Access list and NAT for SSL VPN in DMZ

Unanswered Question
Apr 17th, 2008


I am going to implement an SSL VPN appliance in the DMZ of a PIX 515E (version 6.3).

I have to give access to the SSL VPN to outside users as well as to inside users.

Please help me.

My understanding is that the SSL VPN has to be NATed for outside and also for inside, and then the appropriate ACL has to be applied.

Please help me.

Thanks and Regards,


bwilmoth Wed, 04/23/2008 - 12:05

For SSL VPN users to get access to the DMZ, define nat (dmz) with an access-list that permits the DMZ subnet to go to the VPN users' subnet without getting NATed (like a nat (inside) 0 statement).

As an example, try the configuration given below:

nat (dmz) 0 access-list dmz_nat0

Issue the access-list (dmz_nat0) command with the source as the DMZ network and the destination as the VPN users' subnet.

dongdongliu Wed, 04/23/2008 - 18:49


Set a local pool so that SSL VPN users get their addresses from it.

Use nat 0 so that traffic from the DMZ to the pool is not NATed.
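
The two replies above describe the pieces (a pool for the VPN users, nat 0 from the DMZ to that pool) but not a complete PIX 6.3 configuration. The fragment below is an added worked example, not configuration posted by anyone in this thread, and it goes a little beyond the replies by also covering the two things the original question asked for: outside users reaching the appliance, and inside users reaching it. All addresses are assumed for illustration: the appliance sits in the DMZ at 192.168.10.10 and is published outside as 203.0.113.10; the inside network is 10.1.1.0/24; the appliance hands SSL VPN clients addresses from 192.168.20.0/24, which the PIX must route back through the appliance.

```cisco
! Added example for PIX 6.3 (not from the thread). All addresses are assumed.
! Interfaces: outside 203.0.113.2/24, inside 10.1.1.1/24, dmz 192.168.10.1/24

! 1. Outside users -> SSL VPN appliance in the DMZ
!    Publish the appliance on a public address and permit only HTTPS to it.
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside

! 2. Inside users -> appliance, and VPN pool -> inside users
!    Identity static so the inside network keeps its real addresses toward the
!    DMZ in both directions (PIX 6.3 always needs a translation to pass traffic).
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! 3. No NAT for DMZ-side sources talking to the VPN pool or to the inside
!    (the "nat (dmz) 0 access-list" both replies refer to)
access-list dmz_nat0 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list dmz_nat0 permit ip 192.168.20.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0

! 4. The PIX must know the pool lives behind the appliance
route dmz 192.168.20.0 255.255.255.0 192.168.10.10 1

! 5. DMZ is lower security than inside, so pool traffic toward inside needs an
!    explicit permit. Keep this tight: only the pool, only to the inside network.
access-list dmz_in permit ip 192.168.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-group dmz_in in interface dmz
```

Two checks are worth doing after pasting this in. First, PIX 6.3 does not apply changed static or nat rules to existing translations, so run `clear xlate` and confirm with `show xlate` that a DMZ-to-pool or pool-to-inside flow shows no translated address. Second, once `dmz_in` is applied, the implicit deny at the end of that ACL blocks everything else the DMZ interface initiates, so any other traffic the appliance itself needs (for example to an internal authentication or DNS server) must be added to `dmz_in` explicitly, with the destination and port narrowed rather than opened to the whole inside network.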
