I have a vendor using the VPN client to my ASA, and it is working. Now they are asking to have local LAN access from the PC that has the VPN client. They gave me the public IP addresses and I was told that these IP addresses are in the DMZ. Now I know they are using the VPN client from their PC in the DMZ. My question is: what kind of security risks are there if I allow local LAN access with public IP addresses? Thank you.
You can configure an IPsec VPN to provide the VPN client with secure access to the DMZ.
The URL below provides step-by-step instructions on how to allow the Cisco VPN Client to access only its local LAN while tunneled into a Cisco ASA 5500 Series Security Appliance or PIX 500 Series Security Appliance. This configuration allows Cisco VPN Clients secure access to corporate resources via IPsec and still gives the client the ability to carry out activities like printing wherever the client is located. If it is permitted, traffic destined for the Internet is still tunneled to the ASA or PIX.
Thanks for the reply. We did configure local LAN access for a couple of the vendors with their private IP addresses. However, this specific vendor gave me public IP addresses for their local LAN, and I was told these IPs are in their DMZ. Let's say PCs/servers A, B, and C are in the vendor DMZ, and I am not sure if those servers are doing any hosting. Server A using the VPN client to my ASA is fine. If local LAN access is enabled, server A will send traffic to server B or C unencrypted. Now if server B is compromised, then the information from A to B can be viewed. What will happen from there on is part of my concern. Typically, when local LAN access is enabled, the LAN is in the inside network and there will be some kind of protection for it, but in the DMZ I am not sure how secure their DMZ is.
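An added example, not part of the thread or of Cisco's documentation: a small Python audit that lists, for each group policy using excluded-network split tunneling (the ASA setting behind client local LAN access), which networks bypass the tunnel and whether each is RFC 1918, public, or the `host 0.0.0.0` entry that means whatever LAN the client is on. The sample config, policy names, ACL names and addresses are constructed.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample config: policy names, ACL names and addresses are made up.
SAMPLE_CONFIG = """\
access-list VENDOR_A_LOCAL standard permit host 0.0.0.0
access-list VENDOR_B_LOCAL standard permit 192.168.10.0 255.255.255.0
access-list VENDOR_C_LOCAL standard permit 203.0.113.0 255.255.255.248
group-policy VENDOR_A attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value VENDOR_A_LOCAL
group-policy VENDOR_B attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value VENDOR_B_LOCAL
group-policy VENDOR_C attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value VENDOR_C_LOCAL
group-policy STAFF attributes
 split-tunnel-policy tunnelall
"""
ACL_RE = re.compile(r"^access-list (\S+) standard permit (?:host (\S+)|(\S+) (\S+))$")

def classify(net):
    # host 0.0.0.0 in the exclude list means "the client's own LAN, wherever it is"
    if net == ipaddress.ip_network("0.0.0.0/32"):
        return "any-local-lan"
    if any(net.subnet_of(r) for r in RFC1918):
        return "rfc1918"
    return "public"  # reachable address space left outside the tunnel

def audit(config):
    """Return (group_policy, excluded_network, class) for every bypassed network."""
    acls, policies, current = {}, {}, None
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, host, addr, mask = m.groups()
            net = ipaddress.ip_network(f"{host}/32" if host else f"{addr}/{mask}")
            acls.setdefault(name, []).append(net)
        elif line.startswith("group-policy ") and line.endswith(" attributes"):
            current = line.split()[1]
            policies[current] = {}
        elif current and line.startswith(" split-tunnel-"):
            key, *rest = line.split()
            policies[current][key] = rest[-1] if rest else None
    return [(gp, str(net), classify(net))
            for gp, cfg in policies.items()
            if cfg.get("split-tunnel-policy") == "excludespecified"
            for net in acls.get(cfg.get("split-tunnel-network-list"), [])]
```

Calling `audit(SAMPLE_CONFIG)` returns one row per excluded network; the `public` rows are the ones matching the situation raised in the thread.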