07-16-2008 02:51 AM - edited 03-11-2019 06:15 AM
Hello,
A user connecting with the VPN Client to my ASA 5510 can access resources in the internal network 192.168.115.0.
But there is no access through the IPsec tunnel to the DMZ network 192.168.116.0.
VPN clients get addresses from 192.168.113.0.
There is no NAT relation between the internal network and the DMZ; the traffic is routed. I can access resources between the DMZ and the internal network without problems, initiated in both directions.
What could be the reason for the denied access to the DMZ from the VPN clients?
Thank you for your ideas,
Peter
07-16-2008 02:57 AM
Do you have something like the following:
nat (dmz) 0 access-list nat0dmz_acl
...where nat0dmz_acl defines traffic from your DMZ to 192.168.113.0/24?
Also, if you're using split tunneling, make sure it's included there.
07-17-2008 11:00 PM
Hello srue,
there is no NAT rule between the DMZ and the external interface.
In the packet trace I see that packets from hosts in the DMZ to the VPN LAN 192.168.113.0/24 are sent to the default route, that is, the external interface.
I will configure a static route to the virtual interface of the VPN tunnel endpoint, 192.168.113.254.
I suppose the traffic back from the DMZ to the VPN LAN is not sent to the tunnel gateway.
Thank you,
Peter
07-18-2008 01:59 AM
Show the configuration of the ASA.
07-21-2008 03:30 AM
Hello,
Please see the attachment.
There is an entry in the routing table when a RA-VPN connection is established.
But no traffic will flow from the DMZ to the VPN client.
Thanks
Peter
07-21-2008 03:54 AM
access-list NO-NAT-DMZ permit ip 192.168.111.0 255.255.255.0 192.168.113.0 255.255.255.0
nat (DMZ) 0 access-list NO-NAT-DMZ
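The two lines above are the fix. For readers who need the whole picture, here is an added example (not from the original thread or its attachment) of a minimal pre-8.3 ASA remote-access configuration that exempts both the inside network and the DMZ from NAT toward the VPN pool and lists both in the split-tunnel ACL, which is the second place a DMZ subnet is commonly forgotten. The interface names (inside, DMZ), pool range, group-policy and tunnel-group names are assumptions; the subnets are the ones given in the question (192.168.115.0/24 inside, 192.168.116.0/24 DMZ, 192.168.113.0/24 VPN pool). Note that the answer's ACL uses 192.168.111.0/24 for the DMZ, presumably taken from the attached configuration, so adapt the subnet to whatever the DMZ actually is.

```cisco
! Assumed interface names: inside, DMZ, outside. Subnets from the question.
ip local pool VPN-POOL 192.168.113.1-192.168.113.200 mask 255.255.255.0

! NAT exemption (nat 0) for the inside network toward the VPN client pool
access-list NO-NAT-INSIDE extended permit ip 192.168.115.0 255.255.255.0 192.168.113.0 255.255.255.0
nat (inside) 0 access-list NO-NAT-INSIDE

! The same exemption for the DMZ - without this the ASA tries to NAT the
! DMZ-to-client return traffic and it never reaches the tunnel
access-list NO-NAT-DMZ extended permit ip 192.168.116.0 255.255.255.0 192.168.113.0 255.255.255.0
nat (DMZ) 0 access-list NO-NAT-DMZ

! Split-tunnel ACL: if the DMZ is missing here the client sends DMZ traffic
! out its local default gateway instead of into the tunnel
access-list SPLIT-TUNNEL standard permit 192.168.115.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.116.0 255.255.255.0

! Assumed group-policy and tunnel-group names
group-policy RA-VPN-GP internal
group-policy RA-VPN-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool VPN-POOL
 default-group-policy RA-VPN-GP

! Check on the ASA itself: simulate a DMZ host answering a connected VPN client.
! The NAT phase should show the nat 0 exemption and the packet should be
! allowed out the outside interface as VPN traffic, not dropped or translated.
packet-tracer input DMZ tcp 192.168.116.10 80 192.168.113.10 50000
```

The packet-tracer line is the quickest way to confirm the fix without a client connected: before the DMZ exemption it shows the DMZ host's packet going through the outside dynamic NAT, after it the nat 0 match. On ASA 8.3 and later the `nat (ifc) 0 access-list` form no longer exists; the equivalent is an identity twice-NAT rule such as `nat (DMZ,outside) source static DMZ-NET DMZ-NET destination static VPN-POOL VPN-POOL`, with DMZ-NET and VPN-POOL defined as network objects.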
07-21-2008 10:38 PM
OK, it works,
thank you for the solution!
Peter
07-21-2008 10:41 PM
Great!
[Pls RATE if HELPS]