Cisco ASA 5505 V05 Issue
CompuTron99
Member Posts: 542
in Off-Topic
I'm hoping someone might point me in the right direction here.
We have an ASA 5505 V05 at one of our remote user's home office.
Right now we have it set up in VPN mode. The user can see the main office, print, and browse the internet. We are not able to access the remote site from the main office. We set up the ASA in Extension Mode and we were able to communicate back and forth with the remote office fine, except he has no internet access (IE or Skype). We must be missing something here. We would like to be able to access the remote office from the main office, the main office from the remote, and allow the remote user to browse the internet. Any ideas?
Comments
-
cdad2000 Member Posts: 323
Just from off the top, w/o going too deep: check the ACLs and NATting config.
-
broc Member Posts: 167
I suppose that your main office ASA is configured as Easy VPN Server and the user's as Easy VPN client, as you're speaking of Extension Mode. Can you confirm?
If this is the case, by default, all the communications from the remote ASA will be going through the main office and the main office ASA will not let communications go back the same interface.
You have two solutions. When you configure the remote access (VPN Client), you can allow the remote user to access other networks (like the internet or his own subnet) during the configuration. I don't remember at which stage off the top of my head, but if you send me your config, I will tell you what to add.
Or, if that's unacceptable for your security policy (as it would leave the remote user vulnerable to worms and anything else from the net), you need to configure "same-security-traffic permit intra-interface" on the main ASA to allow the traffic coming from the remote client to leave again from the same interface to access the internet.

"Not everything that counts can be counted, and not everything that can be counted counts."
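The two options described in the answer above, sketched as configuration for the main-office ASA. This is an added example, not a config posted in the thread: the group-policy name, ACL name and both subnets are constructed placeholders, and the NAT lines for the hairpin case (which the thread does not mention) assume pre-8.3 syntax, with the 8.3+ form shown in comments.

```cisco
! Constructed placeholders (not from the thread):
!   10.10.0.0/16    = main-office networks
!   192.168.50.0/24 = remote user's LAN behind the 5505
!   REMOTE-5505     = group policy applied to the Easy VPN client

! --- Option 1: split tunneling ---------------------------------------
! Only main-office prefixes are tunneled; the remote LAN reaches the
! internet directly through its own ISP, without head-end inspection.
access-list SPLIT-TUNNEL standard permit 10.10.0.0 255.255.0.0
group-policy REMOTE-5505 attributes
 nem enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! --- Option 2: tunnel everything and hairpin at the head end ---------
! All remote traffic arrives on the outside interface inside the
! tunnel and must leave by that same interface to reach the internet.
group-policy REMOTE-5505 attributes
 nem enable
 split-tunnel-policy tunnelall
same-security-traffic permit intra-interface

! The hairpinned traffic still has a private source address, so it
! needs translation on the outside interface (assumption: pre-8.3 NAT).
nat (outside) 1 192.168.50.0 255.255.255.0
global (outside) 1 interface

! 8.3 and later equivalent of the two NAT lines above:
! object network REMOTE-LAN
!  subnet 192.168.50.0 255.255.255.0
!  nat (outside,outside) dynamic interface

! Verification on the head end:
!   show crypto ipsec sa     (tunnel counters increase in both directions)
!   show xlate               (translations exist for 192.168.50.x sources)
```

With option 2 the remote user's web traffic is subject to the main office's outbound ACLs and inspection, which is the security trade-off the answer describes.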