05-29-2011 09:15 PM
inside network----ASA5505========internet===========Remote VPN client.
The ASA has one public IP on its outside interface and uses PAT to the internet. It only has two interfaces, inside and outside, using VLANs. I created an IPSec VPN through the CLI. My goal is for the remote client to browse the Internet through the tunnel.
Q1: Is it possible?
Q2: The remote side gets connected and has an IP from the pool, which is part of the inside network. But it cannot ping anything, including the gateway, which is the inside interface. I debugged it; it shows the ASA receives the ping packages, but it doesn't send anything back to the client. Any recommendation would be appreciated.
thanks,
Han
05-29-2011 09:58 PM
Hi Han,
It is very much possible.
You will have to configure u-turning on the ASA and enable same-security permit intra interface.
Also try configuring "management-access inside" on ASA and let us know if the ASA replies to the ping from the client.
Hope this helps.
Regards,
Anisha
P.S.: Please mark this post as answered if you feel your query is resolved. Do rate helpful posts.
05-30-2011 12:07 AM
What exactly is u-turning?
"management-access inside": what exactly does the command do?
thanks,
05-30-2011 01:01 AM
Hi,
U-turning will be the configuration of a nat (outside,outside) statement. This is done because the traffic will come to the ASA with the source IP as the pool IP and the destination IP as a routable internet IP. For this packet to go out to the internet, you will need to mask the actual pool IP to a routable IP.
With the nat (outside,outside) statement you are telling the firewall to mask the traffic destined for outside coming from outside, i.e. the VPN pool.
Therefore the U-turning will have:
nat (outside,outside) interface
The command "management-access inside" enables the interface to respond to the pings. By default the ASA interface will not respond to the ping as it is a security device.
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2027985
Hope this helps.
Regards,
Anisha
P.S.: Please mark this post as answered if you feel your query is resolved. Do rate helpful posts.
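The u-turn (hairpin) setup described in the reply above, written out as an added configuration example that is not part of the original thread. The pool name, pool subnet 192.168.50.0/24, and group-policy name are constructed placeholders; the first form assumes the pre-8.3 NAT syntax of the ASA 8.2 command reference linked above, and the 8.3+ object-NAT equivalent is shown in comments.

```text
! --- Added example: full-tunnel remote-access VPN with Internet hairpin ---
! VPN-POOL, VPN-GP and 192.168.50.0/24 are constructed placeholders.

! Allow traffic to enter and leave the same interface (outside -> outside).
same-security-traffic permit intra-interface

! Address pool handed to remote clients (placeholder range).
ip local pool VPN-POOL 192.168.50.10-192.168.50.50 mask 255.255.255.0

! ASA 8.2 and earlier: PAT the pool to the outside interface address
! when the traffic arrives on, and leaves through, the outside interface.
nat (outside) 1 192.168.50.0 255.255.255.0
global (outside) 1 interface

! ASA 8.3 and later equivalent (object NAT), use instead of the two lines above:
! object network VPN-POOL-NET
!  subnet 192.168.50.0 255.255.255.0
!  nat (outside,outside) dynamic interface

! Send all client traffic through the tunnel (no split tunneling),
! so Internet-bound packets reach the ASA and can be hairpinned.
group-policy VPN-GP internal
group-policy VPN-GP attributes
 split-tunnel-policy tunnelall

! Let the inside interface answer ping and management traffic
! that arrives through the VPN tunnel.
management-access inside
```

With tunnel-all in place, every Internet-bound client packet crosses the ASA, so the outside ACLs and any inspection policy apply to it as well.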
05-30-2011 03:05 PM
Anisha,
For some reason, I always think it is something to do with the gateway that the client gets. In my case, it gets the right gateway, but I didn't even configure it. So I feel something fishy here.
How can you configure the gateway that the client gets?
thanks,
Han
05-30-2011 07:47 PM
Hi,
Can you please paste the output of ipconfig/all here?
Hope this helps.
Regards,
Anisha
P.S.: Please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.