cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
735
Views
0
Helpful
4
Replies
Boris Simunko
Beginner

Hairpinning remote-access VPN on ASA

Hello!

 

So I got tasked with a tricky assignment today...

 

We have an ASA with inside, outside and wifi interfaces (the other ones are not important). The outside has Public1 IP and the clients from the wifi interface are NATed to Public2 IP address. Is it possible to have wifi clients VPN to Public1 and be able to access inside subnets?

 

The configured VPNs are functional and there are no other issues.

 

My guess is that I will have to do some NAT magic? Could it be done?

1 ACCEPTED SOLUTION

Accepted Solutions

Yes, crypto map and crypto ike enable on the wireless interface.

View solution in original post

4 REPLIES 4
Bogdan Nita
Rising star

Unfortunately you can't use the outside IP interface to connect from the wireless interface, but you can activate the anyconnect on the wireless interface.

Depending on your setup you may be able to have the dns server respond with a correct IP for wireless clients. If not, you could use the anyconnect profile and have the both IPs in the server list.

we use IPSec and L2TP...

 

so I would have to apply a crypto map on the wifi interface, like on the outside?

Yes, crypto map and crypto ike enable on the wireless interface.

View solution in original post

It is not clear whether the Remote Access VPN here is AnyConnect or is something else. The assumption is that it is AnyConnect, but that should be verified. If it is AnyConnect then there is no need for crypto map. AnyConnect does not use crypto map. You would just enable AnyConnect on the wireless interface the same as you did for the outside interface.

 

HTH

 

Rick

HTH

Rick
Content for Community-Ad