
ASA VPN Hairpinning

Mokhalil82
Level 4

Hi

We have our guest Wi-Fi, whose layer 3 SVI is on our ASA so that we can ensure it is not allowed to any inside networks. Now some long-term guests need access to certain internal servers and already have AnyConnect access from the outside. So now that they are working on our premises, they will be connected to the guest Wi-Fi and try AnyConnect to access the internal servers.

What do we need to do, as the AnyConnect VPN terminates on the outside interface, so AnyConnect traffic for these guests will hit the firewall on the guest Wi-Fi interface, then go out of the outside interface and return back on the same interface for VPN?

We have already "same-security-traffic permit intra-interface" enabled.

Thanks

5 Replies

Kias
Level 1

Hi,

Good morning.

Would it be possible to create a different SSID for long-term guests and have a separate IP pool for that group? We can control the resources with an ACL either at Mobility Express, the WLC, Wi-Fi, or the ASA.

Hairpinning will work from outside->outside, and is not required for outside->inside.

Regards,

Kias

Kias
Fonicom Limited
raiseaticket Malta

Marvin Rhoads
Hall of Fame

Why not just enable SSL VPN on the guest Wi-Fi interface (in addition to the current outside interface)? I have done that for some customers and it works perfectly.

Yes, that seems to work apart from one thing. On the guest Wi-Fi I can access the internet; once I connect to AnyConnect VPN, now that I have enabled it on the guest interface, I am unable to get internet connectivity.

But if I connect to AnyConnect from my inside network, I can get internet connectivity.

Any Ideas?

Is split tunneling enabled on the Wi-Fi pool?

Kias
Fonicom Limited
raiseaticket Malta

If there's no split tunneling, then external users would have required something like a "nat (outside,outside) dynamic interface" rule.

For your guest wireless users a similar rule will be required. Something along the lines of "nat (guest,outside)..."
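Putting the thread's pieces together as an added example ASA configuration (mine, not posted by anyone in the thread): the interface names guest/outside/inside, the pool and object names, and all addresses are assumed, and the existing inbound ACL on the guest interface is assumed to permit TCP and UDP 443 to the guest interface's own IP so AnyConnect can terminate there.

```cisco
! Added example, not from the thread. Interface names, object names and
! addresses are assumptions for illustration only.

! 1. Needed whenever traffic enters and leaves the same interface, e.g. the
!    outside->outside hairpin for full-tunnel clients connecting from the Internet.
same-security-traffic permit intra-interface

! 2. Terminate AnyConnect on the guest Wi-Fi interface as well as outside, so
!    on-premises guests no longer need to hairpin via the outside interface.
webvpn
 enable outside
 enable guest
 anyconnect enable

! 3. Address pool assigned to AnyConnect clients (assumed range).
ip local pool VPN_POOL 10.50.50.1-10.50.50.100 mask 255.255.255.0
object network VPN_POOL_NET
 subnet 10.50.50.0 255.255.255.0

! 4a. Full-tunnel clients that connected on "outside": their decrypted
!     Internet-bound traffic re-enters on outside and must be PATed back out.
nat (outside,outside) source dynamic VPN_POOL_NET interface

! 4b. Full-tunnel clients that connected on "guest": decrypted traffic enters on
!     guest, so rule 4a never matches it; this is why Internet access broke after
!     enabling the VPN on the guest interface. The equivalent guest->outside rule:
nat (guest,outside) source dynamic VPN_POOL_NET interface

! 5. Keep pool->internal-server traffic untranslated on both ingress interfaces.
!    Only needed if an existing NAT rule would otherwise rewrite it.
object network INSIDE_SERVERS
 subnet 10.10.10.0 255.255.255.0
nat (outside,inside) source static VPN_POOL_NET VPN_POOL_NET destination static INSIDE_SERVERS INSIDE_SERVERS no-proxy-arp route-lookup
nat (guest,inside) source static VPN_POOL_NET VPN_POOL_NET destination static INSIDE_SERVERS INSIDE_SERVERS no-proxy-arp route-lookup

! Alternative to 4a/4b: split tunneling, so only the internal server range goes
! through the tunnel and Internet traffic leaves the guest Wi-Fi directly.
access-list SPLIT_TUNNEL standard permit 10.10.10.0 255.255.255.0
group-policy GUEST_VPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
```

Two caveats a practitioner would check before rolling this out. First, enabling the VPN on the guest interface means the guest network's isolation from inside now rests on AnyConnect authentication and the group policy (and any VPN filter ACL) applied to these users, so scope that policy to the specific internal servers rather than the whole inside network. Second, the full-tunnel PAT rules in 4a/4b and the identity rules in 5 are order-dependent twice-NAT statements; after adding them, confirm with `show nat` that a pool client's traffic hits the intended rule on each ingress interface.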