Remote VPN access to DMZ

Unanswered Question
Jul 16th, 2008

Hello,

Users connecting with the VPN Client to my ASA 5510 can access resources in the internal network 192.168.115.0.

But there is no access through the ipsec tunnel to the DMZ Network 192.168.116.0.

VPN clients get Addresses from 192.168.113.0.

There is no NAT relation between the internal and the DMZ; the traffic is routed. I can access resources between DMZ and internal without problems, initiated in both directions.

What could be the reason for the denied access to the DMZ from the VPN clients?

Thank you for your ideas,

Peter

srue Wed, 07/16/2008 - 02:57

do you have something like the following:

nat (dmz) 0 access-list nat0dmz_acl

...where nat0dmz_acl defines traffic from your dmz to 192.168.113.0/24?

also, if you're using split tunneling, make sure it's included there.

peterblersch Thu, 07/17/2008 - 23:00

Hello srue,

there is no NAT rule between the DMZ and the external interface.

In the packet trace I see that hosts in the DMZ sending traffic to the VPN LAN 192.168.113.0/24 send the packets to the default route, that is, the external interface.

I will configure a static route with the virtual interface of the VPN tunnel endpoint 192.168.113.254.

I suppose: the traffic back from DMZ to VPN-LAN is not sent to the tunnel gateway.

Thank you,

Peter

peterblersch Mon, 07/21/2008 - 03:30

Hello,

please see the attachment.

There is an entry in the route table when a RA-VPN connection is established.

But no traffic will flow from DMZ to VPN Client.

Thanks

Peter

a.alekseev Mon, 07/21/2008 - 03:54

access-list NO-NAT-DMZ permit ip 192.168.111.0 255.255.255.0 192.168.113.0 255.255.255.0

nat (DMZ) 0 access-list NO-NAT-DMZ
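The two conditions raised in this thread, NAT exemption on the DMZ interface and the DMZ subnet in the split-tunnel list, shown together as an added ASA configuration example. This is not configuration from any poster; it assumes the DMZ interface is named "dmz", the remote-access group policy is named "RA-VPN-GP", and it uses the DMZ subnet 192.168.116.0/24 and VPN pool 192.168.113.0/24 from the original question.

```cisco
! Added example (not from the thread). Assumed names: interface "dmz",
! group-policy "RA-VPN-GP". Subnets are the ones given in the question.

! 1. NAT exemption: traffic between the DMZ and the VPN pool must bypass
!    NAT on the dmz interface, just as it already does on the inside.
access-list NO-NAT-DMZ extended permit ip 192.168.116.0 255.255.255.0 192.168.113.0 255.255.255.0
nat (dmz) 0 access-list NO-NAT-DMZ

! 2. Split tunnel: the client only sends listed networks into the tunnel,
!    so the DMZ network has to be listed next to the internal network.
access-list SPLIT-TUNNEL standard permit 192.168.115.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.116.0 255.255.255.0
group-policy RA-VPN-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! 3. Verify the return path: simulate a DMZ host replying to a VPN client.
!    The NAT phase should show the exemption and the final result "allow".
packet-tracer input dmz tcp 192.168.116.10 80 192.168.113.10 1025
```

The packet-tracer line is the check for the symptom described in the thread: if the nat 0 exemption is missing on the dmz interface, the trace shows the reply being NATed toward the outside interface instead of returning through the tunnel, even though the route table already holds the entry for the connected client.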
