10-13-2008 12:45 AM - edited 03-11-2019 06:56 AM
I have a Cisco 5510 that has a DMZ set up on it and supports Remote Access via the legacy client, not web or SSL. While on VPN I can get to all internal resources and have no problems. However, I cannot connect to any resource in the DMZ. I've looked at the NAT rules and firewall rules, but I am stumped. I think the order of operations is: the VPN packet arrives at the outside interface, ACLs are checked, then it is decrypted, then NAT'd (if any) and then passed.
So I am assuming I need to have rules that allow the decrypted packet to traverse from the outside interface to the DMZ and back.
However, I am not sure how to go about this. The address I am trying to reach in the DMZ is the actual address of the web server and not its NAT'd address.
Thanks.
Randy
10-13-2008 04:23 AM
Can you post your config and maybe that will shed some light on it?
What type of service does the Server on DMZ supply?
10-13-2008 05:02 AM
Most likely you are just missing NAT exemption.
access-list dmz_nat0_outbound extended permit ip any
nat (dmz) 0 access-list dmz_nat0_outbound
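The NAT-exemption idea from the post above, written out as a complete pre-8.3 ASA configuration. This is an added example, not configuration from the thread or from Cisco; the DMZ subnet (172.16.1.0/24), inside subnet (10.0.0.0/8), VPN pool (192.168.100.0/24) and the object names are all assumptions chosen for illustration. It also shows the split-tunnel list and the packet-tracer check a practitioner would run, since an exemption ACL that only says `permit ip any` with no destination will not match.

```cisco
! Added example (not from the thread): NAT exemption for DMZ <-> remote-access VPN pool
! on an ASA running pre-8.3 code. All addresses and names below are assumptions:
!   DMZ web server subnet : 172.16.1.0/24
!   Inside subnet         : 10.0.0.0/8
!   VPN address pool      : 192.168.100.0/24
!
! 1. Exempt DMZ-to-VPN-pool traffic from NAT on the dmz interface. The ACL must name
!    the pool as the destination; "permit ip any" alone is an incomplete line.
access-list dmz_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
!
! 2. The inside interface needs the same treatment (most configs already have this,
!    which is why inside resources work while the DMZ does not).
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! 3. If the client split-tunnels, the DMZ subnet must be in the split-tunnel list or
!    the client never sends DMZ-bound packets into the tunnel at all.
access-list split_tunnel standard permit 10.0.0.0 255.0.0.0
access-list split_tunnel standard permit 172.16.1.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
!
! 4. Decrypted VPN traffic bypasses the outside interface ACL only while this is set
!    (it is the default). If it has been turned off, the outside ACL must permit
!    pool -> DMZ explicitly.
sysopt connection permit-vpn
!
! Verification: trace the DMZ server's reply toward a pool address and confirm the
! NAT phase reports the nat 0 exemption and the final action is ALLOW.
packet-tracer input dmz tcp 172.16.1.10 80 192.168.100.10 12345
show running-config nat
```

If the packet-tracer output shows the DMZ reply being translated by a `nat (dmz) 1` or static rule instead of the exemption, the exemption ACL is not matching; compare its source and destination against the real DMZ subnet and the pool handed to the client.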
10-13-2008 07:23 AM
Thanks for the post. That is what I thought, but still no joy. Would you perhaps know from what interface the PIX would think this request originates? My thought is that since the traffic comes through the outside interface, is decrypted and then placed in the inside interface queue, perhaps there is no way to bounce this traffic to the DMZ interface, as it would be entering the interface (inside) to get there from where it is from. I'm thinking this is not allowed (it normally isn't) and I cannot think of how to make this work. Thoughts?
10-13-2008 02:33 PM
If you are using a legacy client, is it set up to use the default gateway on the remote network? This has nothing to do with the ASA itself but with how the VPN is handling routing.