I have a Cisco ASA 5510, I want to allow a VPN connection to be established by a client on one of the inside interfaces(10.20.x.x) to be able to go out the single External interface and get authenticated by the ASA to create a VPN tunnel to the other inside interface (10.0.X.X) and access resources on that subnet.
Basically want clients on a WLAN to be able to VPN back in to the LAN with the ASA in the middle to get to company resources,
Is this possible?
Not sure if i have got the scenario correctly but here it goes.....
If we are trying to hair pin traffic of Anyconnect client connected on inside interface and sending it over a Lan to Lan tunnel established with another ASA on its respective inside interface then answer is YES..
Only requirement is that hair pinning should be configured, L2L vpn crypto acl shud have anyconnect client listed in it... Also, if there is any split tunneling configured for anyconnect then it should have remote network (inside network of another ASA) listed in it..
Sent from Cisco Technical Support Android App
No, This is all being done with 1 ASA. 3 Connections 1)External-Internet,, 2)Corporate inside, 3) Wireless Guest.
Waht to be able to establish the VPN connection from Wireless Guest back in to the Corporate inside using the same External Internet connection.
In that case, this is simply Hairpinning and it should be okay..
You can enable Anyconnect on your Wireless Guest Interface, user can connect on it and can easily access Inside or External resources depending upon the privileges provided in the profile.
Ok that works, but is there any way to do it without enabling Anyconnect on the wireless guest interface, I would like to be able to keep the same External DNS name of the ASA configured on the client. if not I would have to give them the IP of the Wireless Guest Interface of the ASA or set up a DNS server on the Wireless Guest Network with a DNS entry that would point to the Wireless Guest access.
When we connect any VPN on a device then it is always a TO THE DEVICE connection and I am afraid we can connect only to the local / nearest interface where user is connected in a network with respect to ASA.
I have seen this scenario working though earlier with one of my clients wherein he has configured his DNS server accordingly so that depending upon the source of the DNS request an appropriate IP address was provided for same DNS name. For example if user from IP address range 192.168.0.0 range connects to abc.com then it will get IP address 192.168.1.1 and if a user from range IP address10.0.0.0 connects then it will get 10.1.1.1.
If we configure the same scenario as well then your requirement will be fulfiled with same name however VPN has to be enabled on wireless interface again. If not, then as you have described configuring a new domain name for VPN connection only for wireless users should do the deal.