03-11-2013 09:20 AM - edited 03-11-2019 06:12 PM
I have an ASA with 3 interfaces, inside, outside and a DMZ running on 8.4(5). There are also VPN users connecting into the firewall.
Connected to the DMZ is an ACE with a private VIP that I can normally get to from Inside and so can the VPN users.
As soon as I assign a public address to the private VIP via the outside interface, the VPN users can't connect to the private VIP any more.
Through the inside interface it still works OK.
I have been looking for something like a NAT exemption for the VPN users. Is there such a thing on 8.4(5)?
03-11-2013 09:30 AM
You have to use manual (twice) nat to accomplish this:
object network VIP
 host 192.168.10.10
object network RAVPN_POOL
 subnet 192.168.X.0 255.255.255.0
nat (dmz,outside) source static VIP VIP destination static RAVPN_POOL RAVPN_POOL
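The configuration below is an added example, not part of the original reply. It shows how the identity twice NAT rule sits alongside the public translation of the VIP. It assumes the public address was assigned with object (auto) NAT; 203.0.113.10 is a placeholder public address, and 192.168.X.0 is the pool subnet left elided in the reply.

```text
! Constructed example. 203.0.113.10 is a placeholder, not an address from the thread.
object network VIP
 host 192.168.10.10
object network RAVPN_POOL
 subnet 192.168.X.0 255.255.255.0
!
! Section 1 (manual / twice NAT): evaluated first.
! Identity translation: the VIP keeps its private address whenever the
! peer on the outside interface is an address from the VPN pool.
nat (dmz,outside) source static VIP VIP destination static RAVPN_POOL RAVPN_POOL
!
! Section 2 (object / auto NAT): evaluated after section 1.
! Publishes the VIP on the placeholder public address for all other
! outside hosts (assumed form of the public mapping).
object network VIP
 nat (dmz,outside) static 203.0.113.10
!
! Check rule order and counters: the identity rule should be listed under
! "Manual NAT Policies (Section 1)", and its hit counts should increase
! when a VPN client connects to 192.168.10.10.
show nat detail
```

Because section 1 rules are matched before section 2 rules, VPN pool traffic never reaches the public static translation, which is what gives the exemption behaviour asked about.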
03-11-2013 09:50 AM
This doc might help you: