
Hairpinning remote-access VPN on ASA

Boris Simunko
Level 1

Hello!

 

So I got tasked with a tricky assignment today...

 

We have an ASA with inside, outside and wifi interfaces (the other ones are not important). The outside has Public1 IP and the clients from the wifi interface are NATed to Public2 IP address. Is it possible to have wifi clients VPN to Public1 and be able to access inside subnets?

 

The configured VPNs are functional and there are no other issues.

 

My guess is that I will have to do some NAT magic? Could it be done?

1 Accepted Solution


Yes, crypto map and crypto ike enable on the wireless interface.


Bogdan Nita
VIP Alumni

Unfortunately, you can't use the outside IP interface to connect from the wireless interface, but you can activate AnyConnect on the wireless interface.

Depending on your setup, you may be able to have the DNS server respond with a correct IP for wireless clients. If not, you could use the AnyConnect profile and have both IPs in the server list.

We use IPSec and L2TP...

So I would have to apply a crypto map on the wifi interface, like on the outside?

Yes, crypto map and crypto ike enable on the wireless interface.

It is not clear whether the Remote Access VPN here is AnyConnect or is something else. The assumption is that it is AnyConnect, but that should be verified. If it is AnyConnect then there is no need for crypto map. AnyConnect does not use crypto map. You would just enable AnyConnect on the wireless interface the same as you did for the outside interface.

 

HTH

 

Rick
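
The configuration the replies describe, written out as an added example that is not from any poster in this thread. The crypto map name `RA_MAP` and the nameif `wifi` are assumptions; substitute the names already present in the running configuration. The `crypto ikev1` syntax applies to ASA 8.4 and later.

```cisco
! --- Existing termination on the outside interface (names assumed) ---
crypto map RA_MAP interface outside
crypto ikev1 enable outside

! --- IPsec / L2TP case: terminate the same VPN on the wifi interface ---
! Reuse the crypto map that already serves the outside interface.
crypto map RA_MAP interface wifi
! Pre-8.4 software uses "crypto isakmp enable wifi" instead.
crypto ikev1 enable wifi

! --- AnyConnect case: no crypto map is involved ---
webvpn
 enable outside
 enable wifi

! --- Checks after a wifi client connects to the wifi interface address ---
show running-config crypto map
show crypto ikev1 sa
show vpn-sessiondb summary
```

Wifi clients then connect to the ASA's wifi interface address rather than Public1, which is why the DNS answer or the AnyConnect server list mentioned above has to differ for them. Enabling IKE or WebVPN on `wifi` also makes the VPN listener reachable from every host on that segment, so the authentication and group-policy restrictions applied to outside connections should be confirmed to cover it.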
