Re: Split-tunnel ASA - Access Public Secure Cloud IP( IAAS Public ip)

in2it · ‎05-11-2022

Good day , I really need some help with a project for my company remote workers. We have ASA split tunnel set up and has secure cloud servers which could only access from our LAN . . How can i get my VPN users 192.168.200.x to access this secure cloud system which is using public ip.

ASA Version 8.2(3)

UdupiKrishna · ‎05-11-2022

Ensure you include the secure cloud server IP address into the split tunnel ACL. Setup a NAT statement which looks like below.

object network VPN_POOL
subnet 192.168.200.0 255.255.255.0
nat (outside,outside) dynamic interface

Then add - same-security-traffic permit intra-interface so that traffic can land and exit on the same interface.

in2it · ‎05-12-2022

Thanks, will this work for ASA Version 8.2(3)?

in2it · ‎05-12-2022

I have this in place already,

nat-control
global (outside) 1 interface
nat (inside) 0 access-list 415
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) x.x.x.x 192.168.x.x netmask 255.255.255.255
static (inside,dmz) 192.168.1x.0 192.168.x.0 netmask 255.255.255.192
static (inside,outside) 12.1.1.x 172.13.x.x netmask 255.255.255.255

Would this VPN pool nat damage what i have in place already ? Since i already have static

object-group network VPN_IP_Pool_
description Remote Access
network-object 192.168.135.0 255.255.255.0
nat (outside) 1 192.168.135.0 255.255.255.0

UdupiKrishna · ‎05-12-2022

Yea that NAT (nat (outside) 1 192.168.135.0 255.255.255.0) should do the job and it will translate any outbound connections to Internet. Ensure you configure necessary NAT exemption for traffic between VPN pool and internal networks.

Saurabh Dhakate · ‎05-11-2022

I agree with @UdupiKrishna.

Also, if those servers are public and no such requirement of traffic going over tunnel, they should to reachable even without adding them in split tunnel. In this case, traffic would go in plain text (outside of tunnel) though.