VPN client connects to ASA but not DMZ's or Internet

Hi, I have a Cisco 5520. I have managed to use the Cisco VPN Client to connect to the Outside interface and communicate with the servers on the LAN. My VPN pool is 192.168.8.x/24 and I simply added a rule on the Outside:

source = 192.168.8.x/24 destination = any

protocol = ip

then a rule on the Inside:

source = any destination = 192.168.8.x/24

protocol = ip

Now I just need to work out how to get to the Internet and the DMZ I have on this ASA.

The Internet is just through the Outside of the ASA's Interface and the DMZ of a giga port on the ASA.

Let me know what info you need.

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Green

Re: VPN client connects to ASA but not DMZ's or Internet

Internet-

same-security-traffic permit intra-interface

global (outside) 1 interface

nat (outside) 1 192.168.8.0 255.255.255.0

DMZ Access-

access-list dmz_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0

nat (dmz) 0 access-list dmz_nat0_outbound

14 REPLIES

Re: VPN client connects to ASA but not DMZ's or Internet

Hi Andy

Please attach your running-config.

Do you want your VPN clients to connect to the internet via the VPN tunnel over the ASA, or do you want them to connect to the internet via their local gateway and utilize the local bandwidth instead of the main office's?

Regards

Community Member

Re: VPN client connects to ASA but not DMZ's or Internet

Hi there, I'll get the config over when I get it, however it's huge, do you need just part of it?

And yes their internet traffic has to go over the tunnel to the ASA.

Re: VPN client connects to ASA but not DMZ's or Internet

Andy,

You can exclude the outside_access_in and inside_access_in access-lists, exclude object groups and names. Also use attach file feature and upload your config as a txt file.

Regards

Community Member

Re: VPN client connects to ASA but not DMZ's or Internet

Here it is, let me know if I've cut too much out and I'll paste back what you need.

Green

Re: VPN client connects to ASA but not DMZ's or Internet

Add..

access-list DMZ2_nat0_outbound extended permit ip any 192.168.8.0 255.255.255.0

access-list DMZ_inbound_nat0_acl outside extended permit ip any 192.168.8.0 255.255.255.0

access-list DMZ4_outbound_nat0_acl outside extended permit ip any 192.168.8.0 255.255.255.0

same-security-traffic permit intra-interface

nat (outside) 1 192.168.8.0 255.255.255.0

Community Member

Re: VPN client connects to ASA but not DMZ's or Internet

I will try this tomorrow. For my understanding, what does "same-security-traffic permit intra-interface" do?

Also could "nat (outside) 1 192.168.8.0 255.255.255.0"

be

"nat (VPN_Client) 1 192.168.8.0 255.255.255.0"

so I know what it is? Or does it have to be outside?

Green

Re: VPN client connects to ASA but not DMZ's or Internet

same-security-traffic permit intra-interface allows traffic to enter and exit the same interface. Since you want your vpn clients to access the internet via the outside interface of the ASA, this traffic will be bouncing off the outside interface.

No, it must be...

nat (outside) 1 192.168.8.0 255.255.255.0

Community Member

Re: VPN client connects to ASA but not DMZ's or Internet

Thanks for your informative replies, they are a great help. I'm going to try this today. What does the 1 mean in the "nat (outside) 1 192.168.8.0 255.255.255.0"?

Community Member

Re: VPN client connects to ASA but not DMZ's or Internet

Hi, I get this error:

ASA(config)# nat (outside) 1 192.168.8.0 255.255.255.0

WARNING: Binding inside nat statement to outermost interface.

WARNING: Keyword "outside" is probably missing.

ASA(config)#

Green

Re: VPN client connects to ASA but not DMZ's or Internet

The "1" ties the statement to the "1" in your global (outside) 1 interface command.

The message you are getting is just a warning, it's not an error, and you do not need the outside keyword. Should work fine.
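The replies above explain the three pieces the hairpin setup depends on and how the "1" ties the nat statement to the global statement. As an added example (not code from the thread or from Cisco), the script below parses a config in the nat/global syntax used in this thread and checks that all of those pieces are present and consistent for the VPN pool: intra-interface hairpinning enabled, a global on outside, a nat on outside for the pool whose id matches that global, and a nat 0 exemption on dmz whose access-list names the pool. The two configs it reads are constructed samples, and the function and key names are this example's own.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample inputs (not the config attached in the thread).
VPN_POOL = "192.168.8.0"
VPN_MASK = "255.255.255.0"

COMPLETE_CONFIG = """
same-security-traffic permit intra-interface
access-list dmz_nat0_outbound extended permit ip any 192.168.8.0 255.255.255.0
global (outside) 1 interface
nat (outside) 1 192.168.8.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
"""

# Has a global, but the nat id does not match it, and the other pieces are absent.
INCOMPLETE_CONFIG = """
global (outside) 1 interface
nat (outside) 2 192.168.8.0 255.255.255.0
"""

GLOBAL_RE = re.compile(r"^global \((?P<iface>\S+)\) (?P<id>\d+) ")
NAT_RE = re.compile(r"^nat \((?P<iface>\S+)\) (?P<id>\d+) (?P<rest>.+)$")
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) .*permit ip (?P<src>any|\S+ \S+) (?P<dst>any|\S+ \S+)"
)


def check_hairpin_config(config: str, pool: str = VPN_POOL, mask: str = VPN_MASK) -> Dict[str, bool]:
    """Return one boolean per required piece of the VPN-client hairpin/exemption setup."""
    globals_by_iface: Dict[str, Set[str]] = {}          # interface -> global ids
    nats: List[Tuple[str, str, str]] = []               # (interface, id, remainder)
    acls: Dict[str, List[Tuple[str, str]]] = {}         # acl name -> [(src, dst)]
    intra_interface = False

    for raw in config.splitlines():
        line = raw.strip()
        if line == "same-security-traffic permit intra-interface":
            intra_interface = True
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globals_by_iface.setdefault(m["iface"], set()).add(m["id"])
            continue
        m = NAT_RE.match(line)
        if m:
            nats.append((m["iface"], m["id"], m["rest"]))
            continue
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m["name"], []).append((m["src"], m["dst"]))

    pool_str = f"{pool} {mask}"
    outside_global_ids = globals_by_iface.get("outside", set())

    # nat (outside) <id> <pool> <mask>, where <id> is bound to a global on outside
    pool_nat_bound = any(
        iface == "outside" and rest == pool_str and nat_id in outside_global_ids
        for iface, nat_id, rest in nats
    )
    # nat (dmz) 0 access-list <acl>, where <acl> has the pool as a destination
    dmz_exempt = any(
        iface == "dmz" and nat_id == "0" and rest.startswith("access-list ")
        and any(dst == pool_str for _, dst in acls.get(rest.split()[1], []))
        for iface, nat_id, rest in nats
    )
    return {
        "intra_interface": intra_interface,
        "outside_global": bool(outside_global_ids),
        "pool_nat_bound_to_global": pool_nat_bound,
        "dmz_nat_exempt": dmz_exempt,
    }


def missing_pieces(config: str) -> List[str]:
    """Names of the checks that failed, in a fixed order, for easy reporting."""
    return [name for name, ok in check_hairpin_config(config).items() if not ok]


if __name__ == "__main__":
    for label, cfg in (("complete", COMPLETE_CONFIG), ("incomplete", INCOMPLETE_CONFIG)):
        print(label, "missing:", missing_pieces(cfg) or "nothing")
```

The id match is the point the thread keeps returning to: a nat statement whose id has no matching global on the egress interface translates nothing, so the checker reports that case as missing even though both lines exist.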

Community Member

Re: VPN client connects to ASA but not DMZ's or Internet

Hi, it's not working yet, but I realised I didn't add:

same-security-traffic permit intra-interface

global (outside) 1 interface

Only:

nat (outside) 1 192.168.8.0 255.255.255.0

Do I need the other 2 lines?

Green

Re: VPN client connects to ASA but not DMZ's or Internet

Yes you need both of those.

Community Member

Re: VPN client connects to ASA but not DMZ's or Internet

Damn, you're good, that fixed it all!

I tried similar stuff through the ASDM, but couldn't find the "same-security-traffic permit intra-interface".

global (outside) 1 interface was already on the ASA.

Also, is "access-list dmz_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0

nat (dmz) 0 access-list dmz_nat0_outbound" basically an exempt rule?
