12-17-2017 03:15 PM - edited 03-12-2019 04:50 AM
Hello: I have an ASA 5516. Users who connect using AnyConnect cannot get to our corporate public website, which on the internal LAN is accessed via an internal 192.x ip. Users on the vpn trying to access the website are being directed to this 192. address but cannot reach it. Is there a way to force or map the vpn users to route to the site using its external/public ip?
12-17-2017 05:01 PM
Hi,
It is possible, but it is better to make them get to your website using their VPN IP address. You need to make sure that the IP range they get when they connect to the VPN is permitted to reach your web server. If you are controlling client VPN using an ACL, then make sure you have a permit for this site.
You can confirm this by running a packet tracer on the ASA.
The other possibility is that you have some filter on the DNS side. You may need to add the VPN network to this filter.
For further suggestions, it would be good if you shared your firewall config.
-If I helped you somehow, please, rate it as useful.-
12-17-2017 05:19 PM
12-17-2017 05:48 PM
You said: "..Users who connect using AnyConnect cannot get to our corporate public website"
But then you say: "... The ip addresses the vpn users receive can reach the website via its internal ip"
They are able to reach it through the internal network but not through the public IP address? Why do you want them to reach it through the public access?
The problem with client VPN reaching the website using your public IP address is the hairpinning problem, when the packet needs to enter and leave the same firewall interface.
It will be much easier if they can go internal.
-If I helped you somehow, please, rate it as useful.-
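The two checks suggested in the replies above (is the VPN pool permitted by the vpn-filter ACL to reach the web server, and does DNS hand the client the internal address or the public one that forces a hairpin on the outside interface) can be modelled offline before touching the ASA. This is an added example, not code from the thread or from Cisco; the addresses, the ACL entries and the resolver answers are constructed sample data, and the ACL evaluator is a simplified first-match model of ASA ACL semantics, not the packet-tracer itself.

```python
"""Offline model of two checks from the thread: vpn-filter ACL reachability
and DNS answer classification (internal vs public/hairpin).
All addresses, ACL entries and resolver answers below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol, otherwise "tcp"/"udp"
    src: IPv4Net
    dst: IPv4Net
    dport: Optional[int] = None   # None = any destination port


def acl_decision(acl, src_ip, dst_ip, proto, dport):
    """First matching entry wins; like an ASA ACL, the list ends in an implicit deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for entry in acl:
        if entry.proto not in ("ip", proto):
            continue
        if src not in entry.src or dst not in entry.dst:
            continue
        if entry.dport is not None and entry.dport != dport:
            continue
        return entry.action
    return "deny"   # implicit deny at the end of the ACL


RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def path_for_answer(resolved_ip):
    """'internal' when DNS returned a private address (traffic stays in the
    tunnel and on the LAN); 'hairpin' when it returned the public address, so
    the packet would have to enter and leave the same outside interface."""
    ip = ipaddress.ip_address(resolved_ip)
    return "internal" if any(ip in net for net in RFC1918) else "hairpin"


def diagnose(client_ip, resolved_ip, acl, dport=443):
    """Combine both checks for one VPN client flow towards the web server."""
    return {
        "path": path_for_answer(resolved_ip),
        "acl": acl_decision(acl, client_ip, resolved_ip, "tcp", dport),
    }


# --- constructed sample data (placeholders, not the poster's real addresses) ---
VPN_POOL = ipaddress.ip_network("192.168.10.0/24")
WEB_INTERNAL = "192.168.20.10"
WEB_PUBLIC = "203.0.113.10"          # documentation range used as a placeholder
VPN_FILTER = [
    AclEntry("permit", "tcp", VPN_POOL, ipaddress.ip_network(WEB_INTERNAL + "/32"), 443),
    AclEntry("permit", "tcp", VPN_POOL, ipaddress.ip_network(WEB_INTERNAL + "/32"), 80),
    AclEntry("deny", "ip", VPN_POOL, ipaddress.ip_network("192.168.20.0/24")),
]

if __name__ == "__main__":
    # Same client, two possible DNS answers: only the internal one is both
    # permitted by the filter and free of the hairpin problem.
    for answer in (WEB_INTERNAL, WEB_PUBLIC):
        print(answer, diagnose("192.168.10.25", answer, VPN_FILTER))
```

Run it and compare the "path" field with what `nslookup` returns on a connected AnyConnect client: a "hairpin" answer means the client's resolver is not using the internal DNS view, which is exactly what the original poster's split-DNS change (adding the internal DNS server for VPN clients) corrects, while a "deny" in the "acl" field points at the vpn-filter rather than at DNS.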
12-17-2017 07:42 PM
To clarify, if a user was to use the ip they receive through the vpn, on their desktop at work, they can get to the corporate website via the standard URL. However, when connecting through the VPN on their personal machines, they cannot get there using the standard URL. There is only the standard URL. Our website admins and networking teams must have implemented a way for internal users to get to the site without the traffic leaving the LAN. I am not sure why this doesn't work when connected via the vpn, which uses an address pool on the same subnet as internal desktops.
12-26-2017 05:08 AM
I worked with the TAC on this and we added a public DNS address in front of our internal DNS server, which resolved the issue.