02-27-2014 11:16 PM - edited 02-21-2020 07:32 PM
Hello!
I have a Cisco ASA version 9.1(3) with remote access VPN configured on the interface outside. When the user connects from the Internet on the interface outside, it works ok. My goal is to allow connection from any other interface (inside, dmz, etc.) to the interface outside. Does Cisco ASA allow this? Output of the packet-tracer command is below:
msk-hq-fw1# packet-tracer input inside tcp 10.10.10.1 14214 1.1.1.2 443
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 1.1.1.2 255.255.255.255 identity
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 1.1.1.2 255.255.255.255 identity
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-route) No route to host
02-27-2014 11:52 PM
Hi,
Well you could naturally enable the VPN on the other interfaces but to be honest I have never even tried to configure the VPN that way other than for multiple external interfaces in the case of multiple ISP and in this case only for testing purposes.
Some things related to the ASA are well known but poorly documented.
The only official document that I can remember stating this is the following (which only references this limitation with regards to ICMP)
Note
For security purposes the security appliance does not support far-end interface ping, that is pinging the IP address of the outside interface from the inside network.
Source (Old configuration guide):
- Jouni
02-27-2014 11:34 PM
Hi,
Is this vpn ipsec or ssl?
Thanks,
John
02-27-2014 11:36 PM
John, thank you for reply.
It's SSL Client VPN (AnyConnect).
02-27-2014 11:39 PM
Hi,
ASA does not allow connections to a far-end interface. In other words, it does not allow you to connect to the "outside" interface IP address other than from behind that interface. Any other host would need to connect to the ASA interface to which it is connected (the closest interface towards the host).
In the case of SSL VPN you could naturally enable the service on other interfaces of the ASA also. Same goes for IPsec VPN.
Why do you want to connect with VPN from the internal networks to the ASA?
- Jouni
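As an added illustration of the point in the reply above (this is example configuration written for this page, not from the thread or from Cisco documentation; the interface names inside and dmz and the inside interface address 10.10.10.254 are assumptions): hosts on internal segments reach the VPN service by enabling it on the interface they are behind, and by pointing the client at that interface's address instead of the outside address.

```cisco
! Added example, not from the original thread. Interface names (inside, dmz)
! and the inside interface address 10.10.10.254 are assumptions.
!
! AnyConnect (SSL VPN): enable the service on the interfaces the internal
! hosts actually face, in addition to outside.
webvpn
 enable outside
 enable inside
 enable dmz
 anyconnect enable
!
! IPsec (IKEv2) remote access, if used: the service is enabled per interface
! in the same way.
crypto ikev2 enable inside
crypto ikev2 enable dmz
!
! Verification: the same flow as in the original post, but addressed to the
! inside interface IP instead of the far-end outside IP. This is to-the-box
! traffic on the interface the host is behind, so it is not subject to the
! far-end restriction that produced the (no-route) drop.
packet-tracer input inside tcp 10.10.10.1 14214 10.10.10.254 443
!
! Confirm which interfaces now listen for the SSL VPN service:
show running-config webvpn
```

Note that this only changes which interfaces listen; it does not make the outside address reachable from inside. Clients on the inside or dmz networks must be given the address of their nearest interface, and exposing the VPN listener on internal interfaces widens the attack surface to those segments, so it should be limited to the interfaces that actually need it.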
02-27-2014 11:47 PM
This is a requirement of our IT team. Jouni, do you have a link from cisco.com with this restriction?
I think that they won't believe me without any documentary support.
02-28-2014 12:01 AM
Jouni, I've already done this but there is no result because the address for connection must be the only one.
So, this link is enough! Thank you very much for help!