
New Member

Connection through the VPN tunnel from DMZ

We currently have the firewall configured with an outside, inside, failover, DMZ and secure interfaces. We have a business partner that connects to us via an MPLS line and connects via the DMZ. The users are able to connect to the inside interface but are not able to connect to the segment on the other side of the VPN tunnel. I get a "no route to x.x.x.x from x.x.x.x". The VPN tunnel works fine from the inside interface.

8 REPLIES

Re: Connection through the VPN tunnel from DMZ

The VPN tunnel starts/terminates where?

It is not clear from your question.

Regards

Farrukh

New Member

Re: Connection through the VPN tunnel from DMZ

Hello!

I have similar needs here. What I would like to achieve is to allow a DMZ host to access the site-to-site VPN network. All is ASA5510 based.

inside

+ASA+DMZ-Paris

outside

Hosts from inside can access Paris, and Paris can access inside, but DMZ hosts cannot access Paris. Should I change the "protected networks" part of the VPN config or add DMZ NAT to inside?

Thank you!

Re: Connection through the VPN tunnel from DMZ

You need to give more details about your setup

Regards

Farrukh

New Member

Re: Connection through the VPN tunnel from DMZ

ASA5510 which takes care of DMZ, inside, outside and 2 VPN site-to-site connections.

inside 192.168.91.x / 24

outside 195.128.91.x / 24

dmz 10.128.91.x / 24

1st VPN 192.168.93.x / 24

2nd VPN 192.168.92.x / 24

Basically I have an email server 10.128.91.xx that is NATed to 195.128.91.xx and biNATed to the inside interface so that internal users have access to it by a single DNS record. What I would like to achieve is to make this DMZ server connect over the already established VPN channel to two other servers, 192.168.93.yy and 192.168.92.yy, both in the VPN remote sites, as they cannot be reached over the Internet.

Please let me know if I didn't provide enough info.

Thank you!

Re: Connection through the VPN tunnel from DMZ

1st VPN 192.168.93.x / 24

2nd VPN 192.168.92.x / 24

Are these subnets on the remote VPN end or on your ASA 5510?

Why can't the VPN users access the server using the DMZ IP 10.128.81.xx? You just have to include this traffic in the crypto and NAT bypass access-lists. That's it!

Regards

Farrukh

New Member

Re: Connection through the VPN tunnel from DMZ

Thank you for a reply.

New Member

Re: Connection through the VPN tunnel from DMZ

Follow-up:

This works just great with NAT exemption. The only thing which concerns me now is that between the DMZ and the remote LAN connected to the ASA through the VPN, ALL IP packets go outside of Access Rules control. I would like to limit those to only SMTP, for example. In this case, what should be changed in the configuration?

Thank you!

Re: Connection through the VPN tunnel from DMZ

You can do this in multiple ways. One not-so-nice way is to do this via the crypto and nat exemption ACLs. But this is not a scalable solution. The correct way is to use vpn-filter ACLs:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Please rate if helpful. Regards

Farrukh
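To illustrate the two building blocks discussed in this thread (the NAT exemption plus crypto ACL that lets the DMZ host into the tunnel, and the vpn-filter ACL that restricts tunnel traffic to SMTP), here is an added configuration sketch that is not from the thread or from Cisco's example. It assumes ASA 8.2-style NAT syntax, the poster's subnets with constructed host addresses (10.128.91.25 for the DMZ mail server, 192.168.93.25 for the remote server), and placeholder names for the crypto map, group policy and peer address.

```cisco
! Assumed ASA 8.2-style syntax; host addresses and object names are constructed placeholders.

! 1. NAT exemption on the DMZ interface so the DMZ host enters the tunnel with its real address
access-list DMZ_NAT0 extended permit ip host 10.128.91.25 192.168.93.0 255.255.255.0
nat (dmz) 0 access-list DMZ_NAT0

! 2. Crypto ACL ("protected networks"): the DMZ host must be part of the interesting traffic
!    for the first tunnel; the remote side's crypto ACL must mirror this entry.
access-list VPN1_CRYPTO extended permit ip 192.168.91.0 255.255.255.0 192.168.93.0 255.255.255.0
access-list VPN1_CRYPTO extended permit ip host 10.128.91.25 192.168.93.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN1_CRYPTO

! 3. vpn-filter: tunnel traffic bypasses interface access rules while "sysopt connection
!    permit-vpn" (the default) is in effect, which is why all IP traffic passed. A vpn-filter
!    ACL is written from the REMOTE end's point of view: source = remote network, destination
!    = local network, and the ASA applies it to both directions.
!    "DMZ host may open SMTP to the remote server" is therefore written with the remote host
!    and port 25 as the source and the DMZ host as the destination:
access-list VPN1_FILTER extended permit tcp host 192.168.93.25 eq 25 host 10.128.91.25
!    Everything not listed is dropped once the filter is applied, so the existing
!    inside <-> remote traffic that works today must be permitted explicitly as well:
access-list VPN1_FILTER extended permit ip 192.168.93.0 255.255.255.0 192.168.91.0 255.255.255.0

group-policy VPN1_GP internal
group-policy VPN1_GP attributes
 vpn-filter value VPN1_FILTER

! Placeholder peer address; attach the group policy to the L2L tunnel-group
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 general-attributes
 default-group-policy VPN1_GP
```

The same pattern (one nat 0 entry, one crypto ACL entry, one vpn-filter line and its own group policy) is repeated for the second tunnel to 192.168.92.0/24; verify the result with `show crypto ipsec sa` for the new proxy identity and `show access-list VPN1_FILTER` for hit counts.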
