1599 Views | 0 Helpful | 8 Replies

VPN in from DMZ

mike.drugov (Level 1)

Hi there,

Recently I built a remote access VPN on an ASA 5510. Users are able to log in from outside. I created a DMZ wireless zone for wireless users, and they are not able to log in to the VPN using the public IP address. I excluded NAT from the wireless router IP to the public IP and it is still not working. Keep in mind that the same IP address is used for internet access (PAT).

I have run out of ideas.

Accepted Solution

Yep, you got it! That would help; make sure you have the needed nonat statements and stuff too.

8 Replies

Ivan Martinon (Level 7)

Are these wireless users using the outside IP address as the server for the VPN connection? If the answer is yes, then it is expected behavior: traffic that comes from, say, one zone of the firewall (DMZ) cannot reach an interface on another interface (outside). They should try using the DMZ interface, and you should have the crypto map enabled on the DMZ, and ISAKMP should be enabled on the DMZ as well.

Make sure all of the NAT and stuff are emulated on the firewall for traffic to go through.

Wireless users using outside IP address as VPN Server.

If I enable IPsec on the DMZ interface they are able to connect.

The issue is that all wireless users will be required to have multiple VPN profiles (to connect to inside from wireless and from outside).

I was thinking that it might be possible to create a static NAT:

static (outside,dmz) <public-ip> <public-ip> netmask <mask>

What do you think?

Nope, not possible. You just can't, by design of the firewall, connect to an interface that is not on the same "location" you are coming from.

So the only solution will be to use multiple Cisco VPN profiles for the end users.

Is there any way that I can set up some kind of redirecting?

So whenever a wireless client is trying to connect to the VPN using the outside IP address, it will do a translation to the gateway of the DMZ?

I ended up creating a 2nd profile for the Cisco VPN client.

Now the issue is that clients are able to connect to the inside of the network using the VPN client but not to the DMZ. (You can access the DMZ if you VPN from outside.)

Could the problem be that you are coming from the same interface where the DMZ is connected?

I'm thinking of trying

same-security-traffic permit intra-interface

Yep, you got it! That would help; make sure you have the needed nonat statements and stuff too.
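To show how the pieces discussed in this thread fit together, here is a constructed ASA 8.2-style configuration fragment. It is an added example, not configuration posted by mike.drugov or Ivan Martinon and not a Cisco reference config. It terminates ISAKMP and the crypto map on the dmz interface as well as outside (so wireless clients peer with the DMZ interface IP, since they cannot reach the outside IP from the DMZ), enables same-security-traffic permit intra-interface so decrypted client traffic can go back out the same dmz interface to DMZ hosts, and adds nat 0 ("nonat") exemptions so VPN-pool traffic to inside and DMZ is not PAT'd. Interface names, subnets, the pool, and the map, tunnel-group and ACL names are all assumptions.

```cisco
! Constructed example (not from the thread). Assumed: interfaces outside/inside/dmz,
! inside LAN 10.1.1.0/24, DMZ LAN 10.2.2.0/24, VPN client pool 10.3.3.0/24,
! ASA 8.2-style NAT syntax (the same family as the "static (outside,dmz)" form above).

! Address pool handed to remote-access clients
ip local pool VPNPOOL 10.3.3.1-10.3.3.254 mask 255.255.255.0

! Phase 1 / phase 2 parameters (assumed values)
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! Dynamic crypto map for remote-access clients, bound into one crypto map ...
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES-SHA
crypto map RA_MAP 65535 ipsec-isakmp dynamic DYN_MAP

! ... which is applied to BOTH interfaces where clients arrive. A client on the
! DMZ cannot reach the outside interface IP, so it must terminate on the dmz IP.
crypto map RA_MAP interface outside
crypto map RA_MAP interface dmz
crypto isakmp enable outside
crypto isakmp enable dmz

! Remote-access tunnel group (the client side still needs one profile per peer IP)
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool VPNPOOL
tunnel-group RA_VPN ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>

! Decrypted traffic from a DMZ-terminated client that is destined for DMZ hosts
! enters and leaves the dmz interface; allow that hairpin.
same-security-traffic permit intra-interface

! NAT exemption ("nonat"): never PAT traffic between the VPN pool and the
! protected subnets, on every interface where such traffic can egress.
access-list NONAT_INSIDE extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list NONAT_DMZ extended permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE
nat (dmz) 0 access-list NONAT_DMZ
```

To check the DMZ-to-DMZ path without a client, run packet-tracer with the assumed addresses, e.g. `packet-tracer input dmz tcp 10.3.3.10 1025 10.2.2.50 80`, and confirm no phase reports a NAT or "same interface" drop; `show crypto isakmp sa` should then list the wireless client's SA against the dmz interface address. Note that same-security-traffic permit intra-interface is a global setting, so it also permits hairpinning on the outside interface; keep the interface ACLs tight accordingly.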

Finally it's working

Great! Do rate useful posts.
