Remote Access VPN Cisco ASA

ToX1c1986
Level 1

Hello!

I have a Cisco ASA version 9.1(3) with remote access VPN configured on the outside interface. When a user connects from the Internet to the outside interface, it works OK. My goal is to allow connections from any other interface (inside, dmz, etc.) to the outside interface. Does Cisco ASA allow this? The output of the packet-tracer command is below:

msk-hq-fw1# packet-tracer input inside tcp 10.10.10.1 14214 1.1.1.2 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.1.1.2  255.255.255.255 identity

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.1.1.2  255.255.255.255 identity

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

6 Replies

johnd2310
Level 8

Hi,

Is this vpn ipsec or ssl?

Thanks

John

**Please rate posts you find helpful**

John, thank you for reply.

It's SSL Client VPN (AnyConnect)

Hi,

The ASA does not allow connections to a far-end interface. In other words, it does not allow you to connect to the "outside" interface IP address other than from behind that interface. Any other host would need to connect to the ASA interface to which it is connected (the closest interface towards the host).

In the case of SSL VPN you could naturally enable the service on other interfaces of the ASA also. Same goes for IPsec VPN.

Why do you want to connect with VPN from the internal networks to the ASA?

- Jouni
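The workaround Jouni describes, enabling the SSL VPN service on the interface the internal users actually sit behind rather than trying to reach the outside interface address from inside, looks like the following. This is an added illustration, not configuration from the thread or from a Cisco document; the interface names "inside" and "outside", the AnyConnect package filename and the inside interface address are placeholders.

```cisco
! Added example (not from the original post): AnyConnect SSL VPN served on two interfaces.
! Each client population connects to the address of the interface it sits behind;
! the ASA will not accept a connection to the far-end (outside) interface address
! arriving on inside, as the packet-tracer drop in the question shows.
webvpn
 enable outside
 enable inside
 ! <ANYCONNECT-PKG> is a placeholder for the real package name on flash
 anyconnect image disk0:/<ANYCONNECT-PKG>.pkg 1
 anyconnect enable
!
! Verification from the inside network: target the inside interface address,
! not 1.1.1.2 (the outside address). <INSIDE-IF-IP> is a placeholder.
! packet-tracer input inside tcp 10.10.10.1 14214 <INSIDE-IF-IP> 443
```

The trade-off is the one the original poster runs into: internal users must be given a different connection address (or a DNS name that resolves differently inside and outside) than Internet users, because the ASA will not present the outside interface address to the inside network.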

This is a requirement of our IT team. Jouni, do you have a link from cisco.com with this restriction?

I think that they won't believe me without any documentary support.

Hi,

Well you could naturally enable the VPN on the other interfaces but to be honest I have never even tried to configure the VPN that way other than for multiple external interfaces in the case of multiple ISP and in this case only for testing purposes.

Some things related to the ASA are well known but poorly documented.

The only official document that I can remember stating this is the following (which only references this limitation with regards to ICMP)

Note

For security purposes the security appliance does not support far-end interface ping, that is pinging the IP address of the outside interface from the inside network.

Source (Old configuration guide):

http://www.cisco.com/c/en/us/td/docs/security/asa/asa71/configuration/guide/conf_gd/trouble.html#wp1059645

- Jouni

Jouni, I've already done this, but there is no result because the address for the connection must be the only one.

So, this link is enough! Thank you very much for help!