01-19-2016 10:03 PM - edited 03-05-2019 03:09 AM
Hi,
We have Cisco ASA 5505 pix firewall and I have done the basic configuration and enabled DHCP on the firewall.
What I would like to know is, is there a way to test if the DHCP and internet from this firewall is working fine by connecting it into our existing network and without taking any downtime?
This is to test that the firewall works fine with current setup and ready to go in production.
Any help is highly appreciated
Thanks,
Sagar
01-20-2016 05:42 PM
"ip name-server" allows the ASA to do DNS lookups. Not likely to be very important.
To enable the ASA to give out the DNS servers of the ISP via DHCP use:
dhcpd dns <isp name server 1> <isp name server 2>
01-25-2016 01:09 AM
I can't generate any config for you because there isn't enough information.
You need to extend outside_cryptomap_2 to include the pool used for VPN users, on both ends of the VPN.
You then need to create a rule saying not to NAT traffic between the two VPNs, and an access rule to allow it.
01-19-2016 10:26 PM
You could configure the outside interface to use DHCP, and then plug it into the inside of your current network, and then your machine into the back of the 5505.
01-20-2016 12:50 AM
Hi Philip,
Thanks, this works.
Now, if I want to put it into production, I will need to enter the ISP IP details and DNS. Can you please share the command for the same?
Thanks for your help
Cheers
01-20-2016 08:14 AM
The commands are pretty much the same as IOS:
config t
interface gi0/0
ip address 192.69.69.1 255.255.255.252
ip name-server 10.10.10.1
01-20-2016 11:47 AM
And don't forget the default route.
route outside 0.0.0.0 0.0.0.0 a.b.c.d
01-23-2016 04:09 AM
Thanks Philip. This helped, and I appreciate your help with the same. My firewall is set up and working fine in the network.
Now, I need to configure users who can connect to this firewall using Cisco VPN client or Any VPN client. Do you have the steps for same?
Also, I have configured site-to-site vpn from this firewall to my servers located in cloud.
So, I need to make sure, when my user connects using vpn client, they get access to those servers located in cloud.
Please help
Thanks,
Sagar
01-23-2016 09:59 AM
The ASA comes with "demo" licence that enables two concurrent AnyConnect users. Otherwise you have to buy an "AnyConnect Essentials" licence (it has a new name now, can't remember what it is). That licence is not very expensive.
It does use a public SSL certificate on the ASA though which is also an extra cost. You can use a private certificate if you don't mind users getting a warning that the certificate is not trusted.
You also need a Cisco SmartNet contract (or similar Cisco maintenance contract) to download the Cisco AnyConnect client, or the older IPSec client.
AnyConnect is the best way to go. There is a Wizard in the ASDM for configuring AnyConnect. I would start by using that.
The other option is to use the older Cisco IPSec client. It is no longer developed. It does not play nicely with Windows 10. However you don't need any extra licencing on the 5505 or a public SSL certificate.
The ASDM has a wizard for configuring it as well.
01-23-2016 10:00 AM
Also note there will be some extra pain giving the users access to the servers in the cloud.
You'll need to extend the site to site VPN encryption domain to include the IP addresses of your VPN users.
01-24-2016 05:24 PM
Thanks Philip. Do you have any guide or video on AnyConnect VPN? I tried using wizard and configured the same using old Cisco VPN Client but it fails.
Also, is it possible to use Windows/Mac in-built VPN service to configure VPN and use it instead of any VPN clients?
The main purpose of configuring VPN is allowing users to access to the servers located in cloud.
Let me know
Thanks
01-24-2016 06:46 PM
Best you post your whole config as it stands now then.
01-24-2016 08:26 PM
So, the thing is... after using the wizard and changing a couple of settings... I'm able to connect to AnyConnect VPN using my WAN IP.
So, once the VPN is successfully connected, I'm unable to use a couple of things:
1. Internet doesn't work once the VPN is connected
2. I cannot ping or connect to Firewall using my internal IP
3. As I said, I have site-to-site VPN configured to my servers in cloud, I need to connect to those servers. Need to enable that network too once the users are connected.
Below is the config for your reference...
Thanks for all your help...
Config:
ciscoasa# show conf
: Saved
:
: Serial Number: XXXXXXX
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
: Written by enable_15 at 03:12:37.896 UTC Mon Jan 25 2016
!
ASA Version 9.1(6)
!
hostname ciscoasa
enable password XXXXXXX encrypted
passwd XXXXXXX encrypted
names
ip local pool ADKVPN 192.168.XXX.1-192.168.XXX.10 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.XXX.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.252
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_XXX.XXX.XXX.XXX_24
subnet XXX.XXX.XXX.XXX 255.255.255.0
object network NETWORK_OBJ_XXX.XXX.XXX.XXX_24
subnet XXX.XXX.XXX.XXX 255.255.255.0
object network NETWORK_OBJ_XXX.XXX.XXX.XXX_16
subnet XXX.XXX.XXX.XXX 255.255.0.0
object network NETWORK_OBJ_XXX.XXX.XXX.XXX_28
subnet XXX.XXX.XXX.XXX 255.255.255.240
access-list outside_cryptomap_1 extended permit ip 192.168.XXX.0 255.255.255.0 192.168.XXX.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.XXX.0 255.255.255.0 10.XXX.0.0 255.255.0.0
access-list adk-vpn_splitTunnelAcl standard permit 192.168.XXX.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.XXX.0_24 NETWORK_OBJ_192.168.XXX.0_24 destination static NETWORK_OBJ_192.168.XXX.0_24 NETWORK_OBJ_192.168.XXX.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.XXX.0_24 NETWORK_OBJ_192.168.XXX.0_24 destination static NETWORK_OBJ_10.XXX.0.0_16 NETWORK_OBJ_10.XXX.0.0_16 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.XXX.0_24 NETWORK_OBJ_192.168.XXX.0_24 destination static NETWORK_OBJ_192.168.XXX.0_28 NETWORK_OBJ_192.168.XXX.0_28 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.XXX.0_28 NETWORK_OBJ_192.168.XXX.0_28 no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.XXX.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer XXX.XXX.XXX.XXX
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer XXX.XXX.XXX.XXX
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
subject-name CN=192.168.XXX.XXX,CN=ciscoasa
crl configure
crypto ca trustpoint ASDM_TrustPoint0
crl configure
crypto ca trustpoint advpn
enrollment self
subject-name CN=adkvpn.adknowledgeasia.com
keypair adkvpn
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 7e4ea356
quit
crypto ca certificate chain advpn
certificate 7f4ea356
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint advpn
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.XXX.0 255.255.255.0 inside
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 165.21.83.88 165.21.100.88
dhcpd lease 432000
dhcpd domain adknowledgeasia.com
dhcpd auto_config outside
!
dhcpd address 192.168.XXX.50-192.168.XXX.252 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point advpn outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
webvpn
enable outside
no anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.0.00048-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-4.0.00048-k9.pkg 2
anyconnect profiles adkasia_vpn_client_profile disk0:/adkasia_vpn_client_profile.xml
anyconnect profiles adkvpn_client_profile disk0:/adkvpn_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_adkvpn internal
group-policy GroupPolicy_adkvpn attributes
wins-server none
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
default-domain none
webvpn
url-list value Bookmark1
anyconnect profiles value adkvpn_client_profile type user
group-policy GroupPolicy_XXX.XXX.XXX.XXX internal
group-policy GroupPolicy_XXX.XXX.XXX.XXX attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_XXX.XXX.XXX.XXX internal
group-policy GroupPolicy_XXX.XXX.XXX.XXX attributes
vpn-tunnel-protocol ikev1 ikev2
username adkuser password XXXXXXXXXX encrypted
username adkuser attributes
vpn-group-policy GroupPolicy_adkvpn
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX general-attributes
default-group-policy GroupPolicy_XXX.XXX.XXX.XXX
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX general-attributes
default-group-policy GroupPolicy_XXX.XXX.XXX.XXX
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group adkvpn type remote-access
tunnel-group adkvpn general-attributes
address-pool ADKVPN
default-group-policy GroupPolicy_adkvpn
tunnel-group adkvpn webvpn-attributes
group-alias AnyConnect enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
Cryptochecksum:cc381fac8d9dcaf9bc7ac4cbb34ef61a
ciscoasa#
01-24-2016 09:53 PM
You need to configure it to use the split acl to access the Internet at the same time. You also need to add the cloud subnets to the split acl.
group-policy GroupPolicy_adkvpn attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value adk-vpn_splitTunnelAcl
01-25-2016 12:31 AM
Hi Philip,
Internet works with the above commands, but my cloud servers still don't work, nor do they respond to pings. Please help.
Thanks
01-25-2016 12:40 AM
Add your cloud servers to the split ACL. Create a rule to prevent NAT from the VPN address range to the cloud address range.
Of course, the VPN to the cloud service needs to have your users VPN pool included in the encryption domain. Have you extended this existing VPN yet?
01-25-2016 12:52 AM
Not yet. Can you please help
Also, how do I do NAT?
Sorry, never done this before so asking silly questions
Thanks
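The steps described in the replies above (extend outside_cryptomap_2 to cover the VPN pool, exempt that traffic from NAT, allow it, and add the cloud subnet to the split ACL), written out as an added example that is not from any participant in the thread. The object names OBJ_VPN_POOL and OBJ_CLOUD and the addresses 172.16.50.0/24 and 10.20.0.0/16 are constructed placeholders, because the real values are masked in the posted config; using `same-security-traffic permit intra-interface` for the "allow" step is an assumption about what this ASA needs.

```cisco
! Added example with constructed placeholder values; substitute the real ones.
!   172.16.50.0/24 = subnet that contains the ADKVPN client pool (assumed)
!   10.20.0.0/16   = cloud server network reached via crypto map entry 2 (assumed)
object network OBJ_VPN_POOL
 subnet 172.16.50.0 255.255.255.0
object network OBJ_CLOUD
 subnet 10.20.0.0 255.255.0.0
!
! 1. Extend the encryption domain of the existing site-to-site tunnel so that
!    traffic from the VPN client pool to the cloud is selected for encryption.
!    The cloud gateway needs the mirror entry (cloud network -> VPN pool),
!    otherwise the two ends will not agree on the protected networks.
access-list outside_cryptomap_2 extended permit ip object OBJ_VPN_POOL object OBJ_CLOUD
!
! 2. NAT exemption (identity NAT): VPN client traffic arrives on "outside"
!    and leaves on "outside" towards the cloud peer, so both interfaces in
!    the rule are outside. The addresses are left untranslated.
nat (outside,outside) source static OBJ_VPN_POOL OBJ_VPN_POOL destination static OBJ_CLOUD OBJ_CLOUD no-proxy-arp route-lookup
!
! 3. Allow traffic to enter and leave the same interface (hairpin), which is
!    what client-to-cloud traffic does on the outside interface.
same-security-traffic permit intra-interface
!
! 4. Add the cloud network to the split-tunnel ACL already referenced by the
!    group policy, so clients send cloud-bound traffic into the tunnel while
!    other Internet traffic continues to leave the client directly.
access-list adk-vpn_splitTunnelAcl standard permit 10.20.0.0 255.255.0.0
group-policy GroupPolicy_adkvpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value adk-vpn_splitTunnelAcl
!
! 5. Check the result after a client connects and sends traffic to the cloud:
!    the pool/cloud pair should appear as a protected pair with rising
!    encaps/decaps counters, and the identity NAT rule should show hits.
show crypto ipsec sa
show nat detail
```

With `tunnelspecified`, only the networks listed in the split ACL are sent through the tunnel, so keep that list limited to the subnets the VPN users actually need.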