NAT Exemption for IPSec VPN Client Traffic

arlis
Level 1

First of all... this is a basic sanity check.

Configuration consists of an ASA 5520 and the Cisco IPSec Client; clients connect from the Internet. Since the VPN client tunnels terminate on the outside interface of my ASA, is the traffic associated with the security level assigned to this interface? As a result, if I want VPN Client traffic to flow to a DMZ on another ASA interface (with a higher security level than the outside interface), a NAT exemption will be created on the DMZ interface with the default "NAT Exemption Direction", i.e., outbound traffic to lower security interfaces. Correct? Also, will the access rules be applied on the Outside interface, allowing traffic from the VPN client address space to the DMZ hosts on specific protocols?

Thank you in advance for your assistance, it will be appreciated!

1 Reply

Ricardo Prado Rueda
Cisco Employee

Hi,

Yes, in this kind of setup you consider the remote VPN Clients as being connected on the outside interface of the ASA. Because of this, you need to create a NAT exemption if you need traffic from one of the ASA's interfaces to reach the VPN Clients. In regard to the access rules applied on the Outside interface, the sysopt command (sysopt connection permit-vpn) overrides the need to open the access-group on the outside to permit the traffic: all encrypted traffic is allowed through the ASA, thus bypassing the outside filter. If you remove this sysopt option, then you need to open the access on the outside access-list.

Regards,

Rick.
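The following ASA configuration illustrates both points made in the reply above: a NAT exemption (identity NAT) between the DMZ and the VPN client pool, and the outside access-list that is only consulted once sysopt connection permit-vpn is removed. This is an added example, not configuration from the original post or from Cisco; the object names, the subnets 10.20.0.0/24 (DMZ) and 10.99.0.0/24 (VPN pool), and the interface name DMZ are constructed assumptions. The syntax is the ASA 8.3+ twice-NAT form; the pre-8.3 equivalent is noted in comments.

```cisco
! --- Addressing assumptions (constructed for this example) ---
object network DMZ-NET
 subnet 10.20.0.0 255.255.255.0
object network VPN-POOL
 subnet 10.99.0.0 255.255.255.0

! --- NAT exemption (identity NAT) between DMZ and the VPN client pool ---
! Remote-access clients are treated as sitting behind "outside", so the
! exemption is written from the higher-security interface (DMZ) toward outside.
! route-lookup keeps the ASA from assuming the destination lives on "outside"
! purely because of the NAT rule; no-proxy-arp avoids ARP replies for DMZ-NET
! on the outside segment.
nat (DMZ,outside) source static DMZ-NET DMZ-NET destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup

! Pre-8.3 equivalent of the rule above (do not configure both):
!   access-list DMZ_NONAT extended permit ip 10.20.0.0 255.255.255.0 10.99.0.0 255.255.255.0
!   nat (DMZ) 0 access-list DMZ_NONAT

! --- Option A: default behaviour, decrypted VPN traffic bypasses the outside ACL ---
sysopt connection permit-vpn

! --- Option B: enforce the outside ACL on decrypted VPN traffic ---
! Remove the bypass, then explicitly permit only the protocols the clients need
! to reach in the DMZ (HTTPS in this example). Everything else from the pool is
! dropped by the implicit deny at the end of the ACL.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit tcp object VPN-POOL object DMZ-NET eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! --- Verification ---
! Confirm the exemption is matched (translate hit count increments):
!   show nat detail
! Simulate a client-to-DMZ flow and watch the NAT and ACL phases:
!   packet-tracer input outside tcp 10.99.0.5 40000 10.20.0.10 443 detailed
```

Option A and Option B are mutually exclusive; pick one. With Option A the outside ACL never sees decrypted client traffic, so any per-user restriction has to come from elsewhere (for example the group policy). With Option B the outside ACL is the single place where client-to-DMZ access is defined, which is easier to audit but must also cover any other VPN-sourced flows you expect to work.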
