Solved

VPN and web access from internal interface to public IP on outside interface

Posted on 2010-11-09
6
379 Views
Last Modified: 2012-05-10
I am trying to see if it is possible to accomplish what I am trying. I have an ASA 5505 with the following setup.

1. There is an outside connection, connected to the ISP. Lets say that it is 10.1.1.1/24 for ease. There is a remote VPN setup that people access through this interface.

2. There is the inside network which is the normal LAN. This is the wired network in the office. lets say that it is 172.20.0.1/24.

3. There is a wireless network on a seperate VLAN called WLAN. It has an IP of 192.168.1.1/24. There is an ACL allowing traffic from this VLAN to the public internet.

Basically I would like users to be able to use the same VPN settings that they use when connecting from outside the office while connected to WLAN.

Also I would like them to be able to access the public IP addresses that I have NAT'd to internal servers. That way they can use the IP addresses that they use when on the public internet.

Can this be done?
0
Comment
Question by:ryan80
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 28

Expert Comment

by:bgoering
ID: 34102436
If I am understanding your requirements, you wish your Wireless clients to access the inside network through the VPN. I would try something like configuring their VLAN on the outside interface rather than the inside interface.
0
 
LVL 12

Author Comment

by:ryan80
ID: 34105443
that is correct. I want them to be able to reach the internal VLAN through the existing VPN.

Correct me if I am wrong, but isnt each VLAN treated as a seperate interface?
0
 
LVL 28

Accepted Solution

by:
bgoering earned 500 total points
ID: 34108510
Yes, you are right so scratch that. I was thinking more along the lines of putting the WLAN outside the firewall (like through a router or L3 switch). Then it wouldn't have to be routed or traverse the inside interface. At that point it should behave like any other outside address accessing the VPN.

How is the WLAN connected? Is it another VLAN on the ASA (Like a DMZ), or is it a seperate VLAN on your internal network?

It would probably be easiest if you can post a sanatized config of your ASA so I can determine your starting point. Change your public IP to 10.1.1.1 like in your description above. If passwords aren't encrypted mask them.

0
Retailers - Is your network secure?

With the prevalence of social media & networking tools, for retailers, reputation is critical. Have you considered the impact your network security could have in your customer's experience? Learn more in our Retail Security Resource Kit Today!

 
LVL 12

Author Comment

by:ryan80
ID: 34111427
The WLAN is on a seperate VLAN on the ASA. There are 3 VLANs on the ASA, the public outside, internal LAN, and the WLAN. I can post the config, but I am just trying to see if it is possible at this point in time.

I will sanitize the config and post it later, but may not have the chance until tomorrow.
0
 
LVL 12

Author Comment

by:ryan80
ID: 34116554
I havent had a chance to sanitize the config yet, but I was told by someone else that by design you cannot access a VPN on an interface that you are not connected directly to. However I can just apply the same crypto map to the other interface and then I hopefully can just use the VPN that way.

So I imagine that now they will just need to use the interface IP address of the WLAN interface.
0
 
LVL 12

Author Closing Comment

by:ryan80
ID: 34192523
Thanks for the help. As it turns out, you cannot access a vpn that is set on another IP interface. I applied the crypto map to the other interface and will just have to configure the VPN client to go to the other IP.
0

Featured Post

Save the day with this special offer from ATEN!

Save 30% on the CV211 using promo code EXPERTS30 now through April 30th. The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question