12-12-2011 09:33 PM
Hi all,
I have two ISPs connected on my ASA (outside and outside2), and SLA ISP backup is configured; currently the default gateway for internet access is the outside interface.
Recently I configured SSL VPN on my other interface (outside2), and it is working fine. After a few days I got a requirement from my boss: he needs to connect to the Exchange server, which is over the internet, after successfully connecting to the SSL VPN. I know there is a concept called client U-turn in Cisco, so I configured the following:
access-list 101 extended permit ip 10.10.10.0 255.255.255.0 host 148.45.87.65 ** (10.10.10.0/24 is the SSL VPN client pool, 148.45.87.65 is the IP of the Exchange server)
nat (outside2) 3 access-list 101
global (outside2) 3 121.25.6.8 ** (121.25.6.8 is one of the IPs of my outside2 WAN pool)
same-security-traffic permit intra-interface
But the above configuration does not work for my requirement.
Kindly help with the same.
Ashraf
12-12-2011 09:46 PM
Configuration looks OK. Do you have split tunnel enabled? Also, if you can, attach the output of packet-tracer.
Thanks
Ajay
12-13-2011 12:52 AM
Hi Ajay,
There is no split tunnel configured for the SSL VPN; all the clients' traffic is coming to my ASA.
A few things I missed:
1. The default gateway is the outside interface, not outside2, for the ASA.
2. Do we need to allow the SSL traffic to exit from the outside interface to reach the Exchange server, which is over the internet?
3. If the traffic is exiting from the outside interface, do we need to configure the following:
An ACL allowing all the traffic, applied on the outside2 interface in the IN direction, and global (outside) 3 119.118.12.8
(IP 119.118.12.8 is one of the IPs of the WAN pool for the outside interface.)
I have also attached a screenshot of packet-tracer.
Hope this gives you more clarity...
Ashraf
12-13-2011 01:07 AM
Looks like the default gateway is pointing to the outside interface. As per your last config, that should point to outside2.
Yes, you can change the NAT config to global (outside) 3 119.118.12.8; this will solve the issue.
Change it and post the packet tracer once more.
Thanks
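As an added illustration (not Ajay's or Ashraf's configuration), here is the pre-8.3 policy-NAT layout the two posts are converging on, showing the original global on outside2 beside the corrected global on outside, followed by the packet-tracer command that reports which egress interface and which NAT rule a VPN client's packet actually hits. The interface names, the 10.10.10.0/24 client pool, the Exchange host 148.45.87.65 and the two global addresses come from the thread; the ACL name VPN_UTURN, the sample client source 10.10.10.5 and the port numbers are assumptions.

```text
! Hairpin (U-turn) of full-tunnel SSL VPN clients out to the internet, ASA pre-8.3 NAT syntax.
! Decrypted client traffic enters on outside2 (the interface the VPN terminates on) and,
! with no split tunnel, leaves on whichever interface currently holds the default route.

! 1. Let a packet enter and leave via interfaces of the same security level (needed for any hairpin).
same-security-traffic permit intra-interface

! 2. Match the client pool going to the Exchange host (policy NAT ACL; the name is an assumption).
access-list VPN_UTURN extended permit ip 10.10.10.0 255.255.255.0 host 148.45.87.65

! 3. Policy NAT is keyed on the INGRESS interface of the decrypted traffic, i.e. outside2.
nat (outside2) 3 access-list VPN_UTURN

! --- As in the original post: global only on outside2 ---
! Used only when the route to 148.45.87.65 points out outside2. While the default route is on
! outside there is no global with ID 3 on the egress interface, so no translation is built.
global (outside2) 3 121.25.6.8

! --- Corrected: global on the interface the default route actually uses ---
! The ASA pairs nat ID 3 with the global ID 3 of the EGRESS interface, so this is the entry
! that is used while outside is primary. Keeping the outside2 global as well covers the SLA
! failover case, when the default route moves to outside2.
global (outside) 3 119.118.12.8

! 4. Verify on the box instead of guessing. The source is a constructed client in the pool.
!    The ROUTE-LOOKUP phase names the egress interface, the NAT phase names the rule matched,
!    and a final result of "drop" carries the reason string that points at the missing piece.
packet-tracer input outside2 tcp 10.10.10.5 1025 148.45.87.65 443 detailed
```

Two practical notes. With the default `sysopt connection permit-vpn` in place, decrypted VPN traffic bypasses the inbound ACL on the terminating interface, so a `permit ip any any` on outside2 neither helps nor hurts; only if that sysopt has been turned off does the interface ACL apply to the clients. And the global address chosen must be one the ISP on that interface really routes back to the ASA, otherwise packet-tracer will show an allowed flow while the Exchange replies never arrive.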
12-13-2011 09:58 PM
Hi Ajay,
I have applied an ACL on the outside2 interface in the IN direction with a permit any any statement, and added
global (outside) 3 119.118.12.8
Still no luck; there is no change in the packet tracer, it is still the same.
Ashraf
12-13-2011 10:10 PM
Please post the full configuration.