Configure Cisco ASA 5505

sagarshaha
Level 1

Hi,

We have a Cisco ASA 5505 pix firewall and I have done the basic configuration and enabled DHCP on the firewall.

What I would like to know is: is there a way to test whether the DHCP and internet from this firewall are working fine by connecting it into our existing network, without taking any downtime?

This is to test that the firewall works fine with the current setup and is ready to go into production.

Any help is highly appreciated

Thanks,

Sagar

31 Replies

You've obfuscated so much information I can't really help. I don't know what IP addresses are used for what.

Is outside_cryptomap_1 or outside_cryptomap_2 the VPN to the cloud service?

outside_cryptomap_2 is the VPN to the cloud

Thanks

I can't generate any config for you because there isn't enough information.

You need to extend outside_cryptomap_2 to include the pool used for VPN users, on both ends of the VPN.

You then need to create a rule saying not to NAT traffic between the two VPNs, and an access rule to allow it. 

So, below are the networks I have:

192.168.104.0/24 - Internal N/W

10.169.0.0/16 - Cloud N/W

192.168.125.1-192.168.125.10 (/24) - VPN Pool

Let me know if this info helps

Thanks

Hi Philip,

Apparently, I figured out something and it worked. I think I didn't allow the VPN pool network object, hence the issue.

It's sorted.

Thanks a lot for all your help

Just a quick question now: if we want to allow some other site-to-site VPN to remote users, is it the same process? Can we add multiple IPs?

Thanks a lot

Hi Philip,

So, I got a problem :( 

Now, the VPN is working fine but the site-to-site VPN is not working. Like, from the internal network I cannot ping any of the servers in the cloud, but strangely I'm able to connect once I VPN to the ASA.

Let me know what I messed up. Sorry to bug you again.

Thanks

I'm going to guess that the NAT rules are not correct. Look in the log and generate some traffic. When it is broken, see if you are getting NAT or xlate errors. That will confirm it.

Hi Philip,

Everything is working fine. I need to go a bit deeper into this and allow the public IP of my AWS server to be accessed using VPN.

So, let's say one of my SQL servers located in AWS has public IP 52.64.10.1 and I can access this server using my office WAP IP.

So now, if someone from outside does VPN to the Cisco ASA, then they should be able to RDP to 52.64.10.1.

I know this has something to do with routing but I'm unable to figure out how.

Is this possible? Please let me know.

Thanks

Before, we were talking about using the site-to-site VPN you added to Amazon.

If you want them to access it via your user-to-site VPN and then pop out over the Internet, then add the public IP addresses of your AWS servers to the split tunnel ACL. You will also need to adjust your NAT configuration.

Hi Philip,

I did add the server IP to the split tunnel ACL but users are still unable to access the servers using the public IP.

Can you please share the config to adjust NAT.

Thanks

It will be something like (where vpn-network=an object representing your VPN users):

object network vpn-network
  nat (any,outside) dynamic interface
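Putting together the three pieces the replies above describe (no-NAT for the site-to-site tunnel, hairpin PAT for VPN users reaching the AWS public IP, and the split-tunnel list), as an added example that is not configuration posted in this thread; object, ACL and group-policy names are assumptions, the addresses are the ones given in the thread:

```cisco
! Added example, not configuration from the thread: one way to wire up the
! pieces the replies describe, using ASA 8.3+ NAT syntax. Object and ACL
! names (INTERNAL-NET, CLOUD-NET, VPN-POOL, SPLIT-TUNNEL, RA-POLICY) are
! assumptions; the addresses are the ones given in the thread.
!
! Objects for the networks named in the thread
object network INTERNAL-NET
 subnet 192.168.104.0 255.255.255.0
object network CLOUD-NET
 subnet 10.169.0.0 255.255.0.0
!
! VPN pool; remote-access users that hairpin back out to the Internet (e.g. to
! the AWS public IP) are PAT'd behind the outside interface address
object network VPN-POOL
 range 192.168.125.1 192.168.125.10
 nat (any,outside) dynamic interface
!
! The site-to-site crypto ACL must also carry the VPN pool (mirror this on the
! cloud side); outside_cryptomap_2 is the thread's own ACL name
access-list outside_cryptomap_2 extended permit ip object VPN-POOL object CLOUD-NET
!
! Traffic for the site-to-site tunnel must not be translated: exempt
! inside <-> cloud and VPN pool <-> cloud. These twice-NAT rules are evaluated
! before the object NAT above, so the hairpin PAT never catches cloud traffic.
nat (inside,outside) source static INTERNAL-NET INTERNAL-NET destination static CLOUD-NET CLOUD-NET no-proxy-arp route-lookup
nat (outside,outside) source static VPN-POOL VPN-POOL destination static CLOUD-NET CLOUD-NET no-proxy-arp route-lookup
!
! U-turn traffic enters and leaves on the same interface; the ASA drops it
! unless this is enabled
same-security-traffic permit intra-interface
!
! Split tunnel: only the LAN, the cloud network and the specific AWS host go
! through the tunnel. Keep this list to named hosts rather than permit any,
! since everything in it leaves via the ASA's outside address.
access-list SPLIT-TUNNEL standard permit 192.168.104.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.169.0.0 255.255.0.0
access-list SPLIT-TUNNEL standard permit host 52.64.10.1
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! Check: after generating traffic, the per-rule hit counters show which NAT
! rule actually matched (xlate errors, if any, show up in the log)
show nat detail
```

Only authenticated remote-access users ever see the hairpin path, so the exposure is limited to whatever the split-tunnel list names.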

Thanks this worked. :-)

Just curious to know: I hope my network is not exposed to the outside world by doing these configs and allowing access through the internet?

Really appreciate all your help

Thanks

It is only exposed to VPN users who are already authenticated. So nothing to worry about with these changes.

Can you confirm in the log that it is a NAT or xlate problem?

Can you supply the current NAT ruleset please, and the related objects?

Hi,

What is ip name-server for?

Also, how do I configure the DNS of the ISP?

I'm going to serve DHCP from the firewall itself. So, clients should get the ISP's DNS from the firewall itself.

Thanks for help
