Cisco Support Community
Community Member

VPN in from DMZ

Hi there,

Recently I built a remote access VPN on an ASA 5510. Users are able to log in from outside. I created a DMZ wireless zone for wireless users, and they are not able to log in to the VPN using the public IP address. I excluded the wireless router IP from NAT to the public IP and it is still not working. Keep in mind that the same IP address is used for internet access (PAT).

I have run out of ideas.

1 ACCEPTED SOLUTION

Re: VPN in from DMZ

yep you got it! that would help, make sure you have the needed nonat statements and stuff too

8 REPLIES

Re: VPN in from DMZ

Are these wireless users using the outside IP address as the server for the VPN connection? If the answer is yes then it is expected behavior: traffic that comes from, say, one zone of the firewall (DMZ) cannot reach an interface in another zone (outside). They should try using the DMZ interface, and you should have the crypto map enabled on the dmz as well, and isakmp should be enabled on the dmz.

Make sure all of the nat and stuff are emulated on the firewall for traffic to go through.

Community Member

Re: VPN in from DMZ

Wireless users are using the outside IP address as the VPN server.

If I enable IPsec on the dmz interface they are able to connect.

The issue is that all wireless users will be required to have multiple VPN profiles (to connect to inside from wireless and from outside).

I was thinking that it might be possible to create a static NAT:

static (outside,dmz) <public-ip> <public-ip> netmask <mask>

What do you think?

Re: VPN in from DMZ

Nope, not possible. You just can't, by design of the firewall, connect to an interface that is not on the same "location" you are coming from.

Community Member

Re: VPN in from DMZ

So the only solution will be to use multiple Cisco VPN profiles for the end users.

Is there any way that I can set up some kind of redirecting?

So whenever a wireless client tries to connect to the VPN using the outside IP address, it will do a translation to the gateway of the DMZ?

Community Member

Re: VPN in from DMZ

I ended up creating a 2nd profile for the Cisco VPN client.

Now the issue is that clients are able to connect to the inside of the network using the VPN client but not to the DMZ. (You can access the DMZ if you VPN from outside.)

Could the problem be that you are coming from the same interface where the DMZ is connected?

I'm thinking of trying

same-security-traffic permit intra-interface

Re: VPN in from DMZ

yep you got it! that would help, make sure you have the needed nonat statements and stuff too
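
As an added illustration (not configuration posted by anyone in this thread), an ASA 8.2-style fragment that puts together the pieces the thread converged on: terminating the remote-access VPN on the dmz interface as well as outside, permitting the intra-interface hairpin for DMZ-sourced clients that need DMZ hosts, and NAT exemption so the VPN pool is not PATed. Interface names, subnets, the pool and the ACL names are constructed placeholders; the transform set, dynamic crypto map, group policy and tunnel-group are assumed to exist already.

```cisco
! Added example (constructed values). Assumes VPN_MAP, its dynamic map,
! the transform set and the tunnel-group are already configured.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! A DMZ client's tunnel terminates on dmz; its decrypted traffic to a DMZ
! server leaves through dmz again. That same-interface flow is dropped by
! default and must be explicitly permitted.
same-security-traffic permit intra-interface
!
ip local pool VPN_POOL 10.10.200.1-10.10.200.50 mask 255.255.255.0
!
! NAT exemption ("nonat"): traffic between the VPN pool and the inside and
! DMZ subnets must not be translated. nat 0 with an ACL is bidirectional.
access-list NONAT_INSIDE extended permit ip 10.10.0.0 255.255.0.0 10.10.200.0 255.255.255.0
access-list NONAT_DMZ extended permit ip 192.168.50.0 255.255.255.0 10.10.200.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE
nat (dmz) 0 access-list NONAT_DMZ
!
! Ordinary PAT for internet access stays in place for everything else.
global (outside) 1 interface
nat (inside) 1 10.10.0.0 255.255.0.0
nat (dmz) 1 192.168.50.0 255.255.255.0
!
! Terminate the IPsec remote-access VPN on both interfaces; clients inside
! the DMZ use a second profile whose peer is the dmz interface address.
crypto isakmp enable outside
crypto isakmp enable dmz
crypto map VPN_MAP interface outside
crypto map VPN_MAP interface dmz
```

Keep the NAT exemption ACLs as narrow as the pool and the subnets actually need; a broad exemption also exempts traffic you did not intend to bypass the PAT policy.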

Community Member

Re: VPN in from DMZ

Finally it's working

Re: VPN in from DMZ

great! do rate useful posts
