Can I create an IPSEC tunnel on my DMZ

Oct 6th, 2008

I have an ASA5520 with the asa707-k8.bin release.

My addresses are:

outside = public ip

DMZ1 = public IP

DMZ2 = public IP

Inside1 = private IP

Inside2 = private IP

I want to establish one vpn_client tunnel with the DMZ1 and another vpn_tunnel with the DMZ2 in the inet world.

Is this possible?

ajagadee Mon, 10/06/2008 - 13:07
Cisco Employee


When you say vpn_client, are you referring to Remote Access VPN Client users, or are you referring to a LAN-to-LAN tunnel?


Applying Crypto Maps to Interfaces

You must assign a crypto map set to each interface through which IPSec traffic flows. The security appliance supports IPSec on all interfaces. Assigning the crypto map set to an interface instructs the security appliance to evaluate all the traffic against the crypto map set and to use the specified policy during connection or SA negotiation.


Applying a Crypto map to a DMZ is possible. But, it all depends on what your end goal is.

For example, if you are planning to terminate Remote Access VPN Clients on the DMZ interface, then you need to make sure that your default gateway is pointing out through the DMZ unless you know what IP Subnet/Networks that your remote users are going to come from.

If you want to terminate L2L Tunnels on the DMZ, then make sure that your routing for the remote subnets is pointing through the DMZ, so traffic can get routed properly across the VPN Tunnel.

I hope it helps.



** Please rate all helpful posts **

p-loureiro Tue, 10/07/2008 - 15:11

I'm planning to terminate Remote Access VPN Clients on the DMZ interface - I have the crypto map on my DMZ and I have a default route to my outside interface (because I do not know what the source is). I ran a debug of isakmp and ipsec, and nothing happens.

If I apply the crypto map to the outside, it is OK.

I put a different security level on the outside and DMZ interfaces / I put the same security level on both, and in both cases it does not work.

Not even ping works if I try to ping the IP of the interface itself; if I ping a LAN IP (a PC) in the DMZ, that already works.

ajagadee Tue, 10/07/2008 - 16:17
Cisco Employee


As per my previous post, terminating Remote Access VPN Clients on the DMZ with the default route pointing to the outside interface will not work.

If your default route is pointing through the outside interface (which is the case in 99% of deployments), I think your best bet is to terminate Remote Access VPN Clients on the outside interface and terminate the L2L connections on the DMZ.



** Please rate all helpful posts **
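The split ajagadee recommends (default route and remote-access clients on outside, a LAN-to-LAN tunnel on the DMZ with its remote networks routed through the DMZ), written out as an added ASA 7.0-style configuration example. This is not configuration from any poster in the thread; every address, next hop, ACL/map name and the pre-shared key are placeholders, and the interface names come from the original question.

```cisco
! Added example, not from any poster in this thread. Assumes ASA 7.0(7)
! syntax and the interface names from the question (outside, DMZ1, Inside1).
! Placeholder addressing (constructed for this example):
!   DMZ1 next-hop router      203.0.113.254
!   remote L2L peer           198.51.100.10   remote LAN 192.168.50.0/24
!   Inside1 LAN               10.1.1.0/24
!
! The default route stays on outside; remote-access clients terminate there.
route outside 0.0.0.0 0.0.0.0 <outside-next-hop-placeholder>
!
! The L2L peer AND the remote LAN must be reachable via DMZ1. Without these
! routes the ASA would send its ISAKMP replies and the decrypted return
! traffic out through outside, and the tunnel on DMZ1 never comes up.
route DMZ1 198.51.100.10 255.255.255.255 203.0.113.254
route DMZ1 192.168.50.0 255.255.255.0 203.0.113.254
!
! Interesting traffic for the tunnel, also used to exempt it from NAT.
access-list L2L-TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (Inside1) 0 access-list L2L-TRAFFIC
!
! Phase 1 (ISAKMP) is enabled on DMZ1, not outside.
isakmp enable DMZ1
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! Phase 2 transform set.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! L2L tunnel group keyed on the peer address.
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key <pre-shared-key-placeholder>
!
! The crypto map is bound to DMZ1; remote-access maps stay on outside.
crypto map DMZ-MAP 10 match address L2L-TRAFFIC
crypto map DMZ-MAP 10 set peer 198.51.100.10
crypto map DMZ-MAP 10 set transform-set ESP-AES256-SHA
crypto map DMZ-MAP interface DMZ1
```

After generating traffic that matches L2L-TRAFFIC, `show isakmp sa` and `show crypto ipsec sa` should show the phase 1 and phase 2 SAs with 198.51.100.10 as the peer; if `show route` sends the peer out via outside instead of DMZ1, the tunnel will not establish, which is the failure described in the thread.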

rcsu-it Fri, 07/09/2010 - 08:45

I had a similar plan to terminate IPSEC Remote client VPN connections onto my DMZ interface at 24.222.AAA.1.  Unfortunately my outside interface is the default gateway, is not internet addressable and goes onto my internet edge router which does NAT/PAT.  Given your post above, I see this will not work as it is configured so I wonder what would happen if I statically forwarded a free internet IP from the internet edge router down to the ASA outside interface and terminated IPSEC there. Is that even possible with something like NAT traversal or the like?

I know the simple answer here will likely be terminate on the edge device but it is not provisioned for that and is already under enough loading.

Any advice would be appreciated, thank you all!
