Allowing VPN subnet access to DMZ

jgorman1977
Level 1

I need to allow users from our VPN subnet access to a webserver on our DMZ.

Both the inbound ACLs are correct, but I am unsure of what the translation would be.

Our VPN subnet is 172.16.140.0/24 and our DMZ is 172.16.110.0/24

Any help would be appreciated. BTW, this is an ASA5510


5 Replies

acomiskey
Level 10

Posting the config would help, but you probably just need nat exemption for the dmz.

access-list nonat_dmz permit ip any 172.16.140.0 255.255.255.0

nat (dmz) 0 access-list nonat_dmz

Please rate helpful posts.

Here's the config

access-list No-NAT-DMZ extended permit ip 172.16.110.0 255.255.255.0 172.16.140.0 255.255.255.0

nat (DMZ) 0 access-list No-NAT-DMZ

You had the ACL above in your No-NAT ACL, but that is the NAT exemption for the inside interface. That ACL would never match. So you simply have to create a NAT exemption for the DMZ with the appropriate ACL.
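The mistake described in this answer (an exemption ACE that lives in the ACL referenced by `nat (inside) 0`, so it is never consulted for packets arriving on the DMZ interface) is easy to spot by hand on a small config and easy to miss on a large one. The script below is an added example, not code from this thread: it parses the pre-8.3 `access-list` / `nat (iface) 0 access-list` syntax, asks whether a given DMZ-to-VPN packet would actually hit an exemption on the interface it enters, and lists ACEs that can never match because their source subnet is not behind the interface whose `nat 0` statement references them. The sample config text, the inside subnet (172.16.100.0/24) and the interface-to-subnet map are constructed for the example; it models only the forward source-to-destination match on the named interface, not the ASA's reverse-direction evaluation of exemption ACLs.

```python
"""Sanity-check ASA pre-8.3 NAT exemption ('nat (iface) 0 access-list NAME').

Added example for this thread, not code from the original post. Config text,
the inside subnet and the interface map below are constructed for illustration.
"""
import ipaddress

# Constructed: the original mistake (DMZ ACE hung off the inside interface)...
BROKEN_CONFIG = """
access-list No-NAT extended permit ip 172.16.100.0 255.255.255.0 172.16.140.0 255.255.255.0
access-list No-NAT extended permit ip 172.16.110.0 255.255.255.0 172.16.140.0 255.255.255.0
nat (inside) 0 access-list No-NAT
"""

# ...and the accepted fix: a separate exemption ACL bound to the DMZ interface.
FIXED_CONFIG = BROKEN_CONFIG + """
access-list No-NAT-DMZ extended permit ip 172.16.110.0 255.255.255.0 172.16.140.0 255.255.255.0
nat (DMZ) 0 access-list No-NAT-DMZ
"""

# Constructed: which subnet sits behind which ASA interface (inside subnet is assumed).
INTERFACE_SUBNETS = {
    "inside": ipaddress.ip_network("172.16.100.0/24"),
    "DMZ": ipaddress.ip_network("172.16.110.0/24"),
}


def _net(tokens, i):
    """Consume 'any', 'host ADDR' or 'ADDR MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return (acls, nat0): ACL name -> [(src_net, dst_net)] for 'permit ip' ACEs,
    and interface name -> ACL name for each 'nat (iface) 0 access-list' line.
    Deny ACEs and non-IP protocols are skipped; they are not exemption matches."""
    acls, nat0 = {}, {}
    for raw in text.splitlines():
        t = raw.split()
        if len(t) >= 5 and t[0] == "access-list":
            name, i = t[1], 2
            if t[i] == "extended":
                i += 1
            if t[i] != "permit" or t[i + 1] != "ip":
                continue
            src, i = _net(t, i + 2)
            dst, _ = _net(t, i)
            acls.setdefault(name, []).append((src, dst))
        elif len(t) == 5 and t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            nat0[t[1].strip("()")] = t[4]
    return acls, nat0


def exemption_covers(config_text, iface_subnets, src_ip, dst_ip):
    """True if a packet src_ip -> dst_ip, entering on the interface whose subnet
    contains src_ip, matches that interface's 'nat 0' exemption ACL."""
    acls, nat0 = parse_config(config_text)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    iface = next((n for n, net in iface_subnets.items() if src in net), None)
    if iface is None or iface not in nat0:
        return False
    return any(src in s and dst in d for s, d in acls.get(nat0[iface], []))


def nat0_misplacements(config_text, iface_subnets):
    """ACEs that can never match: their source subnet is not behind the interface
    whose 'nat 0' statement references the ACL. Returns (iface, acl, src, dst)."""
    acls, nat0 = parse_config(config_text)
    bad = []
    for iface, acl in nat0.items():
        behind = iface_subnets.get(iface)
        for s, d in acls.get(acl, []):
            if behind is not None and not s.overlaps(behind):
                bad.append((iface, acl, str(s), str(d)))
    return bad


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        ok = exemption_covers(cfg, INTERFACE_SUBNETS, "172.16.110.10", "172.16.140.5")
        print(f"{label}: DMZ->VPN exempt on DMZ interface: {ok}")
        for m in nat0_misplacements(cfg, INTERFACE_SUBNETS):
            print(f"{label}: unreachable ACE on {m[0]} via {m[1]}: {m[2]} -> {m[3]}")
```

Running it reports that the DMZ-to-VPN flow is not exempted under the broken config, is exempted once `nat (DMZ) 0 access-list No-NAT-DMZ` is present, and in both cases flags the stale DMZ ACE still sitting in the inside interface's ACL as one that can never match.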

Thanks, that worked. Also, could you explain what the NAT exemption does in this instance?

Thanks again.

It identifies the traffic which should be exempt from NAT, i.e. not NATed. This allows the traffic to be part of the VPN.

Please rate helpful posts.
