Cisco Support Community
New Member

Remote VPN access to DMZ

Hello,

Users connecting with the VPN Client to my ASA 5510 can access resources in the internal network 192.168.115.0.

But there is no access through the IPsec tunnel to the DMZ network 192.168.116.0.

VPN clients get addresses from 192.168.113.0.

There is no NAT relation between the internal network and the DMZ; the traffic is routed. I can access resources between DMZ and internal without problems, initiated in both directions.

What could be the reason for the denied access to the DMZ from the VPN clients?

Thank you for your ideas,

Peter

7 REPLIES
Gold

Re: Remote VPN access to DMZ

do you have something like the following:

nat (dmz) 0 access-list nat0dmz_acl

...where nat0dmz_acl defines traffic from your dmz to 192.168.113.0/24?

Also, if you're using split tunneling, make sure it's included there.

New Member

Re: Remote VPN access to DMZ

Hello srue,

there is no NAT rule between the DMZ and the external interface.

In the packet trace I see that hosts in the DMZ sending traffic to the VPN LAN 192.168.113.0/24 send the packets to the default route, that is, the external interface.

I will configure a static route with the virtual interface of the VPN tunnel endpoint 192.168.113.254.

I suppose the traffic back from the DMZ to the VPN LAN is not sent to the tunnel gateway.

Thank you,

Peter

Re: Remote VPN access to DMZ

show the configuration of the ASA

New Member

Re: Remote VPN access to DMZ

Hello,

please see the attachment.

There is an entry in the route table when an RA-VPN connection is established.

But no traffic will flow from the DMZ to the VPN client.

Thanks

Peter

Re: Remote VPN access to DMZ

access-list NO-NAT-DMZ permit ip 192.168.111.0 255.255.255.0 192.168.113.0 255.255.255.0

nat (DMZ) 0 access-list NO-NAT-DMZ

New Member

Re: Remote VPN access to DMZ

OK, it works,

thank you for the solution!

Peter

Re: Remote VPN access to DMZ

Great!

[Pls RATE if HELPS]
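
Added example, not part of the thread and not any poster's code: a Python check that reads a pre-8.3 style ASA configuration and lists the interfaces with no `nat (if) 0 access-list` exemption from their own subnet towards the VPN pool, the gap the fix in this thread closes. The sample configuration is constructed; interface names, interface addresses and the /24 masks on the inside and DMZ networks are assumptions, and only network/mask ACL entries are parsed.

```python
import ipaddress
import re

# Constructed pre-8.3 ASA fragment (not the poster's attachment). Interface names,
# interface addresses and the /24 masks on inside and DMZ are assumptions.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 192.168.115.1 255.255.255.0
interface Ethernet0/2
 nameif DMZ
 ip address 192.168.116.1 255.255.255.0
access-list NO-NAT-IN extended permit ip 192.168.115.0 255.255.255.0 192.168.113.0 255.255.255.0
nat (inside) 0 access-list NO-NAT-IN
"""
ACL_RE = re.compile(r"access-list (\S+) (?:extended )?permit ip "
                    r"([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Return (nameif -> subnet, ACL name -> [(src, dst)], nameif -> nat 0 ACL name)."""
    ifaces, acls, nat0, name = {}, {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"ip address ([\d.]+) ([\d.]+)", line)) and name:
            ifaces[name] = net(*m.groups())
            name = None
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(
                (net(m.group(2), m.group(3)), net(m.group(4), m.group(5))))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            nat0[m.group(1)] = m.group(2)
    return ifaces, acls, nat0

def missing_exemptions(config, vpn_pool, interfaces):
    """Names in `interfaces` whose subnet has no nat 0 entry towards the VPN pool."""
    pool = ipaddress.ip_network(vpn_pool)
    ifaces, acls, nat0 = parse(config)
    missing = []
    for name in interfaces:
        entries = acls.get(nat0.get(name), [])
        if not any(ifaces[name].subnet_of(src) and pool.subnet_of(dst)
                   for src, dst in entries):
            missing.append(name)
    return missing
```

Calling `missing_exemptions(SAMPLE_CONFIG, "192.168.113.0/24", ["inside", "DMZ"])` on the constructed sample reports the DMZ interface. An exemption ACL whose source network does not contain the interface's subnet is reported the same way as a missing one.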
