RA VPN from DMZ to outside interface

Unanswered Question
Dec 18th, 2008


I have an ASA 5520 on which i have created a IPsec VPN profile, that is enabled on my outside interface. Everything runs just perfect and I can connect from the internet using Cisco VPN client.

Now I wan't to be able to connect using VPN client from a DMZ interface on the same ASA using the same VPN profile in my Cisco VPN client.

however when I try to connect it just times out and the ASA logs "UDP request discarded".

what do I need to configure on the ASA to be able to connect to the IP address of my outside interface from the DMZ ?

any help i GREATLY appreciated :)

best regards

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
passioncas Fri, 12/19/2008 - 01:27

While confiuring VPN profile it has to be assigned on the interface.In your scenario , it has already been configured on the OUTSIDE interface and so you will be able to do it from outside.But for DMZ interface , the VPN profile is not configured.

rasmusan1 Fri, 12/19/2008 - 04:04

Yes exactly, but I want to use the same VPN profile when connecting from the DMZ - that is: be able to connect to the ip address of the outside interface while on the DMZ.

husycisco Fri, 12/19/2008 - 04:20

Hello Rasmus,

"be able to connect to the ip address of the outside interface while on the DMZ"

This is not possible with Cisco firewalls. But you can enable isakmp and map a cryptomap to DMZ interface and still be able to use that VPN Group. But if DMZ is a public subnet and requires a default route which will override outside default route, VPN termination at both interfaces wont be possible.


rasmusan1 Fri, 12/19/2008 - 05:19

ok, that's what i thought - unfortunately

well thanks for your help, I have to solve it some other way

best regards


This Discussion