VPN in from DMZ

Answered Question
Mar 11th, 2009

Hi there,

Recently I built a remote access VPN on an ASA 5510. Users are able to log in from outside. I created a DMZ wireless zone for wireless users and they are not able to log in to the VPN using the public IP address. I excluded NAT from the wireless router IP to the public IP and it is still not working. Keep in mind that the same IP address is used for internet access (PAT).

I ran out of ideas.

Ivan Martinon Wed, 03/11/2009 - 11:55

Are these wireless users using the outside IP address as the server for the VPN connection? If the answer is yes, then it is expected behavior: traffic that comes from, say, one zone of the firewall (DMZ) cannot reach an interface on another interface (outside). They should try using the DMZ interface, and you should have the crypto map enabled on the DMZ, as well as ISAKMP enabled on the DMZ.

Make sure all of the NAT and stuff are emulated on the firewall for traffic to go through.

mike.drugov Wed, 03/11/2009 - 12:25

Wireless users are using the outside IP address as the VPN server.

If I enable IPsec on the DMZ interface they are able to connect.

The issue is that all wireless users will be required to have multiple VPN profiles (to connect to inside from wireless and from outside).

I was thinking that it might be possible to create a static NAT:

static (outside,dmz) <public-ip> <public-ip> netmask <mask>

What do you think?

Ivan Martinon Wed, 03/11/2009 - 12:26

Nope, not possible. By design of the firewall, you just can't connect to an interface that is not on the same "location" you are coming from.

mike.drugov Wed, 03/11/2009 - 12:36

So the only solution will be to use multiple Cisco VPN profiles for the end users.

Is there any way that I can set up some kind of redirection?

So whenever a wireless client tries to connect to the VPN using the outside IP address, it will do a translation to the gateway of the DMZ?

mike.drugov Thu, 03/12/2009 - 06:57

I ended up creating a 2nd profile for the Cisco VPN client.

Now the issue is that clients are able to connect to the inside of the network using the VPN client but not to the DMZ. (You can access the DMZ if you VPN from outside.)

Could the problem be that you are coming from the same interface where the DMZ is connected?

I'm thinking of trying

same-security-traffic permit intra-interface

Correct Answer
Ivan Martinon Thu, 03/12/2009 - 08:00

Yep, you got it! That would help. Make sure you have the needed nonat statements and stuff too.
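For reference, here is the ASA 8.0-style configuration the thread converges on (terminate IKE/IPsec on the dmz interface as well as outside, allow hairpinning so DMZ-sourced VPN clients can reach DMZ hosts, and exempt VPN pool traffic from NAT). This is an added example, not the poster's own configuration; the interface names, ACL/pool names and address ranges are constructed placeholders.

```cisco
! --- Added example, not from the original thread. Addresses are constructed. ---

! Allow traffic to enter and leave the same interface (needed when a wireless
! client that built its tunnel on dmz then talks to a host on dmz).
same-security-traffic permit intra-interface

! Address pool handed to VPN clients (constructed range).
ip local pool VPNPOOL 192.168.100.1-192.168.100.50 mask 255.255.255.0

! NAT exemption ("nonat"): inside and DMZ hosts must not be PAT'ed when they
! reply to VPN clients, otherwise return traffic never re-enters the tunnel.
access-list NONAT_INSIDE extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NONAT_DMZ    extended permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE
nat (dmz) 0 access-list NONAT_DMZ

! Phase 1 policy and phase 2 transform set.
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! Dynamic crypto map for remote-access clients, bound to BOTH interfaces.
crypto dynamic-map DYNMAP 10 set transform-set ESP-AES-SHA
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP interface outside
crypto map VPNMAP interface dmz

! ISAKMP must listen on every interface that terminates a tunnel.
crypto isakmp enable outside
crypto isakmp enable dmz
```

Wireless clients then point their second VPN profile at the dmz interface address; `show crypto isakmp sa` and `show crypto ipsec sa` confirm which interface a given tunnel landed on.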
