
Access to services on the DMZ while VPN'd in

moorera
Level 1

I have a Cisco 5510 that has a DMZ set up on it and supports Remote Access via the legacy client, not web or SSL. While on VPN I can get to all internal resources and have no problems. However, I cannot connect to any resource in the DMZ. I've looked at the NAT rules and firewall rules, but I am stumped. I think the order of operations is: the VPN packet arrives at the outside interface, ACLs are checked, then it is decrypted, then NAT'd (if any) and then passed.

So I am assuming I need to have rules that allow the decrypted packet to traverse from the Outside interface to the DMZ and back.

However I am not sure how to go about this. The address I am trying to reach in the DMZ is the actual address of the webserver and not its Nat'd address.

Thanks.

Randy

4 Replies

jstabl
Level 1

Can you post your config and maybe that will shed some light on it?

What type of service does the Server on DMZ supply?

Most likely you are just missing nat exemption.

access-list dmz_nat0_outbound extended permit ip any

nat (dmz) 0 access-list dmz_nat0_outbound

Thanks for the post. That is what I thought, but still no joy... Would you perhaps know which interface the PIX would think this request originates from? My thought is that since the traffic comes through the Outside interface, is decrypted and then placed in the inside interface queue, perhaps there is no way to bounce this traffic to the DMZ interface, as it would be entering the interface (inside) to get there from where it is from. I'm thinking this is not allowed (normally isn't) and I cannot think of how to make this work... Thoughts?

sjones1966
Level 1

If you are using a legacy client, is it set up to use the default gateway on the remote network? Nothing to do with the ASA itself but how the VPN is handling routing.
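An added example, not code from any poster in this thread: a small offline check of a saved config for the two things the replies raise, a NAT exemption bound to the DMZ interface and client-side routing to the DMZ. It assumes the pre-8.3 `nat (if) 0 access-list` syntax used above, reads the routing question as a split-tunnel list check (an assumption), and every name and address in the sample config is constructed.

```python
import ipaddress

# Constructed pre-8.3 ASA config; every name and address here is made up.
SAMPLE = """\
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list SPLIT standard permit 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy RA attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
"""
FIXED = SAMPLE + """\
access-list dmz_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list SPLIT standard permit 172.16.1.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
"""

def take(tok):
    """Consume one address spec from a token list: 'any', 'host A' or 'A MASK'."""
    head = tok.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tok.pop(0)}", strict=False)

def audit(config, dmz_if, dmz_net, vpn_net):
    """Return findings that would keep VPN clients from reaching the DMZ subnet."""
    dmz, vpn = ipaddress.ip_network(dmz_net), ipaddress.ip_network(vpn_net)
    acls, nat0, split = {}, None, None
    for t in (line.split() for line in config.splitlines()):
        if t[:1] == ["access-list"] and "permit" in t:
            skip = 2 if t[2] == "extended" else 1  # extended entries name a protocol
            acls.setdefault(t[1], []).append(t[t.index("permit") + skip:])
        elif t[:4] == ["nat", f"({dmz_if})", "0", "access-list"]:
            nat0 = t[4]  # ACL bound as NAT exemption on the DMZ interface
        elif t[:2] == ["split-tunnel-network-list", "value"]:
            split = t[2]
    findings, exempt = [], False
    for entry in acls.get(nat0, []):
        e = list(entry)
        src, dst = take(e), take(e)
        exempt = exempt or (dmz.subnet_of(src) and vpn.subnet_of(dst))
    if not exempt:
        findings.append("no NAT exemption from DMZ subnet to VPN pool")
    if split and not any(dmz.subnet_of(take(list(e))) for e in acls.get(split, [])):
        findings.append("split-tunnel list does not include DMZ subnet")
    return findings
```

Calling `audit(SAMPLE, "dmz", "172.16.1.0/24", "10.10.10.0/24")` reports both gaps; the same call on `FIXED` returns an empty list.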
