NAT Exemption for IPSec VPN Client Traffic

Unanswered Question

First of all... this is a basic sanity check.

Configuration consists of an ASA 5520 and Cisco IPSec Client; clients connecting from Internet.  Since the VPN client tunnel terminate on the outside interface of my ASA, is the traffic associated with the security level assigned to this interface?  As a result, if I want VPN Client traffic to flow to a DMZ on another ASA interface (with a higher security level than the outside interface) a NAT exemption will be created on the DMZ interface with the default "NAT Exemption Direction" i.e., outbound traffic to lower security interfaces. Correct?  Also, will the access rules be applied on the Outside interface allowing traffic from the VPN client address space to the DMZ hosts on specific protocols?

Thank you in advance for your assistance, it will be appreciated!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Ricardo Prado Rueda Mon, 02/08/2010 - 11:21


   Yes, in this kind of setup you consider the remote VPN Clients as being connected on the outside interface of the ASA. Because of this, you need to create a NAT exemption if you need traffic from one of the ASA's interfaces to reach the VPN Clients. In regards to the access-rules applied on the Outside interface, the sysopt command (sysopt connection permit-vpn) overrides the need of opening the access-group on the outside to permit the traffic, all encrypted traffic is allowed through the ASA, thus bypassing the outside filter. If you remove this sysopt option, then you need to open the access on the outside access-list.




This Discussion