Remote VPN access to DMZ

peterblersch
Level 1

Hello,

A user connecting with the VPN Client to my ASA 5510 could access resources in the internal network 192.168.115.0.

But there is no access through the ipsec tunnel to the DMZ Network 192.168.116.0.

VPN clients get Addresses from 192.168.113.0.

There is no NAT relation between the internal network and the DMZ; the traffic is routed. I can access resources between the DMZ and the internal network without problems, initiated in both directions.

What could be the reason for the denied access to the DMZ from the VPN clients?

Thank you for your ideas,

Peter

7 Replies

srue
Level 7

do you have something like the following:

nat (dmz) 0 access-list nat0dmz_acl

...where nat0dmz_acl defines traffic from your dmz to 192.168.113.0/24?

also, if you're using split tunneling, make sure it's included there.

Hello srue,

there is no NAT rule between the DMZ and the external interface.

In the packet trace I see that packets from hosts in the DMZ destined for the VPN LAN 192.168.113.0/24 are sent to the default route, that is the external interface.

I will configure a static route via the virtual interface of the VPN tunnel endpoint 192.168.113.254.

I suppose the traffic back from the DMZ to the VPN LAN is not sent to the tunnel gateway.

Thank you,

Peter

show the configuration of the ASA

Hello,

please see the attachment.

There is an entry in the route table when a RA-VPN connection is established.

But no traffic will flow from the DMZ to the VPN client.

Thanks

Peter

access-list NO-NAT-DMZ permit ip 192.168.111.0 255.255.255.0 192.168.113.0 255.255.255.0

nat (DMZ) 0 access-list NO-NAT-DMZ
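The two things srue asked about (a NAT exemption per interface toward the VPN pool, and the subnet being present in the split-tunnel ACL) are easy to miss when a new segment such as a DMZ is added later. The following audit script is an added example, not from this thread or from Cisco; it parses the pre-8.3 `nat (if) 0 access-list` syntax used above, and the config fragment, interface-to-subnet mapping and `SPLIT-TUNNEL` ACL name are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed ASA config fragment (not the poster's attachment). The DMZ has its
# NAT exemption, but is deliberately absent from the split-tunnel ACL.
SAMPLE_CONFIG = """
access-list NO-NAT-INSIDE permit ip 192.168.115.0 255.255.255.0 192.168.113.0 255.255.255.0
access-list NO-NAT-DMZ permit ip 192.168.116.0 255.255.255.0 192.168.113.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.115.0 255.255.255.0
nat (inside) 0 access-list NO-NAT-INSIDE
nat (DMZ) 0 access-list NO-NAT-DMZ
"""

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
SPLIT_RE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")


def net(addr, mask):
    """Turn an ASA 'address mask' pair into an ip_network."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Collect extended ACL entries, nat 0 bindings and standard (split) ACLs."""
    acls, nat0, split = {}, {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((net(src, smask), net(dst, dmask)))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := SPLIT_RE.match(line):
            split.setdefault(m.group(1), []).append(net(m.group(2), m.group(3)))
    return acls, nat0, split


def audit(config, interfaces, vpn_pool, split_acl):
    """interfaces: {ifname: subnet}. Returns a list of findings for segments
    that VPN clients will not be able to reach through the tunnel."""
    pool = ipaddress.ip_network(vpn_pool)
    acls, nat0, split = parse(config)
    findings = []
    for ifname, subnet in interfaces.items():
        subnet = ipaddress.ip_network(subnet)
        entries = acls.get(nat0.get(ifname, ""), [])
        if not any(subnet.subnet_of(s) and pool.subnet_of(d) for s, d in entries):
            findings.append(f"no NAT exemption on {ifname} for {subnet} -> {pool}")
        if not any(subnet.subnet_of(s) for s in split.get(split_acl, [])):
            findings.append(f"{subnet} ({ifname}) missing from split-tunnel ACL {split_acl}")
    return findings
```

Run `audit(SAMPLE_CONFIG, {"inside": "192.168.115.0/24", "DMZ": "192.168.116.0/24"}, "192.168.113.0/24", "SPLIT-TUNNEL")` against a saved config to list segments the VPN clients cannot reach.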

OK, it works,

thank you for the solution!

Peter

Great!

[Pls RATE if HELPS]
