Cisco Support Community
Community Member

Can you create a Remote Access VPN connection to tunnel DMZ LAN and Inside Networks simultaneously?

I have a customer that has an ASA 5510 version 8.3 with IPSEC Client Access that includes some of their networks on the Inside interface. The issue they are having is when their mobile users connect with the vpn client (which is using split tunneling), they can no longer access their web server applications that are running in the DMZ. Without the client connected, they access the web servers via the external public IP. Once they are connected via vpn, their default dns server becomes the internal AD DNS server, which resolves the DNS of the web servers to the private DMZ ip address.

Can a Remote Access VPN client connection be allowed to connect to both the DMZ interface and the Inside Interface? I had always only set up RA VPN clients to connect to networks on the Inside Interface.

I tried adding the DMZ network to the Split Tunnel list, but I could not access anything while connected to vpn using the private IP addresses.

VIP Purple

Have you also exempted the DMZ-to-VPN traffic from NAT? That is also needed.


P.S. This is more a Security/Firewall topic. You should move it to the right category.

Community Member

Yes, you should be able to access DMZ subnets as well if they are added to the split tunnel ACL. You could check the NAT exemption configuration for the DMZ and also check if the ASA is forwarding the packet through DMZ interface by configuring captures on the DMZ interface. 

Share the configuration if you want help with the NAT exemption part.
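To make the two suggestions above concrete (NAT exemption for DMZ-to-VPN traffic, and checking the DMZ side with captures), here is an added example of what the relevant pieces of an ASA 8.3 configuration look like. This is illustrative config written for this thread, not the poster's or Cisco's configuration: the interface nameifs (`inside`, `dmz`, `outside`), the object names, the group-policy name `RA-POLICY` and all subnets (VPN pool 192.168.100.0/24, DMZ 172.16.1.0/24, inside 10.1.1.0/24) are assumed sample values and must be replaced with the real ones.

```cisco
! --- Objects (constructed sample addressing) ---
object network VPN-POOL
 subnet 192.168.100.0 255.255.255.0
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
object network DMZ-NET
 subnet 172.16.1.0 255.255.255.0

! --- NAT exemption, 8.3 style (manual/twice NAT, identity translation) ---
! The inside exemption is what most RA VPN setups already have:
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL
! The missing piece for the DMZ: same identity NAT, but with the DMZ as the real interface.
! Manual NAT lands in section 1, so it is evaluated before the web servers'
! object NAT (static to the public IP); without it the replies to the VPN
! client would be translated to the public address and the session would fail.
nat (dmz,outside) source static DMZ-NET DMZ-NET destination static VPN-POOL VPN-POOL

! --- Split tunnel: the DMZ subnet must be in the list as well ---
access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 172.16.1.0 255.255.255.0
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! --- Verification from the CLI ---
! 1. Confirm the exemption rule exists and is hit (translate_hits / untranslate_hits):
show nat
! 2. Simulate the server's reply to a VPN client and check the NAT and ROUTE phases:
packet-tracer input dmz tcp 172.16.1.10 80 192.168.100.5 40000 detailed
! 3. Capture on the DMZ interface to see whether traffic is actually forwarded there
!    (and whether the web server answers back towards the VPN pool):
capture DMZ-VPN interface dmz match ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
show capture DMZ-VPN
no capture DMZ-VPN
```

Reconnect the VPN client after changing the group policy, since the split-tunnel list is pushed at connection time. If `show capture` shows the client's packets arriving at the server but no replies, the problem is usually on the server side (default gateway or host firewall), not on the ASA; if the packets never appear on the DMZ interface, look at the NAT phase in the `packet-tracer` output first.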
