Allowing VPN subnet access to DMZ

Answered Question
Oct 26th, 2007

I need to allow users from our VPN subnet access to a webserver on our DMZ.

Both the inbound ACLs are correct, but I am unsure of what the translation would be.

Our VPN subnet is 172.16.140.0/24 and our DMZ is 172.16.110.0/24.

Any help would be appreciated. BTW, this is an ASA5510

acomiskey Fri, 10/26/2007 - 10:19

Posting the config would help, but you probably just need nat exemption for the dmz.

access-list nonat_dmz permit ip any 172.16.140.0 255.255.255.0

nat (dmz) 0 access-list nonat_dmz

Please rate helpful posts.

Correct Answer
acomiskey Fri, 10/26/2007 - 10:47

access-list No-NAT-DMZ extended permit ip 172.16.110.0 255.255.255.0 172.16.140.0 255.255.255.0

nat (DMZ) 0 access-list No-NAT-DMZ

You had the acl above in your No-Nat acl, but that is the nat exempt for the inside interface. That acl would never match. So you simply have to create a nat exemption for the DMZ with the appropriate acl.

jgorman1977 Fri, 10/26/2007 - 11:05

Thanks. That worked. Also, could you explain what the NAT exemption does in this instance?

Thanks again.

acomiskey Fri, 10/26/2007 - 11:10

It identifies the traffic which should be exempt from nat, or not nat'd. This allows the traffic to be part of the vpn.

Please rate helpful posts.
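The two failure modes discussed above (the exemption ACE sitting under the inside interface's nat 0, where DMZ traffic never consults it, and a nat 0 line referencing an ACL whose name does not match its definition) can be caught by a static check before the config is pushed. The following is an added example, not code from the thread or from Cisco: a small Python checker for pre-8.3 ASA syntax that finds the ingress interface for a flow, looks up that interface's nat 0 ACL and reports why the flow is or is not exempt. The interface names, inside subnet and ACL names are constructed for illustration; the VPN and DMZ subnets follow the thread.

```python
"""Static check: is a flow covered by an ASA (pre-8.3) NAT exemption?

Added example, not from the original thread. Interface names, the inside
subnet and ACL names are constructed; only 'permit ip' ACEs are modelled.
"""
import ipaddress

# Constructed fragment reproducing the original poster's mistake: the
# DMZ->VPN ACE lives in the *inside* interface's exemption ACL.
BROKEN_CONFIG = """
interface Ethernet0/1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
interface Ethernet0/2
 nameif DMZ
 ip address 172.16.110.1 255.255.255.0
access-list No-NAT extended permit ip 10.1.1.0 255.255.255.0 172.16.140.0 255.255.255.0
access-list No-NAT extended permit ip 172.16.110.0 255.255.255.0 172.16.140.0 255.255.255.0
nat (inside) 0 access-list No-NAT
"""

# The fix from the accepted answer: a dedicated exemption bound to DMZ.
DMZ_ACL = "access-list No-NAT-DMZ extended permit ip 172.16.110.0 255.255.255.0 172.16.140.0 255.255.255.0\n"
FIXED_CONFIG = BROKEN_CONFIG + DMZ_ACL + "nat (DMZ) 0 access-list No-NAT-DMZ\n"

# Same fix, but the nat line names the ACL with different capitalisation.
CASE_MISMATCH_CONFIG = BROKEN_CONFIG + DMZ_ACL + "nat (DMZ) 0 access-list No-Nat-DMZ\n"


def _parse_addr(tokens, i):
    """Return (network, next_index) for 'any', 'host A' or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect nameif->subnet, ACL->[(src, dst)] and nameif->nat 0 ACL name."""
    ifaces, acls, nat0 = {}, {}, {}
    nameif = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "interface":
            nameif = None                      # new block, nameif follows
        elif t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif:
            ifaces[nameif] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[0] == "access-list" and "permit" in t:
            body = t[t.index("permit") + 1:]
            if body[0] != "ip":
                continue                       # protocol-specific ACEs not modelled
            src, j = _parse_addr(body, 1)
            dst, _ = _parse_addr(body, j)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            nat0[t[1].strip("()")] = t[4]      # "(inside)" -> "inside"
    return ifaces, acls, nat0


def nat_exempt_status(text, src_ip, dst_ip):
    """Explain whether src->dst is NAT-exempt on its ingress interface."""
    ifaces, acls, nat0 = parse_config(text)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # Ingress interface is the one whose connected subnet holds the source.
    ingress = next((n for n, net in ifaces.items() if src in net), None)
    if ingress is None:
        return "no-interface"
    acl_name = nat0.get(ingress)
    if acl_name is None:
        # ACE present but bound to another interface: it will never be consulted.
        for other, name in nat0.items():
            if any(src in s and dst in d for s, d in acls.get(name, [])):
                return f"exempt-on-wrong-interface:{other}"
        return "not-exempt"
    if acl_name not in acls:
        return f"acl-undefined:{acl_name}"     # ACL names are case-sensitive
    if any(src in s and dst in d for s, d in acls[acl_name]):
        return "exempt"
    return "not-exempt"
```

Running nat_exempt_status(BROKEN_CONFIG, "172.16.110.10", "172.16.140.5") returns exempt-on-wrong-interface:inside, which is exactly the condition acomiskey diagnosed; the same flow against FIXED_CONFIG returns exempt, and against CASE_MISMATCH_CONFIG returns acl-undefined:No-Nat-DMZ. The check only models the classic nat 0 access-list form and permit ip ACEs; it does not evaluate static or policy NAT that could also apply to the flow.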
