
Using VPN anyconnect from inside to access other inside client interface

Hello Everyone,

I have something I cannot wrap my head around, and let’s see if you can help me out.

We have two clustered ASA 5516, running 3 “main” interfaces: Outside, Inside and Clients.

Inside is running the management, hosts, routers, switches, and FWS.

On Clients, we are running different subinterfaces, one per client, one private C-net and each in their VLAN. Works perfectly.

GigabitEthernet1/3.170

GigabitEthernet1/3.171

GigabitEthernet1/3.172

etc

Clients are connecting through VPN clients from outside or distant offices (some on site-to-site from ASA 5506). Works perfectly.

From inside, we cannot connect to any of the above client subnets over VPN, since we are already on the inside. We do not want to route the full network, so all can access, nor do we want “enable traffic between two or more interfaces on the same security levels”, seems to do the same, all access.

The best way would be to allow VPN access from inside; is that even possible?

Or am I missing something crucial here?

Thanks in advance,

Cheers

Anders

2 Replies

Hi,
Yes, you can establish a VPN to the inside interface, you just need to enable it on the interface.

HTH

Cristian Matei
VIP Alumni

Hi,

It's not clear what you're trying to achieve: "From inside, we cannot connect to any of the above client subnets over VPN, since we are already on the inside. We do not want to route the full network, so all can access, nor do we want “enable traffic between two or more interfaces on the same security levels”, seems to do the same, all access."

Better said, who needs to be able to speak with whom, and under what restrictions?

Regards,

Cristian Matei.