard permit host 192.168.50.1
ip local pool ccbslan_pool 192.168.100.170-192.168.100.175
global (outside_bayantel) 101 interface
global (outside_PLDT) 101 interface
nat (inside_lan_data) 0 access-list inside_lan_data_nat0_outbound
nat (inside_lan_data) 101 192.168.100.0 255.255.255.0
nat (DMZ_to_Voice) 0 access-list DMZ_to_Voice_nat0_outbound
nat (DMZ_to_Voice) 101 192.168.200.0 255.255.255.0
nat (outside_PLDT) 0 access-list outside_PLDT_nat0_outbound outside
static (DMZ_to_Voice,outside_bayantel) 121.97.xx.xx 192.168.200.2 netmask 255.255.255.255
static (inside_lan_data,DMZ_to_Voice) 192.168.100.2 192.168.100.2 netmask 255.255.255.255
static (inside_lan_data,DMZ_to_Voice) 192.168.100.99 192.168.100.99 netmask 255.255.255.255
static (inside_lan_data,DMZ_to_Voice) 192.168.100.13 192.168.100.13 netmask 255.255.255.255
access-group outside_bayantel_access_in in interface outside_bayantel
access-group outside_PLDT_access_in in interface outside_PLDT
route outside_bayantel 0.0.0.0 0.0.0.0 121.97.79.25 1 track 1
route outside_PLDT 0.0.0.0 0.0.0.0 192.168.50.1 254
group-policy ccbslan internal
group-policy ccbslan attributes
dns-server value 192.168.100.3 4.2.2.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ccbslan_splitTunnelAcl
How do I allow the remote VPN client to access my router at 192.168.50.1?
09-04-2007 07:50 AM
You may have to allow same security level interfaces to communicate.
same-security-traffic permit inter-interface
09-04-2007 09:58 AM
I've done that, but I still cannot communicate with my router at Ethernet0/3.
access-list outside_PLDT_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.100.168 255.255.255.248
nat (outside_PLDT) 0 access-list outside_PLDT_nat0_outbound outside
Is this NAT exempt configuration correct?
09-04-2007 11:22 AM
Not sure if you need the outside keyword on the end, but other than that it looks okay.
Does this router have a route to the vpn client subnet?
09-04-2007 12:21 PM
No, the router does not have any route to the VPN client subnet. Do I need to add one?
09-04-2007 12:22 PM
The router would need to know how to get to the 192.168.100.168 255.255.255.248 network, unless of course its default route is the ASA.
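As an added example (not from the thread, and not Cisco's tooling), a small Python checker that reads an ASA-style config excerpt and reports which of the three ASA-side conditions discussed above are absent for a VPN client to reach a host behind a given interface: same-security inter-interface traffic, NAT exemption of the client pool on that interface, and the target host being covered by the split-tunnel list. The router's own return route (the final fix in this thread) lives on the router, not in the ASA config, so it is outside this check; the config excerpt is constructed from the poster's values, and the function names are my own.

```python
import ipaddress
import re

# Constructed ASA-style excerpt reusing the thread's names and addresses (not the full config).
SAMPLE_CONFIG = """\
same-security-traffic permit inter-interface
access-list outside_PLDT_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.100.168 255.255.255.248
access-list ccbslan_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list ccbslan_splitTunnelAcl standard permit host 192.168.50.1
ip local pool ccbslan_pool 192.168.100.170-192.168.100.175
nat (outside_PLDT) 0 access-list outside_PLDT_nat0_outbound outside
"""

def pool_addresses(cfg):
    """Expand 'ip local pool NAME A-B' into the individual VPN client addresses."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+)", cfg, re.M)
    if not m:
        return []
    lo, hi = (int(ipaddress.IPv4Address(a)) for a in m.groups())
    return [ipaddress.IPv4Address(i) for i in range(lo, hi + 1)]

def acl_networks(cfg, name):
    """Networks an ACL permits: the destination of extended entries, the network of standard ones."""
    nets = []
    pat = (rf"^access-list {name} (?:extended permit ip \S+ \S+ (\S+) (\S+)"
           rf"|standard permit (?:host (\S+)|(\S+) (\S+)))")
    for m in re.finditer(pat, cfg, re.M):
        dst, dmask, host, net, nmask = m.groups()
        if host:
            nets.append(ipaddress.IPv4Network(f"{host}/32"))
        else:
            addr, mask = (dst, dmask) if dst else (net, nmask)
            nets.append(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False))
    return nets

def missing_prerequisites(cfg, iface, target, split_acl):
    """Report which ASA-side conditions from the thread are absent for clients to reach `target`."""
    missing = []
    if not re.search(r"^same-security-traffic permit inter-interface", cfg, re.M):
        missing.append("same-security-traffic")  # needed when both interfaces sit at security-level 0
    pool = pool_addresses(cfg)
    m = re.search(rf"^nat \({iface}\) 0 access-list (\S+)", cfg, re.M)
    exempt = acl_networks(cfg, m.group(1)) if m else []
    if not pool or not all(any(ip in n for n in exempt) for ip in pool):
        missing.append("nat0-exemption")  # every pool address must be NAT-exempt on the router's interface
    if not any(ipaddress.IPv4Address(target) in n for n in acl_networks(cfg, split_acl)):
        missing.append("split-tunnel")  # the client only tunnels what the split list names
    return missing

if __name__ == "__main__":
    print(missing_prerequisites(SAMPLE_CONFIG, "outside_PLDT", "192.168.50.1", "ccbslan_splitTunnelAcl"))
```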
09-04-2007 02:25 PM
Thanks bro... finally I'm able to connect to the router from my remote VPN client.