Remote VPN access to DMZ

Unanswered Question
Jul 16th, 2008
Users connecting with the VPN Client to my ASA 5510 can access resources in the internal network.

But there is no access through the IPsec tunnel to the DMZ network.

VPN clients get Addresses from

There is no NAT relation between the internal network and the DMZ; the traffic is routed. I can access resources between the DMZ and the internal network without problems, initiated in both directions.

What could be the reason for the denied access to the DMZ from the VPN clients?

Thank you for your ideas,


srue Wed, 07/16/2008 - 02:57

do you have something like the following:

nat (dmz) 0 access-list nat0dmz_acl

...where nat0dmz_acl defines traffic from your dmz to

also, if you're using split tunneling, make sure it's included there.

peterblersch Thu, 07/17/2008 - 23:00
Hello srue,

there is no NAT rule between the DMZ and the external interface.

In the packet trace I see that hosts in the DMZ send packets destined for the VPN LAN to the default route, that is, the external interface.

I will configure a static route via the virtual interface of the VPN tunnel endpoint.

I suppose the traffic back from the DMZ to the VPN LAN is not sent to the tunnel gateway.

Thank you,


a.alekseev Fri, 07/18/2008 - 01:59

show the configuration of the ASA

peterblersch Mon, 07/21/2008 - 03:30
please see the attachment.

There is an entry in the routing table when a RA-VPN connection is established.

But no traffic will flow from the DMZ to the VPN client.



a.alekseev Mon, 07/21/2008 - 03:54

access-list NO-NAT-DMZ permit ip

nat (DMZ) 0 access-list NO-NAT-DMZ
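For readers following this thread, here is an added, constructed ASA 7.2/8.0-style fragment (not the poster's attached configuration, and not posted by a.alekseev) showing the NAT exemption for the DMZ together with the matching split-tunnel entry srue mentioned earlier; the interface names, subnets, pool name and group-policy name are assumptions:

```cisco
! Assumed addressing (constructed, not from the thread):
!   inside   192.168.10.0/24   interface nameif "inside"
!   DMZ      192.168.20.0/24   interface nameif "DMZ"
!   VPN pool 192.168.100.0/24  (ip local pool RAVPN-POOL)
!
! NAT exemption: DMZ <-> VPN pool must not be translated, otherwise the
! DMZ reply is NATed toward the outside address and never enters the tunnel.
access-list NO-NAT-DMZ extended permit ip 192.168.20.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (DMZ) 0 access-list NO-NAT-DMZ
!
! The inside side already works in the thread; the equivalent rule is shown
! only so the two interfaces can be compared.
access-list NO-NAT-INSIDE extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NO-NAT-INSIDE
!
! Split tunneling: if the client only tunnels listed networks, the DMZ
! subnet has to be in the list pushed by the group policy.
access-list SPLIT-TUNNEL standard permit 192.168.10.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.20.0 255.255.255.0
group-policy RAVPN-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! Verification: confirm the pool host route appears while a client is
! connected, then trace a DMZ-originated reply toward a VPN client.
show route
packet-tracer input DMZ tcp 192.168.20.10 1025 192.168.100.5 3389
```

The packet-tracer output should show the NAT phase hitting the nat 0 exemption and the VPN encryption phase rather than the default route out the outside interface.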

a.alekseev Mon, 07/21/2008 - 22:41