VPN and web access from internal interface to public IP on outside interface

I am trying to see if it is possible to accomplish what I am trying. I have an ASA 5505 with the following setup.

1. There is an outside connection, connected to the ISP. Lets say that it is 10.1.1.1/24 for ease. There is a remote VPN setup that people access through this interface.

2. There is the inside network which is the normal LAN. This is the wired network in the office. lets say that it is 172.20.0.1/24.

3. There is a wireless network on a seperate VLAN called WLAN. It has an IP of 192.168.1.1/24. There is an ACL allowing traffic from this VLAN to the public internet.

Basically I would like users to be able to use the same VPN settings that they use when connecting from outside the office while connected to WLAN.

Also I would like them to be able to access the public IP addresses that I have NAT'd to internal servers. That way they can use the IP addresses that they use when on the public internet.

Can this be done?
LVL 12
ryan80Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
bgoeringConnect With a Mentor Commented:
Yes, you are right so scratch that. I was thinking more along the lines of putting the WLAN outside the firewall (like through a router or L3 switch). Then it wouldn't have to be routed or traverse the inside interface. At that point it should behave like any other outside address accessing the VPN.

How is the WLAN connected? Is it another VLAN on the ASA (Like a DMZ), or is it a seperate VLAN on your internal network?

It would probably be easiest if you can post a sanatized config of your ASA so I can determine your starting point. Change your public IP to 10.1.1.1 like in your description above. If passwords aren't encrypted mask them.

0
 
bgoeringCommented:
If I am understanding your requirements, you wish your Wireless clients to access the inside network through the VPN. I would try something like configuring their VLAN on the outside interface rather than the inside interface.
0
 
ryan80Author Commented:
that is correct. I want them to be able to reach the internal VLAN through the existing VPN.

Correct me if I am wrong, but isnt each VLAN treated as a seperate interface?
0
Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

 
ryan80Author Commented:
The WLAN is on a seperate VLAN on the ASA. There are 3 VLANs on the ASA, the public outside, internal LAN, and the WLAN. I can post the config, but I am just trying to see if it is possible at this point in time.

I will sanitize the config and post it later, but may not have the chance until tomorrow.
0
 
ryan80Author Commented:
I havent had a chance to sanitize the config yet, but I was told by someone else that by design you cannot access a VPN on an interface that you are not connected directly to. However I can just apply the same crypto map to the other interface and then I hopefully can just use the VPN that way.

So I imagine that now they will just need to use the interface IP address of the WLAN interface.
0
 
ryan80Author Commented:
Thanks for the help. As it turns out, you cannot access a vpn that is set on another IP interface. I applied the crypto map to the other interface and will just have to configure the VPN client to go to the other IP.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.