Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

NAT entry to allow Anyconnect users access to DMZ servers

I'm trying to set up Anyconnect so that users can also view the internet sites that my organization hosts (ie. our corporate website). I run an ASA 5510 with 8.2.1.  VPN users are assigned 192.168.200.x addresses, DMZ addresses are 192.168.2.x

I have NAT entries in place that allow VPN users to access internal resources and other internet sites, but I'm having a terrible time getting them access to our internet sites. I've read a number of posts in these forums with no success.

I feel like I'm missing a single NAT entry but don't know what I've missed. Any help would be appreciated.



Re: NAT entry to allow Anyconnect users access to DMZ servers

Looking at your config, I would have thought that DMZ resources are working, but internal ones are not. You need to NAT0 both networks. You have one for the DMZ, but not for the inside.

Have: nat (dmz) 0 access-list no_nat_vpn

Don't Have: nat (inside) 0 access-list no_nat_vpn

When you try and access a DMZ resource, is there anything in the logs? Specifically an entry like "no translation group found".

I've attached the config guide for AnyConnect.

New Member

Re: NAT entry to allow Anyconnect users access to DMZ servers

I should probably clarify my network setup. We run our dmz with back to back firewalls, per the image. There is no internal interface on the ASA in question, only DMZ and external.
My issue is that AnyConnect VPN users who authenticate to the edge ASA can access DMZ resources (by DMZ IP) and Internal resources per the attached diagram. However, they cannot access our webservers in the DMZ by their public IPs (ie.

I'll take a look at the logs to see if there's anything of use/interest.


Re: NAT entry to allow Anyconnect users access to DMZ servers

Are your intranet sites hosted on the DMZ servers that have static NAT entires in your config? If so, you might try implementing DNS doctoring on the static NATs by adding 'dns' to the end of the NAT entry. You'll have to remove the static NATs and re-add them with 'dns' tacked on, then clear the xlate. If you're using domain names to resolve the IPs for your intranet sites the ASA will rewrite the DNS response with the internal 192.168 IP instead of the public IP. Ought to work if you're able to access the DMZ servers (and sites) with their private IPs.

You may also try adding an access list rule permitting the network to hit the public IPs of your DMZ servers as a test as well.

Good luck!


CreatePlease to create content