Anyconnect / Can't reach DMZ

Jul 21st, 2009

I have Anyconnect configured and working on an ASA that also houses the DMZ.

I can reach the entire network from behind the Anyconnect except for the DMZ. Is there something additional that needs to be configured?

I checked to make sure I wasn't NATing the traffic and there are no ACL's blocking me and the DMZ is in my tunneled routes (I can ping the DMZ interface on the ASA); it just won't send traffic.


Roman Rodichev Tue, 07/21/2009 - 21:22

Are you sure it's not NATing?

Do you have:

nat (dmz) 0 access-list ACL

and the ACL should permit source DMZ_SUBNET destination VPN_POOL_SUBNET.

Can you post:

sh run nat

sh run access-group

sh run access-list

*** don't post outside_int_inbound ACL :)

BrianMitchellTX Wed, 07/22/2009 - 07:38

Thank you for the reply...yep it was indeed a NAT issue.

I went to post the config you asked for and when I did a sho run nat I saw I had:

nat (Inside) 0 access-list NONAT

nat (Inside) 1

nat (DMZ) 1

I made the correct entries in the NONAT ACL, but I didn't have a nat (DMZ) 0 statement. Once I added that I was able to get to the DMZ.

Thanks again, your request actually led me to the correct solution.
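The mistake above (NONAT ACL entries for the DMZ subnet, but no nat (DMZ) 0 statement binding them) is easy to spot mechanically. Here is an added check, not from this thread or from Cisco, that parses the relevant sh run nat / sh run access-list lines and reports interfaces whose networks appear in a NAT-exemption ACL without a matching nat (iface) 0 access-list statement; the sample config and the interface-to-subnet map are constructed placeholders.

```python
import re

# Constructed sample modelled on the poster's "sh run nat" / NONAT ACL (8.2-style syntax).
# Subnets are placeholders, not values from the original thread.
SAMPLE_CONFIG = """
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.99.0.0 255.255.255.0
access-list NONAT extended permit ip 10.2.0.0 255.255.255.0 10.99.0.0 255.255.255.0
nat (Inside) 0 access-list NONAT
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
"""

# Assumed mapping of ASA interface name -> network behind it (placeholder values).
IFACE_SUBNETS = {"Inside": "10.1.0.0", "DMZ": "10.2.0.0"}

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)(?: access-list (\S+))?")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")


def parse(config):
    """Return (nat0 exemptions per interface, source networks per ACL)."""
    exempt = {}        # interface -> ACL name used in its "nat (iface) 0 access-list" line
    acl_sources = {}   # ACL name -> set of source networks it permits
    for line in config.strip().splitlines():
        m = NAT_RE.match(line)
        if m and m.group(2) == "0" and m.group(3):
            exempt[m.group(1)] = m.group(3)
        m = ACL_RE.match(line)
        if m:
            acl_sources.setdefault(m.group(1), set()).add(m.group(2))
    return exempt, acl_sources


def missing_exemptions(config, iface_subnets):
    """List (interface, ACL) pairs where the ACL covers the interface's network
    but no "nat (interface) 0 access-list" statement applies it, so the traffic
    still hits the dynamic nat (iface) 1 rule instead of being exempted."""
    exempt, acl_sources = parse(config)
    findings = []
    for iface, net in iface_subnets.items():
        matching = sorted(a for a, srcs in acl_sources.items() if net in srcs)
        if matching and iface not in exempt:
            findings.append((iface, matching[0]))
    return findings


if __name__ == "__main__":
    for iface, acl in missing_exemptions(SAMPLE_CONFIG, IFACE_SUBNETS):
        print(f"{iface}: ACL {acl} covers its subnet but 'nat ({iface}) 0 access-list {acl}' is missing")
```

Feed it the real output of the two show commands and your own interface map; once the nat (DMZ) 0 line is added, the finding disappears.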
