07-04-2016 08:08 AM
Hello,
I am trying to configure an ASA5512-X to allow remote-access VPN and also site-site VPN. The interfaces are fairly straightforward - 'outside' interface goes out to the internet, 'DMZ' has a couple of sub interfaces for a webserver, database etc. 'inside' has multiple sub-interfaces for different IT systems.
I have successfully got a simple AnyConnect config working using the ASDM wizard, which is a good start. The result is that the VPN client now sits on the "outside" interface.
What I'd like to happen (unless it is bad practice?) is that the VPN terminates on a different interface than outside (perhaps a new VPN-DMZ interface), then I can use ACL/NAT to give them the access I want.
Is this possible?
How can I do this, preferably with ASDM?
Thank you!
07-04-2016 05:12 PM
Hi,
I am not sure if it is a bad practice as it depends on your requirement.
You need to allow NAT/ACL rules to give the access.
So if users are trying to connect from the outside network, then AnyConnect should be enabled on the outside interface rather than the inside one.
This is the only change you may need to make.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
07-05-2016 02:55 AM
Ok thanks, so client will appear on the outside interface, then there will be NAT/ACL into the network.
1). The NAT entry will NAT the VPN address pool into the relevant network.
2). The ACL will check the address pool & users to allow.
Correct?
My only confusion with this is that everything I've read about user filters suggests that I shouldn't be able to use identity filtering without an Active Directory - but I've tried and it appears to work when authenticating against LOCAL/users. What have I misunderstood?
Thanks again!
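The two steps listed in the post above (a NAT exemption for the VPN pool, then an ACL that limits what the pool can reach) as an added ASA 9.x CLI example. This is not configuration from the thread or from Cisco; the interface names, VLAN, addresses, pool range and object names are constructed assumptions, and the AnyConnect image/profile lines the ASDM wizard generates are left out because they are unchanged.

```text
! Constructed example: all addresses, names and VLAN IDs below are assumptions.
! outside = internet-facing, inside = one of the IT-system sub-interfaces.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
! Addresses handed to AnyConnect clients; from the ASA's point of view this
! subnet lives "behind" the outside interface, so ACL/NAT keyed on it gives
! the same separation a dedicated VPN interface would.
ip local pool ANYCONNECT-POOL 192.0.2.1-192.0.2.254 mask 255.255.255.0
!
object network VPN-POOL
 subnet 192.0.2.0 255.255.255.0
object network INSIDE-LAN
 subnet 10.10.10.0 255.255.255.0
!
! Step 1 (NAT): traffic between inside and the VPN pool must not be translated.
! Identity twice-NAT, ordered before any dynamic PAT for inside hosts.
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
!
! Step 2 (ACL): the ASA default "sysopt connection permit-vpn" lets decrypted
! VPN traffic bypass the outside interface ACL, so the filter is applied to the
! group policy instead. Write the ACEs with the VPN client as the source; the
! ASA evaluates the filter in both directions of a connection.
access-list VPN-FILTER extended permit tcp 192.0.2.0 255.255.255.0 10.10.10.0 255.255.255.0 eq 443
access-list VPN-FILTER extended permit tcp 192.0.2.0 255.255.255.0 host 10.10.10.25 eq 3389
access-list VPN-FILTER extended deny ip any any log
!
! Only send the inside subnet through the tunnel (assumed policy).
access-list SPLIT-TUNNEL standard permit 10.10.10.0 255.255.255.0
!
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value ANYCONNECT-POOL
 vpn-filter value VPN-FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy ANYCONNECT-GP
 authentication-server-group LOCAL
!
! The client still terminates on outside, as suggested in the reply above.
webvpn
 enable outside
 anyconnect enable
```

Two checks worth running after applying something like this: `packet-tracer input outside tcp 192.0.2.10 1025 10.10.10.25 3389` should show the identity NAT rule matched and the VPN-FILTER ACE permitting, and `show vpn-sessiondb anyconnect filter name <user>` confirms the filter attached to the session. If you prefer the outside interface ACL to govern VPN users instead of a vpn-filter, `no sysopt connection permit-vpn` turns off the bypass, but then every site-to-site tunnel on that interface needs explicit ACEs too. On the identity-filter question: the ASA identity firewall treats LOCAL as a special domain for users it authenticates against its own database, so an ACE such as `user LOCAL\jdoe` can match a locally authenticated VPN user without an AD agent.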