
VPN Solution/Advice Needed

machine23
Level 1

Currently we have a web portal called BASE-Q, which is hosted on AWS, and our public IP is whitelisted on AWS so anyone can access it from their browser.

As of now, the users that require BASE-Q from home are remoting on to an RDS server so they have access to it.

(VPN method: ASA 5516, AnyConnect, LDAP, split tunnel), so the remote users, once connected, still keep their own public IP. Is there any way the remote users can see the public IP of the workplace, in which case they can access BASE-Q? (Just a thought...)

 

Now the remote users require access to BASE-Q straight from their device browser without having to RDP to a server. Please let me know if you need any more details.

What is the best way to achieve this? 

Thanks 

11 Replies

Hi,

Not sure if I fully understood your question, but... if you include the AWS IP address in your split tunnel, ensuring this IP address is tunnelled directly back to the ASA, traffic to the AWS site will always come from your public IP address, which is whitelisted.

HTH

Hi, thanks for that. I will try that and see how it goes.

Cristian Matei
VIP Alumni

Hi,

   

Clearly your configuration on AWS allows access to the portal only from whitelisted IPs. If you want users to access the portal directly from their browser, without VPN first, you would need to remove the whitelisting on AWS, as you don't know from which public IP they will be coming. You have two solutions to this:

- if you have a proxy inside your company, make the web traffic go through the proxy and whitelist the proxy in AWS

- users need to first establish a VPN connection to the ASA; with or without split tunnelling, you need to NAT users' traffic towards AWS into the ASA's public IP address

Regards,

Cristian Matei.

Hi Cristian,

Correct about the AWS. Thanks for the advice; I will look at option 2 at the moment.

When you say NAT the users' traffic, is it the VPN pool addresses that need NATing to the AWS IP?

I have not done this setup before. Thanks again.

Hi,

   

Yes, you would need to NAT the VPN address pool into the IP allowed/whitelisted on AWS (which is the IP address configured on the ASA interface facing the AWS).

Regards,

Cristian Matei.

Got it, and it makes sense. I will try this tomorrow. Thanks a lot.

Hi Cristian ,

I have tried NAT, but I could not get it to work, and I am not 100% sure it is right. Could you possibly show me an example of how the NAT rule should look?

Thanks

Hi,

 

It depends on whether you have other NAT statements configured or not, as there is an order of operations in how those are matched. Post your "show run nat" and "show run object".


Regards,

Cristian Matei.
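As an added example (not from the original thread and not posted by any participant), this is the ASA configuration that the split-tunnel and NAT advice above describes: the AWS portal address is included in the split-tunnel list so the AnyConnect client sends it through the VPN, intra-interface hairpinning is permitted so traffic arriving on "outside" can leave via "outside" again, and a twice-NAT rule translates the VPN pool to the ASA's outside interface address only for traffic destined to AWS. All object names, the pool 192.168.250.0/24, the interface name "outside", and the portal address 203.0.113.10 (documentation range) are assumptions standing in for your real values.

```text
! Assumed objects: replace the addresses with your own.
! 203.0.113.10 = public IP of the BASE-Q portal on AWS (placeholder)
object network AWS-BASEQ
 host 203.0.113.10
! 192.168.250.0/24 = AnyConnect address pool (placeholder)
object network VPN-POOL
 subnet 192.168.250.0 255.255.255.0

! Split-tunnel list: internal networks plus the AWS host, so the client
! routes AWS traffic into the tunnel instead of out its own Internet link.
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT-TUNNEL standard permit host 203.0.113.10

group-policy GP-ANYCONNECT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! Allow a packet that enters "outside" (from the VPN) to exit "outside" again.
same-security-traffic permit intra-interface

! Hairpin NAT: VPN pool -> outside interface IP, only when the destination
! is AWS. Placed at position 1 of section 1 so it is matched before any
! broader PAT or NAT-exemption rules that would otherwise take precedence.
nat (outside,outside) 1 source dynamic VPN-POOL interface destination static AWS-BASEQ AWS-BASEQ
```

Two checks worth running before touching the AWS side: `show nat detail` should list the hairpin rule above any `nat (inside,outside) ... destination static VPN-POOL VPN-POOL` exemption that might otherwise match VPN traffic first, and `packet-tracer input outside tcp 192.168.250.5 40000 203.0.113.10 443` should end with a NAT phase that rewrites the source to the outside interface address and an ALLOW result. The mapped address must be exactly the IP whitelisted on AWS; if the ASA sits behind another NAT device, the translation has to happen on whichever box owns that public address.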

Thanks for the advice. Since we had to accelerate due to the coronavirus and limitations from the phone company, we have now opted to do site-to-site from work to home (FortiGates in every home), and that has now been configured.

Thanks for your help.

Hi,

 

The way I see it, also with S2S tunnels, the problem remains. If AWS allows access only from your main site public IP, when your remote users want to reach it, traffic needs to go through the tunnel, and the headend needs to hairpin it out the same interface, not sending it through the tunnel but routing it out to the Internet and NATing it to its public IP address. Additionally, you need to ensure that on your main site, S2S traffic is excluded from NAT.


Regards,

Cristian Matei.

Hi, I have forced the remote site to use the WAN IP of work and asked the work side to share the WAN; that way I am able to get to the AWS site, as the remote side keeps the work WAN up. The remote site is behind a NAT, so on the S2S the NAT is enabled, only because we need to share the internet. The above is FortiGate to FortiGate, just FYI.

Thanks