05-03-2010 12:13 AM
Hi,
I need to make users connected with the VPN client to the central office's LAN go to the internet using the central office's internet connection. I mean without having split-tunnel and without using an internal proxy. I would like to know if it is possible with PIX or ASA. I think it's like having traffic going in and out of the firewall using the same outside interface. Thank you very much in advance for your appreciated support.
Best regards
Angelo
05-03-2010 12:17 AM
Yes, definitely can.
You would need to configure the following:
same-security-traffic permit intra-interface
Plus, assuming that you already have "global (outside) 1 interface", you can configure the following:
nat (outside) 1
For example: if the ip pool subnet for the vpn client is 192.168.100.0/24, then the following:
nat (outside) 1 192.168.100.0 255.255.255.0
Hope that helps.
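As an added example (not part of the original posts and not Cisco code), a small Python check that a saved running-config contains the three pieces the answer above relies on: the intra-interface permit, a nat (outside) rule covering the VPN pool, and a global (outside) with the same NAT id. The sample config, the function name check_hairpin and its parameters are constructed for illustration, and the pre-8.3 nat/global syntax used in the thread is assumed.

```python
import ipaddress
import re

# Constructed sample config (pre-8.3 nat/global syntax, as in the answer above).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
nat (outside) 1 192.168.100.0 255.255.255.0
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")


def check_hairpin(config, pool_cidr, ifname="outside"):
    """Return a list of missing pieces for VPN-client internet hairpinning."""
    pool = ipaddress.ip_network(pool_cidr)
    lines = [line.strip() for line in config.splitlines()]
    problems = []

    if "same-security-traffic permit intra-interface" not in lines:
        problems.append("intra-interface traffic not permitted")

    # NAT ids on the interface whose source network covers the whole VPN pool.
    # Id 0 means "do not translate", so it cannot provide internet access.
    nat_ids = set()
    for line in lines:
        m = NAT_RE.match(line)
        if m and m.group(1) == ifname and m.group(2) != "0":
            net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            if pool.subnet_of(net):
                nat_ids.add(m.group(2))
    if not nat_ids:
        problems.append(f"no nat ({ifname}) rule covers {pool}")

    # A global statement with the same id must exist on the same interface.
    global_ids = {m.group(2) for m in map(GLOBAL_RE.match, lines)
                  if m and m.group(1) == ifname}
    if nat_ids and not (nat_ids & global_ids):
        problems.append(f"no global ({ifname}) matches nat id {sorted(nat_ids)}")
    return problems
```

An empty list from check_hairpin(SAMPLE_CONFIG, "192.168.100.0/24") means all three pieces are present for that pool.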
05-03-2010 04:12 AM
Hi, thanks a lot for your right advice.
Regards
angelo
PS: Does it also mean that I could make a VPN connection on my firewall starting from the inside? I mean just for testing purposes. Thanks.
05-03-2010 04:17 AM
As far as routing is concerned, if you connect to the ASA inside interface, it would be different from when you are connecting to the outside interface.
When connecting to the outside, the VPN Pool would be routed to the outside interface, and when connecting to the inside interface, now the VPN Pool would be routed to the inside interface, hence the NAT statement will also change to the inside interface instead of outside.
It will not be a true test of when VPN is connected via the outside interface.
05-03-2010 04:23 AM
Ok, it's all perfectly clear. Thank you very much. So the only way to test VPN connectivity is to have another internet connection.
Regards
angelo