VPN users accessing DMZ Servers with IP Static NAT to Inside

Unanswered Question
Sep 10th, 2007
User Badges:

I have static nat on inside to the VPN so that internal clients can access the VPN. The problen is that VPN clients and L2L conections cannot access the dmz. Any thoughts?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
gfullage Mon, 09/10/2007 - 22:02
User Badges:
  • Cisco Employee,

You probably have something like this in your config:

access-list nonat permit ip

nat (inside) 0 access-list nonat

This stops your VPN traffic from being NAT'd so that it'll match your crypto access-list correctly. This is only doing it for traffic coming from the inside interface though. For VPN users to get to the DMZ interface you need the same sort of thing like this:

access-list nonatdmz permit ip

nat (dmz) 0 access-list nonatdmz

mikecastdogg Tue, 09/11/2007 - 03:32
User Badges:

Is the Static (dmz, inside) statemnet still going to screw me up? I still need internal/vpn clients to use an internal address for the dmz server.

acomiskey Tue, 09/11/2007 - 04:53
User Badges:
  • Green, 3000 points or more


No it will not. As Glenn has posted, you can use nat exemption for the dmz to vpn clients. This is first in the nat order of operations and will not affect your (dmz,inside) destination nat.


This Discussion