Access to services on the DMZ while VPN'd in

Unanswered Question
Oct 13th, 2008
User Badges:

I have a Cisco 5510 that has a DMZ setup on it and supports Remote Access via the legacy client, not web or SSL. While on VPN I can get to all internal resources, have no problems. However I cannot conect to any resouce in the Dmz. I've look at the Nat rules and firewall rules, however I am stumped. I think the order of operations is the VPN packet arrives at the outside interface, ACLs are checked, then decrypted, then Nat'd (if any) and the passed.

So I am assuming i need to have rules that allow the decrypted packet traverse from the Outside interface to the Dmz and back.

However I am not sure how to go about this. The address I am trying to reach in the DMZ is the actual address of the webserver and not its Nat'd address.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
acomiskey Mon, 10/13/2008 - 05:02
User Badges:
  • Green, 3000 points or more

Most likely you are just missing nat exemption.

access-list dmz_nat0_outbound extended permit ip any

nat (dmz) 0 access-list dmz_nat0_outbound

moorera Mon, 10/13/2008 - 07:23
User Badges:

Thanks for the post. That is what I thought but still no joy.... WOuld you perhaps know from what interface would the PIX think this request originates from. My thought is since the traffic comes through the Outside interface, is deencrypted and then placed in the inside interface que that perhaps there is no way to bounce this traffic to the DMZ interface as it would be entering the interface (inside) to get there form where it is from. I'm thinking this is not allowed (normally isn't) and I cannot think of how to make this work..... THoughts?

sjones1966 Mon, 10/13/2008 - 14:33
User Badges:

If you are using a legacy client is it setup to use the default gateway on the remote network? Nothing to do with the asa itself but how the vpn is handling routing.


This Discussion