VPN users accessing DMZ Servers with IP Static NAT to Inside

Unanswered Question
Sep 10th, 2007

I have static nat on inside to the VPN so that internal clients can access the VPN. The problen is that VPN clients and L2L conections cannot access the dmz. Any thoughts?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
gfullage Mon, 09/10/2007 - 22:02

You probably have something like this in your config:

access-list nonat permit ip

nat (inside) 0 access-list nonat

This stops your VPN traffic from being NAT'd so that it'll match your crypto access-list correctly. This is only doing it for traffic coming from the inside interface though. For VPN users to get to the DMZ interface you need the same sort of thing like this:

access-list nonatdmz permit ip

nat (dmz) 0 access-list nonatdmz

mikecastdogg Tue, 09/11/2007 - 03:32

Is the Static (dmz, inside) statemnet still going to screw me up? I still need internal/vpn clients to use an internal address for the dmz server.

acomiskey Tue, 09/11/2007 - 04:53


No it will not. As Glenn has posted, you can use nat exemption for the dmz to vpn clients. This is first in the nat order of operations and will not affect your (dmz,inside) destination nat.


This Discussion