ASA+VPN+ inside/ouside public ips

bownessbrad
Level 1

I am stumped and need some advice. I have an ASA working for remote users using public IPs on both inside and outside. The users are able to VPN in and access inside & outside resources set in the ACL for their group... great.

BUT, I am at wits' end trying to allow users to surf out as they can now but using the inside public IP. It is working with the outside IP, where users are NAT'd to a private address and go out on the external IP. I need them to go back out with the internal public IP.

Anyone, what are the steps as I am still struggling with ASA configs.

Please respond ...

Thanks.

7 Replies

a.kiprawih
Level 7

Both inside and outside interfaces are running on public IPs, and you want to allow internal users to access the internet via the internal public IP.

If the internal users' hosts are running on public IPs, you can use NAT 0 to achieve this.

nat (inside) 0

or, use policy-based IP using ACL to define permitted host/subnet:

access-list NONAT permit ip
access-list NONAT permit udp host any eq 53
access-list NONAT permit tcp host any eq www -> specific to HTTP only
access-list NONAT permit tcp host any
nat (inside) 0 access-list NONAT

access-list NONAT1 permit udp 10.1.1.0 255.255.255.0 any eq domain
access-list NONAT1 permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list NONAT1 permit tcp host 10.1.2.10 any eq www
access-list NONAT1 permit udp host 10.1.2.10 any eq domain
access-list NONAT1 permit ip 10.1.3.0 255.255.255.0 any
nat (inside) 0 access-list NONAT1

*assuming all 10.1.x.x are public IPs

HTH

AK

Sorry for the confusion, what I want is to leave internal users alone as they will not use the VPN. The VPN sits behind a firewall.

What I want is remote users to surf etc. with an internal interface public IP... I believe I was confusing terminology and need to set up PAT for this, is this right? If so, how do I accomplish setting this up so VPN users attach to the outside interface, then grab a private address (NAT) internally to the ASA, then surf out the inside interface? Is this the wrong approach?

zhenningx
Level 4

We have a similar setup. You do not need NAT at all. VPN users can get an internal public IP and they can surf from the outside interface of the ASA according to the ASA's routing table.

We did implement a similar setup, except VPN users are terminated in the DMZ2 segment. Split tunneling is disabled so all of them (VPN users) must use the corporate proxy & link to go out to the internet.

But this doesn't differ much if it's terminated on the inside interface. Check the Cisco SAFE Blueprint recommendation.

Basically, all VPN users will get an IP from a dedicated IP block (configured as DHCP) that sits on the internal/inside segment. On your firewall (or if you haven't configured any), you need to NAT out the DHCP address block or range to be translated out to access the internet. And (optional) if you have an ACL, make sure they are also allowed to go out accordingly.

Example:

Internet segment: 10.1.1.0/24
VPN user DHCP range: 10.1.3.0/24

global (outside) 2 xx.xx.xx.10 --> public IP
nat (inside) 2 10.1.3.0 255.255.255.0

The above configuration will allow VPN users that are assigned any IP in the 10.1.3.x range to go out to the internet via the xx.xx.xx.10 public IP. Otherwise, they can only access internal resources.

And of course (optional), check the VPN configuration for the proxy server to be used and how you allow them to go to the internet, either enabling or disabling split tunneling.

*enable=need to use corporate network to access internet

*disable=can access internet & corporate network simultaneously

HTH

AK

*Correction:

Split tunneling:

Enabled: can access internet & corporate network simultaneously

Disabled: must use corporate network to access internet

I don't think the NAT will happen here. Even if the VPN users pick up an IP from the inside, they are considered to be at the outside interface by the ASA. If you do "show conn detail", you can see the VPN users are at outside. So "nat (inside) 2 ...." may not happen.
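To make the ingress-interface point concrete, here is a small Python model (added here, not from the thread) of how the older nat/global syntax used in this thread pairs a `nat (ifc) id` rule with the `global (ifc) id` entry of the same id, run over AK's example above. It assumes 203.0.113.10 as a stand-in for the redacted xx.xx.xx.10 and takes nat-control from the OP's config.

```python
import ipaddress
import re

# Constructed sample: AK's "global (outside) 2 / nat (inside) 2" example from
# the thread plus the OP's nat-control line. 203.0.113.10 is a documentation
# address standing in for the redacted xx.xx.xx.10 (assumption).
SAMPLE_CONFIG = """
nat-control
global (outside) 2 203.0.113.10
nat (inside) 2 10.1.3.0 255.255.255.0
"""

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)$")

def parse(config):
    """Return (nat_control, [(ingress_ifc, id, network)], {(egress_ifc, id): addr}).
    Only subnet-form nat rules are modelled; access-list form is skipped."""
    nat_control, nats, pools = False, [], {}
    for line in config.strip().splitlines():
        line = line.strip()
        if line == "nat-control":
            nat_control = True
        elif m := NAT_RE.match(line):
            ifc, nid, addr, mask = m.groups()
            if addr != "access-list":
                nats.append((ifc, int(nid), ipaddress.ip_network(f"{addr}/{mask}")))
        elif m := GLOBAL_RE.match(line):
            ifc, nid, addr = m.groups()
            pools[(ifc, int(nid))] = addr
    return nat_control, nats, pools

def resolve(config, src_ip, ingress, egress):
    """Translated source for a packet, or None when the ASA would drop it.
    Pre-8.3 rule: a nat entry matches only traffic ENTERING on its interface
    and pairs with the global entry of the same id on the EGRESS interface."""
    nat_control, nats, pools = parse(config)
    ip = ipaddress.ip_address(src_ip)
    for ifc, nid, net in nats:
        if ifc == ingress and ip in net and (egress, nid) in pools:
            return pools[(egress, nid)]
    # No usable rule: nat-control drops the packet, otherwise it leaves as-is.
    return None if nat_control else src_ip

if __name__ == "__main__":
    # A VPN client holding 10.1.3.5 is seen by the ASA as entering on outside,
    # so the nat (inside) 2 rule never applies to it.
    print(resolve(SAMPLE_CONFIG, "10.1.3.5", "inside", "outside"))   # 203.0.113.10
    print(resolve(SAMPLE_CONFIG, "10.1.3.5", "outside", "outside"))  # None
```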

Okay, help please. I understand now but am not sure how to fix it; below is part of my config.

Please suggest, as I am again trying to force outside VPN connections to tunnel everything as if they are on an internal IP.

One last thing, I am trying to use one internal IP for all VPN users, not grabbing from an internal DHCP pool.

Again, thanks for the awesome help.

!
interface GigabitEthernet0/0
 nameif Inside
 security-level 100
 ip address 142.XXX.XXX.193 255.255.255.0
 ospf cost 10
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif Outside
 security-level 10
 ip address 142.XXX.XXX.227 255.255.255.248
 ospf cost 10
!
interface Management0/0
 nameif management
 security-level 100
 ip address XXX.XXX.XXX.XXX 255.255.255.0
 ospf cost 10
 management-only
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
ip local pool RemoteVPNPool 192.168.2.2-192.168.2.220 mask 255.255.255.0
no failover
monitor-interface Inside
monitor-interface Outside
monitor-interface management
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
global (Inside) 23 interface
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Outside) 23 access-list Outside_pnat_outbound
nat (Outside) 1 192.168.2.0 255.255.255.0
nat (management) 0 access-list management_nat0_outbound
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 142.XXX.XXX.225 1