Solved

VPN and web access from internal interface to public IP on outside interface

Posted on 2010-11-09
Last Modified: 2012-05-10
I am trying to see if it is possible to accomplish what I am trying. I have an ASA 5505 with the following setup.

1. There is an outside connection, connected to the ISP. Let's say that it is 10.1.1.1/24 for ease. There is a remote VPN setup that people access through this interface.

2. There is the inside network which is the normal LAN. This is the wired network in the office. Let's say that it is 172.20.0.1/24.

3. There is a wireless network on a separate VLAN called WLAN. It has an IP of 192.168.1.1/24. There is an ACL allowing traffic from this VLAN to the public internet.

Basically I would like users to be able to use the same VPN settings that they use when connecting from outside the office while connected to WLAN.

Also I would like them to be able to access the public IP addresses that I have NAT'd to internal servers. That way they can use the IP addresses that they use when on the public internet.

Can this be done?
Question by:ryan80
 
LVL 28

Expert Comment

by:bgoering
ID: 34102436
If I am understanding your requirements, you wish your Wireless clients to access the inside network through the VPN. I would try something like configuring their VLAN on the outside interface rather than the inside interface.
0
 
LVL 12

Author Comment

by:ryan80
ID: 34105443
That is correct. I want them to be able to reach the internal VLAN through the existing VPN.

Correct me if I am wrong, but isn't each VLAN treated as a separate interface?
0
 
LVL 28

Accepted Solution

by:
bgoering earned 1500 total points
ID: 34108510
Yes, you are right so scratch that. I was thinking more along the lines of putting the WLAN outside the firewall (like through a router or L3 switch). Then it wouldn't have to be routed or traverse the inside interface. At that point it should behave like any other outside address accessing the VPN.

How is the WLAN connected? Is it another VLAN on the ASA (like a DMZ), or is it a separate VLAN on your internal network?

It would probably be easiest if you can post a sanitized config of your ASA so I can determine your starting point. Change your public IP to 10.1.1.1 like in your description above. If passwords aren't encrypted, mask them.

0

 
LVL 12

Author Comment

by:ryan80
ID: 34111427
The WLAN is on a separate VLAN on the ASA. There are 3 VLANs on the ASA: the public outside, internal LAN, and the WLAN. I can post the config, but I am just trying to see if it is possible at this point in time.

I will sanitize the config and post it later, but may not have the chance until tomorrow.
0
 
LVL 12

Author Comment

by:ryan80
ID: 34116554
I haven't had a chance to sanitize the config yet, but I was told by someone else that by design you cannot access a VPN on an interface that you are not connected directly to. However, I can just apply the same crypto map to the other interface and then I hopefully can just use the VPN that way.

So I imagine that now they will just need to use the interface IP address of the WLAN interface.
0
 
LVL 12

Author Closing Comment

by:ryan80
ID: 34192523
Thanks for the help. As it turns out, you cannot access a VPN that is set on another IP interface. I applied the crypto map to the other interface and will just have to configure the VPN client to go to the other IP.
0
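
A check for the fix described in the closing comment, as an added example that is not part of the original thread: it reads an ASA running-config and reports which interfaces actually terminate the VPN. The config fragment is constructed (the map names `outside_map` and `outside_dyn_map` are assumptions; addresses follow the question), and it assumes ASA 8.x syntax, where an interface needs `crypto isakmp enable` in addition to the crypto map before it accepts IKE.

```python
import re

# Constructed, sanitized ASA 8.x-style fragment (not from the thread).
# Names outside_map / outside_dyn_map are assumptions; addresses follow the question.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 172.20.0.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 10.1.1.1 255.255.255.0
interface Vlan3
 nameif WLAN
 ip address 192.168.1.1 255.255.255.0
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map outside_map interface WLAN
crypto isakmp enable outside
"""

def parse_interfaces(config):
    """Return {nameif: {"ip", "crypto_map", "ike"}} from running-config text."""
    ifaces, current = {}, None
    blank = lambda: {"ip": None, "crypto_map": None, "ike": False}
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            current = None  # left the previous interface block
        if m := re.fullmatch(r"nameif (\S+)", line):
            current = m.group(1)
            ifaces.setdefault(current, blank())
        elif current and (m := re.fullmatch(r"ip address (\S+) \S+.*", line)):
            ifaces[current]["ip"] = m.group(1)
        elif m := re.fullmatch(r"crypto map (\S+) interface (\S+)", line):
            ifaces.setdefault(m.group(2), blank())["crypto_map"] = m.group(1)
        elif m := re.fullmatch(r"crypto (?:isakmp|ikev1) enable (\S+)", line):
            # "isakmp" is the 8.x keyword; later releases use "ikev1"
            ifaces.setdefault(m.group(1), blank())["ike"] = True
    return ifaces

def vpn_endpoints(config):
    """Interfaces that terminate the VPN: crypto map applied and IKE enabled."""
    return {n: i["ip"] for n, i in parse_interfaces(config).items()
            if i["crypto_map"] and i["ike"]}

def incomplete(config):
    """Interfaces with only one of the two statements, so clients cannot connect."""
    return sorted(n for n, i in parse_interfaces(config).items()
                  if bool(i["crypto_map"]) != i["ike"])
```

On the sample, `vpn_endpoints` returns only `outside` and `incomplete` flags `WLAN`; adding `crypto isakmp enable WLAN` makes 192.168.1.1 the address WLAN clients point their VPN client at.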
