Connection through the VPN tunnel from DMZ

quintonw
Level 1

We currently have the firewall configured with an outside, inside, failover, DMZ and secure interfaces. We have a business partner that connects to us via an MPLS line and connects via the DMZ. The users are able to connect to the inside interface but are not able to connect to the segment on the other side of the VPN tunnel. I get a "no route to x.x.x.x from x.x.x.x". The VPN tunnel works fine from the inside interface.

8 Replies

Farrukh Haroon
VIP Alumni

The VPN tunnel starts/terminates where?

It is not clear from your question.

Regards

Farrukh

Hello!

I have similar needs here. What I would like to achieve is to allow a DMZ host to access the VPN site-to-site network. All is ASA5510 based.

inside

+ASA+DMZ-Paris

outside

Hosts from inside can access Paris, Paris can access inside, but DMZ hosts cannot access Paris. Should I change the "protected networks" part of the VPN config or add DMZ NAT to inside?

Thank you!

You need to give more details about your setup

Regards

Farrukh

ASA5510 which takes care of DMZ, inside, outside and 2 VPN site-to-site connections.

inside 192.168.91.x / 24

outside 195.128.91.x / 24

dmz 10.128.91.x / 24

1st VPN 192.168.93.x / 24

2nd VPN 192.168.92.x / 24

Basically I have an email server 10.128.91.xx that is NATed to 195.128.91.xx and biNATed to the inside interface so that internal users have access to it by a single DNS record. What I would like to achieve is to make this DMZ server connect over the already established VPN channel to another 2 servers, 192.168.93.yy and 192.168.92.yy, both in the VPN remote sites, as they cannot be reached over the Internet.

Please let me know if I didn't provide enough info.

Thank you!

1st VPN 192.168.93.x / 24

2nd VPN 192.168.92.x / 24

Are these subnets on the remote VPN end or on your ASA 5510?

Why can't the VPN users access the server using the DMZ IP 10.128.81.xx? You just have to include this traffic in the crypto and NAT bypass access-lists. That's it!

Regards

Farrukh

Thank you for a reply.

follow up:

This works with NAT exemption just great. The only thing which concerns me now is that between the DMZ and the remote LAN connected to the ASA through the VPN, ALL IP packets go out of Access Rules control. I would like to limit those to only SMTP, for example. In this case, what should be changed in the configuration?

Thank you!

You can do this in multiple ways. One not-so-nice way is to do this via the crypto and nat exemption ACLs. But this is not a scalable solution. The correct way is to use vpn-filter ACLs:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Please rate if helpful. Regards

Farrukh
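Putting the two answers above together (include the DMZ subnet in the NAT exemption and crypto ACLs, then restrict the tunneled traffic with a vpn-filter), here is an added ASA configuration example; it is not from the thread or from Cisco's documentation. It assumes pre-8.3 ASA syntax (nat 0 access-list, as on an ASA 5510 of that era), the DMZ subnet 10.128.91.0/24 and the first remote site 192.168.93.0/24 from the thread, a hypothetical mail server 10.128.91.25, a placeholder peer address 203.0.113.10, and made-up ACL, crypto map and group-policy names; adjust all of these to the running configuration.

```cisco
! --- 1. NAT exemption: DMZ -> remote VPN site must not be translated ---
! Placeholder names; the DMZ subnet and remote subnet are the ones from the thread.
access-list dmz_nat0_outbound extended permit ip 10.128.91.0 255.255.255.0 192.168.93.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound

! --- 2. Crypto ACL: add DMZ <-> remote site as interesting traffic on the existing tunnel ---
! The inside <-> remote entry is already there; only the DMZ line is new.
access-list outside_cryptomap_10 extended permit ip 192.168.91.0 255.255.255.0 192.168.93.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 10.128.91.0 255.255.255.0 192.168.93.0 255.255.255.0
crypto map outside_map 10 match address outside_cryptomap_10
! The remote ASA needs the mirror image of the new line in its own crypto and NAT-exempt ACLs.

! --- 3. vpn-filter: allow only SMTP between the DMZ mail server and the remote site ---
! vpn-filter ACLs are written "remote network -> local network" and are applied in both
! directions; the "eq smtp" on the remote side lets the DMZ server (10.128.91.25, assumed)
! open connections to port 25 on the remote site, and the second line lets remote hosts
! deliver mail to the DMZ server. Everything else through the tunnel is dropped.
access-list vpn_filter_smtp extended permit tcp 192.168.93.0 255.255.255.0 eq smtp host 10.128.91.25
access-list vpn_filter_smtp extended permit tcp 192.168.93.0 255.255.255.0 host 10.128.91.25 eq smtp

! Attach the filter to the L2L tunnel via a group-policy (placeholder names and peer address).
group-policy L2L_PARIS_GP internal
group-policy L2L_PARIS_GP attributes
 vpn-filter value vpn_filter_smtp
tunnel-group 203.0.113.10 general-attributes
 default-group-policy L2L_PARIS_GP
```

The reason the interface access rules did not apply to the tunneled traffic is that sysopt connection permit-vpn is enabled by default, so decrypted VPN traffic bypasses the interface ACLs; the vpn-filter is evaluated on that decrypted traffic regardless of the sysopt setting, which is why it is the right place for the SMTP-only restriction. Because the filter is applied to the whole tunnel, it must also list whatever the inside subnet (192.168.91.0/24) is allowed to exchange with the remote site, otherwise that traffic is dropped too.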
