Cisco Support Community

New Member

Allowing VPN subnet access to DMZ

I need to allow users from our VPN subnet access to a webserver on our DMZ.

Both the inbound ACLs are correct, but I am unsure of what the translation would be.

Our VPN subnet is 172.16.140.0/24 and our DMZ is 172.16.110.0/24.

Any help would be appreciated. BTW, this is an ASA5510

1 ACCEPTED SOLUTION

Accepted Solutions
Green

Re: Allowing VPN subnet access to DMZ

access-list No-NAT-DMZ extended permit ip 172.16.110.0 255.255.255.0 172.16.140.0 255.255.255.0

nat (DMZ) 0 access-list No-NAT-DMZ

You had the ACL above in your No-Nat ACL, but that is the NAT exemption for the inside interface. That ACL would never match. So you simply have to create a NAT exemption for the DMZ with the appropriate ACL.

5 REPLIES
Green

Re: Allowing VPN subnet access to DMZ

Posting the config would help, but you probably just need NAT exemption for the DMZ.

access-list nonat_dmz permit ip any 172.16.140.0 255.255.255.0

nat (dmz) 0 access-list nonat_dmz

Please rate helpful posts.

New Member

Re: Allowing VPN subnet access to DMZ

Here's the config

New Member

Re: Allowing VPN subnet access to DMZ

Thanks, that worked. Also, could you explain what the NAT exemption does in this instance?

Thanks again.

Green

Re: Allowing VPN subnet access to DMZ

It identifies the traffic which should be exempt from NAT, or not NAT'd. This allows the traffic to be part of the VPN.

Please rate helpful posts.
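To make the two points in this thread concrete (the accepted solution's "that ACL would never match" and the last reply's description of what the exemption does), here is an added example that is not from the thread or from Cisco. It is a small checker for pre-8.3 ASA "nat (ifc) 0 access-list" exemption: it parses the two statement types used above, then asks whether a DMZ-sourced flow towards the VPN subnet is exempt under three constructed configs: the original (DMZ entry sitting in the inside interface's exemption list), the accepted solution, and a case-mismatched ACL name. The inside subnet 192.168.1.0/24 is invented for the example; the thread does not give it.

```python
"""Added example (not from the thread): checker for ASA 8.2-style NAT exemption.

Models exactly two statement types:
    access-list NAME [extended] permit ip (any | host A | A MASK) (any | host A | A MASK)
    nat (IFC) 0 access-list NAME
The inside subnet 192.168.1.0/24 below is constructed; the thread does not show it.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

# Constructed "before" config: the DMZ->VPN entry lives in the ACL bound to the
# inside interface, so traffic whose real source is on the DMZ never consults it.
CONFIG_BEFORE = """
access-list No-NAT extended permit ip 192.168.1.0 255.255.255.0 172.16.140.0 255.255.255.0
access-list No-NAT extended permit ip 172.16.110.0 255.255.255.0 172.16.140.0 255.255.255.0
nat (inside) 0 access-list No-NAT
"""

# Accepted solution: a separate exemption ACL bound to the DMZ interface.
CONFIG_AFTER = CONFIG_BEFORE + """
access-list No-NAT-DMZ extended permit ip 172.16.110.0 255.255.255.0 172.16.140.0 255.255.255.0
nat (DMZ) 0 access-list No-NAT-DMZ
"""

# Constructed mistake: the nat statement spells the ACL name with different case.
CONFIG_MISMATCH = CONFIG_BEFORE + """
access-list No-NAT-DMZ extended permit ip 172.16.110.0 255.255.255.0 172.16.140.0 255.255.255.0
nat (DMZ) 0 access-list No-Nat-DMZ
"""


def _endpoint(tok: List[str], i: int) -> Tuple[Net, int]:
    """Consume one ACE address spec (any | host A | A MASK) starting at tok[i]."""
    if tok[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return Net(tok[i + 1] + "/32"), i + 2
    return Net(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse(config: str) -> Tuple[Dict[str, List[Tuple[Net, Net]]], Dict[str, str]]:
    """Return (acls, exemptions).

    acls:       ACL name -> list of (src_net, dst_net) from 'permit ip' entries
    exemptions: interface nameif -> ACL name bound by 'nat (ifc) 0 access-list'
    """
    acls: Dict[str, List[Tuple[Net, Net]]] = {}
    exemptions: Dict[str, str] = {}
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "access-list" and "permit" in tok[2:4]:
            p = tok.index("permit")
            if tok[p + 1] != "ip":          # only 'permit ip' entries are modelled
                continue
            src, i = _endpoint(tok, p + 2)
            dst, _ = _endpoint(tok, i)
            acls.setdefault(tok[1], []).append((src, dst))
        elif tok[0] == "nat" and len(tok) >= 5 and tok[2:4] == ["0", "access-list"]:
            exemptions[tok[1].strip("()")] = tok[4]
    return acls, exemptions


def is_nat_exempt(config: str, ingress_ifc: str, src: str, dst: str) -> bool:
    """True if a packet entering on ingress_ifc from src to dst matches the
    exemption ACL bound to that interface.

    'nat (ifc) 0' is consulted only for traffic whose real source sits behind
    ifc, which is why a DMZ->VPN entry in the inside interface's list never
    matches DMZ-sourced flows. ACL names are compared exactly, as the ASA
    treats them as case-sensitive identifiers.
    """
    acls, exemptions = parse(config)
    acl_name = exemptions.get(ingress_ifc)
    if acl_name is None:
        return False                         # no exemption bound to this interface
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in sn and d in dn for sn, dn in acls.get(acl_name, []))


if __name__ == "__main__":
    # Constructed flow: the DMZ webserver answering a VPN client.
    flow = ("DMZ", "172.16.110.5", "172.16.140.10")
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER),
                       ("name mismatch", CONFIG_MISMATCH)):
        print(f"{label:14} DMZ->VPN exempt from NAT: {is_nat_exempt(cfg, *flow)}")
```

Running it shows the exemption only taking effect once an ACL is bound with `nat (DMZ) 0`, and the case-mismatched name silently binding to nothing. The syntax modelled here is the ASA 8.2-and-earlier form used in this thread; from 8.3 onward NAT is configured with object NAT and twice NAT, and this checker does not apply.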
