Connection through the VPN tunnel from DMZ

Unanswered Question

We currently have the firewall configured with an outside, inside, failover, DMZ and secure interfaces. We have a business partner that connects to us via an MPLS line and connects via the DMZ. The users are able to connect to the inside interface but are not able to connect to the segment on the other side of the VPN tunnel. I get a "no route to x.x.x.x from x.x.x.x. The VPN tunnel work fine from the inside interface.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Farrukh Haroon Thu, 07/31/2008 - 18:18

The VPN tunnel starts/terminates where?

It is not clear from your question.



nkaretnikov Tue, 04/14/2009 - 00:09


I have simular needs here. What I would like to achieve is to allow DMZ host to access VPN site-to-site network. All is ASA5510 based.




hosts from inside can access Paris, Paris can access inside, but DMZ hosts cannot access Paris. Should I change "protected networks" part of the VPN config or add DMZ nat to inside?

Thank you!

nkaretnikov Tue, 04/14/2009 - 06:16

ASA5510 which takes care of DMZ,inside,outside and 2 VPN site-to-site connections.

inside 192.168.91.x / 24

outside 195.128.91.x / 24

dmz 10.128.91.x / 24

1st VPN 192.168.93.x / 24

2nd VPN 192.168.92.x / 24

basically I have an email server 10.128.91.xx that is NATed to 195.128.91.xx and biNATed to inside interface in order to internal users have access to it by single DNS record. What I would like to achieve is make this DMZ server connect over already established VPN channel to another 2 servers 192.168.93.yy and 192.168.92.yy both in the VPN remote sites as they cannot be reached over Internet.

Please let me know if I didn't provide enough info.

Thank you!

Farrukh Haroon Tue, 04/14/2009 - 06:22

1st VPN 192.168.93.x / 24

2nd VPN 192.168.92.x / 24

These are subnets on the remove VPN end or one your ASA 5510?

Why can't the VPN users access the server using the DMZ IP 10.128.81.xx? You just have to include this traffic in the crypto and nat bypass access-lists. Thats it!



nkaretnikov Wed, 04/15/2009 - 22:45

follow up:

this works with NAT exemption just great. The only thing which concerns me now is that between DMZ and remote lan connected to ASA through VPN ALL ip packets go out of Access Rules control. And I would like to limit those to the only smtp for example. In this case what should be changed in configuration?

Thank you!


This Discussion