05-13-2008 10:40 AM - edited 03-11-2019 05:44 AM
Not sure what is needed to fix this, but I have an ASA 5520 with 2 interfaces: 1 dmz and 1 outside.
I'm using the ASA for both firewall and VPN, but the problem occurs when people internally try to test the VPN portion and it directs them to the public IP address of the outside interface of the ASA. So the traffic comes in on interface dmz and needs to return out that same interface. VPN access is only allowed on the outside interface. I have the following already configured.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
05-13-2008 10:51 AM
Any chance you could explain that in a different way? It's a little confusing what you are trying to accomplish, thanks.
05-13-2008 11:13 AM
darren:
Do you have users/testers on the dmz trying to establish a VPN connection to the outside interface of the ASA?
05-13-2008 11:54 AM
Yes, that is correct. I can enable VPN on the dmz interface but didn't want to do that.
05-13-2008 11:57 AM
I'm not sure that's possible (though I've never tried).
Is nat-control enabled?
05-13-2008 12:00 PM
Yeah, I'm not sure if that will work either, but I thought I'd throw it out there.
Yes, nat-control is enabled.
05-13-2008 12:20 PM
The ASA is used for VPN. Users, whether they are internal or external to my network, use the same DNS entry, which has a public IP address. Externally everything works fine. The problem occurs when testing VPN internally: users need to connect to the external IP address of the ASA and it doesn't work. Hopefully that makes more sense.
I know I can enable VPN on the dmz interface but didn't want to do that.