<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Access to services on the DMZ while VPN'd in in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/access-to-services-on-the-dmz-while-vpn-d-in/m-p/1060522#M895175</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Most likely you are just missing nat exemption. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;access-list dmz_nat0_outbound extended permit ip any &amp;lt;VPN.CLIENT.SUBNET&amp;gt;&lt;/P&gt;&lt;P&gt;nat (dmz) 0 access-list dmz_nat0_outbound&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 13 Oct 2008 12:02:41 GMT</pubDate>
    <dc:creator>acomiskey</dc:creator>
    <dc:date>2008-10-13T12:02:41Z</dc:date>
    <item>
      <title>Access to services on the DMZ while VPN'd in</title>
      <link>https://community.cisco.com/t5/network-security/access-to-services-on-the-dmz-while-vpn-d-in/m-p/1060520#M895168</link>
      <description>&lt;P&gt;I have a Cisco 5510 that has a DMZ set up on it and supports Remote Access via the legacy client, not web or SSL. While on VPN I can get to all internal resources and have no problems. However, I cannot connect to any resource in the DMZ. I've looked at the NAT rules and firewall rules; however, I am stumped. I think the order of operations is: the VPN packet arrives at the outside interface, ACLs are checked, then it is decrypted, then NAT'd (if any) and then passed. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So I am assuming I need to have rules that allow the decrypted packet to traverse from the Outside interface to the DMZ and back.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;However, I am not sure how to go about this. The address I am trying to reach in the DMZ is the actual address of the webserver and not its NAT'd address.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Randy&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 13:56:39 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/access-to-services-on-the-dmz-while-vpn-d-in/m-p/1060520#M895168</guid>
      <dc:creator>moorera</dc:creator>
      <dc:date>2019-03-11T13:56:39Z</dc:date>
    </item>
    <item>
      <title>Re: Access to services on the DMZ while VPN'd in</title>
      <link>https://community.cisco.com/t5/network-security/access-to-services-on-the-dmz-while-vpn-d-in/m-p/1060521#M895172</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Can you post your config and maybe that will shed some light on it?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;What type of service does the Server on DMZ supply?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 13 Oct 2008 11:23:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/access-to-services-on-the-dmz-while-vpn-d-in/m-p/1060521#M895172</guid>
      <dc:creator>jstabl</dc:creator>
      <dc:date>2008-10-13T11:23:58Z</dc:date>
    </item>
    <item>
      <title>Re: Access to services on the DMZ while VPN'd in</title>
      <link>https://community.cisco.com/t5/network-security/access-to-services-on-the-dmz-while-vpn-d-in/m-p/1060522#M895175</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Most likely you are just missing nat exemption. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;access-list dmz_nat0_outbound extended permit ip any &amp;lt;VPN.CLIENT.SUBNET&amp;gt;&lt;/P&gt;&lt;P&gt;nat (dmz) 0 access-list dmz_nat0_outbound&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 13 Oct 2008 12:02:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/access-to-services-on-the-dmz-while-vpn-d-in/m-p/1060522#M895175</guid>
      <dc:creator>acomiskey</dc:creator>
      <dc:date>2008-10-13T12:02:41Z</dc:date>
    </item>
    <item>
      <title>Re: Access to services on the DMZ while VPN'd in</title>
      <link>https://community.cisco.com/t5/network-security/access-to-services-on-the-dmz-while-vpn-d-in/m-p/1060523#M895177</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks for the post. That is what I thought, but still no joy.... Would you perhaps know which interface the PIX would think this request originates from? My thought is that since the traffic comes through the Outside interface, is decrypted and then placed in the inside interface queue, perhaps there is no way to bounce this traffic to the DMZ interface, as it would be entering the interface (inside) to get there from where it is from. I'm thinking this is not allowed (normally isn't) and I cannot think of how to make this work..... Thoughts?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 13 Oct 2008 14:23:50 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/access-to-services-on-the-dmz-while-vpn-d-in/m-p/1060523#M895177</guid>
      <dc:creator>moorera</dc:creator>
      <dc:date>2008-10-13T14:23:50Z</dc:date>
    </item>
    <item>
      <title>Re: Access to services on the DMZ while VPN'd in</title>
      <link>https://community.cisco.com/t5/network-security/access-to-services-on-the-dmz-while-vpn-d-in/m-p/1060524#M895178</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;If you are using a legacy client, is it set up to use the default gateway on the remote network? Nothing to do with the ASA itself, but how the VPN is handling routing.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 13 Oct 2008 21:33:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/access-to-services-on-the-dmz-while-vpn-d-in/m-p/1060524#M895178</guid>
      <dc:creator>sjones1966</dc:creator>
      <dc:date>2008-10-13T21:33:31Z</dc:date>
    </item>
  </channel>
</rss>

