Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
239
Views
0
Helpful
1
Replies

Need assistance with DMZ Subnet accessing outside interface on same firewall

Scott Conklin
Level 1
Level 1

‎08-28-2015 06:18 AM - edited ‎03-11-2019 11:30 PM

Hello, we have an ASA5520 that is functioning as our Remote access VPN endpoint for remote users on the Internet.  We are currently using the legacy Cisco IPSec VPN client for VPN connections, moving to AnyConnect shortly.
This ASA firewall has 3 interfaces, Outside (31.x.x.x), Inside (10.x.x.x), and a DMZ interface (192.168.100.x) that we have connectedd to our internal Wireless network.  The ASA is providing IP parameters to wireless clients via DHCP using itself as the default gateway to get to the Internet.  Traffic from this interface is being natted dynamically to 31.x.x.200.  Traffic to the Internet is working perfectly fine.  However, the issue that we are facing is that specific users on the Wireless LAN need to connect to our Remote Access VPN 31.x.x.128, which is the outside interface of the firewall itself.  These users are unable to connect, my guess is that the firewall just isn't allowing the traffic to go out the Outside interface and back in.

I have both of the same-security-traffic commands entered into this ASA, but I suspect they are not relevant to this situation.
Any idea if this issue can be rectified, and if so, how?  I have an ugly workaround in mind, but would prefer to get this specific connection working.

I have attached a crude diagram of the environment.
Thanks!

Labels:
Preview file
16 KB
0 Helpful
1 Reply 1

Marius Gunnerud
VIP
VIP

‎08-28-2015 02:36 PM

This will not work as the ASA does not allow users to connect to an IP address located on an interface that is not the ingress interface.  You will need to enable IPsec access on the DMZ interface and have the users connect to that interface's IP.

If the users are accessing the VPN via URL, then, if you have control of the DNS server, you will need to configure an entry that will map the URL to the DMZ interface for those users.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card