03-11-2009 09:18 AM - edited 03-11-2019 08:03 AM
Hi there,
Recently I built a remote access VPN on an ASA 5510. Users are able to log in from outside. I created a DMZ wireless zone for wireless users, and they are not able to log in to the VPN using the public IP address. I excluded NAT from the wireless router IP to the public IP and it is still not working. Keep in mind that the same IP address is used for internet access (PAT).
I ran out of ideas.
03-11-2009 11:55 AM
Are these wireless users using the outside IP address as the server for the VPN connection? If the answer is yes, then it is expected behavior: traffic that comes from, say, one zone of the firewall (DMZ) cannot reach an interface in another zone (outside). They should try using the DMZ interface, and you should have the crypto map enabled on the DMZ; ISAKMP should be enabled on the DMZ as well.
Make sure all of the NAT and related statements are in place on the firewall for the traffic to go through.
03-11-2009 12:25 PM
Wireless users are using the outside IP address as the VPN server.
If I enable IPsec on the DMZ interface they are able to connect.
The issue is that all wireless users will be required to have multiple VPN profiles (to connect to inside from wireless and from outside).
I was thinking that it might be possible to create a static NAT:
static (outside,dmz) <public-ip> <public-ip> netmask <mask>
What do you think?
03-11-2009 12:26 PM
Nope, not possible. You just can't, by design of the firewall, connect to an interface that is not on the same "location" you are coming from.
03-11-2009 12:36 PM
So the only solution would be to use multiple Cisco VPN profiles for the end users.
Is there any way that I can set up some kind of redirect?
So whenever a wireless client tries to connect to the VPN using the outside IP address, it will do a translation to the gateway of the DMZ?
03-12-2009 06:57 AM
I ended up creating a 2nd profile for the Cisco VPN client.
Now the issue is that clients are able to connect to the inside of the network using the VPN client but not to the DMZ. (You can access the DMZ if you VPN from outside.)
Could the problem be that you are coming from the same interface where the DMZ is connected?
I'm thinking of trying
same-security-traffic permit intra-interface
03-12-2009 08:00 AM
Yep, you got it! That would help. Make sure you have the needed nonat statements and so on too.
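An added illustration (constructed here, not the thread's own configuration) of how the pieces discussed above fit together on pre-8.3 ASA code: ISAKMP and the crypto map bound to the dmz interface, hairpinning allowed, and a nat 0 exemption so DMZ-to-VPN-pool traffic is not translated. The interface names, the 10.99.0.0/24 pool, the 172.16.10.0/24 DMZ subnet, the ACL name, and an already existing crypto map called OUTSIDE_MAP (carrying the dynamic map for the remote-access clients) are assumptions.

```cisco
! Constructed example (not from the thread); pre-8.3 NAT syntax, names and subnets assumed
ip local pool VPNPOOL 10.99.0.1-10.99.0.254 mask 255.255.255.0

! Terminate the remote-access tunnel on the dmz interface as well as outside,
! so wireless clients use the dmz address in their second VPN profile
crypto isakmp enable outside
crypto isakmp enable dmz
crypto map OUTSIDE_MAP interface outside
crypto map OUTSIDE_MAP interface dmz

! Decrypted client traffic arrives on dmz and must leave on dmz again to reach
! DMZ hosts; without this the ASA drops that u-turn (the symptom in the thread)
same-security-traffic permit intra-interface

! NAT exemption: DMZ hosts replying to VPN pool addresses must not be translated
access-list DMZ_NONAT extended permit ip 172.16.10.0 255.255.255.0 10.99.0.0 255.255.255.0
nat (dmz) 0 access-list DMZ_NONAT
```

Verify with "show crypto isakmp sa" and "show nat" that the dmz peer comes up and that the exemption is hit once a wireless client reaches a DMZ host.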
03-12-2009 08:33 AM
Finally, it's working.
03-12-2009 08:36 AM
Great! Do rate useful posts.