07-31-2008 01:53 PM - edited 03-11-2019 06:23 AM
We currently have the firewall configured with an outside, inside, failover, DMZ and secure interfaces. We have a business partner that connects to us via an MPLS line and connects via the DMZ. The users are able to connect to the inside interface but are not able to connect to the segment on the other side of the VPN tunnel. I get a "no route to x.x.x.x from x.x.x.x". The VPN tunnel works fine from the inside interface.
07-31-2008 06:18 PM
The VPN tunnel starts/terminates where?
It is not clear from your question.
Regards
Farrukh
04-14-2009 12:09 AM
Hello!
I have similar needs here. What I would like to achieve is to allow a DMZ host to access the VPN site-to-site network. All is ASA5510 based.
inside
+ASA+DMZ-Paris
outside
Hosts from inside can access Paris, Paris can access inside, but DMZ hosts cannot access Paris. Should I change the "protected networks" part of the VPN config or add a DMZ NAT to inside?
Thank you!
04-14-2009 06:06 AM
You need to give more details about your setup
Regards
Farrukh
04-14-2009 06:16 AM
ASA5510 which takes care of DMZ, inside, outside and 2 VPN site-to-site connections.
inside 192.168.91.x / 24
outside 195.128.91.x / 24
dmz 10.128.91.x / 24
1st VPN 192.168.93.x / 24
2nd VPN 192.168.92.x / 24
Basically I have an email server 10.128.91.xx that is NATed to 195.128.91.xx and biNATed to the inside interface so that internal users have access to it by a single DNS record. What I would like to achieve is to make this DMZ server connect over the already established VPN channels to another 2 servers, 192.168.93.yy and 192.168.92.yy, both in the VPN remote sites, as they cannot be reached over the Internet.
Please let me know if I didn't provide enough info.
Thank you!
04-14-2009 06:22 AM
1st VPN 192.168.93.x / 24
2nd VPN 192.168.92.x / 24
Are these subnets on the remote VPN end or on your ASA 5510?
Why can't the VPN users access the server using the DMZ IP 10.128.81.xx? You just have to include this traffic in the crypto and NAT bypass access-lists. That's it!
Regards
Farrukh
04-15-2009 06:00 AM
Thank you for a reply.
04-15-2009 10:45 PM
Follow up:
This works with NAT exemption just great. The only thing which concerns me now is that between the DMZ and the remote LAN connected to the ASA through the VPN, ALL IP packets go outside of Access Rules control. I would like to limit those to SMTP only, for example. In this case what should be changed in the configuration?
Thank you!
04-15-2009 11:10 PM
You can do this in multiple ways. One not-so-nice way is to do this via the crypto and NAT exemption ACLs. But this is not a scalable solution. The correct way is to use vpn-filter ACLs:
Please rate if helpful. Regards
Farrukh
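The NAT exemption plus vpn-filter approach the thread describes, written out as an added example (this is not configuration posted by anyone in the thread). It assumes pre-8.3 ASA NAT syntax (current in 2009), a DMZ mail server at 10.128.91.25 (a constructed address standing in for the thread's 10.128.91.xx), an existing crypto ACL named outside_cryptomap_1 already bound to the Paris crypto map entry, and a placeholder for the Paris peer address; the second tunnel (192.168.92.0/24) is configured the same way.

```cisco
! --- 1. Crypto ACL: the DMZ server must be "interesting traffic" for the tunnel.
!     outside_cryptomap_1 is an assumed name; it is the ACL referenced by
!     "crypto map ... match address" for the Paris tunnel and already holds
!     the inside-to-Paris line.
access-list outside_cryptomap_1 extended permit ip 192.168.91.0 255.255.255.0 192.168.93.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip host 10.128.91.25 192.168.93.0 255.255.255.0

! --- 2. NAT exemption on the DMZ interface, so the server enters the tunnel
!     with its real 10.128.91.25 address instead of the 195.128.91.xx static.
!     nat 0 with an access-list takes precedence over the existing static.
access-list dmz_nat0_outbound extended permit ip host 10.128.91.25 192.168.93.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound

! --- 3. vpn-filter: decrypted VPN traffic bypasses the interface ACLs
!     (sysopt connection permit-vpn is on by default), which is why every
!     IP packet got through. A vpn-filter ACL is evaluated for the tunnel in
!     both directions and is always written REMOTE (source) -> LOCAL (dest).
!
!     a) keep full inside <-> Paris access, otherwise the filter would cut it
access-list VPN_FILTER_PARIS extended permit ip 192.168.93.0 255.255.255.0 192.168.91.0 255.255.255.0
!     b) DMZ server initiating SMTP to Paris: remote side is source port 25
access-list VPN_FILTER_PARIS extended permit tcp 192.168.93.0 255.255.255.0 eq smtp host 10.128.91.25
!     c) Paris hosts initiating SMTP to the DMZ server: local side is dest port 25
access-list VPN_FILTER_PARIS extended permit tcp 192.168.93.0 255.255.255.0 host 10.128.91.25 eq smtp
!     (implicit deny: anything else between Paris and the DMZ is dropped)

! --- 4. Attach the filter through a group policy on the Paris tunnel-group.
!     GP_PARIS is an assumed name; <PARIS_PEER_IP> is the remote ASA's address.
group-policy GP_PARIS internal
group-policy GP_PARIS attributes
 vpn-filter value VPN_FILTER_PARIS
tunnel-group <PARIS_PEER_IP> general-attributes
 default-group-policy GP_PARIS
```

After applying, "show vpn-sessiondb l2l" should list the Paris session with the filter name, and SMTP test connections from the DMZ server can be confirmed in the conn table with "show conn address 10.128.91.25".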