Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
386
Views
0
Helpful
2
Replies

Use AnyConnect inside LAN to outside ASA interface

Gonzo1
Level 1
Level 1

‎07-25-2018 12:38 AM - edited ‎02-21-2020 09:25 PM

Hello,

 

When working externally we use our AnyConnect client and use an FQDN that points to the public IP of the outside interface.

 

I've been asked if we can use this when we are coming from the inside interface (on our LAN ) too, possible?

 

I've managed to get it to work using the inside interface private IP, but my boss wants the FQDN or public IP to be used instead.

Labels:
0 Helpful
2 Replies 2

Rahul Govindan
VIP Alumni
VIP Alumni

‎07-25-2018 03:30 AM

If you are using the same Asa for internet access, then this is not possible. The ASA does not allow access to an interface (outside) when you initiate traffic from another interface on the same ASA (inside).

0 Helpful

Karsten Iwen
VIP
VIP

‎07-25-2018 04:15 AM

As Rahul mentioned, this is not directly possible on the ASA. But there are two workarounds that you could implement:

  1. DNS-Views: Make sure that your internal DNS-server answers with the private ASA-IP when queried for the public FQDN. I would go for this solution.
  2. The dirty way that makes your ASA-config more complex (and remember that complexity is the adversary to security): Configure destination NAT where you change the public IP to the private IP. Never used that, but it should work.
0 Helpful
Customers Also Viewed These Support Documents