Allowing VPN subnet access to DMZ

Answered Question
Oct 26th, 2007

I need to allow users from our VPN subnet access to a webserver on our DMZ.


Both the inbound ACLs are correct, but I am unsure of what the translation would be.


Our VPN subnet is 172.16.140.0/24 and our DMZ is 172.16.110.0/24.


Any help would be appreciated. BTW, this is an ASA5510

acomiskey Fri, 10/26/2007 - 10:19

Posting the config would help, but you probably just need nat exemption for the dmz.


access-list nonat_dmz permit ip any 172.16.140.0 255.255.255.0

nat (dmz) 0 access-list nonat_dmz


Please rate helpful posts.

Correct Answer
acomiskey Fri, 10/26/2007 - 10:47

access-list No-NAT-DMZ extended permit ip 172.16.110.0 255.255.255.0 172.16.140.0 255.255.255.0

nat (DMZ) 0 access-list No-NAT-DMZ


You had the acl above in your No-Nat acl, but that is the nat exempt for the inside interface. That acl would never match. So you simply have to create a nat exemption for the DMZ with the appropriate acl.

jgorman1977 Fri, 10/26/2007 - 11:05

Thanks. That worked. Also, could you explain what the NAT exemption does in this instance?


Thanks again.

acomiskey Fri, 10/26/2007 - 11:10

It identifies the traffic which should be exempt from nat, or not nat'd. This allows the traffic to be part of the vpn.


Please rate helpful posts.
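The per-interface layout acomiskey describes, written out as an added example rather than config taken from this thread. The interface names (inside, DMZ), the inside network 10.1.1.0/24, the server and client addresses in the trace, and the ACL names are assumptions; only the VPN and DMZ subnets come from the thread.

```cisco
! Added example (pre-8.3 ASA syntax): one NAT exemption per interface.
! 10.1.1.0/24 and the interface names are assumed, not from the thread.
!
! Inside-to-VPN traffic: the exemption the original poster already had.
! It is bound to the inside interface, so it only evaluates packets that
! arrive on inside and can never match traffic sourced from the DMZ.
access-list No-NAT extended permit ip 10.1.1.0 255.255.255.0 172.16.140.0 255.255.255.0
nat (inside) 0 access-list No-NAT
!
! DMZ-to-VPN traffic: a second exemption bound to the DMZ interface.
! Without it the web server's replies toward the VPN pool fall through to
! whatever global/static translation covers the DMZ, and the VPN tunnel
! never sees the untranslated 172.16.110.0/24 addresses it expects.
access-list No-NAT-DMZ extended permit ip 172.16.110.0 255.255.255.0 172.16.140.0 255.255.255.0
nat (DMZ) 0 access-list No-NAT-DMZ
!
! Verify from the DMZ side: the NAT phase of the trace should report the
! "nat (DMZ) 0 access-list No-NAT-DMZ" exemption, not a translation.
! 172.16.110.10 (server) and 172.16.140.5 (VPN client) are constructed values.
packet-tracer input DMZ tcp 172.16.110.10 80 172.16.140.5 1025
```

ACL names on the ASA are case-sensitive, so the name in the `nat` line must match the `access-list` line exactly.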
