Solved

VPN and web access from internal interface to public IP on outside interface

Posted on 2010-11-09
Last Modified: 2012-05-10
I am trying to see if it is possible to accomplish what I am trying. I have an ASA 5505 with the following setup.

1. There is an outside connection, connected to the ISP. Let's say that it is 10.1.1.1/24 for ease. There is a remote VPN setup that people access through this interface.

2. There is the inside network which is the normal LAN. This is the wired network in the office. Let's say that it is 172.20.0.1/24.

3. There is a wireless network on a separate VLAN called WLAN. It has an IP of 192.168.1.1/24. There is an ACL allowing traffic from this VLAN to the public internet.

Basically I would like users to be able to use the same VPN settings that they use when connecting from outside the office while connected to WLAN.

Also I would like them to be able to access the public IP addresses that I have NAT'd to internal servers. That way they can use the IP addresses that they use when on the public internet.

Can this be done?
Question by:ryan80
LVL 28

Expert Comment

by:bgoering
ID: 34102436
If I am understanding your requirements, you wish your Wireless clients to access the inside network through the VPN. I would try something like configuring their VLAN on the outside interface rather than the inside interface.
LVL 12

Author Comment

by:ryan80
ID: 34105443
That is correct. I want them to be able to reach the internal VLAN through the existing VPN.

Correct me if I am wrong, but isn't each VLAN treated as a separate interface?
LVL 28

Accepted Solution

by:
bgoering earned 500 total points
ID: 34108510
Yes, you are right so scratch that. I was thinking more along the lines of putting the WLAN outside the firewall (like through a router or L3 switch). Then it wouldn't have to be routed or traverse the inside interface. At that point it should behave like any other outside address accessing the VPN.

How is the WLAN connected? Is it another VLAN on the ASA (like a DMZ), or is it a separate VLAN on your internal network?

It would probably be easiest if you can post a sanitized config of your ASA so I can determine your starting point. Change your public IP to 10.1.1.1 like in your description above. If passwords aren't encrypted, mask them.

LVL 12

Author Comment

by:ryan80
ID: 34111427
The WLAN is on a separate VLAN on the ASA. There are 3 VLANs on the ASA, the public outside, internal LAN, and the WLAN. I can post the config, but I am just trying to see if it is possible at this point in time.

I will sanitize the config and post it later, but may not have the chance until tomorrow.
LVL 12

Author Comment

by:ryan80
ID: 34116554
I haven't had a chance to sanitize the config yet, but I was told by someone else that by design you cannot access a VPN on an interface that you are not connected directly to. However I can just apply the same crypto map to the other interface and then I hopefully can just use the VPN that way.

So I imagine that now they will just need to use the interface IP address of the WLAN interface.
LVL 12

Author Closing Comment

by:ryan80
ID: 34192523
Thanks for the help. As it turns out, you cannot access a VPN that is set on another IP interface. I applied the crypto map to the other interface and will just have to configure the VPN client to go to the other IP.
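An added example, not part of the thread or the poster's configuration: a small audit of an ASA-style config that reports, per interface, which address a VPN client arriving there has to dial, and flags interfaces where a crypto map is bound but IKE is not enabled. The sample config is constructed from the addresses used in the question; the VLAN numbers and the map name `VPNMAP` are assumptions, and the IKE check reflects the ASA requirement that `crypto isakmp enable` (or `crypto ikev1 enable` on later releases) be set on each terminating interface, which the thread does not mention.

```python
import re

# Constructed, sanitized ASA-style config using the thread's addresses.
# VLAN numbers and the crypto map name VPNMAP are assumptions.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 172.20.0.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 10.1.1.1 255.255.255.0
interface Vlan3
 nameif WLAN
 ip address 192.168.1.1 255.255.255.0
crypto map VPNMAP interface outside
crypto map VPNMAP interface WLAN
crypto isakmp enable outside
"""

def vpn_interfaces(config):
    """Map each nameif to its static IP, bound crypto map and IKE state."""
    info, current = {}, None
    def entry(name):
        return info.setdefault(name, {"ip": None, "crypto_map": None, "ike": False})
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None  # nameif of this block not seen yet
        elif m := re.fullmatch(r"nameif (\S+)", line):
            current = m.group(1)
            entry(current)
        elif current and (m := re.fullmatch(r"ip address (\d+(?:\.\d+){3}) \S+.*", line)):
            entry(current)["ip"] = m.group(1)
        elif m := re.fullmatch(r"crypto map (\S+) interface (\S+)", line):
            entry(m.group(2))["crypto_map"] = m.group(1)
        elif m := re.fullmatch(r"crypto (?:isakmp|ikev1) enable (\S+)", line):
            entry(m.group(1))["ike"] = True
    return info

def peer_address(info, arriving_on):
    """Address a client arriving on this interface must dial, else None."""
    i = info.get(arriving_on)
    return i["ip"] if i and i["crypto_map"] and i["ike"] else None

def half_configured(info):
    """Interfaces with a crypto map but no IKE enabled, or the reverse."""
    return sorted(n for n, i in info.items() if bool(i["crypto_map"]) != i["ike"])
```

Run against a real `show running-config`, the same report doubles as an inventory of every interface that now terminates VPN sessions, which is worth reviewing after a crypto map is bound to an additional interface.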