09-01-2010 01:08 PM
Hi all,
I'm trying to set up an SSL VPN (not clientless) with a Cisco ASA 5510, but I am a little blocked, since for tests the VPN will be in the same subnet as the destination to reach, and therefore there will be only one interface connected to the network, which would deal with internal and external traffic. I enclosed a diagram of what I am trying to do and my ASA configuration; I hope that will be helpful.
The entire network is, for historical reasons, on routed public IP addresses. There are ACLs in order to block the traffic from the Internet to the workstations on our network, which is 8.8.36.0/24.
Since I am not in charge of the management of this network, I would like to perform VPN tests in several steps.
1) First step is to test this vpn from the inside to the inside
2) Second step would be to test this vpn from outside the internet to the inside network
3) and the last step would be to put this vpn into a separate vlan
For the first step, I tried to connect to the VPN server with the AnyConnect client. No problem with the VPN establishment, and I am correctly obtaining an IP from the pool (for example: 8.8.36.181), but I cannot contact internal workstations on the 8.8.36.0/24 network.
I'm sure I am missing something in the configuration; would it be possible to help me?
Thanks in Advance,
09-01-2010 02:46 PM
1. Please use a different subnet as the VPN client pool, other than your internal network 8.8.36/24.
2. Since the traffic will make a U-turn on the ASA, you need the following command.
same-security-traffic permit intra-interface
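The two points in this answer can be checked mechanically against a running-config dump. As an added example that is not part of the thread, a small Python lint (the function names are my own) parses a constructed ASA fragment and flags a VPN pool that overlaps an interface subnet and a missing intra-interface permit:

```python
import ipaddress
import re

# Constructed ASA fragment resembling the poster's first-step setup:
# the pool is carved out of the internal /24 and the hairpin permit is absent.
CONSTRUCTED_CONFIG = """\
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 8.8.36.1 255.255.255.0
ip local pool VPN_POOL 8.8.36.180-8.8.36.190 mask 255.255.255.0
"""

HAIRPIN_CMD = "same-security-traffic permit intra-interface"


def parse_asa(config):
    """Extract interface subnets, local pools and whether the hairpin permit is set."""
    ifaces, pools, current = {}, {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+ip address (\S+) (\S+)", line)
        if m and current:
            # ipaddress accepts a dotted netmask; strict=False keeps host bits
            ifaces[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            continue
        m = re.match(r"^\s*ip local pool (\S+) (\S+)-(\S+) mask (\S+)", line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    hairpin = any(l.strip() == HAIRPIN_CMD for l in config.splitlines())
    return ifaces, pools, hairpin


def lint(config):
    """Return findings for the two issues raised in the answer (empty list = clean)."""
    ifaces, pools, hairpin = parse_asa(config)
    findings = []
    for pool, (first, last) in pools.items():
        for name, net in ifaces.items():
            if first in net or last in net:
                findings.append(f"pool {pool} overlaps interface {name} ({net})")
    if not hairpin:
        findings.append(f"missing: {HAIRPIN_CMD}")
    return findings
```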
09-01-2010 11:56 PM
Thanks for your fast answer. I tried to change the client VPN pool and the intra-interface traffic command, but I still cannot contact internal workstations. Perhaps this could be a split tunneling issue, because I already have an IP address in the internal network?
09-02-2010 03:19 PM
Sorry, I might misunderstand what you are trying to test.
Is your SSL VPN client connecting to the ASA from the outside interface?
If yes, after the SSL VPN is up, your client could not talk to a host behind the ASA?
Could you please provide the full configuration file?
After your SSL VPN is up, can you initiate some traffic to the inside host and then capture the output of the following command?
show vpn-sessiondb svc
09-06-2010 11:03 AM
Thanks for your answer.
After some thought, what I was trying seems to be impossible. In fact, I was trying to bind the inside and outside "logical" interfaces to the same physical interface with the same network, which involves routing problems.
I rewrote my configuration; I will only do a classical VPN setup with one inside and one outside interface and with different logical network addressing.
Many thanks for your help.