Asymmetric Routing - ASA SSL VPN
7of9
Member Posts: 76
I am configuring an ASA 5505 HA pair to essentially be used as a VPN concentrator only. This device is meant to sit on the DMZ, accept incoming SSL VPN connections, both web and AnyConnect, and then drop them onto the corporate LAN. I have a connection to both the DMZ and the LAN and can connect to the ASAs using AnyConnect and ping around the internal network. I have it set up to receive an IP pool from an internal scope.
Here's where the problem is... ping is all I can do. Any other traffic arrives out of sequence and fails to pass the stateful firewall inspection on the ASAs because the packets are coming from the remote user out the DMZ interface on the 5505, then coming back in on the LAN interface. This also wreaked havoc on the ARP lists on my core layer 3 switches.
Now... I've found where I can turn off stateful inspection, but I'm guessing this won't help my issues with asymmetric routing, only make the 5505s tolerate it. What am I missing here? The logs show my remote user with the correct IP address, but coming from the DMZ interface, which should only be the VPN interface that they connect to, not their ultimate destination. I have all ACLs on the 5505s set to permit any, and all NATs set to no-NAT.
Thanks!
Working on Security+ study, then going back to re-do my Cisco Certs, in between dodging moose and riding my Harley