2411
Views
0
Helpful
2
Replies

U-Turn anyconnect with public IP addresses

edsi-tech
Level 1

Hello everyone,

I want to set up AnyConnect on an ASA5505 but I cannot reach anything when I'm connected.

The client must receive a public IP address and all traffic must pass through the VPN tunnel.

The ASA has only one interface connected (outside) and a public IP address.

The public IP subnet for VPN is routed to the ASA.

I don't have any "internal" network and I don't need one.

VPN clients must be able to exchange traffic between them.


My network setup:

- ASA outside IP: x.y.z.19

- IP range allocated to VPN: x.y.z.48 to x.y.z.63

- There is a firewall rule that allows the VPN IP range to any and from any to the VPN IP range on the "global" interface.


If I establish a VPN connection, I receive an IP address, for example x.y.z.50


Traceroute from external location to x.y.z.50 for example shows x.y.z.19 as last hop, so routing is working properly.

From the VPN client, I cannot ping or reach anything on x.y.z.19 or 8.8.8.8.

Packet tracer in ASDM from x.y.z.50 to 8.8.8.8 shows that the packet can pass.


What am I missing? Do I need to use NAT even if I don't have any inside network?


Thanks for your help!

1 Accepted Solution

Accepted Solutions

nkarthikeyan
Level 7

Hi,


Yes. You have to enable `same-security-traffic permit intra-interface`, as you come and go via the same interface. You also need to do no-NAT with (outside,outside) for your VPN addresses.


Regards

Karthik

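The two changes the accepted answer describes, the intra-interface hairpin permit and an (outside,outside) NAT exemption, written out as an ASA configuration example added here (not from the original post). The addresses are the question's placeholders; the interface name `outside`, the pool and object names, the /28 mask for .48-.63 and the pre-8.3 variant are assumptions.

```cisco
! Let traffic that arrived on outside leave via outside again (VPN hairpin / U-turn)
same-security-traffic permit intra-interface

! Public pool handed to AnyConnect clients (range from the question; mask assumed)
ip local pool VPN-POOL x.y.z.48-x.y.z.63 mask 255.255.255.240

! ASA 8.3 and later: identity (no-NAT) rule for the pool, outside to outside.
! Covers client-to-client and client-to-Internet traffic; addresses stay unchanged.
object network VPN-POOL-NET
 subnet x.y.z.48 255.255.255.240
nat (outside,outside) source static VPN-POOL-NET VPN-POOL-NET no-proxy-arp route-lookup

! Pre-8.3 equivalent: NAT exemption driven by an access-list
! access-list NO-NAT extended permit ip x.y.z.48 255.255.255.240 any
! nat (outside) 0 access-list NO-NAT

! Verify the hairpin setting and the NAT rule, then simulate a client packet
show running-config same-security-traffic
show nat detail
packet-tracer input outside icmp x.y.z.50 8 0 8.8.8.8 detailed
```

Because the clients keep public addresses, no translation is needed for Internet access; the identity rule only stops any other NAT statement from rewriting them.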

2 Replies


Peter Long
Level 1

Hi

Cisco ASA - Remote VPN Client Internet Access

You want 'Option 2'


Pete