
Guest Wifi access to Public VPN (ASA-5510)

bwooden
Level 1

Hello,

I have an ASA 5510 that has the following setup:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.240 (fake IP address for obvious reasons)

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.200 255.255.0.0

interface Ethernet0/2
 nameif guest
 security-level 100
 ip address 10.10.10.1 255.255.0.0

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (guest) 0 access-list nonat
nat (guest) 1 0.0.0.0 0.0.0.0

-------------------------------

What would I need to do in order for a guest Wifi (eth0/2) client to be able to access our VPN that is configured on the outside interface?  This is a Cisco AnyConnect VPN setup using the mobile client.  As it is, they get DNS from the WAP and try to connect to "vpn.mysite.com" which resolves to the public IP (outside interface) of my ASA. 

When I was first asked to allow this change I thought it would be a simple NAT rule but I think I am missing something as I can't seem to get this to work.

Thanks

1 Accepted Solution

Jennifer Halim
Cisco Employee

They won't be able to VPN to the outside interface IP address from the guest network, as it is by design not allowed.

They would need to connect to the guest interface IP address to be able to VPN to the ASA from the guest network, and you would need to enable AnyConnect on the guest interface as well. "vpn.mysite.com" should then need to resolve to the guest interface IP address when they are connecting via the guest interface.
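
The accepted answer expressed as ASA configuration, added here as an illustration and not taken from either poster. It assumes the pre-8.3 software implied by the global/nat syntax in the question (where the AnyConnect keyword is "svc"; 8.4 and later use "anyconnect enable"), that WebVPN is already enabled on outside, and a hypothetical trustpoint name VPN_TP holding the vpn.mysite.com certificate.

```cisco
! Assumed existing state: AnyConnect already terminates on the outside interface
webvpn
 enable outside
 ! Added: also accept SSL VPN sessions on the guest interface (10.10.10.1)
 enable guest
 svc enable
!
! Present the same certificate on guest so clients connecting to
! vpn.mysite.com do not get a name-mismatch warning.
! VPN_TP is a hypothetical trustpoint name; use the one bound to outside.
ssl trust-point VPN_TP guest
!
! From privileged EXEC: confirm which interfaces WebVPN is enabled on
show running-config webvpn
!
! Outside the ASA: the DNS server handed to guest clients by the WAP needs
! its own record so that vpn.mysite.com resolves to 10.10.10.1 for guests,
! while public DNS keeps returning the outside interface address.
```

Enabling the VPN listener on guest exposes the ASA's SSL VPN login to every guest client, so the same authentication and lockout policy applied to the outside interface should cover it.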

Sorry this took so long for me to reply, but this was the correct answer and worked perfectly.

Thank you

Thanks for the update and glad it's working perfectly.
