New Member

VPN users accessing DMZ Servers with IP Static NAT to Inside

I have static NAT on inside to the VPN so that internal clients can access the VPN. The problem is that VPN clients and L2L connections cannot access the DMZ. Any thoughts?

4 REPLIES
Cisco Employee

Re: VPN users accessing DMZ Servers with IP Static NAT to Inside

You probably have something like this in your config:

access-list nonat permit ip

nat (inside) 0 access-list nonat

This stops your VPN traffic from being NAT'd so that it'll match your crypto access-list correctly. This is only doing it for traffic coming from the inside interface though. For VPN users to get to the DMZ interface you need the same sort of thing like this:

access-list nonatdmz permit ip

nat (dmz) 0 access-list nonatdmz

New Member

Re: VPN users accessing DMZ Servers with IP Static NAT to Inside

Is the Static (dmz, inside) statement still going to screw me up? I still need internal/VPN clients to use an internal address for the DMZ server.

Green

Re: VPN users accessing DMZ Servers with IP Static NAT to Inside

Mike,

No, it will not. As Glenn has posted, you can use NAT exemption for the DMZ to VPN clients. This is first in the NAT order of operations and will not affect your (dmz,inside) destination NAT.
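
The NAT exemption discussed in the replies above, written out as an added example that is not part of the original posts. It assumes the pre-8.3 `nat (interface) 0 access-list` syntax used in the thread; every subnet, host address and the `l2l_crypto` ACL name are constructed placeholders.

```cisco
! Constructed addressing (assumptions, not taken from the thread):
!   inside subnet        10.1.1.0/24
!   DMZ subnet           192.168.2.0/24
!   VPN client pool      10.10.10.0/24
!   remote L2L subnet    172.16.50.0/24
!
! Existing exemption: covers traffic sourced from the inside interface only.
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.16.50.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Matching exemption for the DMZ interface. Keep the entries scoped to the
! DMZ subnet and the specific VPN ranges rather than "any", so the exemption
! does not bypass NAT for unrelated traffic.
access-list nonatdmz extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonatdmz extended permit ip 192.168.2.0 255.255.255.0 172.16.50.0 255.255.255.0
nat (dmz) 0 access-list nonatdmz
!
! For the L2L tunnel, the crypto ACL must also list the DMZ subnet, or the
! un-NAT'd DMZ traffic will not match the tunnel (ACL name is hypothetical).
access-list l2l_crypto extended permit ip 192.168.2.0 255.255.255.0 172.16.50.0 255.255.255.0
!
! Checks to run from the CLI after applying the change:
!   show run nat
!   show access-list nonatdmz
!   packet-tracer input dmz tcp 192.168.2.50 80 10.10.10.25 1025 detailed
```

In the `packet-tracer` output, the NAT phase should report the `nat (dmz) 0` exemption as the matching rule, and the hit counters on `nonatdmz` should increase once VPN clients reach the DMZ.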

New Member

Re: VPN users accessing DMZ Servers with IP Static NAT to Inside

Thank you both. I will try this in my lab.
